Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vista Home Premium - Browser Redirect Virus


  • This topic is locked This topic is locked
9 replies to this topic

#1 robb01

robb01

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 28 November 2010 - 11:32 AM

I recently got a virus, I think it was when I was trying to update AVG free, but am unsure. At first I got a warning that my firewall had been turned off. I then had a "fake" antispyware screen come up and start running a scan. It said that my computer was infected and wanted me to buy the software. I knew then that it was a virus. I was able to get rid of that by running malwarebytes antimalware. Now it seems that all of my Internet Explorer Google searches redirect. I'm unable to solve this, and have tried several spyware programs, none of which find anything.






DDS (Ver_10-11-27.01) - NTFSx86
Run by Robert at 9:30:37.73 on Sun 11/28/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.960 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
"C:\Windows\System32\svchost.exe"
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
F:\Virus Removal\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [cftmon] c:\windows\system32\fbzps.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Metropolis] rundll32.exe c:\windows\system32\sshnas21.dll,GetHandle
dRun: [U36VRSFLG6] c:\windows\temp\Jwx.exe
dRun: [454D5A46_ 0] c:\windows\temp\hslyg.exe
dRun: [DnE] c:\windows\temp\e.exe
dRun: [NtWqIVLZEWZU] c:\windows\temp\Jw7.exe
dRunOnce: [nNfPd01701] c:\programdata\nnfpd01701\nNfPd01701.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\users\robert\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {B690420A-1193-4763-A8B3-7C19C7B9FEB9} - c:\windows\system32\config\systemprofile\appdata\local\{b690420a-1193-4763-a8b3-7c19c7b9feb9}\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: PDFescape Extension: {2A1D5949-B519-4924-BF62-8522FE0D5274} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{2A1D5949-B519-4924-BF62-8522FE0D5274}
FF - Extension: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Extension: myFireFox: {e213bb8f-8ebd-11db-96b7-005056c00008} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{e213bb8f-8ebd-11db-96b7-005056c00008}
FF - Extension: Abstract Classic: {2fbc1200-ad13-11db-abbd-0800200c9a66} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{2fbc1200-ad13-11db-abbd-0800200c9a66}
FF - Extension: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\9gdxkmwd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox

============= SERVICES / DRIVERS ===============

R?2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-11 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-11 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-11 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-11 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-11 308136]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-6-25 361808]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-3 42528]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-24 193840]

=============== Created Last 30 ================

2010-11-21 17:29:54 -------- d-----w- c:\program files\whitesmoketoolbar
2010-11-19 00:22:01 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-16 02:20:42 -------- d-----w- c:\users\robert\appdata\roaming\SUPERAntiSpyware.com
2010-11-16 02:20:42 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-16 02:20:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-12 01:36:48 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-12 00:55:28 -------- d-----w- c:\progra~2\MFAData
2010-11-12 00:54:52 -------- d-----w- c:\users\robert\appdata\roaming\Malwarebytes
2010-11-12 00:54:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 00:54:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 00:54:43 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-12 00:54:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 23:55:18 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-11-11 23:55:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-10 22:08:06 412160 ----a-w- c:\windows\system32\fbzps.exe
2010-11-10 22:04:10 166 ----a-w- c:\windows\system32\delme.bat
2010-11-10 22:04:09 412160 ----a-w- c:\windows\system32\ptbp.exe
2010-11-10 22:03:48 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-11-10 22:03:48 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-11-10 22:03:48 100880 ----a-w- c:\windows\system32\Packet.dll
2010-11-10 22:01:33 -------- d--h--w- C:\$AVG
2010-11-09 00:50:11 -------- d-----w- c:\program files\uTorrent
2010-11-09 00:49:36 -------- d-----w- c:\users\robert\appdata\roaming\uTorrent

==================== Find3M ====================

2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 17:07:35 834048 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 15:23:27 389632 ----a-w- c:\windows\system32\html.iec
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST9200827AS rev.3.BHA -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T0L0-5

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86869446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8686f504]; MOV EAX, [0x8686f580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E81962] -> \Device\Harddisk0\DR0[0x861CCAC8]
3 CLASSPNP[0x824478B3] -> ntkrnlpa!IofCallDriver[0x81E81962] -> [0x8598B838]
5 acpi[0x806116BC] -> ntkrnlpa!IofCallDriver[0x81E81962] -> [0x859678A0]
\Driver\atapi[0x866DB268] -> IRP_MJ_CREATE -> 0x86869446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP3T0L0-5 -> \??\IDE#DiskST9200827AS_____________________________3.BHA___#5&8eb2ae7&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86869292
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 9:32:11.90 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:12 AM

Posted 28 November 2010 - 01:36 PM

Hello robb01,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.(If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


3.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.


