
Win32/meredrop has taken over



#1 justS

  • Members
  • 1 posts

Posted 18 November 2010 - 01:21 AM

I appear to have multiple viruses and/or hijackers on my Windows 7 machine. I traditionally run Microsoft Essentials and it has worked well for me to this point. My daughter was installing a piece of software that she got from a friend and it had a key generator. I already reamed her for the piracy and infection, but what do I do next?

The trojan disabled my real-time protection, and when I tried to turn it on, it failed. When I ran Malwarebytes or HijackThis!, the bugger rebooted the machine. I was finally able to boot into safe mode and ran both MSE and MWB; both found multiple instances of hijackers, including Win32/meredrop.

I was also able to download DDS onto a thumb drive and run it on the infected machine. I then remembered BleepingComputer and came here to seek some assistance.

Below is the DDS log and the attachment for my machine.

DDS (Ver_10-11-10.01) - NTFSx86 MINIMAL
Run by JustLaptop at 22:49:25.96 on Wed 11/17/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.1662.983 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\ctfmon.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\explorer.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
O:\dds.scr
C:\Windows\system32\conhost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: c:\windows\system32\ip4i3itof.dll: {b1ba20c1-a503-59bd-f412-03b53a2c8951} - c:\windows\system32\ip4i3itof.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - f:\program files\windows live\toolbar\wltcore.dll
uRun: [Auslogics BoostSpeed 4] f:\program files\auslogics\auslogics boostspeed\boostspeed.exe
uRun: [F.lux] "f:\users\justlaptop\local settings\apps\f.lux\flux.exe" /noshow
uRun: [uTorrent] "f:\program files\utorrent\uTorrent.exe"
uRun: [Mqsuc] c:\windows\lsass.exe
mRun: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
mRun: [Everything] "f:\program files\everything\Everything.exe" -startup
mRun: [WinampAgent] "f:\program files\winamp\winampa.exe"
mRun: [BCSSync] "f:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Mqsuc] c:\windows\lsass.exe
mRun: [Azotugavopiwamik] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\unowowow.dll",Startup
dRun: [Mqsuc] c:\windows\lsass.exe
StartupFolder: f:\users\justla~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - f:\users\justlaptop\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoTrayItemsDisplay = 00000000
uPolicies-explorer: TaskbarNoNotification = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoCustomizeThisFolder = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoVirtMemPage = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Append Link Target to Existing PDF - f:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - f:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - f:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - f:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - f:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - f:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - f:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - f:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - f:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - f:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: acaptuser32.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - f:\program files\stardock\fences\FencesMenu.dll
STS: c:\windows\system32\ip4i3itof.dll: {b1ba20c1-a503-59bd-f412-03b53a2c8951} - c:\windows\system32\ip4i3itof.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\progra~1\mif5ba~1\office14\GROOVEEX.DLL
IFEO: taskmgr.exe - "f:\program files\PROCESS_EXPLORER.EXE"

================= FIREFOX ===================

FF - ProfilePath - f:\users\justla~1\appdata\roaming\mozilla\firefox\profiles\xc7b068a.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - component: f:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: f:\users\justlaptop\appdata\roaming\mozilla\firefox\profiles\xc7b068a.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: f:\users\justlaptop\appdata\roaming\mozilla\firefox\profiles\xc7b068a.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll
FF - component: f:\users\justlaptop\appdata\roaming\mozilla\firefox\profiles\xc7b068a.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: f:\users\justlaptop\appdata\roaming\mozilla\firefox\profiles\xc7b068a.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: f:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL
FF - plugin: f:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL
FF - plugin: f:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: f:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: f:\users\justlaptop\appdata\roaming\mozilla\firefox\profiles\xc7b068a.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: XULRunner: {FE227122-4B1D-4A3A-A855-7C98FFFD7E9A} - f:\users\justlaptop\appdata\local\{FE227122-4B1D-4A3A-A855-7C98FFFD7E9A}
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
f:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{E96431B4-8C0E-47D7-AB20-2EBCC252C2FC}");

