Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with (i don't know the name) google search hijacker!?


  • This topic is locked This topic is locked
10 replies to this topic

#1 chandman

chandman

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 06 January 2011 - 01:02 AM

Hello Everyone, It looks like I'm back again with another Virus related problem. sometimes when I do a search on google, when I click on the results I don't end up where I was intending to. If it helps I have a Win Vista home edition, Comodo firewall, AdAware and I use Malwarebytes for viruses. I used to have a live AntiVirus and Firewall in ZoneAlarm but that was slowing the computer down too much so I switched to Comodo. That is aside from the fact that Chrome keeps crashing on me every once in a while. I have followed the instructions and here are the following the you have asked for:

Thanks alot for all your help in advance,

Chandler


DDS (Ver_10-12-12.02) - NTFSx86
Run by Shervin at 23:08:02.81 on Wed 01/05/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_18

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\stacsv.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Windows\system32\UI0Detect.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Shervin\Desktop\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
mStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Updater For ooVoo Toolbar: {442ae524-eba5-4b17-82f3-888d68bc999a} - c:\program files\oovootb\auxi\oovooAu.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - No File
BHO: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: SciFinder Scholar Bar: {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\shervin\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [SONY VGP-UPR1 (Display Adapter)] "c:\program files\displaylink core software\DisplayLinkUI.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - c:\programs\partygaming\partygammon\RunBackGammon.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Notify: VESWinlogon - VESWinlogon.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\extensions\{99e00a4c-d35e-11dd-ba95-9b6a56d89593}\components\dtTransparency.dll
FF - component: c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\extensions\{99e00a4c-d35e-11dd-ba95-9b6a56d89593}\components\dtTransparency3.5.dll
FF - component: c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\extensions\{99e00a4c-d35e-11dd-ba95-9b6a56d89593}\components\dtTransparency3.6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCDP32.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\shervin\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\shervin\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\shervin\appdata\roaming\electronic arts\game face\1.0.0.18\npGameFacePlugin.dll
FF - plugin: c:\users\shervin\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\shervin\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: ooVoo Toolbar: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - %profile%\extensions\{99E00A4C-D35E-11DD-BA95-9B6A56D89593}
FF - Ext: Modify Headers: {b749fc7c-e949-447f-926c-3f4eed6accfe} - %profile%\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============

R? btwl2cap;Bluetooth L2CAP Service
R? SCREAMINGBDRIVER;Screaming Bee Audio
R? USBAV708;Instant VideoMPX
R? VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection
R? VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP)
R? VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP)
R? VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager
R? VcmXmlIfHelper;VAIO Content Metadata XML Interface
R? VUAgent;VUAgent
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
S? DisplayLinkService;DisplayLink Service
S? dlkmd;dlkmd
S? dlkmdldr;dlkmdldr
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? Lavasoft Kernexplorer;Lavasoft helper driver
S? R5U870FLx86;R5U870 UVC Lower Filter
S? R5U870FUx86;R5U870 UVC Upper Filter
S? regi;regi
S? SonyImgF;Sony Image Conversion Filter Driver
S? ti21sony;ti21sony

=============== Created Last 30 ================

2010-12-31 06:06:31 319456 ----a-w- c:\windows\system32\difxapi.dll
2010-12-31 06:06:21 -------- d-----w- C:\Intel
2010-12-31 06:06:20 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-12-31 05:42:12 -------- d-----w- c:\users\shervin\appdata\roaming\DriverCure
2010-12-31 05:41:46 -------- d-----w- c:\progra~2\ParetoLogic
2010-12-31 05:41:45 -------- d-----w- c:\program files\common files\ParetoLogic
2010-12-31 05:41:45 -------- d-----w- c:\progra~2\DriverCure
2010-12-31 05:41:44 -------- d-----w- c:\program files\ParetoLogic
2010-12-18 16:51:22 987136 ----a-w- c:\windows\system32\NCTVideoCoreM.dll
2010-12-18 16:51:22 90112 ----a-w- c:\windows\system32\NCTAudioFormatSettings3.dll
2010-12-18 16:51:22 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2010-12-18 16:51:22 290816 ----a-w- c:\windows\system32\NCTAVIFile.dll
2010-12-18 16:51:22 2469888 ----a-w- c:\windows\system32\NCTAudioCompress3.dll
2010-12-18 16:51:22 2183168 ----a-w- c:\windows\system32\NCTVideoCompress.dll
2010-12-18 16:51:22 196608 ----a-w- c:\windows\system32\NCTWMVFile.dll
2010-12-18 16:51:22 1810432 ----a-w- c:\windows\system32\NCTAudioCompress2.dll
2010-12-18 16:51:22 139264 ----a-w- c:\windows\system32\NCTVideoFile.dll
2010-12-18 16:51:21 -------- d-----w- c:\program files\Free WMV to AVI MPEG Converter
2010-12-18 16:38:36 -------- d-----w- c:\users\shervin\appdata\local\PackageAware
2010-12-15 14:42:34 -------- d-----w- c:\progra~2\MFAData