Things to include in your next reply::
Combofix.txt
MBRCheck log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 robb01

robb01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 28 November 2010 - 03:04 PM

Attached are the logs, things seem to be working better now

Attached Files



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:12 AM

Posted 28 November 2010 - 05:09 PM

Hello,

Things look a little better, but we need to check somethings first.

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

2.
Re-Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When program ask you Enter your choice: enter
    [1] Dump the MBR of a physical disk to file.
    and press the Enter key
  • The program will ask for the file name to dump to, type dump.dat and Press Enter. You should see Dumped successfully.
  • Next, type -1 and press Enter. Next press Enter again, and the program will exit.
  • Save it to your desktop then attach the resultant output in your next reply

3.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

File::
c:\windows\system32\drivers\oalecuoi.sys
c:\windows\system32\oalecuoi.sys
c:\windows\system32\ptbp.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\WhiteSmokeTranslator
c:\windows\system32\config\systemprofile\AppData\Local\Vjoxedulo.bin
c:\windows\system32\config\systemprofile\AppData\Roaming\sdtsh.bat

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\oalecuoi]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

Driver::
oalecuoi

Reglockdel::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Things to include in your next reply::
Combofix.txt
MBRCheck Dump log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 robb01

robb01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 28 November 2010 - 05:53 PM

Logs are attached. Everything seems to be working good. Opened IE, did several google searches, and all sent me to the result page with no redirects

Attached Files



#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:12 AM

Posted 28 November 2010 - 07:37 PM

Hello,

There should be another MBR file on your desktop that has a .dat or is named MBRDUMP that file in it please attach that in your next reply.

1.
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Things to include in your next reply:
MBAM log
Eset log
A new DDS log
How i syour machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 robb01

robb01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 28 November 2010 - 10:30 PM