============= SERVICES / DRIVERS ===============

R0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2010-11-15 13936]
S1 cfsbbxtv;cfsbbxtv;c:\windows\system32\drivers\cfsbbxtv.sys [2010-11-17 41680]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S1 nrpmnjvm;nrpmnjvm;c:\windows\system32\drivers\nrpmnjvm.sys [2010-11-17 41680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DisplayLinkService;DisplayLinkManager;f:\program files\displaylink core software\DisplayLinkManager.exe [2010-7-31 5199208]
S2 DroidExplorerService;DroidExplorer Service;f:\program files\droid explorer\DroidExplorer.Service.exe [2010-8-21 253952]
S2 gupdate;Google Update Service (gupdate);f:\program files\google\update\GoogleUpdate.exe [2010-11-15 136176]
S2 NeatReceipts Database Controller;NeatReceipts Database Controller;f:\program files\common files\neatreceipts\db controller\NeatReceiptsDBController.exe [2010-11-12 228480]
S2 TeamViewer5;TeamViewer 5;f:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;f:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-9-30 1051968]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CM1063264;C-Media CM106 Like Sound UDAX Interface;c:\windows\system32\drivers\CM106.sys [2010-8-23 1517056]
S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort_5.4.26772.0.sys [2010-11-15 21888]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2010-11-15 176240]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-15 54632]
S3 fsssvc;Windows Live Family Safety Service;f:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-11-15 24576]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-17 38224]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;f:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 osppsvc;Office Software Protection Platform;f:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-11-12 27192]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-3-31 379904]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;f:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM106.sys [2010-8-23 1517056]