==================== Find3M ====================

2010-12-31 05:37:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-02 00:47:18 1409 ----a-w- c:\windows\QTFont.for
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: FUJITSU_ rev.0041 -> Harddisk0\DR0 -> \Device\0000006f

device: opened successfully
user: MBR read successfully

Disk trace:
error: Read The device is not ready.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHX2250BT_______________________0041000B#4&295f162b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK

============= FINISH: 23:14:36.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:11 PM

Posted 11 January 2011 - 12:27 AM

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. I realize that you have already posted logs, but because of the time that has passed I'd like a fresh set.

Posted Image Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Posted Image Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    Posted Image
    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


If you have trouble running GEMR:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 chandman

chandman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 11 January 2011 - 01:15 AM

Thank you for your reply, here are the information you requested.

Regards,

Chandler


DDS (Ver_10-12-12.02) - NTFSx86
Run by Shervin at 0:29:19.25 on Tue 01/11/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_18

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\stacsv.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\conime.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shervin\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Shervin\Desktop\Computer Problem\dds.scr
C:\Users\Shervin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mystart.com?pr=oovoo2_2
mStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Updater For ooVoo Toolbar: {442ae524-eba5-4b17-82f3-888d68bc999a} - c:\program files\oovootb\auxi\oovooAu.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - No File
BHO: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: SciFinder Scholar Bar: {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\oovoodx.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\shervin\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [SONY VGP-UPR1 (Display Adapter)] "c:\program files\displaylink core software\DisplayLinkUI.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - c:\programs\partygaming\partygammon\RunBackGammon.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Notify: VESWinlogon - VESWinlogon.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\extensions\{99e00a4c-d35e-11dd-ba95-9b6a56d89593}\components\dtTransparency.dll
FF - component: c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\extensions\{99e00a4c-d35e-11dd-ba95-9b6a56d89593}\components\dtTransparency3.5.dll
FF - component: c:\users\shervin\appdata\roaming\mozilla\firefox\profiles\aj0ga6iv.default\extensions\{99e00a4c-d35e-11dd-ba95-9b6a56d89593}\components\dtTransparency3.6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCDP32.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\shervin\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\shervin\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\shervin\appdata\roaming\electronic arts\game face\1.0.0.18\npGameFacePlugin.dll
FF - plugin: c:\users\shervin\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\shervin\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: ooVoo Toolbar: {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - %profile%\extensions\{99E00A4C-D35E-11DD-BA95-9B6A56D89593}
FF - Ext: Modify Headers: {b749fc7c-e949-447f-926c-3f4eed6accfe} - %profile%\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============

R? btwl2cap;Bluetooth L2CAP Service
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? SCREAMINGBDRIVER;Screaming Bee Audio
R? USBAV708;Instant VideoMPX
R? VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection
R? VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP)
R? VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP)
R? VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager
R? VcmXmlIfHelper;VAIO Content Metadata XML Interface
R? VUAgent;VUAgent
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
S? DisplayLinkService;DisplayLink Service
S? dlkmd;dlkmd
S? dlkmdldr;dlkmdldr
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? R5U870FLx86;R5U870 UVC Lower Filter
S? R5U870FUx86;R5U870 UVC Upper Filter
S? regi;regi
S? SonyImgF;Sony Image Conversion Filter Driver
S? ti21sony;ti21sony

