Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection w/ multiple symptoms


  • This topic is locked This topic is locked
2 replies to this topic

#1 Nash55

Nash55

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 14 November 2010 - 08:44 PM

Hello, I have been having major issues with my computer. I first noticed that my browsers have been hijacked, both Firefox and IE will redirect when using search engines (Google and Yahoo tested). Also I have noticed that once in awhile a new tab will automatically load a page usually going to some adware removal software.

In addition I get the Just In Time Debugger program popping up, sometimes almost constantly with errors in svchost.exe

I was also getting the fake windows essential security pop-up with the unknown trojan like whats shown here it kept me from opening any programs so I booted into safe mode and ran Malwarebytes Anti-Malware and that seemed to solve this problem. I did this before I found your website and have attached the log at the end of the post.

I also run WinPatrol which has been alerting me that two programs are trying add themsleves to my startup folder, taskcgr.exe and oxiqacolalocup.dll to which it also alerts me that something is trying to change a file type for txt files to notepad 1% (I use a different program by default).

In addition I have not been able to post to this forum from the infected computer from either firefox or ie. I have also noticed two instances of an add-on being added to firefox, xulrunner.

I have read and followed the preparation guide and will enable email notification to keep this process moving quick. My logs are below. Thanks in advance for any help it is greatly appreceiated!!!


DDS (Ver_10-11-10.01) - NTFSx86
Run by swanny at 0:31:41.64 on Fri 11/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1127 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exea
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp\apache\bin\apache.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\xampp\mysql\bin\mysqld.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\vsjitdebugger.exe
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\swanny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uWinlogon: Shell=c:\documents and settings\swanny\application data\hotfix.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Epson Stylus NX510(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatifia.exe /fu "c:\windows\temp\E_S59C.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NetStat Live] c:\program files\analogx\netstat live\nsl.exe
dRunOnce: [<NO NAME>]
StartupFolder: c:\docume~1\swanny\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-8796-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {D103E85B-5D67-42c1-8C83-F01079DBAB26} - {2B4C4770-27FD-4A09-B17D-33CA580965FB} - c:\program files\httpwatch\httpwtch.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133374681764
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133375123734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-win.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\swanny\applic~1\mozilla\firefox\profiles\ugx3wexd.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101068100&s=
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101068100&s=c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{D13D4F38-B5B8-4C71-8077-7D6A3F7C85D7}");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-25 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-26 28544]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-26 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-26 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-26 108552]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-12-9 24636]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-26 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 114749]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-26 38224]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
S4 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-5-8 45312]

=============== File Associations ===============

.txt=PFE32

=============== Created Last 30 ================

2010-11-12 01:23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware-New
2010-11-11 19:53:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\aIfOf02039
2010-11-11 19:53:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-11-11 19:53:39 204 ----a-w- c:\docume~1\swanny\applic~1\sdfsdfgdsfgh.bat
2010-11-05 16:45:48 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-11-05 16:45:48 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-10-14 16:38:42 -------- d-----w- c:\docume~1\swanny\locals~1\applic~1\Help
2010-10-14 01:09:06 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 01:09:05 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 01:08:38 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-11-12 04:28:25 256 ----a-w- c:\windows\system32\pool.bin
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ------w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-02 19:35:08 398744 ----a-r- c:\windows\system32\cpnprt2.cid
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AH rev.00000096 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A676446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a67c504]; MOV EAX, [0x8a67c580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A754AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A6A8620]
\Driver\atapi[0x8A756A08] -> IRP_MJ_CREATE -> 0x8A676446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2100AH_______________________00000096#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A676292
user != kernel MBR !!!
sectors 195371566 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 0:33:56.87 ===============




GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-12 01:08:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHV2100AH rev.00000096
Running: gmer.exe; Driver: C:\DOCUME~1\swanny\LOCALS~1\Temp\pfliypog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA11887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA118BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB860B360, 0x1DF98D, 0xE8000020]
? C:\DOCUME~1\swanny\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1444] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB000A
.text C:\WINDOWS\Explorer.EXE[1444] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EC000A
.text C:\WINDOWS\Explorer.EXE[1444] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EA000C
.text C:\WINDOWS\System32\svchost.exe[1992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CA000A
.text C:\WINDOWS\System32\svchost.exe[1992] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CB000A
.text C:\WINDOWS\System32\svchost.exe[1992] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C9000C
.text C:\WINDOWS\System32\svchost.exe[1992] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01AD000A
.text C:\WINDOWS\System32\svchost.exe[1992] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00D7000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 012C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 012A000C
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3380] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0083000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3380] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0084000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3380] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0082000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A676292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A676292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A676292

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2100AH_______________________00000096#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 195371312 (+255): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@c3.lkckclckl1i1i[1].txt 0 bytes

---- EOF - GMER 1.0.15 ----


Also here is the mbam log of trojan removal from before finding this site.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5096

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

11/11/2010 8:44:37 PM
mbam-log-2010-11-11 (20-44-37).txt

Scan type: Quick scan
Objects scanned: 197148
Time elapsed: 14 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\swanny\Application Data\hotfix.exe (Rogue.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\71OR2NL9\ccwavdovd[1].htm (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\71OR2NL9\fjeytaigoj[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\C2LV0U1C\lzdxfqys[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\MRJNTXEJ\bcsaigoid[1].htm (Trojan.LVBP) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\SII9SB5V\kbrmhsmu[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\SII9SB5V\xkfzhbnup[1].htm (Rogue.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\WC197PKK\huowdlgamg[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\WC197PKK\kbrmhsmu[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\swanny\Local Settings\Temporary Internet Files\Content.IE5\WS8NX9B1\swnvpxeqks[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\mdi32xt.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Attached Files


Edited by Nash55, 14 November 2010 - 08:49 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:59 PM

Posted 19 November 2010 - 06:38 PM

Hi Nash55,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

Please let me know if you have still the issue or you have resolved the issue.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:59 PM

Posted 25 November 2010 - 01:18 PM

This thread will now be closed due to lack of activity.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users