=============== Created Last 30 ================

2010-11-18 05:27:56 96256 ------w- c:\windows\system32\wininit.exeFECAF18F
2010-11-18 05:27:56 41680 ----a-w- c:\windows\system32\drivers\cfsbbxtv.sys
2010-11-18 05:27:56 2614272 ------w- c:\windows\explorer.exe6279F447
2010-11-18 05:27:55 41680 ----a-w- c:\windows\system32\drivers\nrpmnjvm.sys
2010-11-18 05:27:44 96256 ----a-w- c:\windows\system32\wininit.exe739CAB23
2010-11-18 05:27:44 2614272 ----a-w- c:\windows\explorer.exe937EA5F5
2010-11-18 04:46:33 -------- d-----w- f:\users\justla~1\appdata\roaming\GlarySoft
2010-11-18 04:40:49 -------- d-----w- f:\users\justla~1\appdata\roaming\Malwarebytes
2010-11-18 04:40:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-18 04:40:24 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-18 04:40:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 04:40:23 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-11-18 04:09:10 0 ----a-w- f:\users\justla~1\appdata\local\Kfuzofipujil.bin
2010-11-18 04:09:02 -------- d-----w- f:\users\justla~1\appdata\local\{FE227122-4B1D-4A3A-A855-7C98FFFD7E9A}
2010-11-18 04:02:58 105984 --sha-r- c:\windows\system32\C_11455.dll
2010-11-18 04:00:35 763392 ----a-w- c:\windows\system32\drivers\djhyurvj.sys
2010-11-18 04:00:21 -------- d-----w- c:\progra~2\WSTB
2010-11-18 04:00:18 30000 ----a-w- c:\windows\system32\ip4i3itof.dll
2010-11-18 04:00:17 47616 ---ha-w- c:\windows\system32\Certlist.dll
2010-11-18 01:30:44 1868800 ----a-r- f:\users\justla~1\appdata\roaming\microsoft\installer\{b4346951-3962-4c93-9a49-79a62ad8a632}\AppIcon.exe
2010-11-17 23:51:40 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{5848cc0b-1b1a-4575-b7cb-114fa10d0e0b}\mpengine.dll
2010-11-17 23:48:00 -------- d-----w- f:\users\justlaptop\.android
2010-11-17 15:48:31 -------- d-----w- f:\program files\Revo Uninstaller Pro
2010-11-16 21:02:49 -------- d-----w- f:\users\justla~1\appdata\roaming\DroidExplorer
2010-11-16 17:53:36 -------- d-----w- f:\program files\Microsoft Synchronization Services
2010-11-16 17:49:37 -------- d-----w- f:\program files\Microsoft Visual Studio 8
2010-11-16 17:48:38 -------- d-----w- f:\program files\Microsoft Analysis Services
2010-11-16 17:15:34 -------- d-----w- f:\program files\XnView
2010-11-16 16:18:48 386923 ----a-w- c:\windows\KMSAct.exe
2010-11-16 11:01:13 -------- d-----w- f:\users\justla~1\appdata\local\Microsoft Help
2010-11-16 10:14:55 3026944 ----a-w- C:\setup.exe
2010-11-16 10:14:54 1675264 ---h--w- f:\users\justla~1\appdata\roaming\svchost.exe
2010-11-16 09:35:15 -------- d-----w- f:\program files\Unlocker
2010-11-16 08:34:59 -------- d-----w- f:\users\justla~1\appdata\local\ElevatedDiagnostics
2010-11-16 07:45:43 -------- d-----w- f:\program files\Microsoft Windows Performance Toolkit
2010-11-16 07:44:34 -------- d-----w- f:\program files\Debugging Tools for Windows (x86)
2010-11-16 07:43:57 -------- d-----w- f:\program files\Application Verifier
2010-11-16 07:06:58 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-16 06:47:42 -------- d-----w- f:\users\justla~1\appdata\local\HTC
2010-11-16 06:47:20 -------- d-----w- c:\progra~2\HTC
2010-11-16 06:47:17 -------- d-----w- c:\progra~2\Teleca
2010-11-16 06:46:28 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2010-11-16 06:27:23 -------- d-----w- f:\users\justla~1\appdata\local\VS Revo Group
2010-11-16 06:22:42 -------- d-----w- f:\program files\MSXML 4.0
2010-11-16 05:29:56 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-11-16 05:29:55 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-11-16 05:29:19 -------- d-----w- f:\program files\Winamp Detect
2010-11-16 05:29:13 -------- d-----w- c:\progra~2\OrbNetworks
2010-11-16 05:29:09 -------- d-----w- f:\program files\Winamp Remote
2010-11-16 05:21:31 -------- d-----w- f:\program files\Free Fire Screensaver
2010-11-16 05:21:18 -------- d-----w- f:\users\justla~1\appdata\roaming\Laconic Software
2010-11-16 05:05:10 -------- d-----w- f:\program files\NeatReceipts Professional
2010-11-16 04:59:02 -------- d-----w- c:\progra~2\NeatReceipts Professional
2010-11-16 04:54:12 -------- d-----w- f:\program files\PowerISO
2010-11-16 04:52:32 -------- d-----w- f:\users\justla~1\appdata\local\Apps
2010-11-16 04:51:39 -------- d-----w- f:\users\justla~1\appdata\roaming\IrfanView
2010-11-16 04:51:37 -------- d-----w- f:\program files\IrfanView
2010-11-16 04:43:20 -------- d-----w- f:\users\justla~1\appdata\local\Google
2010-11-16 04:42:27 -------- d-----r- f:\program files\Skype
2010-11-16 04:39:12 -------- d-----w- f:\users\justla~1\appdata\roaming\TeamViewer