=============== Created Last 30 ================

2010-12-31 06:06:31 319456 ----a-w- c:\windows\system32\difxapi.dll
2010-12-31 06:06:21 -------- d-----w- C:\Intel
2010-12-31 06:06:20 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-12-31 05:42:12 -------- d-----w- c:\users\shervin\appdata\roaming\DriverCure
2010-12-31 05:41:46 -------- d-----w- c:\progra~2\ParetoLogic
2010-12-31 05:41:45 -------- d-----w- c:\program files\common files\ParetoLogic
2010-12-31 05:41:45 -------- d-----w- c:\progra~2\DriverCure
2010-12-31 05:41:44 -------- d-----w- c:\program files\ParetoLogic
2010-12-18 16:51:22 987136 ----a-w- c:\windows\system32\NCTVideoCoreM.dll
2010-12-18 16:51:22 90112 ----a-w- c:\windows\system32\NCTAudioFormatSettings3.dll
2010-12-18 16:51:22 348160 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2010-12-18 16:51:22 290816 ----a-w- c:\windows\system32\NCTAVIFile.dll
2010-12-18 16:51:22 2469888 ----a-w- c:\windows\system32\NCTAudioCompress3.dll
2010-12-18 16:51:22 2183168 ----a-w- c:\windows\system32\NCTVideoCompress.dll
2010-12-18 16:51:22 196608 ----a-w- c:\windows\system32\NCTWMVFile.dll
2010-12-18 16:51:22 1810432 ----a-w- c:\windows\system32\NCTAudioCompress2.dll
2010-12-18 16:51:22 139264 ----a-w- c:\windows\system32\NCTVideoFile.dll
2010-12-18 16:51:21 -------- d-----w- c:\program files\Free WMV to AVI MPEG Converter
2010-12-18 16:38:36 -------- d-----w- c:\users\shervin\appdata\local\PackageAware
2010-12-15 14:42:34 -------- d-----w- c:\progra~2\MFAData

==================== Find3M ====================

2010-12-31 05:37:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-12-02 00:47:18 1409 ----a-w- c:\windows\QTFont.for
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: FUJITSU_ rev.0041 -> Harddisk0\DR0 -> \Device\0000006f

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87574555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8757a7b0]; MOV EAX, [0x8757a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82E7E962] -> \Device\Harddisk0\DR0[0x86ED88D8]
3 CLASSPNP[0x891AD8B3] -> ntkrnlpa!IofCallDriver[0x82E7E962] -> [0x85E39CB8]
5 acpi[0x8349B6BC] -> ntkrnlpa!IofCallDriver[0x82E7E962] -> [0x85DEC028]
\Driver\iaStor[0x8687B3B8] -> IRP_MJ_CREATE -> 0x87574555
error: Read The device is not ready.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHX2250BT_______________________0041000B#4&295f162b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 0:30:40.87 ===============

Attached Files



#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:11 PM

Posted 11 January 2011 - 01:33 AM

Chandler:

Posted Image P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Posted Image Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 chandman

chandman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 11 January 2011 - 02:28 PM

I have deleted the torrent program, but I can't run combofix, it gives me the blue screen BSOD with iastor.sys the culprit. Any ways around it?

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:11 PM

Posted 11 January 2011 - 03:07 PM

Chandler:

Please run this:

Posted Image Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
Please include the following in your next post:
  • TDSSKiller log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 chandman

chandman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 11 January 2011 - 03:40 PM

I ran the software as you asked, there was one object found, I selected 'cure' and restarted it. please find the log attached to this post.

Attached Files



#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:11 PM

Posted 11 January 2011 - 03:43 PM

Chandler:

Posted Image Delete your existing copy of Combofix and download a new one from either of the links below, saving it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 chandman

chandman
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 11 January 2011 - 07:39 PM

Combofix did go to completion. Thank you for your help...I hope that has solved the problem. Please find attached the log generated by the software.

Attached Files

  • Attached File  log.txt   37.56KB   2 downloads


#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:11 PM

Posted 12 January 2011 - 09:23 PM

Chandler:

How is it running now? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • MBAM log
  • ESET log
  • How is the computer running now?

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:11 PM

Posted 17 January 2011 - 10:46 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users