
This is a test post. Virus making it hard to sign in and post


  • This topic is locked
14 replies to this topic

#1 orbiter9

  • Members
  • 9 posts

Posted 06 December 2010 - 02:54 PM

I have a virus. Whenever I try to access a website that has the virus name on it the virus does not allow the page to load. I've already posted once on this page requesting help. Thankfully someone answered but unfortunately I was unable to reply to the post. Instead I sent a private message describing the problem.

I'm not exactly sure, due to the virus, whether or not he/she actually received the message. Therefore I've taken the initiative to see if I can fix this problem by starting a test thread. If I can access this new thread while signed in I'll inform the tech of the breakthrough (somehow) and maybe we can move my thread to this new one.

#2 orbiter9

  • Topic Starter
  • Members
  • 9 posts

Posted 06 December 2010 - 02:57 PM

reply test

#3 orbiter9

  • Topic Starter
  • Members
  • 9 posts

Posted 06 December 2010 - 03:07 PM

I'm reposting all the required information on my computer in anticipation of moving to a thread that I can post in. Attention moderators: please consult with me or the team member helping me (that would be Noviciate) if this new thread is going to be a problem. Thank you to all parties involved.

DDS (Ver_10-12-05.01) - NTFSx86
Run by Owner at 15:15:08.15 on Sun 12/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.24 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AnVir Task Manager Pro\AnVir.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera 10.10 Beta\opera.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.emachines.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [AnVir Task Manager Pro] "c:\program files\anvir task manager pro\AnVir.exe" Minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Easy Dock]
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1iuj60o3.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-17 25608]
R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2010-12-5 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-12-5 642432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-28 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-10-22 16512]
S3 avg9emc;AVG E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S3 avg9wd;AVG WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-17 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-17 30104]
S3 avgfws9;AVG Firewall;"c:\program files\avg\avg9\avgfws9.exe" --> c:\program files\avg\avg9\avgfws9.exe [?]
S3 AVGIDSAgent;AVG9IDSAgent;"c:\program files\avg\avg9\identity protection\agent\bin\avgidsagent.exe" avgidsagent --> c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [?]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsdriver.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsfilter.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsshim.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-12-5 50704]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-1-6 594048]

=============== Created Last 30 ================

2010-12-05 19:46:41 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-12-05 19:46:38 100880 ----a-w- c:\windows\system32\Packet.dll
2010-12-05 19:46:37 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-12-05 19:46:37 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-12-05 19:46:37 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-12-05 19:46:36 -------- d-----w- c:\program files\NETGEAR
2010-12-05 17:51:40 -------- d-----w- c:\program files\Exterminate It!
2010-12-05 16:14:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-05 15:47:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-05 11:55:43 98816 ----a-w- c:\windows\sed.exe
2010-12-05 11:55:43 89088 ----a-w- c:\windows\MBR.exe
2010-12-05 11:55:43 256512 ----a-w- c:\windows\PEV.exe
2010-12-05 11:55:43 161792 ----a-w- c:\windows\SWREG.exe
2010-12-03 17:50:35 -------- d-----w- c:\program files\Stanza
2010-11-26 03:09:10 -------- d-----w- c:\docume~1\owner\applic~1\You've Got Pictures Screensaver
2010-11-24 04:14:01 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-24 04:13:28 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-11-24 04:12:51 -------- d-----w- c:\docume~1\owner\applic~1\DAEMON Tools Pro
2010-11-24 04:12:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2010-11-22 09:51:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-22 09:51:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-22 09:49:54 -------- d-----w- c:\program files\common files\xing shared

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722580VLAT20 rev.V32OA6MA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81A95555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x81a9b7b0]; MOV EAX, [0x81a9b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81B066F0]
3 CLASSPNP[0xF964DFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000080[0x81AF5F18]
5 ACPI[0xF9544620] -> nt!IofCallDriver[0x804E37D5] -> [0x81B00B58]
\Driver\atapi[0x81B456E0] -> IRP_MJ_CREATE -> 0x81A95555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHDS722580VLAT20_________________________V32OA6MA#5&1c482b02&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x81A9539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:17:36.73 ===============


Here is the ComboFix log.

ComboFix 10-12-04.06 - Owner 12/06/2010 10:35:09.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.91 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ffffff.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))
.

2010-12-06 14:15 . 2010-12-06 14:19 -------- d-----w- c:\documents and settings\Administrator
2010-12-05 23:24 . 2010-12-05 23:24 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-12-05 19:46 . 2009-11-06 13:26 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-12-05 19:46 . 2010-12-05 19:46 -------- d-----w- c:\program files\NETGEAR
2010-12-05 19:46 . 2010-12-05 19:46 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2010-12-05 17:51 . 2010-12-06 14:10 -------- d-----w- c:\program files\Exterminate It!
2010-12-05 16:14 . 2010-12-05 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-05 15:47 . 2010-12-05 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-12-05 15:20 . 2010-12-05 15:20 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-12-03 17:50 . 2010-12-03 17:50 -------- d-----w- c:\program files\Stanza
2010-11-26 03:09 . 2010-11-26 03:09 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2010-11-24 04:14 . 2010-11-24 14:14 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-24 04:13 . 2010-11-24 04:13 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-11-24 04:12 . 2010-11-24 04:21 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2010-11-24 04:12 . 2010-11-24 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2010-11-22 09:51 . 2010-11-22 09:51 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-22 09:49 . 2010-11-22 09:49 -------- d-----w- c:\program files\Common Files\xing shared
2010-11-14 05:37 . 2010-12-04 03:29 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2009-12-17 06:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2009-12-17 06:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-24 14:14 . 2010-11-24 09:14 697328 ----a-w- c:\windows\system32\drivers\sptd.svs
2010-09-18 16:23 . 2004-08-26 16:11 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-26 16:11 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-26 16:11 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-26 16:11 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16 . 2004-08-26 16:12 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2004-08-26 16:12 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49 . 2004-08-26 16:11 369664 ----a-w- c:\windows\system32\html.iec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnVir Task Manager Pro"="c:\program files\AnVir Task Manager Pro\AnVir.exe" [2009-10-14 3103456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Easy Dock"="" [BU]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2010-12-5 4562944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-17 21:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Age of Empires 2\\ac\\Acidmax\\mirc.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\BitTorrent-7.1.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Age of Empires 2\\New Folder (2)\\New Folder\\Age of Empires 2\\age2_x1.exe"=
"c:\\Program Files\\Opera 10.10 Beta\\opera.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [11/17/2009 4:02 PM 25608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2009 2:59 PM 135664]
S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [12/5/2010 2:46 PM 278528]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [10/22/2009 5:14 AM 16512]
S3 avg9emc;AVG E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]
S3 avg9wd;AVG WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [11/17/2009 3:58 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [11/17/2009 3:58 PM 30104]
S3 avgfws9;AVG Firewall;"c:\program files\AVG\AVG9\avgfws9.exe" --> c:\program files\AVG\AVG9\avgfws9.exe [?]
S3 AVGIDSAgent;AVG9IDSAgent;"c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe" AVGIDSAgent --> c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys --> c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [?]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [12/5/2010 2:46 PM 642432]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 4:21 PM 594048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/23/2010 11:14 PM 697328]
.
Contents of the 'Scheduled Tasks' folder

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 19:59]

2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 19:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1iuj60o3.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 10:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722580VLAT20 rev.V32OA6MA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81A96555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x81a9c7b0]; MOV EAX, [0x81a9c82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81AAE4D8]
3 CLASSPNP[0xF964DFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000081[0x81B483C8]
5 ACPI[0xF9544620] -> nt!IofCallDriver[0x804E37D5] -> [0x81B484E0]
\Driver\atapi[0x81A73458] -> IRP_MJ_CREATE -> 0x81A96555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHDS722580VLAT20_________________________V32OA6MA#5&1c482b02&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x81A9639B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2688)
c:\program files\AnVir Task Manager Pro\AnvirHook61.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2010-12-06 11:04:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-06 16:04
ComboFix2.txt 2010-12-05 19:42
ComboFix3.txt 2010-12-05 12:40
ComboFix4.txt 2010-02-04 08:58

Pre-Run: 978,907,136 bytes free
Post-Run: 1,066,631,168 bytes free

- - End Of File - - 00964372C6BB54FEDD1D9833307BE103

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 06 December 2010 - 03:50 PM

Good evening. :)

We'll start with a simple scan and then it's likely we'll have to get creative, so it would be helpful if you had access to a small USB flash drive you could wipe clean and use for a little tool that may prove useful.

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

 

 

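The instructions above ask for the MBAM log and tell the user to leave unchecked any result whose path contains \System Volume Information\ (System Restore snapshot copies, to be dealt with later). The following Python script is an added example, not part of this thread or of Malwarebytes' own tooling: it parses the "Files Infected:" section of a Malwarebytes' Anti-Malware 1.50 log in the format posted later in this thread (path, detection name in parentheses, "->", action), splits the findings into those to remove now and those to defer under that rule, and counts detections by family. The sample log, the helper names (parse_mbam_log, triage, count_by_detection) and the System Volume Information entry with its placeholder restore-point GUID are all constructed for this example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One MBAM 1.50 "Files Infected" entry looks like:
#   <path> (<Detection.Name>) -> <action taken>.
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample log (hypothetical), modelled on the MBAM output posted in this
# thread, with one extra entry under \System Volume Information\ and a placeholder GUID.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\application data\092390.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\application data\55972.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\application data\9136093547.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\security tool.lnk (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe (Malware.Gen) -> No action taken.
"""


@dataclass
class Finding:
    path: str
    name: str
    action: str

    @property
    def in_system_restore(self) -> bool:
        # The rule from the instructions: leave \System Volume Information\ entries
        # unchecked for now; they are System Restore snapshot copies.
        return "\\system volume information\\" in self.path.lower()


def parse_mbam_log(text: str) -> list[Finding]:
    """Return the entries listed under the 'Files Infected:' heading of an MBAM log."""
    findings: list[Finding] = []
    in_files_section = False
    for raw in text.splitlines():
        line = raw.strip()
        # Section headings all end in "Infected:"; only the files section is wanted.
        if line.endswith("Infected:"):
            in_files_section = line == "Files Infected:"
            continue
        if not in_files_section or not line or line.startswith("("):
            continue  # blank line or "(No malicious items detected)"
        match = MBAM_LINE.match(line)
        if match:
            findings.append(Finding(match["path"], match["name"], match["action"]))
    return findings


def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split findings into (remove now, leave unchecked for later)."""
    remove = [f for f in findings if not f.in_system_restore]
    defer = [f for f in findings if f.in_system_restore]
    return remove, defer


def count_by_detection(findings: list[Finding]) -> dict[str, int]:
    """Count findings per detection family, e.g. {'Malware.Gen': 4, ...}."""
    return dict(Counter(f.name for f in findings))


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    now, later = triage(found)
    print(f"{len(found)} findings, {len(now)} to remove, {len(later)} deferred")
    for f in later:
        print("  leave unchecked:", f.path)
    print("by family:", count_by_detection(found))
```

The regex keeps the path as a single field even though it contains spaces and braces, because the detection name is the only parenthesised token on the line; a log written by a different MBAM version would need the pattern checked against its own line format.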

#5 orbiter9

  • Topic Starter
  • Members
  • 9 posts

Posted 06 December 2010 - 07:29 PM

Heya,

I'm glad you made it! I ran Malwarebytes and DDS as requested and I'll post the logs down below. Also, to let you know, I do have a flash drive handy, although it's a crappy one so it only holds 1.8 gigs. Anyways, let me describe what I've noticed wrong with my computer first and then I'll post all the logs below.

Basically as you know I caught what I think is the k--bf--- virus from Facebook. Like an idiot I opened a link from a friend and opened it. Again like an idiot I let a program download itself onto my computer thinking it was a flash update.

Since then I've noticed svchost running abnormally. I usually have Task Manager and a program called AnVir Task Manager Pro running at all times so it wasn't hard to notice. Memory usage now averages somewhere around 60 to 100,00k when it used to run at a fraction of that. The particular instance of svchost I believe is attached to my audio functions because if I kill the process with Task Manager I lose audio.

I've also noticed a few other weird things. My computer runs a lot slower now. Sometimes my customized toolbars change to an old-school grey-looking skin, and new (and what I suspect are) fake virus scan programs pop up at random and try to get me to download programs. My browser was also compromised. I've basically been forced to use the Google cache function to connect to most websites. If I don't, and especially when I use a new tab, I'm redirected to a host of random web sites (mostly porn). Plus I've noticed my wireless adapter is ALWAYS running.

At this point my computer is completely fubar. I would REALLY appreciate anything you could do for it. So anyways that's my sob story. I'll post the malwarebytes log first and then the DDS. Thanks so much and good luck on your search for the problem.

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5257

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/6/2010 7:03:17 PM
mbam-log-2010-12-06 (19-03-17).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 237338
Time elapsed: 1 hour(s), 55 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\application data\092390.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\application data\55972.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\application data\9136093547.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\start menu\Programs\security tool.lnk (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\_ex-08.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

And here is the DDS log.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Owner at 18:56:29.92 on Mon 12/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.58 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\AnVir Task Manager Pro\AnVir.exe
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Opera 10.10 Beta\opera.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.emachines.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [AnVir Task Manager Pro] "c:\program files\anvir task manager pro\AnVir.exe" Minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Easy Dock]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1iuj60o3.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-11-17 25608]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2010-12-6 642432]
R3 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2010-12-6 278528]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-28 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-10-22 16512]
S3 avg9emc;AVG E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S3 avg9wd;AVG WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-11-17 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-11-17 30104]
S3 avgfws9;AVG Firewall;"c:\program files\avg\avg9\avgfws9.exe" --> c:\program files\avg\avg9\avgfws9.exe [?]
S3 AVGIDSAgent;AVG9IDSAgent;"c:\program files\avg\avg9\identity protection\agent\bin\avgidsagent.exe" avgidsagent --> c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [?]
S3 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsdriver.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [?]
S3 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsfilter.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [?]
S3 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsshim.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2010-12-6 50704]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-1-6 594048]
S3 VY;VY;c:\docume~1\owner\locals~1\temp\VY.exe [2010-12-6 375680]

=============== Created Last 30 ================

2010-12-06 18:45:33 898560 ----a-w- c:\docume~1\owner\locals~1\applic~1\9136093547.exe
2010-12-06 18:24:30 900096 ----a-w- c:\docume~1\owner\locals~1\applic~1\55972.exe
2010-12-06 18:16:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2010-12-06 18:16:17 900096 ----a-w- c:\docume~1\owner\locals~1\applic~1\092390.exe
2010-12-06 16:32:48 642432 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-12-06 16:32:40 100880 ----a-w- c:\windows\system32\Packet.dll
2010-12-06 16:32:39 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-12-06 16:32:39 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-12-06 16:32:39 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-12-06 16:32:38 -------- d-----w- c:\program files\NETGEAR
2010-12-05 17:51:40 -------- d-----w- c:\program files\Exterminate It!
2010-12-05 16:14:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-05 15:47:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-05 11:55:43 98816 ----a-w- c:\windows\sed.exe
2010-12-05 11:55:43 89088 ----a-w- c:\windows\MBR.exe
2010-12-05 11:55:43 256512 ----a-w- c:\windows\PEV.exe
2010-12-05 11:55:43 161792 ----a-w- c:\windows\SWREG.exe
2010-12-03 17:50:35 -------- d-----w- c:\program files\Stanza
2010-11-26 03:09:10 -------- d-----w- c:\docume~1\owner\applic~1\You've Got Pictures Screensaver
2010-11-24 04:14:01 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-24 04:13:28 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-11-24 04:12:51 -------- d-----w- c:\docume~1\owner\applic~1\DAEMON Tools Pro
2010-11-24 04:12:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2010-11-22 09:51:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-22 09:51:18 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-22 09:49:54 -------- d-----w- c:\program files\common files\xing shared

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722580VLAT20 rev.V32OA6MA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81AE7555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x81aed7b0]; MOV EAX, [0x81aed82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81AFF4D8]
3 CLASSPNP[0xF964DFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000081[0x81B483C8]
5 ACPI[0xF9544620] -> nt!IofCallDriver[0x804E37D5] -> [0x81B484E0]
\Driver\atapi[0x81AC4498] -> IRP_MJ_CREATE -> 0x81AE7555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHDS722580VLAT20_________________________V32OA6MA#5&1c482b02&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x81AE739B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:58:05.95 ===============


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:27 AM

Posted 07 December 2010 - 02:30 PM

Good evening. :)

The flash drive is plenty big enough for what we want. First we'll gather a little background info and then take some executive action.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.

#7 orbiter9

Posted 07 December 2010 - 03:29 PM

Good evening to you as well. Here are the logs you requested. I'll start with the mbrcheck.exe log and then the one from preformat.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 157):

Processes (total 25):
0 System Idle Process
4 System
528 C:\WINDOWS\system32\smss.exe
576 csrss.exe
600 C:\WINDOWS\system32\winlogon.exe
644 C:\WINDOWS\system32\services.exe
656 C:\WINDOWS\system32\lsass.exe
804 C:\WINDOWS\system32\svchost.exe
860 svchost.exe
912 C:\WINDOWS\system32\svchost.exe
1060 svchost.exe
1152 svchost.exe
1388 C:\WINDOWS\explorer.exe
1496 C:\WINDOWS\system32\spoolsv.exe
1580 svchost.exe
1840 C:\Program Files\Java\jre6\bin\jqs.exe
1920 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
2004 C:\Program Files\AnVir Task Manager Pro\AnVir.exe
188 C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
316 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
2460 alg.exe
2916 C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
2548 C:\WINDOWS\system32\wuauclt.exe
6976 C:\Program Files\Opera 10.10 Beta\opera.exe
3312 C:\Documents and Settings\Owner\My Documents\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`b64bfc00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: HDS722580VLAT20, Rev: V32OA6MA

Size Device Name MBR Status
--------------------------------------------
57 GB \\.\PhysicalDrive0 Gateway MBR code detected
SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD


Done!

And now here is the log from preformat


BIOS Manufacturer: Intel Corp.
Name: BIOS Date: 10/05/04 02:43:50 Ver: 08.00.10
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

#8 Noviciate

Posted 07 December 2010 - 03:45 PM

Can you tell me the make and model of the PC?

So long, and thanks for all the fish.

#9 orbiter9

Posted 07 December 2010 - 03:51 PM

Yes, it's an eMachines T3624.

#10 Noviciate

Posted 07 December 2010 - 06:23 PM

OK, the situation you find yourself in is as follows - your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your infected Master Boot Record with a standard one, which doesn't guarantee to put everything right. Some computer manufacturers use custom MBRs which allow boot access to options such as Factory Restore and this infection will render these unavailable until the custom MBR is written back to the hard drive - an issue which a standard MBR won't solve.

If the custom MBR problem affects you, and your only recovery option is Factory Restore as the PC manufacturer didn't supply you with a Windows Recovery Disc, you will need to contact them and see if they are willing to supply you with this disc. Without it you will be unable to reinstall Windows should the need arise.

The worst-case scenario with overwriting the MBR to clean the infection is that the PC becomes unbootable and you have what is in effect an expensive paperweight, which, although unlikely, needs to be mentioned. While this won't actually physically break anything and you can reinstall the Operating System from a disc, if you have one, the existing installation of Windows will be unusable.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The above contains some cheery information that hasn't proved necessary in any attempt that I've worked on to restore the MBR, but you get it for free anyway - you need to know how bad it could get in theory, at least.

The common sense approach is for you to back up any important files as it never hurts to have copies, and then we'll rewrite the MBR and hopefully that will resolve your issue. Let me know when you've done this, if it's necessary, and also if you have a Windows installation disc, as it might be handy, and we'll take it from there.

So long, and thanks for all the fish.
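
To make concrete what the MBRCheck output in post #7 and the MBR explanation in post #10 describe, here is an added example; it is not code from this thread, from MBRCheck or from NTBR_CD, and the partition layout, the inert boot-code filler, the NTFS sector count and the baseline hash set are constructed assumptions. It parses a 512-byte MBR image, maps the partition entries to the byte offsets MBRCheck printed for D: and C:, hashes the sector the way MBRCheck does, and shows that changing only the boot code changes the hash while the partition table (and so the files) stays intact.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # bytes 0..445 hold the boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a well-formed MBR

# Partition type IDs for the layout assumed here: a FAT32 (LBA) partition first, then NTFS.
PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def encode_entry(bootable, ptype, lba_start, sectors):
    """Pack one 16-byte partition table entry; CHS fields get the usual 'use LBA' filler."""
    chs_filler = b"\xfe\xff\xff"
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, status, chs_filler, ptype, chs_filler, lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR image (not a dump from the thread's machine).

    The table places the FAT32 partition at byte 0x7e00 and the NTFS partition at byte
    0x1b64bfc00, the offsets MBRCheck printed for D: and C:; the boot code is inert filler.
    """
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    boot_code += b"\x90" * (PARTITION_TABLE_OFFSET - len(boot_code))
    ntfs_start = 0x1B64BFC00 // SECTOR_SIZE            # LBA 14,362,110
    table = (
        encode_entry(False, 0x0C, 63, ntfs_start - 63)
        + encode_entry(True, 0x07, ntfs_start, 0x875C404)   # sector count is a constructed value
        + b"\x00" * 32                                  # two unused slots
    )
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the non-empty partition entries with byte offsets; reject malformed images."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly %d bytes" % MBR_SIZE)
    if mbr[-2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * index
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FORMAT, mbr[start:start + 16])
        if ptype == 0:
            continue                                    # empty slot
        partitions.append({
            "bootable": status == 0x80,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,     # what MBRCheck shows as 'at offset'
            "sectors": sectors,
        })
    return partitions


def mbr_sha1(mbr):
    """Upper-case SHA1 of the whole sector, the form MBRCheck prints."""
    return hashlib.sha1(mbr).hexdigest().upper()


def verify_mbr(mbr, baseline_hashes):
    """Compare the sector hash with a set of known-good hashes (the set is an assumption
    here; MBRCheck carries its own list of OEM boot-code hashes)."""
    digest = mbr_sha1(mbr)
    return {"sha1": digest, "known_good": digest in baseline_hashes, "partitions": parse_mbr(mbr)}


def partition_table_unchanged(before, after):
    """True when only the boot-code area differs: the partitions, and the files on them, are
    still where they were, but the code that runs at boot is not what the OEM wrote."""
    return before[PARTITION_TABLE_OFFSET:] == after[PARTITION_TABLE_OFFSET:]


def with_altered_boot_code(mbr):
    """Constructed 'modified' image for the comparison: one byte of the boot code is flipped."""
    altered = bytearray(mbr)
    altered[0x40] ^= 0xFF
    return bytes(altered)
```

Feeding a real first sector into `verify_mbr` needs a hash list you trust; a hash that is merely unknown is a reason to look closer, not proof of infection by itself.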

#11 orbiter9

Posted 07 December 2010 - 07:08 PM

Oh man. Something told me this was a bad infection. Well ok, seeing as though this is just my desktop I'm still open for giving it a shot. I'll take the night to back up everything I can and in the morning I'll look around to see if I can get a Windows disk. I'm not sure how that would work out and I'm not too optimistic about the odds, but if you want to go ahead with the next step that would be fine. Like I said, I'll know by tomorrow and if I can't get a disk I'll proceed with the next step. Thanks again for all the help.

#12 Noviciate

Posted 08 December 2010 - 03:18 PM

Good evening. :)

I should stress that although I haven't dealt with vast numbers of these kinds of infections, they have all gone according to plan.
The warning is more a case of having you informed as I think it's fair to do so rather than a serious case of panicsville - but as I'm sure you're aware, nothing in life is ever 1000%, cast iron, copper-bottomed ... you get the idea!

So long, and thanks for all the fish.

#13 orbiter9

Posted 08 December 2010 - 06:07 PM

Hey, it's me. I spent the night and day looking over my computer to see what I wanted to back up or transfer and I got it all sorted out. I also tried to see if I could order a Windows disk to use on my computer since, as you know, Windows came preloaded on my PC. I struck out there. From what I can tell I'll have to buy a whole new disk if I want to wipe my computer clean. So I guess the ball's back in your court.

If the worst case scenario materializes I figure I'll just go look for a new desktop. I'm not really worried about it because this is something I would have to do eventually anyways. So I guess I'm ready now to proceed to the next step, sorry to hold up the process like this.

#14 Noviciate

Posted 08 December 2010 - 06:12 PM

Please download NTBR_CD.exe by noahdfear from here and save it to your Desktop.

  • Double click the file and all being well a folder of the same name will appear.
  • Open the folder and locate BurnItCD.cmd and give it a double click - be careful as your optical drive may open under the control of the program.
  • Follow the prompts to burn the CD.

  • Now you will need to set the CD-Rom as first boot device if it isn't already - there's a handy pictorial guide here.
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.

  • Insert the newly created CD into your infected PC, if it isn't already, and reboot your computer.
  • Once you have rebooted please hit <ENTER> when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - hit <ENTER> if you want the default English one.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK.
  • On the following screen enter 5 to select Install standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter e to leave MBRWORK, then 6 to leave the Bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.

Let me know how you get on.

So long, and thanks for all the fish.

#15 Noviciate

Posted 13 December 2010 - 03:28 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.