2010-11-16 04:38:57 -------- d-----w- f:\program files\TeamViewer
2010-11-16 04:27:36 -------- d-----w- f:\program files\SuperCopier2
2010-11-16 04:27:16 -------- d-----w- f:\users\justla~1\appdata\roaming\TeraCopy
2010-11-16 04:26:56 -------- d-----w- f:\program files\TeraCopy
2010-11-16 04:24:51 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-11-16 04:24:51 21312 ----a-w- c:\windows\system32\authuitu.dll
2010-11-16 04:23:49 -------- d-----w- f:\program files\uTorrent
2010-11-16 04:23:24 -------- d-----w- f:\users\justla~1\appdata\roaming\uTorrent
2010-11-16 04:19:25 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-11-16 04:18:44 -------- d-----w- f:\users\justla~1\appdata\roaming\TuneUp Software
2010-11-16 04:18:32 -------- d-----w- f:\program files\TuneUp Utilities 2010
2010-11-16 04:17:39 -------- d-----w- c:\progra~2\TuneUp Software
2010-11-16 04:17:28 -------- d-sh--w- c:\progra~2\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-11-16 04:16:13 -------- d-----w- f:\program files\YouTube Downloader
2010-11-16 04:12:52 -------- d-----w- f:\program files\VideoLAN
2010-11-16 04:12:04 472808 ----a-w- f:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-16 04:12:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-16 04:11:34 3830204 ----a-r- f:\program files\ComboFix.exe
2010-11-16 04:11:26 -------- d-s---w- C:\ComboFix
2010-11-16 04:11:22 -------- d-----w- f:\program files\WinDirStat
2010-11-16 03:49:19 -------- d-----w- f:\users\justla~1\appdata\local\Cooliris
2010-11-16 03:43:33 -------- d-----w- f:\users\justla~1\appdata\roaming\Dropbox
2010-11-16 03:43:14 -------- d-----w- f:\program files\Defraggler
2010-11-16 03:09:24 -------- d-----w- f:\users\justla~1\appdata\local\Mozilla
2010-11-16 02:58:08 -------- d-----w- f:\program files\Everything
2010-11-16 02:56:17 -------- d-----w- f:\users\justla~1\appdata\roaming\Stardock
2010-11-16 02:56:16 -------- dc-h--w- c:\progra~2\{A3A26C56-02C3-4F76-A033-12EE2FB52AE6}
2010-11-16 02:56:13 -------- d-----w- f:\program files\Stardock
2010-11-16 02:56:02 -------- d-----w- f:\users\justla~1\appdata\local\PackageAware
2010-11-16 02:54:35 -------- d-----w- f:\program files\Folder Size
2010-11-16 02:52:04 -------- d-----w- f:\program files\Droid Explorer
2010-11-16 02:49:38 -------- d-----w- f:\program files\CCleaner
2010-11-16 02:49:00 -------- d-----w- f:\program files\Bulk Rename Utility
2010-11-16 02:41:31 -------- d-----w- f:\program files\Belarc
2010-11-16 02:38:23 -------- d-----w- f:\users\justla~1\appdata\roaming\Teleca
2010-11-16 02:34:28 -------- d-----w- f:\program files\HTC
2010-11-16 02:34:24 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-11-16 02:33:25 -------- d-----w- c:\windows\Downloaded Installations
2010-11-16 02:31:11 -------- d-----w- f:\users\justla~1\appdata\roaming\Intermedia Software
2010-11-16 02:30:25 -------- d-----w- c:\progra~2\Intermedia Software
2010-11-16 02:30:16 82432 ----a-w- c:\windows\system32\msxml4r.dll
2010-11-16 02:30:16 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-11-16 02:30:15 -------- d-----w- f:\program files\Intermedia Software
2010-11-16 02:28:04 -------- d-----w- f:\program files\Glary Utilities
2010-11-16 02:26:04 -------- d-----w- f:\users\justla~1\appdata\roaming\Auslogics
2010-11-16 02:24:26 -------- d-----w- f:\program files\Auslogics
2010-11-16 02:01:14 -------- d-----w- f:\users\justla~1\appdata\roaming\IObit
2010-11-16 02:01:13 -------- d-----w- f:\program files\IObit
2010-11-16 01:54:51 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-11-16 01:54:51 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-11-16 01:54:51 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-11-16 01:46:20 -------- d-----w- c:\progra~2\ALM
2010-11-16 01:41:46 947472 ----a-w- c:\windows\system32\msjava.dll
2010-11-16 00:48:54 54632 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-11-16 00:47:56 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-11-16 00:47:51 -------- d-----w- f:\program files\Microsoft SQL Server Compact Edition
2010-11-16 00:47:41 -------- d-----w- f:\program files\Microsoft
2010-11-16 00:47:21 -------- d-----w- f:\program files\Windows Live SkyDrive
2010-11-16 00:45:04 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-11-16 00:24:54 -------- d-----w- f:\program files\SyncToy 2.1
2010-11-16 00:22:00 -------- d-----w- f:\users\justla~1\appdata\local\Windows Live
2010-11-16 00:21:33 3181568 ----a-w- c:\windows\system32\mf.dll
2010-11-16 00:21:33 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-11-16 00:21:33 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-11-15 20:48:54 -------- d-----w- f:\program files\SuRe Softwares
