
Trojan.BHO.H infection


  • This topic is locked
30 replies to this topic

#1 katiejo89

  • Members
  • 22 posts

Posted 28 December 2010 - 11:27 AM

Have been infected with the Trojan.BHO.H virus and Malwarebytes can not remove it! Please help! The contents of my DDS log are as follows:

DDS.txt


DDS (Ver_10-12-12.02) - NTFSx86
Run by Erwin at 10:39:07.72 on Tue 12/28/2010
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3060.1555 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Windows\system32\igfxsrvc.exe
C:\PROGRA~1\DAILYB~2\bar\1.bin\2vbarsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATTToolbar\FDServer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Erwin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080902
mStart Page = hxxp://www.yahoo.com/?fr=fp-ushdl
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-ushdl
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\users\erwin\appdata\local\temp\low\COUPON~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\users\erwin\appdata\local\temp\low\CouponsBar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [cdloader] "c:\users\erwin\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: liveops.com\agents
Trusted Zone: liveops.com\callcenter
Trusted Zone: liveops.com\forums
Trusted Zone: liveops.com\irc
Trusted Zone: liveops.com\schedule
Trusted Zone: liveops.com\www
Trusted Zone: motive.com\patttbc.att
Trusted Zone: westathome.net\www
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62133&p=
FF - component: c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\extensions\{771f3037-9885-4423-b50f-a5ede4854e26}\components\Engine.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\dailybibleguide\bar\1.bin\NP2vStub.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\erwin\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\erwin\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\erwin\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: InboxDollars: {771f3037-9885-4423-b50f-a5ede4854e26} - %profile%\extensions\{771f3037-9885-4423-b50f-a5ede4854e26}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: DailyBibleGuide: 2vffxtbr@DailyBibleGuide.com - c:\program files\dailybibleguide\bar\1.bin

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R2 DailyBibleGuideService;DailyBibleGuide Service;c:\progra~1\dailyb~2\bar\1.bin\2vbarsvc.exe [2010-10-19 28766]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-9-9 256000]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]

=============== Created Last 30 ================

2010-12-28 15:18:14 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{93a7fe77-c9d1-4f52-8ef8-4aa74e9b16a6}\mpengine.dll
2010-12-22 19:35:34 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{2dabd816-eec6-4140-abd5-1e563ffad586}\gapaengine.dll
2010-12-22 19:21:50 -------- d-----w- c:\windows\Temp81296996-04BF-5C14-E0DF-3F258864FB17-Signatures
2010-12-22 19:21:29 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2010-12-22 19:20:31 -------- d-----w- c:\program files\Microsoft Security Client
2010-12-22 14:33:23 0 ----a-w- c:\users\erwin\appdata\local\Eteheyuhasajubi.bin
2010-12-22 14:33:22 -------- d-----w- c:\users\erwin\appdata\local\{762B9C2E-7FBF-459A-9327-ACFC12D5647A}
2010-12-22 14:28:26 -------- d-----w- c:\progra~2\eDoCl06501
2010-12-02 20:45:57 -------- d-----w- C:\Food Pictures
2010-11-30 20:34:43 -------- d-----w- c:\program files\Dell Support Center
2010-11-30 20:08:39 -------- d-----w- c:\progra~2\PCDr
2010-11-30 20:08:32 -------- d-----w- c:\users\erwin\appdata\roaming\PCDr

==================== Find3M ====================

2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 15:33:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST3250310AS rev.3.ADA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85E59555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85e5f7b0]; MOV EAX, [0x85e5f82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81844962] -> \Device\Harddisk0\DR0[0x8512E220]
3 CLASSPNP[0x8239D8B3] -> ntkrnlpa!IofCallDriver[0x81844962] -> [0x84F2A918]
5 acpi[0x806A06BC] -> ntkrnlpa!IofCallDriver[0x81844962] -> [0x84582B98]
\Driver\atapi[0x8501E0B8] -> IRP_MJ_CREATE -> 0x85E59555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST3250310AS_____________________________3.ADA___#5&16f139c2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488281248 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 10:39:46.82 ===============
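A few things in the log above are the indicators a responder pulls out first, and they are the kind of checks worth scripting rather than eyeballing: two browser objects (the "TTB000000 Class" BHO and the CouponBar toolbar) load from c:\users\erwin\appdata\local\temp\low, UAC is switched off (EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0), the hosts file points www.spywareinfo.com at 127.0.0.1, and the mbr.exe section reports an address outside every loaded module in the disk I/O path plus an MBR that reads differently from user mode and from the kernel. The Python below is an added example, not part of the post and not DDS, GMER or mbr.exe; it runs those checks over constructed lines copied in the DDS output format from this log. The severity labels, the temp-directory markers and the weak-policy table are my own choices, not anything the tools define.

```python
"""Triage checks for DDS / mbr.exe log lines in the format posted above.

Added example for this thread; it is not DDS, GMER, mbr.exe or any
BleepingComputer tool. SAMPLE_LINES are constructed by copying the
format of the first post's log.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "Pseudo HJT Report" lines: browser helper objects (BHO) and toolbars (TB).
BROWSER_OBJ_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?P<name>.+?): \{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
# ROOTKIT section (mbr.exe by Gmer) lines.
UNKNOWN_MOD_RE = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9A-Fa-f]+)\]<<")
MBR_MISMATCH_RE = re.compile(r"^sectors (?P<sectors>\d+) \(\+(?P<delta>\d+)\): user != kernel$")

# Per-user temp directories are writable without elevation; a BHO or toolbar
# loading from one was dropped there, not installed. (My marker list.)
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# HKLM\...\Policies\System values that DDS prints as mPolicies-system.
# (My severity choices.)
WEAK_POLICIES = {
    ("EnableLUA", 0): ("high", "UAC is switched off entirely"),
    ("ConsentPromptBehaviorAdmin", 0): ("medium", "administrators elevate silently, no prompt"),
}


@dataclass(frozen=True)
class Finding:
    severity: str   # critical / high / medium
    reason: str
    line: str


def check_line(line):
    """Return a Finding for one log line, or None if it raises no flag."""
    line = line.rstrip()
    m = BROWSER_OBJ_RE.match(line)
    if m:
        path = m.group("path").lower()
        if any(marker in path for marker in TEMP_MARKERS):
            return Finding("high", f'{m.group("kind")} "{m.group("name")}" loads from a temp directory', line)
        return None
    m = POLICY_RE.match(line)
    if m:
        hit = WEAK_POLICIES.get((m.group("key"), int(m.group("val"))))
        return Finding(hit[0], hit[1], line) if hit else None
    m = HOSTS_RE.match(line)
    if m and m.group("ip") in ("127.0.0.1", "0.0.0.0") and m.group("host") != "localhost":
        return Finding("medium", f'hosts file sinkholes {m.group("host")} to {m.group("ip")}', line)
    m = UNKNOWN_MOD_RE.search(line)
    if m:
        # mbr.exe names the module for every address in the disk call chain;
        # UNKNOWN means the code lives outside every loaded driver image.
        return Finding("critical", f'code at 0x{m.group("addr")} in the disk I/O path belongs to no loaded module', line)
    m = MBR_MISMATCH_RE.match(line)
    if m:
        gb = int(m.group("sectors")) * 512 / 10**9   # 512-byte sectors
        return Finding("critical",
                       f"MBR differs between user-mode and kernel-mode reads on a {gb:.0f} GB disk: "
                       "something in the disk stack is filtering sector reads", line)
    return None


def triage(lines):
    """Run check_line over every line and keep the hits, in log order."""
    return [f for f in (check_line(l) for l in lines) if f]


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'critical': 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: lines copied in DDS format from the post's log.
SAMPLE_LINES = [
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\users\erwin\appdata\local\temp\low\COUPON~1.DLL",
    r"TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\users\erwin\appdata\local\temp\low\CouponsBar.dll",
    r"mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85E59555]<<",
    r"user != kernel MBR !!!",
    r"sectors 488281248 (+255): user != kernel",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(hits))
```

The user/kernel MBR comparison is the decisive check: a read through the normal user-mode path goes down the same driver stack the hook sits in, so it returns whatever the hook chooses to show, while mbr.exe's own kernel-side read returns what is actually in sector 0. Everything else the script flags is circumstantial; the two "critical" lines are why the tool prints the TDL4 warning and the "mbr.exe -f" suggestion.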


#2 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts

Posted 02 January 2011 - 01:42 PM

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. I realize that you have already posted logs, but because of the time that has passed I'd like a fresh set.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Edited by RPMcMurphy, 02 January 2011 - 01:43 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 katiejo89

  • Topic Starter
  • Members
  • 22 posts

Posted 03 January 2011 - 09:28 AM

Thank you so much for your help!!!


DDS (Ver_10-12-12.02) - NTFSx86
Run by Erwin at 9:22:30.20 on Mon 01/03/2011
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3060.1890 [GMT -5:00]

AV: Avanquest Fix-It *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
AV: Panda Cloud Antivirus *Disabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Disabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Avanquest Fix-It *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\ProgramData\Panda Security Toolbar Antiphishing\panda2_0dn.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\DAILYB~2\bar\1.bin\2vbarsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATTToolbar\FDServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Erwin\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080902
mStart Page = hxxp://www.yahoo.com/?fr=fp-ushdl
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-ushdl
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
uRun: [cdloader] "c:\users\erwin\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security Toolbar Antiphishing] "c:\programdata\panda security toolbar antiphishing\panda2_0dn.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\f1u201~1.lnk - c:\program files\belkin\f1u201.401\usbshare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: liveops.com\agents
Trusted Zone: liveops.com\callcenter
Trusted Zone: liveops.com\forums
Trusted Zone: liveops.com\irc
Trusted Zone: liveops.com\schedule
Trusted Zone: liveops.com\www
Trusted Zone: motive.com\patttbc.att
Trusted Zone: westathome.net\www
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - component: c:\program files\panda security\panda id protect\firefox\components\FFKeypad.dll
FF - component: c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\extensions\{771f3037-9885-4423-b50f-a5ede4854e26}\components\Engine.dll
FF - component: c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency.dll
FF - component: c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency3.5.dll
FF - component: c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\extensions\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}\components\dtTransparency3.6.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\dailybibleguide\bar\1.bin\NP2vStub.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\erwin\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\erwin\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\erwin\appdata\roaming\mozilla\firefox\profiles\7m7azah6.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\erwin\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: InboxDollars: {771f3037-9885-4423-b50f-a5ede4854e26} - %profile%\extensions\{771f3037-9885-4423-b50f-a5ede4854e26}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - %profile%\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
FF - Ext: DailyBibleGuide: 2vffxtbr@DailyBibleGuide.com - c:\program files\dailybibleguide\bar\1.bin
FF - Ext: Panda Identity Protect: widgetruntime@surfsecret.com - c:\program files\panda security\panda id protect\Firefox

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-6-17 126024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-12-31 18816]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2010-12-31 203056]
R2 DailyBibleGuideService;DailyBibleGuide Service;c:\progra~1\dailyb~2\bar\1.bin\2vbarsvc.exe [2010-10-19 28766]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-8-9 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-7-21 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-7-21 112712]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-8-10 69936]
S2 AvanquestWindowsMonitorService;AvanquestWindowsMonitorService;c:\program files\avanquest\fix-it\AVQWinMonEngine.exe [2010-8-20 328704]
S2 SBAMSvc;Fix-It;c:\program files\common files\antivirus\SBAMSvc.exe [2010-2-22 1012080]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-9-9 256000]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]

=============== Created Last 30 ================

2011-01-02 15:52:36 -------- d-----w- c:\windows\pss
2011-01-01 17:29:27 428352 ----a-w- c:\windows\system32\StubInstaller.exe
2011-01-01 04:49:38 -------- d-----w- c:\users\erwin\appdata\roaming\SurfSecret Privacy Suite
2011-01-01 04:48:34 -------- d-----w- c:\users\erwin\appdata\local\panda2_0dn
2011-01-01 04:48:32 -------- d-----w- c:\progra~2\Panda Security Toolbar Antiphishing
2011-01-01 04:46:43 -------- d-----w- c:\users\erwin\appdata\roaming\Panda Security
2011-01-01 04:45:30 -------- d-----w- c:\program files\Panda Security
2011-01-01 04:45:30 -------- d-----w- c:\progra~2\Panda Security
2011-01-01 04:41:56 428352 ----a-w- c:\program files\mozilla firefox\StubInstaller.exe
2010-12-31 17:53:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-31 17:07:57 -------- d-----w- c:\program files\Sophos
2010-12-31 17:01:06 -------- d-----w- c:\users\erwin\appdata\roaming\SUPERAntiSpyware.com
2010-12-31 17:01:06 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-12-31 17:01:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-31 14:51:10 203056 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-12-31 14:50:08 35008 ----a-w- c:\windows\system32\mxntdfg.exe
2010-12-31 14:50:08 20512 ----a-w- c:\windows\system32\drivers\mxRCycle.sys
2010-12-31 14:47:56 -------- d-sh--r- C:\_Backup.RC
2010-12-31 14:47:51 -------- d--h--w- C:\_Backup
2010-12-31 14:46:24 -------- d-----w- c:\users\erwin\appdata\roaming\Avanquest
2010-12-31 14:46:24 -------- d-----w- c:\progra~2\Avanquest
2010-12-31 14:46:15 -------- d-----w- c:\program files\common files\AntiVirus
2010-12-31 14:45:10 -------- d-----w- c:\program files\Avanquest
2010-12-31 14:31:07 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2010-12-30 19:03:22 -------- d-----w- c:\users\erwin\appdata\local\Threat Expert
2010-12-30 16:32:06 5283152 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{22ea21fc-292b-4400-a183-71a2bcb11c44}\mpengine.dll
2010-12-30 16:17:12 -------- d-----w- c:\progra~2\PC Tools
2010-12-30 15:55:36 -------- d-s---w- C:\ComboFix
2010-12-22 19:21:50 -------- d-----w- c:\windows\Temp81296996-04BF-5C14-E0DF-3F258864FB17-Signatures
2010-12-22 19:21:29 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2010-12-22 14:33:23 0 ----a-w- c:\users\erwin\appdata\local\Eteheyuhasajubi.bin
2010-12-22 14:33:22 -------- d-----w- c:\users\erwin\appdata\local\{762B9C2E-7FBF-459A-9327-ACFC12D5647A}
2010-12-22 14:28:26 -------- d-----w- c:\progra~2\eDoCl06501

==================== Find3M ====================

2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 15:33:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST3250310AS rev.3.ADA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85E01555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85e077b0]; MOV EAX, [0x85e0782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8188F962] -> \Device\Harddisk0\DR0[0x85126600]
3 CLASSPNP[0x823AA8B3] -> ntkrnlpa!IofCallDriver[0x8188F962] -> [0x84F08918]
5 acpi[0x8069A6BC] -> ntkrnlpa!IofCallDriver[0x8188F962] -> [0x8413C8A0]
\Driver\atapi[0x84FEF340] -> IRP_MJ_CREATE -> 0x85E01555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST3250310AS_____________________________3.ADA___#5&16f139c2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488281248 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 9:23:28.07 ===============


#4 katiejo89
  • Topic Starter

Posted 03 January 2011 - 10:03 AM

I just realized that I missed the "show all" check box...you know...the one that you specifically said NOT to miss! I am removing all of the information and will re-post the correct log. Sooooo Sorry!

Edited by katiejo89, 03 January 2011 - 10:42 AM.


#5 katiejo89
  • Topic Starter

Posted 03 January 2011 - 10:10 AM

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-03 10:55:37
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3250310AS rev.3.ADA
Running: 2fslov87.exe; Driver: C:\Users\Erwin\AppData\Local\Temp\pglcapod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8E075620]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 818F7D84 4 Bytes [20, 56, 07, 8E]
PAGE spsys.sys!?SPVersion@@3PADA + 1ABF 80C7503F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 80C750AF 1 Byte [16]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 80C750AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 80C75130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 80C75137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE ...
? C:\Users\Erwin\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!SetWindowsHookExW 771A87AD 5 Bytes JMP 713E9AE9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!CallNextHookEx 771A8E3B 5 Bytes JMP 713DD145 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!UnhookWindowsHookEx 771A98DB 5 Bytes JMP 71354696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!CreateWindowExW 771B1305 5 Bytes JMP 713EDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!DialogBoxParamW 771D10B0 5 Bytes JMP 71315501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!DialogBoxIndirectParamW 771D2EF5 5 Bytes JMP 714E4FEF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!DialogBoxParamA 771E8152 5 Bytes JMP 714E4F8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!DialogBoxIndirectParamA 771E847D 5 Bytes JMP 714E5052 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!MessageBoxIndirectA 771FD4D9 5 Bytes JMP 714E4F21 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!MessageBoxIndirectW 771FD5D3 5 Bytes JMP 714E4EB6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!MessageBoxExA 771FD639 5 Bytes JMP 714E4E54 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!MessageBoxExW 771FD65D 5 Bytes JMP 714E4DF2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] ole32.dll!OleLoadFromStream 77381E80 5 Bytes JMP 714E5370 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] ole32.dll!CoCreateInstance 773B9F3E 5 Bytes JMP 713EDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!recv 77B3343A 6 Bytes JMP 711C0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!WSASend 77B34496 6 Bytes JMP 71190F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!WSALookupServiceNextW 77B3455D 6 Bytes JMP 71250F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!WSALookupServiceBeginW 77B34E93 6 Bytes JMP 712B0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!WSALookupServiceEnd 77B35564 6 Bytes JMP 71220F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!send 77B3659B 6 Bytes JMP 711F0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!WSAGetOverlappedResult 77B38143 6 Bytes JMP 71130F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[264] WS2_32.dll!WSARecv 77B38400 6 Bytes JMP 71160F5A
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtProtectVirtualMemory 77C14D34 5 Bytes JMP 0082000A
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtWriteVirtualMemory 77C15674 5 Bytes JMP 0084000A
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!KiUserExceptionDispatcher 77C15DC8 5 Bytes JMP 0081000A
.text C:\Windows\system32\svchost.exe[1304] ole32.dll!CoCreateInstance 773B9F3E 5 Bytes JMP 008B000A
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!GetCursorPos 771C0B88 5 Bytes JMP 0136000A
.text C:\Windows\Explorer.EXE[2044] ntdll.dll!NtProtectVirtualMemory 77C14D34 5 Bytes JMP 0180000A
.text C:\Windows\Explorer.EXE[2044] ntdll.dll!NtWriteVirtualMemory 77C15674 5 Bytes JMP 0181000A
.text C:\Windows\Explorer.EXE[2044] ntdll.dll!KiUserExceptionDispatcher 77C15DC8 5 Bytes JMP 017F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] ntdll.dll!NtProtectVirtualMemory 77C14D34 5 Bytes JMP 0038000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] ntdll.dll!NtWriteVirtualMemory 77C15674 5 Bytes JMP 0039000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] ntdll.dll!KiUserExceptionDispatcher 77C15DC8 5 Bytes JMP 0037000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!CreateWindowExW 771B1305 5 Bytes JMP 713EDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!DialogBoxParamW 771D10B0 5 Bytes JMP 71315501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!DialogBoxIndirectParamW 771D2EF5 5 Bytes JMP 714E4FEF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!DialogBoxParamA 771E8152 5 Bytes JMP 714E4F8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!DialogBoxIndirectParamA 771E847D 5 Bytes JMP 714E5052 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!MessageBoxIndirectA 771FD4D9 5 Bytes JMP 714E4F21 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!MessageBoxIndirectW 771FD5D3 5 Bytes JMP 714E4EB6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!MessageBoxExA 771FD639 5 Bytes JMP 714E4E54 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3000] USER32.dll!MessageBoxExW 771FD65D 5 Bytes JMP 714E4DF2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] ntdll.dll!NtProtectVirtualMemory 77C14D34 5 Bytes JMP 0176000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] ntdll.dll!NtWriteVirtualMemory 77C15674 5 Bytes JMP 0177000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] ntdll.dll!KiUserExceptionDispatcher 77C15DC8 5 Bytes JMP 0175000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!SetWindowsHookExW 771A87AD 5 Bytes JMP 713E9AE9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!CallNextHookEx 771A8E3B 5 Bytes JMP 713DD145 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!UnhookWindowsHookEx 771A98DB 5 Bytes JMP 71354696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!CreateWindowExW 771B1305 5 Bytes JMP 713EDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxParamW 771D10B0 5 Bytes JMP 71315501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxIndirectParamW 771D2EF5 5 Bytes JMP 714E4FEF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxParamA 771E8152 5 Bytes JMP 714E4F8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxIndirectParamA 771E847D 5 Bytes JMP 714E5052 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxIndirectA 771FD4D9 5 Bytes JMP 714E4F21 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxIndirectW 771FD5D3 5 Bytes JMP 714E4EB6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxExA 771FD639 5 Bytes JMP 714E4E54 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxExW 771FD65D 5 Bytes JMP 714E4DF2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] ole32.dll!OleLoadFromStream 77381E80 5 Bytes JMP 714E5370 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] ole32.dll!CoCreateInstance 773B9F3E 5 Bytes JMP 713EDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!SetWindowsHookExW 771A87AD 5 Bytes JMP 713E9AE9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!CallNextHookEx 771A8E3B 5 Bytes JMP 713DD145 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!UnhookWindowsHookEx 771A98DB 5 Bytes JMP 71354696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!CreateWindowExW 771B1305 5 Bytes JMP 713EDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!DialogBoxParamW 771D10B0 5 Bytes JMP 71315501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!DialogBoxIndirectParamW 771D2EF5 5 Bytes JMP 714E4FEF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!DialogBoxParamA 771E8152 5 Bytes JMP 714E4F8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!DialogBoxIndirectParamA 771E847D 5 Bytes JMP 714E5052 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!MessageBoxIndirectA 771FD4D9 5 Bytes JMP 714E4F21 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!MessageBoxIndirectW 771FD5D3 5 Bytes JMP 714E4EB6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!MessageBoxExA 771FD639 5 Bytes JMP 714E4E54 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] USER32.dll!MessageBoxExW 771FD65D 5 Bytes JMP 714E4DF2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] ole32.dll!OleLoadFromStream 77381E80 5 Bytes JMP 714E5370 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5688] ole32.dll!CoCreateInstance 773B9F3E 5 Bytes JMP 713EDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\tdx \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\tdx \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST3250310AS_____________________________3.ADA___#5&16f139c2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488280994 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Edited by katiejo89, 03 January 2011 - 10:57 AM.
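The MBR detector output in the DDS log above and this full GMER scan both turn on the same indicators: the MBR reads differently from user mode and from kernel mode, sectors are flagged as rootkit-like, and some inline hooks jump to addresses GMER cannot attribute to a module. The following Python triage script is an added example, not from the thread and not part of GMER; it matches the line formats shown in the two logs and runs against a constructed sample in that format.

```python
"""Triage of GMER rootkit-scan output (added example; not part of the thread
or of GMER): MBR user/kernel mismatch, rootkit-like sectors, unattributed hooks."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the line formats that appear in the thread.
SAMPLE_LOG = r"""
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 488281248 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
.text C:\Program Files\Internet Explorer\iexplore.exe[264] USER32.dll!SetWindowsHookExW 771A87AD 5 Bytes JMP 713E9AE9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtWriteVirtualMemory 77C15674 5 Bytes JMP 0084000A
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488280994 (+255): rootkit-like behavior;
"""

# Inline hook line; the trailing module/vendor part is present only when GMER
# could attribute the JMP target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<sym>\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-F]+)(?:\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# "Disk <dev> sector 00 (MBR): ..." and "Disk <dev> sectors N (+count): ..."
SECTOR_RE = re.compile(
    r"^Disk (?P<dev>\S+) sectors? (?P<start>\d+)(?: \(\+(?P<count>\d+)\))?"
    r"(?: \(MBR\))?: rootkit-like behavior"
)
# The MBR detector's own "sectors N (+count): user != kernel" line.
MBR_SECTOR_RE = re.compile(r"^sectors (?P<start>\d+) \(\+(?P<count>\d+)\): user != kernel")


@dataclass
class Triage:
    mbr_mismatch: bool = False   # user-mode and kernel-mode MBR reads differ
    tdl4_warning: bool = False   # the detector named TDL4 explicitly
    suspicious_sectors: list = field(default_factory=list)  # (first_sector, count)
    unattributed_hooks: list = field(default_factory=list)  # (process, symbol, target)
    attributed_hooks: list = field(default_factory=list)    # (process, symbol, module, vendor)

    @property
    def likely_mbr_rootkit(self) -> bool:
        # Any one of these is enough to treat sector 0 as compromised.
        return (self.mbr_mismatch or self.tdl4_warning
                or any(start == 0 for start, _ in self.suspicious_sectors))


def triage_gmer_log(text: str) -> Triage:
    """Walk the log line by line and collect the indicators above."""
    t = Triage()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("user != kernel MBR"):
            t.mbr_mismatch = True
        elif "TDL4 rootkit infection" in line:
            t.tdl4_warning = True
        elif (m := MBR_SECTOR_RE.match(line)) or (m := SECTOR_RE.match(line)):
            count = int(m.group("count")) if m.group("count") else 1
            t.suspicious_sectors.append((int(m.group("start")), count))
        elif m := HOOK_RE.match(line):
            if m.group("module"):
                t.attributed_hooks.append((m.group("proc"), m.group("sym"), m.group("module"), m.group("vendor")))
            else:
                # A JMP to an address with no module behind it is either injected
                # code or a security product's own hook: review it, don't assume.
                t.unattributed_hooks.append((m.group("proc"), m.group("sym"), m.group("target")))
    return t
```

Hooks into a named, vendor-attributed module (the IEFRAME.dll entries above) are listed separately so that only the unattributed ones, plus the MBR and sector findings, need a human look.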


#6 katiejo89
  • Topic Starter

Posted 03 January 2011 - 10:17 AM

**disregard**

Edited by katiejo89, 03 January 2011 - 10:58 AM.


#7 katiejo89
  • Topic Starter

Posted 03 January 2011 - 10:24 AM

**disregard**

Edited by katiejo89, 03 January 2011 - 10:58 AM.


#8 katiejo89
  • Topic Starter

Posted 03 January 2011 - 10:32 AM

**disregard**

Edited by katiejo89, 03 January 2011 - 10:58 AM.


#9 RPMcMurphy
  • Malware Response Team

Posted 03 January 2011 - 10:24 PM

katiejo89:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#10 katiejo89
  • Topic Starter

Posted 04 January 2011 - 04:18 PM

I have tried to run the Combofix several times and each time I get a blue screen error. (0x0000000008E) *AAAARRRRRRGGGGGGGG!!!!!!* :wacko:

#11 RPMcMurphy
  • Malware Response Team

Posted 04 January 2011 - 04:34 PM

katiejo89:

Let's do this then:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If malicious objects are found, then ensure Cure is selected. Important - If there is no option to "Cure", it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named, for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
Please include the following in your next post:
  • TDSSKiller log



#12 katiejo89
  • Topic Starter

Posted 04 January 2011 - 06:04 PM

Here is the TDSSKiller log. I ran it in Safe Mode...I hope that is ok.


#13 RPMcMurphy
  • Malware Response Team

Posted 05 January 2011 - 01:36 AM

Hi,

Did you run it in the Safe Mode because it wouldn't run in the Normal Mode?



#14 katiejo89
  • Topic Starter

Posted 05 January 2011 - 01:29 PM

No, I had been in safe mode trying to get the first one to run w/ out giving me a blue screen and just automatically hit safe mode when I rebooted the computer. I didn't realize where I was until after I had already run it. Do you need me to run again in normal mode?

Sorry...I am a dork about these things sometimes! :o)

#15 RPMcMurphy
  • Malware Response Team

Posted 05 January 2011 - 01:35 PM

That's OK - I just wanted to be sure I understood what happened. Please run TDSSKiller from the normal mode and make sure "Cure" is selected when it detects that rootkit (refer to my earlier instructions if you need to). Post the new log for me when you're done.
