Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

malware infected


  • This topic is locked This topic is locked
2 replies to this topic

#1 MGamble

MGamble

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:23 PM

Posted 09 November 2010 - 09:58 PM

Hello all. Recently I believe that my computer has become infected with a virus/malware/whatever. I get redirects when I search Google. Pop-ups wanting me to scan my registry and download repair tools. Also it wont let me update from windows update or let me use the Chrome browser. My computer, Vista 32bit also takes a couple minutes to fully load..please help. I don't want to do a complete wipe and reload Windows.


DDS (Ver_10-11-09.01) - NTFSx86
Run by Matt at 22:57:59.50 on Mon 11/08/2010
Internet Explorer: 9.0.7930.16406 BrowserJavaVersion: 1.6.0_19
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3582.2185 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
SP: AVG Anti-Virus Free *enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: AT&T Internet Security Suite AT&T Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Matt\Downloads\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Matt\Downloads\Defogger.exe
C:\Users\Matt\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\matt\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\55qtuhil.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2399412&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1381\6.5.1234\firefoxextension\components\TmFFExt.dll
FF - component: c:\program files\trend micro\titanium\uiframework\toolbar\firefoxextension\components\ToolbarFFHelper.dll
FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\55qtuhil.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\users\matt\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\matt\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-7-25 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-7-25 41424]
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2010-10-27 196320]
R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacom\x86\novacomd.exe [2009-7-2 30720]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-10-27 64080]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-23 21504]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-5-29 87760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-6-13 25832]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-9 24576]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42480]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-29 79888]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-06 00:12:53 -------- d-----w- c:\users\matt\appdata\roaming\Malwarebytes
2010-11-06 00:12:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 00:12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-06 00:12:39 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-06 00:12:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-05 19:39:54 6146896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{0b08b479-ff04-4d0c-8467-a9d496fbe5db}\mpengine.dll
2010-10-28 03:02:54 -------- d-----w- c:\users\matt\appdata\roaming\SUPERAntiSpyware.com
2010-10-28 03:02:54 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-10-28 03:02:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-28 00:36:57 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-10-28 00:36:22 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-10-28 00:36:22 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-10-28 00:36:22 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-28 00:11:32 -------- d-----w- c:\progra~2\Trend Micro
2010-10-28 00:11:23 -------- d-----w- c:\program files\Trend Micro
2010-10-27 21:16:35 -------- d-----w- c:\users\matt\appdata\roaming\AVG
2010-10-23 01:58:14 -------- d-----w- c:\users\matt\appdata\roaming\Bioshock2
2010-10-23 01:57:21 -------- d-sh--w- c:\progra~2\SecuROM
2010-10-21 02:56:37 -------- d-----w- c:\windows\49FA793C785E47E993DFBD442B0B45D1.TMP
2010-10-20 03:40:49 -------- d--h--w- C:\$AVG
2010-10-19 23:52:10 -------- d-----w- c:\users\matt\appdata\roaming\AVG10
2010-10-19 21:39:50 -------- d--h--w- c:\progra~2\Common Files
2010-10-19 21:37:52 -------- d-----w- c:\progra~2\AVG10
2010-10-19 21:36:50 -------- d-----w- c:\program files\AVG
2010-10-19 21:27:34 -------- d-----w- c:\progra~2\MFAData
2010-10-14 01:39:16 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-14 01:39:15 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 01:39:03 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 01:39:02 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 01:39:02 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 01:39:02 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 01:39:02 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 01:38:54 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 01:38:53 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-10-14 01:38:53 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-14 01:38:51 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-14 01:38:49 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-10-14 01:38:48 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-10-14 01:38:45 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-14 01:38:43 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-10-14 01:38:41 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-10-14 01:38:38 531968 ----a-w- c:\windows\system32\comctl32.dll

==================== Find3M ====================

2010-11-07 21:12:36 215152 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-07 21:12:34 215152 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-01 04:46:36 1355264 ----a-w- c:\windows\system32\jscript9.dll
2010-09-01 04:44:32 367104 ----a-w- c:\windows\system32\html.iec
2010-09-01 04:44:30 1448448 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 04:44:24 1122304 ----a-w- c:\windows\system32\wininet.dll
2010-09-01 04:44:06 424960 ----a-w- c:\windows\system32\vbscript.dll
2010-09-01 04:43:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-01 04:43:12 72704 ----a-w- c:\windows\system32\SetDepNx.exe
2010-09-01 04:43:12 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-01 04:43:12 114176 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-01 04:43:10 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2010-09-01 04:43:10 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2010-09-01 04:42:58 51200 ----a-w- c:\windows\system32\admparse.dll
2010-09-01 04:42:54 75264 ----a-w- c:\windows\system32\iesetup.dll
2010-09-01 04:42:48 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2010-09-01 04:42:42 150016 ----a-w- c:\windows\system32\iexpress.exe
2010-09-01 04:42:42 149504 ----a-w- c:\windows\system32\wextract.exe
2010-09-01 04:42:20 33280 ----a-w- c:\windows\system32\imgutil.dll
2010-09-01 04:42:16 48640 ----a-w- c:\windows\system32\mshtmler.dll
2010-09-01 04:42:12 11264 ----a-w- c:\windows\system32\mshta.exe
2010-09-01 04:42:10 2381824 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:42:04 63488 ----a-w- c:\windows\system32\tdc.ocx
2010-09-01 04:41:46 160768 ----a-w- c:\windows\system32\msls31.dll
2010-08-17 23:54:51 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-08-17 23:54:33 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-08-17 23:52:39 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2010-08-17 23:51:50 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2010-08-17 23:51:08 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-08-17 23:51:07 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2010-08-17 23:50:09 680960 ----a-w- c:\windows\system32\d2d1.dll
2010-08-17 23:49:57 1174528 ----a-w- c:\windows\system32\d3d10warp.dll
2010-08-17 23:49:19 1068032 ----a-w- c:\windows\system32\DWrite.dll
2010-08-17 23:49:16 797184 ----a-w- c:\windows\system32\FntCache.dll
2010-08-17 23:48:49 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2010-08-17 23:48:41 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: WDC_WD1600AAJS-60PSA0 rev.21.12M22 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-2

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x867A0566]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x867a6624]; MOV EAX, [0x867a66a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8204E962] -> \Device\Harddisk0\DR0[0x8620CAC8]
3 CLASSPNP[0x82BA98B3] -> ntkrnlpa!IofCallDriver[0x8204E962] -> [0x85AB7AF8]
5 acpi[0x806976BC] -> ntkrnlpa!IofCallDriver[0x8204E962] -> [0x85AB9958]
\Driver\atapi[0x86618670] -> IRP_MJ_CREATE -> 0x867A0566
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskWDC_WD1600AAJS-60PSA0___________________21.12M22#5&239dc6ce&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x867A03B2
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 22:59:05.40 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:23 AM

Posted 17 November 2010 - 07:14 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------
Please run the TDSSKiller tool

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:23 AM

Posted 22 November 2010 - 08:46 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users