Google Search Results Redirect, Popups, Windows Update Blocked


  • This topic is locked
3 replies to this topic

#1 cckcckcc
  • Members
  • 2 posts

Posted 12 November 2010 - 12:20 AM

Hello,

A couple of days ago, I began to notice symptoms of a malware infection on my computer. I was visiting a seemingly innocuous website when my Internet Explorer was immediately closed and a false Windows Security Essentials interface came up and tried to suggest that I was infected with some sort of trojan. At this point I was locked out of the Task Manager and my Internet Explorer would return a "could not connect to this web page" message for every site I tried to visit. I attempted to use System Restore, but upon restarting my computer, I would receive a blue screen error and my computer would automatically restart. Therefore, I restarted my computer in safe mode and attempted to search for a solution to my problem. It was suggested on a website that Malwarebytes could sufficiently remove the malware in question, so I ran an updated Malwarebytes scan. Malwarebytes fixed a few problems and I was able to restart my computer into normal mode without any problems. At this point, the issue seemed corrected. I saw no problems for about a day. I left my computer on idle the next night, and when I awoke, there was a Windows error message saying a Win32 process was terminated unexpectedly. I realized that my computer did not have any sound when I visited webpages now, so I restarted it. However, Windows hung on the loading screen every time I attempted to enter normal mode. I then restarted into safe mode again and ran an updated Spybot Search & Destroy scan, which found and was able to delete 4 problems. I was able to restart into normal mode at this point. I decided it would be a good idea to attempt to get the latest updates from Windows to prevent a resurgent problem, but the Windows Update site was blocked when I tried to access it, giving me an "Internet Explorer could not connect to this web page" message. I also noticed my Google search results were being redirected to a variety of malicious or advertising sites when I clicked on them.
I decided to seek expert help and came to this website. As I was running the preliminary scans, I encountered more trouble. GMER finished scanning and then my Windows Firewall was overridden and turned off by some malware program. It then proceeded to flood my desktop with fake Security Center interfaces and I was unable to access any internet sites. I killed all suspicious processes and could access the internet again to post this information. The requested log files are copied below or attached. Thank you for your help.


DDS (Ver_10-11-10.01) - NTFSx86
Run by Derek Pope at 18:54:06.10 on Thu 11/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.447 [GMT -6:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Derek Pope\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Logitech Utility] LOGI_MWX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-18 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1375992]
S3 HPx9G+;HPx9G+ Device USB Driver;c:\windows\system32\drivers\HPx9G2k.sys [2010-10-8 12658]

=============== Created Last 30 ================

2010-11-11 23:02:36 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-10 18:16:36 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-10 18:16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-09 03:54:08 -------- d-----w- C:\f8ad45ce2a0c328c5b
2010-11-09 03:50:24 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-11-09 03:43:30 -------- d-----w- c:\docume~1\derekp~1\locals~1\applic~1\Fallout3
2010-11-09 02:51:08 -------- d-----w- c:\program files\Bethesda Softworks
2010-11-09 02:46:34 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-09 02:45:59 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-09 02:45:50 14048 ------w- c:\windows\system32\spmsg2.dll
2010-11-09 02:45:12 -------- d-----w- c:\windows\system32\xlive
2010-11-09 02:44:22 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2010-11-09 02:44:22 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2010-11-09 02:44:22 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2010-11-09 02:44:22 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2010-11-09 02:44:21 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2010-11-09 02:44:21 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2010-11-09 02:44:20 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2010-11-08 18:55:01 52736 ----a-w- c:\windows\ipuninst.exe
2010-11-08 18:53:13 -------- d-----w- c:\program files\BlackIsle
2010-11-02 02:39:58 -------- d-----w- c:\program files\ICCup
2010-10-28 07:21:13 -------- d-----w- c:\program files\Steam
2010-10-25 04:19:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-10-25 04:19:14 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-10-25 04:18:47 -------- d-----w- c:\docume~1\derekp~1\applic~1\DAEMON Tools Lite
2010-10-25 04:18:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite

==================== Find3M ====================

2010-11-08 07:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-10-29 07:15:04 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-10-05 22:19:51 967 ----a-w- c:\windows\ScUnin.pif
2010-10-05 22:19:51 70656 ----a-w- c:\windows\ScUnin.exe
2010-09-23 06:49:50 60416 ----a-w- c:\windows\ALCFDRTM.VER

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722516VLSA80 rev.V34OA6MA -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866AE446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x866b4504]; MOV EAX, [0x866b4580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x866DDAB8]
3 CLASSPNP[0xF761CFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000060[0x866FDB88]
5 ACPI[0xF74B3620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86741030]
\Driver\nvata[0x867719B8] -> IRP_MJ_CREATE -> 0x866AE446
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000005f -> \??\IDE#DiskHDS722516VLSA80_________________________V34OA6MA#2020202020204E564436455444434C4558454134#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:55:04.68 ===============


#2 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 13 November 2010 - 10:56 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 cckcckcc

  • Topic Starter

  • Members
  • 2 posts

Posted 14 November 2010 - 10:23 PM

Apparently there is some remnant of Ad-Aware's Ad-Watch Live still on my computer even though I uninstalled it days ago. Because your instructions say not to re-run ComboFix, and as I thought that I had disabled Ad-Watch Live at the time of its running, I did not run the scan with Ad-Watch Live disabled. Here is the log file produced by ComboFix:

ComboFix 10-11-11.01 - Derek Pope 11/14/2010 18:22:50.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.626 [GMT -6:00]
Running from: c:\documents and settings\Derek Pope\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
.

2010-11-14 23:30 . 2010-11-14 23:30 232 ----a-w- c:\documents and settings\Derek Pope\Application Data\sdghzxfg.bat
2010-11-13 17:05 . 2010-11-13 17:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-11-12 03:30 . 2010-11-12 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-11 23:02 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-10 19:29 . 2010-11-10 19:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-10 18:16 . 2010-11-10 18:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-09 03:54 . 2010-11-09 03:54 -------- d-----w- C:\f8ad45ce2a0c328c5b
2010-11-09 03:50 . 2010-11-09 03:50 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-11-09 03:43 . 2010-11-10 00:54 -------- d-----w- c:\documents and settings\Derek Pope\Local Settings\Application Data\Fallout3
2010-11-09 02:51 . 2010-11-09 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Fallout3
2010-11-09 02:51 . 2010-11-09 02:51 -------- d-----w- c:\program files\Bethesda Softworks
2010-11-09 02:49 . 2010-11-09 02:49 -------- d-----w- c:\program files\MSBuild
2010-11-09 02:46 . 2010-11-09 03:54 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-09 02:46 . 2010-11-09 02:46 -------- d-----w- c:\program files\Reference Assemblies
2010-11-09 02:45 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-09 02:45 . 2006-06-29 19:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-11-09 02:45 . 2010-11-09 02:45 -------- d-----w- c:\windows\system32\xlive
2010-11-09 02:44 . 2005-04-04 05:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2010-11-09 02:44 . 2005-04-04 05:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2010-11-09 02:44 . 2005-04-04 05:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2010-11-09 02:44 . 2005-04-04 04:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2010-11-09 02:44 . 2010-11-09 02:44 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2010-11-09 02:44 . 2005-04-04 05:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2010-11-09 02:44 . 2010-11-09 02:44 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2010-11-08 18:55 . 2010-11-08 18:55 52736 ----a-w- c:\windows\ipuninst.exe
2010-11-08 18:53 . 2010-11-08 18:53 -------- d-----w- c:\program files\BlackIsle
2010-11-02 02:39 . 2010-11-02 02:39 -------- d-----w- c:\program files\ICCup
2010-10-28 07:21 . 2010-11-10 19:27 -------- d-----w- c:\program files\Steam
2010-10-25 04:19 . 2010-10-25 04:19 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-10-25 04:19 . 2010-10-25 04:19 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-10-25 04:18 . 2010-10-25 06:05 -------- d-----w- c:\documents and settings\Derek Pope\Application Data\DAEMON Tools Lite
2010-10-25 04:18 . 2010-10-25 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-04 04:01 . 2010-08-19 03:50 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-29 07:15 . 2010-05-20 01:37 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-10-05 22:19 . 2010-10-05 22:11 967 ----a-w- c:\windows\ScUnin.pif
2010-10-05 22:19 . 2010-10-05 22:11 70656 ----a-w- c:\windows\ScUnin.exe
2010-09-23 06:49 . 2010-02-15 02:30 60416 ----a-w- c:\windows\ALCFDRTM.VER
.

((((((((((((((((((((((((((((( SnapShot_2010-11-12_00.14.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-15 00:18 . 2010-11-15 00:18 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"nwiz"="nwiz.exe" [2005-06-15 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"Logitech Utility"="LOGI_MWX.EXE" [2004-03-03 19968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
egitvo.exe [2010-8-24 134656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Derek Pope^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Derek Pope\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IJPLMSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/18/2010 9:51 PM 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 HPx9G+;HPx9G+ Device USB Driver;c:\windows\system32\drivers\HPx9G2k.sys [10/8/2010 6:21 PM 12658]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/24/2010 10:19 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 18:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722516VLSA80 rev.V34OA6MA -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866E9446]<<
c:\docume~1\DEREKP~1\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x866ef504]; MOV EAX, [0x866ef580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8677FAB8]
3 CLASSPNP[0xF761CFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000061[0x8671BA70]
5 ACPI[0xF74B3620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8674B030]
\Driver\nvata[0x866FDBC8] -> IRP_MJ_CREATE -> 0x866E9446
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000060 -> \??\IDE#DiskHDS722516VLSA80_________________________V34OA6MA#2020202020204E564436455444434C4558454134#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-14 18:34:29
ComboFix-quarantined-files.txt 2010-11-15 00:34
ComboFix2.txt 2010-11-12 00:17
ComboFix3.txt 2010-08-27 21:26

Pre-Run: 79,881,654,272 bytes free
Post-Run: 80,712,556,544 bytes free

- - End Of File - - 5DA51255CA772048136B3BC0E847BB80

Edited by cckcckcc, 14 November 2010 - 10:36 PM.
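The two logs above (the DDS run in post #1 and the ComboFix run in post #3) contain the indicators the helper is reacting to, and they can be pulled out mechanically. The script below is an added example, not part of the original thread and not a BleepingComputer tool; it reads a ComboFix-style log and reports four things: the Security Center override and firewall-policy values that match the poster's "firewall was overridden and turned off", executables dropped at the root of Application Data or into a Startup folder (the sdghzxfg.bat that the CFScript in the next post collects, and egitvo.exe in the Default User startup folder, which is the template for every new profile), WININET.dll loaded into winlogon.exe and lsass.exe, and the nvata IRP_MJ_CREATE dispatch that points at the address mbr.exe lists as UNKNOWN, which is what its TDL3 warning rests on. The line formats it matches are the ones visible in this thread; the list of system processes treated as never needing an HTTP client, the wording of the findings, and the embedded sample log are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log in this thread, trimmed to the
# sections the checks read and embedded so the script runs offline with no log file.
SAMPLE_LOG = r"""
2010-11-14 23:30 . 2010-11-14 23:30 232 ----a-w- c:\documents and settings\Derek Pope\Application Data\sdghzxfg.bat
2010-10-25 04:18 . 2010-10-25 06:05 -------- d-----w- c:\documents and settings\Derek Pope\Application Data\DAEMON Tools Lite

c:\documents and settings\Default User\Start Menu\Programs\Startup\
egitvo.exe [2010-8-24 134656]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866E9446]<<
\Driver\nvata[0x866FDBC8] -> IRP_MJ_CREATE -> 0x866E9446
Warning: possible TDL3 rootkit infection !
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\WININET.dll
"""

# Security Center and firewall-policy values that should not appear together on a healthy
# XP box: AV/firewall warnings overridden, firewall off, its notifications silenced.
BAD_REG_VALUES = {"AntiVirusOverride": "1", "FirewallOverride": "1",
                  "EnableFirewall": "0", "DisableNotifications": "1"}
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:)?0*(?P<val>[0-9a-f]+)\b', re.I)
# A file with an executable extension sitting directly in Application Data (long or 8.3 form).
APPDATA_EXE_RE = re.compile(
    r"[a-z]:\\.*\\(?:application data|applic~1)\\(?P<name>[^\\]+\.(?:exe|bat|com|scr|dll))\s*$", re.I)
STARTUP_DIR_RE = re.compile(r"(?P<dir>[a-z]:\\.*\\start menu\\programs\\startup\\)\s*$", re.I)
STARTUP_EXE_RE = re.compile(r"^(?P<name>[^\s\[]+\.(?:exe|bat|com|scr))\s*\[", re.I)
PROC_HDR_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
UNKNOWN_MOD_RE = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9a-f]+)\]<<", re.I)
DISK_HOOK_RE = re.compile(
    r"^\\Driver\\(?P<drv>[^\[\s]+)\[0x[0-9a-f]+\] -> (?P<irp>IRP_MJ_\w+) -> 0x(?P<addr>[0-9a-f]+)", re.I)
# Assumption: system processes that never need an HTTP client library of their own.
NON_NETWORK_SYSTEM_PROCS = {"winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}

def find_security_overrides(log: str) -> List[str]:
    hits = []
    for line in log.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m and BAD_REG_VALUES.get(m.group("name")) == m.group("val"):
            hits.append(f"{m.group('name')}={m.group('val')}")
    return hits

def find_suspicious_autostarts(log: str) -> List[str]:
    """Executables dropped straight into Application Data or into a Startup folder."""
    hits, startup_dir = [], None
    for line in log.splitlines():
        s = line.strip()
        d = STARTUP_DIR_RE.search(s)
        if d or not s:  # a folder header opens a listing, a blank line closes it
            startup_dir = d.group("dir") if d else None
            continue
        m, where = (STARTUP_EXE_RE.match(s), startup_dir) if startup_dir else (None, None)
        if not m:
            m, where = APPDATA_EXE_RE.search(s), "Application Data root"
        if m:
            hits.append(f"{m.group('name')} in {where}")
    return hits

def find_injected_wininet(log: str) -> List[str]:
    """WinINet inside a system process that does no HTTP: a classic code-injection sign."""
    hits, proc = [], None
    for line in log.splitlines():
        s = line.strip()
        m = PROC_HDR_RE.match(s)
        if m:
            proc = m.group("proc").lower()
        elif proc in NON_NETWORK_SYSTEM_PROCS and s.lower().endswith("wininet.dll"):
            hits.append(f"{proc}: {s}")
    return hits

def find_disk_stack_hooks(log: str) -> List[str]:
    """IRP dispatch hooks on the disk miniport, plus the detector's own verdict line."""
    unknown = {m.group("addr").lower() for m in UNKNOWN_MOD_RE.finditer(log)}
    hits = []
    for line in log.splitlines():
        s = line.strip()
        m = DISK_HOOK_RE.match(s)
        if m:
            tag = " [target in no loaded module]" if m.group("addr").lower() in unknown else ""
            hits.append(f"{m.group('drv')} {m.group('irp')} -> 0x{m.group('addr')}{tag}")
        elif s.lower().startswith("warning:") and "rootkit" in s.lower():
            hits.append(s)
    return hits

def triage(log: str) -> Dict[str, List[str]]:
    return {"security_center_overrides": find_security_overrides(log),
            "suspicious_autostarts": find_suspicious_autostarts(log),
            "injected_wininet": find_injected_wininet(log),
            "disk_stack_hooks": find_disk_stack_hooks(log)}

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section, *findings, sep="\n    ")
```

To use it on a real C:\ComboFix.txt, read the file's text and pass it to triage(); ComboFix writes in the system ANSI code page rather than UTF-8, so open it with errors="replace" to avoid tripping on stray bytes. The checks are deliberately narrow: the registry test only fires on the exact values the poster's log shows, and the autostart test flags location, not name, because a dropper with a plausible name in the Default User startup folder is no less suspicious than sdghzxfg.bat.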


#4 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 14 November 2010 - 11:21 PM

Hi

Please do the following:

Note: If "cure" does not present itself as an option, then please choose "skip", DO NOT choose "delete" or "quarantine"

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic359992.html/page__view__findpost__p__2018121

Collect::
c:\documents and settings\Derek Pope\Application Data\sdghzxfg.bat

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.