MBRCheck did not have another logged named that. I ran it again, and here is the log that it generated. Also attached are the other logs. Seems to be working good still.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Wistron
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: Compaq Presario CQ50 Notebook PC
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 192):
0x81E16000 \SystemRoot\system32\ntkrnlpa.exe
0x821CF000 \SystemRoot\system32\hal.dll
0x8040C000 \SystemRoot\system32\kdcom.dll
0x80413000 \SystemRoot\system32\PSHED.dll
0x80424000 \SystemRoot\system32\BOOTVID.dll
0x8042C000 \SystemRoot\system32\CLFS.SYS
0x8046D000 \SystemRoot\system32\CI.dll
0x8054D000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805C9000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060E000 \SystemRoot\system32\drivers\acpi.sys
0x80654000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8065D000 \SystemRoot\system32\drivers\msisadrv.sys
0x80665000 \SystemRoot\system32\drivers\pci.sys
0x8068C000 \SystemRoot\system32\drivers\isapnp.sys
0x8069B000 \SystemRoot\system32\drivers\mpio.sys
0x806B7000 \SystemRoot\System32\drivers\partmgr.sys
0x806C6000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x806C9000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x806D3000 \SystemRoot\system32\drivers\volmgr.sys
0x806E2000 \SystemRoot\System32\drivers\volmgrx.sys
0x8072C000 \SystemRoot\system32\drivers\intelide.sys
0x80733000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80741000 \SystemRoot\system32\drivers\pciide.sys
0x80748000 \SystemRoot\system32\drivers\aliide.sys
0x8074F000 \SystemRoot\system32\drivers\amdide.sys
0x80756000 \SystemRoot\system32\drivers\cmdide.sys
0x8075E000 \SystemRoot\System32\drivers\mountmgr.sys
0x8076E000 \SystemRoot\system32\drivers\msdsm.sys
0x80788000 \SystemRoot\system32\drivers\nvraid.sys
0x807A3000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x807C4000 \SystemRoot\system32\drivers\viaide.sys
0x89C0E000 \SystemRoot\system32\drivers\iastorv.sys
0x89CAF000 \SystemRoot\system32\drivers\atapi.sys
0x89CB7000 \SystemRoot\system32\drivers\ataport.SYS
0x89CD5000 \SystemRoot\system32\drivers\lsi_scsi.sys
0x89CEF000 \SystemRoot\system32\drivers\storport.sys
0x89D30000 \SystemRoot\system32\drivers\nvstor.sys
0x89D3D000 \SystemRoot\system32\drivers\hpcisss.sys
0x89D48000 \SystemRoot\system32\drivers\adp94xx.sys
0x89DB2000 \SystemRoot\system32\drivers\adpahci.sys
0x807CC000 \SystemRoot\system32\drivers\adpu160m.sys
0x805D6000 \SystemRoot\system32\drivers\SCSIPORT.SYS
0x89E03000 \SystemRoot\system32\drivers\adpu320.sys
0x89E29000 \SystemRoot\system32\drivers\djsvs.sys
0x89E3D000 \SystemRoot\system32\drivers\arc.sys
0x89E53000 \SystemRoot\system32\drivers\arcsas.sys
0x89E69000 \SystemRoot\system32\drivers\elxstor.sys
0x89EFD000 \SystemRoot\system32\drivers\i2omp.sys
0x89F07000 \SystemRoot\system32\drivers\iirsp.sys
0x89F17000 \SystemRoot\system32\drivers\iteatapi.sys
0x89F23000 \SystemRoot\system32\drivers\iteraid.sys
0x89F2F000 \SystemRoot\system32\drivers\lsi_fc.sys
0x89F49000 \SystemRoot\system32\drivers\lsi_sas.sys
0x89F61000 \SystemRoot\system32\drivers\megasas.sys
0x8A00C000 \SystemRoot\system32\drivers\megasr.sys
0x8A0C3000 \SystemRoot\system32\drivers\mraid35x.sys
0x8A0CE000 \SystemRoot\system32\drivers\msahci.sys
0x8A0D8000 \SystemRoot\system32\drivers\nfrd960.sys
0x8A205000 \SystemRoot\system32\drivers\ql2300.sys
0x8A33D000 \SystemRoot\system32\drivers\ql40xx.sys
0x8A392000 \SystemRoot\system32\drivers\sisraid2.sys
0x8A39F000 \SystemRoot\system32\drivers\sisraid4.sys
0x8A3B4000 \SystemRoot\system32\drivers\symc8xx.sys
0x8A3C0000 \SystemRoot\system32\drivers\sym_hi.sys
0x8A3CB000 \SystemRoot\system32\drivers\sym_u3.sys
0x8A0E6000 \SystemRoot\system32\drivers\uliahci.sys
0x8A3D6000 \SystemRoot\system32\drivers\ulsata.sys
0x8A122000 \SystemRoot\system32\drivers\ulsata2.sys
0x8A14E000 \SystemRoot\system32\drivers\vsmraid.sys
0x8A16F000 \SystemRoot\system32\drivers\fltmgr.sys
0x8A1A1000 \SystemRoot\system32\drivers\fileinfo.sys
0x89F6B000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8A400000 \SystemRoot\system32\drivers\ndis.sys
0x8A50B000 \SystemRoot\system32\drivers\msrpc.sys
0x8A536000 \SystemRoot\system32\drivers\NETIO.SYS
0x8A600000 \SystemRoot\System32\drivers\tcpip.sys
0x8A6EA000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A805000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A915000 \SystemRoot\system32\drivers\wd.sys
0x8A91D000 \SystemRoot\system32\drivers\volsnap.sys
0x8A956000 \SystemRoot\System32\Drivers\spldr.sys
0x8A95E000 \SystemRoot\system32\drivers\sbp2port.sys
0x8A973000 \SystemRoot\System32\Drivers\mup.sys
0x8A982000 \SystemRoot\System32\drivers\ecache.sys
0x8A9A9000 \SystemRoot\system32\drivers\disk.sys
0x8A9BA000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A9E3000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A9EE000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8A705000 \SystemRoot\system32\DRIVERS\processr.sys
0x8A9F7000 \SystemRoot\system32\DRIVERS\HpqRemHid.sys
0x8A714000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8A9F9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8A724000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8A72D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8A800000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x8A740000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8A74B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8A77B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8A77D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8A788000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8A78C000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x8A794000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8A79E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8A7DC000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8A571000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8A1B1000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8E206000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8E405000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8ED5C000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x8ED5E000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8E303000 \SystemRoot\System32\drivers\watchdog.sys
0x8E30F000 \SystemRoot\system32\DRIVERS\athr.sys
0x8A1C9000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8E3F3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x89FDC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8A7EB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8EE09000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8EE2C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8EE3B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8EE4F000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8EE64000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8EE74000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8EE76000 \SystemRoot\system32\DRIVERS\ks.sys
0x8EEA0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8EEAA000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8EEB7000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8EEC0000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8EEF5000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8EF06000 \SystemRoot\system32\drivers\CHDRT32.sys
0x8EF41000 \SystemRoot\system32\drivers\portcls.sys
0x8EF6E000 \SystemRoot\system32\drivers\drmk.sys
0x8EF93000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x8F405000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x8F508000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8F5BD000 \SystemRoot\system32\drivers\modem.sys
0x8F5CA000 \SystemRoot\system32\drivers\nvhda32v.sys
0x8F5D8000 \SystemRoot\system32\drivers\RTSTOR.SYS
0x8F5EB000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8EFD1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8EFDA000 \SystemRoot\System32\Drivers\Null.SYS
0x8EFE1000 \SystemRoot\System32\Drivers\Beep.SYS
0x8EFE8000 \SystemRoot\System32\drivers\vga.sys
0x8F604000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8F625000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8F62D000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8F635000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8F640000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8F64E000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8F657000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8F66D000 \SystemRoot\system32\DRIVERS\smb.sys
0x8F681000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8F6B3000 \SystemRoot\system32\drivers\afd.sys
0x8F6FB000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F711000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F71F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F732000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8F76E000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F778000 \SystemRoot\System32\Drivers\dfsc.sys
0x8F78F000 \SystemRoot\System32\Drivers\fastfat.SYS
0x8F7B7000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8F7C4000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8F7CF000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x96630000 \SystemRoot\System32\win32k.sys
0x8F7D7000 \SystemRoot\System32\drivers\Dxapi.sys
0x8F7E1000 \SystemRoot\system32\DRIVERS\monitor.sys
0x96850000 \SystemRoot\System32\TSDDD.dll
0x96870000 \SystemRoot\System32\cdd.dll
0x8A9C3000 \SystemRoot\system32\drivers\luafv.sys
0x9AE05000 \SystemRoot\system32\drivers\spsys.sys
0x9AEB5000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9AEC5000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9AEEF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9AEF9000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9AF0C000 \SystemRoot\system32\drivers\HTTP.sys
0x9AF79000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9AF96000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9AFAF000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9AFC4000 \SystemRoot\system32\drivers\mrxdav.sys
0xA1003000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA1022000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA105B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA1073000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA109B000 \SystemRoot\System32\DRIVERS\srv.sys
0xA1101000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA1105000 \SystemRoot\system32\drivers\peauth.sys
0xA11E3000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA11ED000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA10E9000 \SystemRoot\system32\DRIVERS\xaudio.sys
0x9AFE5000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x807E7000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xA3A05000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77A50000 \Windows\System32\ntdll.dll