2010-11-15 20:39:02 -------- d-----w- f:\users\justla~1\appdata\local\Downloaded Installations
2010-11-15 20:37:07 -------- d-----w- f:\users\justla~1\appdata\local\Adobe
2010-11-15 18:50:55 176240 ----a-w- c:\windows\system32\drivers\dlkmd.sys
2010-11-15 18:50:55 13936 ----a-w- c:\windows\system32\drivers\dlkmdldr.sys
2010-11-15 18:49:06 0 ----a-w- c:\windows\system32\dlumd9.dll
2010-11-15 18:49:06 0 ----a-w- c:\windows\system32\dlumd11.dll
2010-11-15 18:49:06 0 ----a-w- c:\windows\system32\dlumd10.dll
2010-11-15 18:45:38 21888 ----a-w- c:\windows\system32\drivers\DisplayLinkUsbPort_5.4.26772.0.sys
2010-11-15 18:45:38 2105344 ----a-w- c:\windows\system32\DisplayLinkUsbCo2_5.4.26772.0.dll
2010-11-15 18:45:28 491520 ----a-w- c:\windows\system\cmau106.dll
2010-11-15 18:45:28 143360 ----a-w- c:\windows\Vmix106.dll
2010-11-15 18:45:27 221184 ----a-w- c:\windows\system\cm106eye.exe
2010-11-15 18:45:21 303104 ----a-w- c:\windows\system32\CmiInstallResAll.dll
2010-11-15 18:28:48 -------- d-----w- c:\windows\system32\appmgmt
2010-11-15 17:55:37 552960 ----a-w- c:\windows\system32\Cmeau106.exe
2010-11-15 17:55:26 319968 ----a-r- c:\windows\difxapi.dll
2010-11-15 17:55:25 65536 ----a-r- c:\windows\VMix.dll
2010-11-15 17:48:43 75776 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2010-11-15 16:18:53 -------- d-----w- c:\windows\PCHEALTH
2010-11-15 16:18:32 -------- d-----w- f:\program files\a01cafb8dbd4ef6f87
2010-11-14 10:19:16 0 ----a-w- c:\windows\ativpsrm.bin
2010-11-14 07:13:33 -------- d-sh--w- c:\windows\Installer
2010-11-14 07:10:03 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-11-14 07:07:27 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-11-14 07:07:27 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-11-14 07:07:27 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-11-14 07:07:27 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-11-14 07:07:27 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-11-14 06:59:36 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-11-14 06:59:26 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2010-11-14 06:59:26 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-11-14 06:56:55 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-11-14 06:52:02 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-11-14 06:52:02 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-11-14 06:52:02 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-11-14 02:09:37 -------- d-----w- c:\windows\Panther
2010-11-14 02:01:42 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4a27fa5c-e1e1-4307-b3ae-912c76405008}\mpengine.dll
2010-11-14 02:01:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-14 01:48:33 -------- d-----w- c:\windows\system32\wbem\Performance
2010-11-14 01:46:21 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-11-14 01:46:21 132608 ----a-w- c:\windows\system32\cabview.dll
2010-11-13 22:27:53 204496 ----a-w- f:\program files\StartUpLite.exe
2010-11-13 22:26:11 4155256 ----a-w- f:\program files\process_explorer.exe
2010-11-13 00:18:17 825640 ----a-w- f:\program files\common files\windows live\.cache\bca0b2061cb651308\oem\packages\default\SearchEnhancementPackSetup.EXE
2010-11-13 00:18:12 469256 ----a-w- f:\program files\common files\windows live\.cache\bca0b2061cb651308\InstallManager_WLE_WLE.exe
2010-11-13 00:17:23 15712 ----a-w- f:\program files\common files\windows live\.cache\b43eed9e1cb651307\MeshBetaRemover.exe
2010-11-13 00:17:22 94040 ----a-w- f:\program files\common files\windows live\.cache\b0c95a291cb651306\DSETUP.dll
2010-11-13 00:17:22 525656 ----a-w- f:\program files\common files\windows live\.cache\b0c95a291cb651306\DXSETUP.exe
2010-11-13 00:17:22 1691480 ----a-w- f:\program files\common files\windows live\.cache\b0c95a291cb651306\dsetup32.dll
2010-11-13 00:17:20 94040 ----a-w- f:\program files\common files\windows live\.cache\aaa868af1cb651305\DSETUP.dll
2010-11-13 00:17:20 525656 ----a-w- f:\program files\common files\windows live\.cache\aaa868af1cb651305\DXSETUP.exe
2010-11-13 00:17:20 1691480 ----a-w- f:\program files\common files\windows live\.cache\aaa868af1cb651305\dsetup32.dll
2010-11-13 00:15:38 193408 ----a-w- f:\program files\common files\microsoft shared\windows live\WLIDSVCM.EXE
2010-11-13 00:14:59 812544 ----a-w- f:\program files\common files\microsoft shared\ink\mshwLatin.dll
2010-11-12 21:08:11 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-10-25 21:48:06 -------- d-----w- f:\program files\common files\PX Storage Engine
2010-10-20 15:14:56 13312 ----a-w- f:\program files\mozilla firefox\plugins\npwachk.dll