Processes (total 44):
0 System Idle Process
4 System
420 C:\Windows\System32\smss.exe
540 csrss.exe
592 C:\Windows\System32\wininit.exe
604 csrss.exe
636 C:\Windows\System32\services.exe
648 C:\Windows\System32\lsass.exe
656 C:\Windows\System32\lsm.exe
808 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\nvvsvc.exe
880 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1000 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1088 C:\Windows\System32\winlogon.exe
1136 C:\Windows\System32\audiodg.exe
1168 C:\Windows\System32\SLsvc.exe
1216 C:\Windows\System32\svchost.exe
1332 C:\Windows\System32\svchost.exe
1444 C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
1452 C:\Windows\System32\wlanext.exe
1680 C:\Windows\System32\nvvsvc.exe
1984 C:\Windows\System32\dwm.exe
2008 C:\Windows\explorer.exe
324 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
436 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
496 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
448 C:\Windows\System32\spoolsv.exe
428 C:\Windows\System32\taskeng.exe
876 C:\Windows\System32\svchost.exe
752 C:\Windows\System32\taskeng.exe
2420 C:\Windows\System32\svchost.exe
2564 C:\Windows\SMINST\BLService.exe
2612 C:\Windows\System32\svchost.exe
2660 C:\Windows\System32\svchost.exe
2704 C:\Windows\System32\SearchIndexer.exe
2804 C:\Windows\System32\drivers\XAudio.exe
3056 WUDFHost.exe
3288 C:\Windows\System32\mobsync.exe
4084 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
3592 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
1880 F:\Virus Removal\MBRCheck\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`1f400000 (NTFS)

PhysicalDrive0 Model Number: ST9200827AS, Rev: 3.BHA

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): -1

Done!

Attached Files



#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:12 AM

Posted 28 November 2010 - 11:05 PM

Hello, robb01.
Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Posted Image then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    Posted Image

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 robb01

robb01
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 28 November 2010 - 11:24 PM

Everything seems good, can't thank you enough for your help!

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:12 AM

Posted 29 November 2010 - 02:24 AM

Your most Welcome! :busy: :thumbsup:



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team member or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users