==================== Find3M ====================

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll
2010-08-23 18:05:22 315392 ----a-w- c:\windows\system\fltr106.dll
2010-08-21 05:36:33 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-21 05:36:24 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-21 05:33:24 530432 ----a-w- c:\windows\system32\comctl32.dll
2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 06:35:56 703352 ----a-w- f:\program files\autoruns.exe
2007-12-26 13:52:44 660936 ----a-w- f:\program files\ISO BURNER.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: Hitachi_HTS542525K9SA00 rev.BBFOC31P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x847E6446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x847ec504]; MOV EAX, [0x847ec580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E78458] -> \Device\Harddisk0\DR0[0x847C1270]
3 CLASSPNP[0x8739C59E] -> ntkrnlpa!IofCallDriver[0x81E78458] -> [0x83A158E0]
5 ACPI[0x86E3C3B2] -> ntkrnlpa!IofCallDriver[0x81E78458] -> \IdeDeviceP0T0L0-0[0x83A35908]
\Driver\atapi[0x847C5408] -> IRP_MJ_CREATE -> 0x847E6446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS542525K9SA00_________________BBFOC31P#5&1209ffaa&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 22:57:45.42 ===============


#2 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 27 November 2010 - 08:21 AM

Hi,

Sorry for the delay; no shortage of posters. You should not use this computer until it's cleaned up. Power it off so there is no connectivity. If you still need help, post back.

How Can I Reduce My Risk to Malware?




