Malware "download registry defender"


  • This topic is locked
22 replies to this topic

#1 phildcat

  • Members
  • 12 posts

Posted 28 January 2011 - 07:26 PM

This one has me stumped. The main problem seems to be "download registry defender". It seems to be gone for a while but then returns with popups and then hijacks when I Google and goes to sites I never heard of.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 18:07:31.73 on Fri 01/28/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1406.90 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\PCPitstop\PC MaticRT\PCMaticRT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\PCPitstop\PC MaticRT\PCPitstopRTService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WAG49S8B\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [PC MaticRT] c:\program files\pcpitstop\pc maticrt\PCMaticRT.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {21F08995-D303-425C-A00A-AC7846594211} - hxxps://www22.verizon.com/ForYourHome/VZRepair/vziha/ActiveX/VzInHomeAgentActiveX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\SymDS.sys [2011-1-13 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\SymEFA.sys [2011-1-13 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-19 691248]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-1-9 21464]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\Ironx86.sys [2011-1-13 136312]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccSvcHst.exe [2011-1-13 130000]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\pcpitstop\pc maticrt\PCPitstopRTService.exe [2011-1-18 228352]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-1-9 69976]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-13 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110127.001\IDSXpx86.sys [2011-1-27 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110128.004\NAVENG.SYS [2011-1-28 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110128.004\NAVEX15.SYS [2011-1-28 1360760]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2010-12-26 31872]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-1-22 11520]
S3 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2010-10-13 98304]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-1-9 90864]
S3 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-3-5 540184]

=============== Created Last 30 ================

2011-01-28 20:23:10 -------- d-----w- c:\windows\pss
2011-01-28 14:07:35 -------- d-----w- c:\program files\Exterminate It!
2011-01-23 19:10:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2011-01-23 19:09:14 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Western_Digital
2011-01-23 19:07:43 -------- d-----w- c:\docume~1\admini~1\applic~1\Western Digital
2011-01-23 19:07:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2011-01-23 19:06:47 -------- d-----w- c:\program files\Western Digital
2011-01-23 19:06:11 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Western Digital
2011-01-23 19:00:55 -------- d-----w- c:\docume~1\admini~1\applic~1\FreeFileViewer
2011-01-23 18:56:20 -------- d-----w- c:\program files\FreeFileViewer
2011-01-22 18:22:30 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2011-01-22 15:45:45 -------- d-----w- c:\windows\system32\NtmsData
2011-01-17 16:38:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-17 16:38:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-16 22:44:11 -------- d-----w- c:\program files\common files\Motive
2011-01-14 20:49:46 -------- d-----w- c:\windows\system32\appmgmt
2011-01-14 17:41:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-14 15:59:35 -------- d-----w- c:\docume~1\admini~1\applic~1\FixCleaner
2011-01-14 15:58:37 -------- d-----w- c:\program files\FixCleaner
2011-01-14 03:50:42 -------- d-----w- c:\program files\NortonInstaller
2011-01-14 03:20:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-14 03:20:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-13 17:48:47 -------- d-----w- C:\033dc24f14b8370baac46d2c
2011-01-09 14:28:39 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2011-01-09 14:23:26 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-01-09 14:23:25 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-01-09 14:04:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCPitstopDat
2011-01-09 14:02:02 -------- d-----w- c:\program files\PCPitstop
2010-12-31 22:06:14 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-12-31 22:06:13 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2011-01-14 17:41:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-14 03:51:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721680PLA380 rev.P21OABHA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A24C555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2527b0]; MOV EAX, [0x8a25282c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\Harddisk0\DR0[0x8A329AB8]
3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\00000066[0x8A331F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE136] -> [0x8A32FD98]
\Driver\atapi[0x8A2D29C0] -> IRP_MJ_CREATE -> 0x8A24C555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721680PLA380_________________P21OABHA#5&297fe631&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A24C39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-28 19:17:38
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HDS721680PLA380 rev.P21OABHA
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdypow.sys


---- System - GMER 1.0.15 ----

SSDT 89C08458 ZwAlertResumeThread
SSDT 89C08538 ZwAlertThread
SSDT 89C11AD0 ZwAllocateVirtualMemory
SSDT 89C0CD78 ZwAssignProcessToJobObject
SSDT 89CF6818 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB1301720]
SSDT 89C31E20 ZwCreateMutant
SSDT 89C0CB98 ZwCreateSymbolicLinkObject
SSDT 89C118B0 ZwCreateThread
SSDT 89C0CE38 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB13019A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB1301F00]
SSDT 89C11C68 ZwDuplicateObject
SSDT 89C096B0 ZwFreeVirtualMemory
SSDT 89C31F10 ZwImpersonateAnonymousToken
SSDT 89C31FD0 ZwImpersonateThread
SSDT 8A0CD050 ZwLoadDriver
SSDT 89C34E50 ZwMapViewOfSection
SSDT 89C31D40 ZwOpenEvent
SSDT 89BDD990 ZwOpenProcess
SSDT 89AFC198 ZwOpenProcessToken
SSDT 89C31B80 ZwOpenSection
SSDT 89C11D58 ZwOpenThread
SSDT 89C0CC88 ZwProtectVirtualMemory
SSDT 89C08618 ZwResumeThread
SSDT 89C09358 ZwSetContextThread
SSDT 89C09438 ZwSetInformationProcess
SSDT 89C31A38 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB1302150]
SSDT 89C31C60 ZwSuspendProcess
SSDT 89C086F8 ZwSuspendThread
SSDT 89C51128 ZwTerminateProcess
SSDT 89C087D8 ZwTerminateThread
SSDT 89C09528 ZwUnmapViewOfSection
SSDT 89C097A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\svchost.exe[2604] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[2604] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[2604] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[2604] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008F000C
.text C:\WINDOWS\system32\svchost.exe[2604] USER32.dll!GetCursorPos 7E41BD5E 5 Bytes JMP 0086000A
.text C:\WINDOWS\system32\svchost.exe[2604] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00C6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxIndirectParamW 7E432062 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxIndirectA 7E43A06A 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxParamA 7E43B12C 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxExW 7E450750 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxExA 7E450774 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxIndirectParamA 7E456CD0 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!MessageBoxIndirectW 7E466425 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] ole32.dll!OleLoadFromStream 7753031B 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A24C39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A24C39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A24C39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A24C39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A24C39B

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721680PLA380_________________P21OABHA#5&297fe631&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


============= FINISH: 18:12:10.50 ===============
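The GMER output above mixes three very different kinds of findings: hooks GMER could attribute to a named module (the SYMEVENT.SYS and SYMTDI.SYS entries carry a path and a version-info owner in parentheses, which is what a security product's own driver looks like), hooks that resolve only to a bare address with no owning module (the SSDT entries such as `89C08458`, the `JMP 00BC000A` inline patches, and the `\Driver\atapi` DriverStartIo entries), and the disk sectors GMER marks "rootkit-like behavior". The atapi DriverStartIo hook pointing into unattributed kernel memory is the one that matters most here: TDL3 installs exactly that hook to filter disk I/O, which is why the MBR-detector section also reports `\Driver\atapi[...] -> IRP_MJ_CREATE -> 0x8A24C555` and warns of a possible TDL3 infection. The following triage script is an added example written for this thread; it is not part of GMER, DDS or any post above. It parses GMER's plain-text format and sorts findings by attribution. The severity labels, regexes and grouping are this example's own choices, and the sample input is a handful of lines copied from the posted log so it runs offline.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not GMER's code)."""
import re
from collections import Counter

# Constructed sample input: lines copied from the GMER log posted above so the
# example runs offline. A real run would read the saved gmer.txt instead.
SAMPLE_LOG = r"""
SSDT 89C08458 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB1301720]
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4064] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A24C39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A24C39B
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
"""

HEX = r"[0-9A-Fa-f]{8}"
# Line shapes as GMER 1.0.15 prints them (regexes are this example's own).
SSDT_RE = re.compile(rf"^SSDT\s+(?P<target>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x{HEX}\])?$")
USER_RE = re.compile(
    rf"^\.text\s+(?P<proc>.+?)\s+(?P<api>[\w.]+!\w+(?: \+ \d+)?)\s+{HEX}\s+\d+ Bytes?\s+(?P<detail>.*)$")
DEVICE_RE = re.compile(rf"^Device\s+(?P<drv>\\Driver\\\w+)\s+->\s+(?P<entry>\w+)\s+(?P<dev>\S+)\s+(?P<addr>{HEX})$")
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<sec>\d+):\s+rootkit-like behavior;")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<drv>\S+)\s+(?P<dev>\S+)\s+(?P<mod>\S+)\s*(?P<owner>\(.*\))?$")


def is_bare_address(target: str) -> bool:
    """True when GMER could not attribute the hook target to any module."""
    return re.fullmatch(HEX, target.strip()) is not None


def triage(log_text: str) -> list[dict]:
    """Turn GMER log lines into findings tagged high / review / info."""
    findings, sectors = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            bare = is_bare_address(m["target"])
            findings.append({"severity": "review" if bare else "info", "kind": "ssdt-hook",
                             "detail": f"{m['func']} -> {'unattributed ' if bare else ''}{m['target']}"})
        elif m := USER_RE.match(line):
            # "JMP <addr> <module path> (<owner>)" means GMER found the owning
            # module; a bare "JMP <addr>" is a jump into unattributed memory.
            bare = len(m["detail"].split()) <= 2
            findings.append({"severity": "review" if bare else "info", "kind": "user-inline-hook",
                             "detail": f"{m['proc']} {m['api']} {m['detail']}"})
        elif m := DEVICE_RE.match(line):
            # A DriverStartIo hook on \Driver\atapi that resolves to a bare
            # kernel address is the hook TDL3 installs to filter disk I/O.
            sev = "high" if m["drv"].lower() == r"\driver\atapi" else "review"
            findings.append({"severity": sev, "kind": "driver-entry-hook",
                             "detail": f"{m['drv']} {m['entry']} {m['dev']} -> {m['addr']}"})
        elif m := DISK_RE.match(line):
            sectors.append(int(m["sec"]))
        elif m := ATTACHED_RE.match(line):
            findings.append({"severity": "info", "kind": "attached-device",
                             "detail": f"{m['mod']} {m['owner'] or '(no owner)'} on {m['dev']}"})
    if sectors:  # one grouped finding for all sectors GMER flagged
        findings.append({"severity": "high", "kind": "disk-sectors",
                         "detail": f"{len(sectors)} sectors flagged rootkit-like: {sectors}"})
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Count findings per severity so a reader can see the shape at a glance."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f["severity"]):
        print(f"[{f['severity']:6}] {f['kind']:18} {f['detail']}")
    print(dict(summarize(results)))
```

Run it against a saved gmer.txt by passing the file contents to `triage()`. The point of the split is the same one the helper's caution in the replies makes: an SSDT or inline hook with an unattributed target is "review", not proof of infection, because behavioural engines from security products also hook that way, whereas a DriverStartIo hook on the disk driver stack plus GMER's sector warnings is what justifies treating the machine as rootkitted.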



#2 km2357

  • Malware Response Team
  • 1,784 posts

Posted 02 February 2011 - 02:16 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan (or attempted scan, in case of some error, etc.)!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post

MalWare Removal University Master

Member of ASAP


#3 phildcat

  • Topic Starter
  • Members
  • 12 posts

Posted 02 February 2011 - 06:51 PM

Thanks much for your reply.
2 questions.
1. disable script blocker - how? where? etc
2. Were the dds.txt, script txt and gmer that I included in my original request no good? I ask because they all still reside on my hard drive. Should I delete them and start over?
OK, I guess that's more than 2 questions!
Again, thanks,
Phil

#4 km2357

  • Malware Response Team
  • 1,784 posts

Posted 03 February 2011 - 03:12 PM

1. disable script blocker - how? where? etc


That usually means disabling any AntiVirus or AntiSpyware programs you have so they don't interfere with DDS. But it looks like when you ran DDS the first time, it ran fine with your AntiVirus active. :)


2. Were the dds.txt, script txt and gmer that I included in my original request no good? I ask because they all still reside on my hard drive. Should I delete them and start over?


The DDS and GMER logs you posted are at least 5 days old. I'd like to get fresh DDS (both the main DDS logs and Attach.txt log) and GMER logs from you so I can have the most recent info from your computer to work with. :)

MalWare Removal University Master

Member of ASAP


#5 km2357

  • Malware Response Team
  • 1,784 posts

Posted 06 February 2011 - 11:48 PM

phildcat? Do you still need help?

MalWare Removal University Master

Member of ASAP


#6 phildcat

  • Topic Starter
  • Members
  • 12 posts

Posted 07 February 2011 - 08:15 AM

Yes please. I am unable to get this unit online but will wire it up Friday the 11th and do all you suggest.
Sorry it took so long.
Thanks for your patience

#7 km2357

  • Malware Response Team
  • 1,784 posts

Posted 07 February 2011 - 03:07 PM

Ok, thanks for the update. :)

MalWare Removal University Master

Member of ASAP


#8 phildcat

  • Topic Starter
  • Members
  • 12 posts

Posted 11 February 2011 - 02:11 PM

Thanks again for your patience. Here are the requested files.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 14:01:10.90 on Fri 02/11/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1406.469 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PCPitstop\PC MaticRT\PCPitstopRTService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S0N1JR5W\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [PC MaticRT] c:\program files\pcpitstop\pc maticrt\PCMaticRT.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {21F08995-D303-425C-A00A-AC7846594211} - hxxps://www22.verizon.com/ForYourHome/VZRepair/vziha/ActiveX/VzInHomeAgentActiveX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\SymDS.sys [2011-1-13 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\SymEFA.sys [2011-1-13 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-19 691248]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-1-9 21464]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\Ironx86.sys [2011-1-13 136312]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccSvcHst.exe [2011-1-13 130000]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\pcpitstop\pc maticrt\PCPitstopRTService.exe [2011-1-18 228352]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-1-9 69976]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-13 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110210.001\IDSXpx86.sys [2011-2-11 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110211.006\NAVENG.SYS [2011-2-11 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110211.006\NAVEX15.SYS [2011-2-11 1360760]
S3 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2010-10-13 98304]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-1-9 90864]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2010-12-26 31872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-1-22 11520]

=============== Created Last 30 ================

2011-02-04 20:25:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Cisco Systems
2011-01-29 14:04:38 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\NPE
2011-01-28 20:23:10 -------- d-----w- c:\windows\pss
2011-01-23 19:10:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2011-01-23 19:09:14 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Western_Digital
2011-01-23 19:07:43 -------- d-----w- c:\docume~1\admini~1\applic~1\Western Digital
2011-01-23 19:07:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2011-01-23 19:06:47 -------- d-----w- c:\program files\Western Digital
2011-01-23 19:06:11 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Western Digital
2011-01-23 19:00:55 -------- d-----w- c:\docume~1\admini~1\applic~1\FreeFileViewer
2011-01-23 18:56:20 -------- d-----w- c:\program files\FreeFileViewer
2011-01-22 18:22:30 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2011-01-22 15:45:45 -------- d-----w- c:\windows\system32\NtmsData
2011-01-17 16:38:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-17 16:38:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-16 22:44:11 -------- d-----w- c:\program files\common files\Motive
2011-01-14 20:49:46 -------- d-----w- c:\windows\system32\appmgmt
2011-01-14 17:41:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-14 15:59:35 -------- d-----w- c:\docume~1\admini~1\applic~1\FixCleaner
2011-01-14 15:58:37 -------- d-----w- c:\program files\FixCleaner
2011-01-14 03:50:42 -------- d-----w- c:\program files\NortonInstaller
2011-01-14 03:20:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-14 03:20:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-13 17:48:47 -------- d-----w- C:\033dc24f14b8370baac46d2c

==================== Find3M ====================

2011-01-14 17:41:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-14 03:51:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDS721680PLA380 rev.P21OABHA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A08D555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a0937b0]; MOV EAX, [0x8a09382c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\Harddisk0\DR0[0x8A0A8AB8]
3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\00000065[0x8A0ADF18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE136] -> [0x8A11F940]
\Driver\atapi[0x8A16BB08] -> IRP_MJ_CREATE -> 0x8A08D555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721680PLA380_________________P21OABHA#5&297fe631&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A08D39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:02:49.21 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/28/2008 4:47:10 AM
System Uptime: 2/11/2011 1:34:27 PM (1 hours ago)

Motherboard: MSI | | 0A7C
Processor: AMD Athlon™ 64 Processor 3800+ | Socket M2 | 2394/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 65 GiB total, 51.026 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.741 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 1/29/2011 9:26:39 AM - System Checkpoint
RP2: 1/29/2011 9:26:47 AM - Norton_Power_Eraser_20110129092644000
RP3: 1/29/2011 10:05:29 AM - Software Distribution Service 3.0
RP4: 2/4/2011 1:11:55 PM - System Checkpoint

==== Installed Programs ======================


2007 Microsoft Office system
4300
4300_Help
4300Trb
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1
AiO_Scan_CDA
AiOSoftwareNPI
ATI - Software Uninstall Utility
ATI Display Driver
BufferChm
Business Contact Manager for Outlook 2007
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DocProc
Dual-Core Optimizer
eSupportQFolder
Fax_CDA
Free File Viewer 2010
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB961118)
HP Backup and Recovery Manager
HP Extended Capabilities 6.1
HP Help and Support
HP Imaging Device Functions 6.1
HP Photosmart Essential
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
HPProductAssistant
HpSdpAppCoreApp
IHA_MessageCenter
InterVideo Register Manager
InterVideo WinDVD
Java Auto Updater
Java™ 6 Update 23
Java™ SE Runtime Environment 6 Update 1
LastPass (uninstall only)
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NewCopy_CDA
Norton Internet Security
PC Matic 1.1.0.33
PC MaticRT 1.0.0.11
ProductContextNPI
Readme
Realtek High Definition Audio Driver
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB981349)
Skype Toolbars
Skype™ 5.0
SolutionCenter
Spybot - Search & Destroy
Status
Toolbox
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office System 2007 Setup (KB929722)
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911164)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB967715)
Update for Windows XP (KB971737)
Verizon Help and Support Tool
Vz In Home Agent
WD SmartWare
WebFldrs XP
WebReg
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - Realtek Semiconductor Corp. (RTL8023xp) Net (03/25/2009 5.719.0325.2009)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302

==== Event Viewer Messages From Past Week ========

2/4/2011 9:49:20 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
2/4/2011 8:44:52 AM, error: ati2mtag [44044] - I2c return failed
2/11/2011 1:38:32 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-11 14:05:01
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HDS721680PLA380 rev.P21OABHA
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwtdypow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A08D39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A08D39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A08D39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A08D39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A08D39B
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDS721680PLA380_________________P21OABHA#5&297fe631&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

#9 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 11 February 2011 - 03:11 PM

Thanks for the logs. :)

I have a question before we continue.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}


I noticed Norton Internet Security in your Installed Programs List (from the attach.txt log), but not AVG 2011. Did you recently uninstall AVG 2011?


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S0N1JR5W\dds[1].scr

Please redownload DDS and save it to your Desktop. That way it'll be easier for you to find DDS when I have you run it again later in the fix. :)

MalWare Removal University Master

Member of ASAP


#10 phildcat

phildcat
  • Topic Starter

  • Members
  • 12 posts

Posted 12 February 2011 - 09:00 AM

Yes, that is correct, I uninstalled AVG

#11 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 12 February 2011 - 12:54 PM

Step # 1: Disable Teatimer

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, at which point it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



Step # 2: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it to phildcat.exe before saving it. Save it to your Desktop.

Link 1
Link 2

--------------------------------------------------------------------

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on phildcat.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please include C:\ComboFix.txt in your next reply so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

MalWare Removal University Master

Member of ASAP


#12 phildcat

phildcat
  • Topic Starter

  • Members
  • 12 posts

Posted 13 February 2011 - 03:18 PM

Good afternoon, here is the ComboFix log.
ComboFix 11-02-12.02 - Administrator 02/13/2011 15:03:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1406.959 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\phildcat.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\17F59BBB0361C2A5C4A15B3D2111834A
c:\documents and settings\Administrator\Application Data\17F59BBB0361C2A5C4A15B3D2111834A\enemies-names.txt
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://buy-download.norton.com
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-01-13 to 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-11 20:26 . 2011-02-11 20:26 -------- d-----w- c:\program files\Common Files\Skype
2011-02-04 20:25 . 2011-02-04 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-01-29 14:04 . 2011-01-29 14:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2011-01-24 20:46 . 2011-01-24 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ServiceTest
2011-01-23 19:10 . 2011-01-23 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2011-01-23 19:09 . 2011-01-23 19:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western_Digital
2011-01-23 19:07 . 2011-01-23 19:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Western Digital
2011-01-23 19:07 . 2011-01-23 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2011-01-23 19:07 . 2011-01-23 19:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2011-01-23 19:06 . 2011-01-23 19:06 -------- d-----w- c:\program files\Western Digital
2011-01-23 19:06 . 2011-01-23 19:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western Digital
2011-01-23 19:00 . 2011-01-24 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\FreeFileViewer
2011-01-23 18:56 . 2011-01-23 18:56 -------- d-----w- c:\program files\FreeFileViewer
2011-01-22 18:22 . 2009-02-13 16:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2011-01-22 15:45 . 2011-01-22 15:47 -------- d-----w- c:\windows\system32\NtmsData
2011-01-22 13:44 . 2011-01-22 13:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-17 16:38 . 2011-01-18 21:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-17 16:38 . 2011-01-17 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-01-16 22:46 . 2011-01-16 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Motive
2011-01-16 22:44 . 2011-01-16 22:45 -------- d-----w- c:\program files\Common Files\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-14 17:41 . 2011-01-14 17:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-14 17:41 . 2008-03-05 06:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-14 03:51 . 2011-01-14 03:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-01-14 03:51 . 2011-01-14 03:51 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-20 23:09 . 2011-01-14 03:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-01-14 03:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-01 05:24 . 2011-01-14 03:51 368248 ----a-r- c:\windows\system32\drivers\symtdi.sys
2010-12-01 05:24 . 2011-01-14 03:51 368248 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\symtdi.sys
2010-12-01 05:24 . 2011-01-14 03:51 295032 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\symnets.sys
2010-12-01 05:23 . 2011-01-14 03:51 330360 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\symtdiv.sys
2010-11-23 04:08 . 2011-01-14 03:51 509560 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\srtsp.sys
2010-11-23 04:08 . 2011-01-14 03:51 50168 ----a-r- c:\windows\system32\drivers\srtspx.sys
2010-11-23 04:08 . 2011-01-14 03:51 50168 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\srtspx.sys
2010-11-18 02:59 . 2011-01-14 03:51 652336 ----a-r- c:\windows\system32\drivers\SymEFA.sys
2010-11-18 02:59 . 2011-01-14 03:51 652336 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\SymEFA.sys
2010-11-16 01:45 . 2011-01-14 03:51 136312 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.sys
2010-11-16 01:45 . 2011-01-14 03:51 136312 ----a-r- c:\windows\system32\drivers\Ironx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"PC MaticRT"="c:\program files\PCPitstop\PC MaticRT\PCMaticRT.exe" [2010-12-14 209120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SymDS.sys [1/13/2011 10:51 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SymEFA.sys [1/13/2011 10:51 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/19/2011 4:26 PM 691248]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/9/2011 9:23 AM 21464]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.sys [1/13/2011 10:51 PM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [1/13/2011 10:51 PM 130000]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\PCPitstop\PC MaticRT\PCPitstopRTService.exe [1/18/2011 7:06 PM 228352]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/9/2011 9:23 AM 69976]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/13/2011 10:53 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110210.001\IDSXpx86.sys [2/11/2011 1:50 PM 341944]
S3 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [1/9/2011 9:02 AM 90864]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [12/26/2010 9:55 AM 31872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/22/2011 1:22 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2011-02-13 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-01-23 16:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = <local>
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
DPF: {21F08995-D303-425C-A00A-AC7846594211} - hxxps://www22.verizon.com/ForYourHome/VZRepair/vziha/ActiveX/VzInHomeAgentActiveX.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 15:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-02-13 15:15:28
ComboFix-quarantined-files.txt 2011-02-13 20:15

Pre-Run: 54,526,152,704 bytes free
Post-Run: 55,036,137,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 3896BE0147DABB9AD7B88B8A7B227CD0

#13 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 14 February 2011 - 01:37 AM

Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    SecCenter::
    
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]


    Note: This CFScript is for use on phildcat's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.

MalWare Removal University Master

Member of ASAP


#14 phildcat

phildcat
  • Topic Starter

  • Members
  • 12 posts
  • Local time:06:50 PM

Posted 14 February 2011 - 10:48 AM

OK here we go, I really appreciate all of this. Who knew it could be this complicated?

ComboFix 11-02-13.04 - Administrator 02/14/2011 10:18:11.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1406.729 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
.

2011-02-11 20:26 . 2011-02-11 20:26 -------- d-----w- c:\program files\Common Files\Skype
2011-02-04 20:25 . 2011-02-04 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-29 14:04 . 2011-01-29 14:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2011-01-24 20:46 . 2011-01-24 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ServiceTest
2011-01-23 19:10 . 2011-01-23 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2011-01-23 19:09 . 2011-01-23 19:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western_Digital
2011-01-23 19:07 . 2011-01-23 19:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Western Digital
2011-01-23 19:07 . 2011-01-23 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2011-01-23 19:07 . 2011-01-23 19:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2011-01-23 19:06 . 2011-01-23 19:06 -------- d-----w- c:\program files\Western Digital
2011-01-23 19:06 . 2011-01-23 19:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Western Digital
2011-01-23 19:00 . 2011-01-24 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\FreeFileViewer
2011-01-23 18:56 . 2011-01-23 18:56 -------- d-----w- c:\program files\FreeFileViewer
2011-01-22 18:22 . 2009-02-13 16:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2011-01-22 15:45 . 2011-01-22 15:47 -------- d-----w- c:\windows\system32\NtmsData
2011-01-22 13:44 . 2011-01-22 13:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-17 16:38 . 2011-01-18 21:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-17 16:38 . 2011-01-17 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-01-16 22:46 . 2011-01-16 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Motive
2011-01-16 22:44 . 2011-01-16 22:45 -------- d-----w- c:\program files\Common Files\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-14 17:41 . 2011-01-14 17:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-14 17:41 . 2008-03-05 06:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-14 03:51 . 2011-01-14 03:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-01-14 03:51 . 2011-01-14 03:51 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-01 05:24 . 2011-01-14 03:51 368248 ----a-r- c:\windows\system32\drivers\symtdi.sys
2010-12-01 05:24 . 2011-01-14 03:51 368248 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\symtdi.sys
2010-12-01 05:24 . 2011-01-14 03:51 295032 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\symnets.sys
2010-12-01 05:23 . 2011-01-14 03:51 330360 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\symtdiv.sys
2010-11-23 04:08 . 2011-01-14 03:51 509560 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\srtsp.sys
2010-11-23 04:08 . 2011-01-14 03:51 50168 ----a-r- c:\windows\system32\drivers\srtspx.sys
2010-11-23 04:08 . 2011-01-14 03:51 50168 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\srtspx.sys
2010-11-18 02:59 . 2011-01-14 03:51 652336 ----a-r- c:\windows\system32\drivers\SymEFA.sys
2010-11-18 02:59 . 2011-01-14 03:51 652336 ----a-r- c:\windows\system32\drivers\NIS\1205000.07D\SymEFA.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"PC MaticRT"="c:\program files\PCPitstop\PC MaticRT\PCMaticRT.exe" [2010-12-14 209120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SymDS.sys [1/13/2011 10:51 PM 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SymEFA.sys [1/13/2011 10:51 PM 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/19/2011 4:26 PM 691248]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/9/2011 9:23 AM 21464]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.sys [1/13/2011 10:51 PM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [1/13/2011 10:51 PM 130000]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\PCPitstop\PC MaticRT\PCPitstopRTService.exe [1/18/2011 7:06 PM 228352]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/9/2011 9:23 AM 69976]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/13/2011 10:53 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110210.001\IDSXpx86.sys [2/11/2011 1:50 PM 341944]
S3 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 98304]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [1/9/2011 9:02 AM 90864]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [12/26/2010 9:55 AM 31872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/22/2011 1:22 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2011-02-14 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-01-23 16:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = <local>
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
DPF: {21F08995-D303-425C-A00A-AC7846594211} - hxxps://www22.verizon.com/ForYourHome/VZRepair/vziha/ActiveX/VzInHomeAgentActiveX.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-14 10:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-02-14 10:29:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-14 15:29
ComboFix2.txt 2011-02-13 20:15

Pre-Run: 54,852,653,056 bytes free
Post-Run: 54,839,939,072 bytes free

- - End Of File - - 3EA605BB4863D5BC8C24A79322815C44

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 10:32:39.75 on Mon 02/14/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1406.638 [GMT -5:00]

AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\PCPitstop\PC MaticRT\PCPitstopRTService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\PCPitstop\PC MaticRT\PCMaticRT.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds 2 13 2011.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [PC MaticRT] c:\program files\pcpitstop\pc maticrt\PCMaticRT.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {21F08995-D303-425C-A00A-AC7846594211} - hxxps://www22.verizon.com/ForYourHome/VZRepair/vziha/ActiveX/VzInHomeAgentActiveX.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\SymDS.sys [2011-1-13 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\SymEFA.sys [2011-1-13 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-19 691248]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-1-9 21464]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\Ironx86.sys [2011-1-13 136312]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccSvcHst.exe [2011-1-13 130000]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\pcpitstop\pc maticrt\PCPitstopRTService.exe [2011-1-18 228352]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-1-9 69976]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-1-13 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110210.001\IDSXpx86.sys [2011-2-11 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110211.006\NAVENG.SYS [2011-2-11 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110211.006\NAVEX15.SYS [2011-2-11 1360760]
S3 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2010-10-13 98304]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-1-9 90864]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2010-12-26 31872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-1-22 11520]

=============== Created Last 30 ================

2011-02-13 19:54:30 -------- d-sha-r- C:\cmdcons
2011-02-13 19:50:56 98816 ----a-w- c:\windows\sed.exe
2011-02-13 19:50:56 89088 ----a-w- c:\windows\MBR.exe
2011-02-13 19:50:56 256512 ----a-w- c:\windows\PEV.exe
2011-02-13 19:50:56 161792 ----a-w- c:\windows\SWREG.exe
2011-02-04 20:25:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Cisco Systems
2011-01-30 19:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-01-29 14:04:38 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\NPE
2011-01-28 20:23:10 -------- d-----w- c:\windows\pss
2011-01-23 19:10:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2011-01-23 19:09:14 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Western_Digital
2011-01-23 19:07:43 -------- d-----w- c:\docume~1\admini~1\applic~1\Western Digital
2011-01-23 19:07:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2011-01-23 19:06:47 -------- d-----w- c:\program files\Western Digital
2011-01-23 19:06:11 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Western Digital
2011-01-23 19:00:55 -------- d-----w- c:\docume~1\admini~1\applic~1\FreeFileViewer
2011-01-23 18:56:20 -------- d-----w- c:\program files\FreeFileViewer
2011-01-22 18:22:30 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2011-01-22 15:45:45 -------- d-----w- c:\windows\system32\NtmsData
2011-01-17 16:38:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-17 16:38:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-16 22:44:11 -------- d-----w- c:\program files\common files\Motive

==================== Find3M ====================

2011-01-14 17:41:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-14 17:41:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-14 03:51:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

============= FINISH: 10:33:24.75 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/28/2008 4:47:10 AM
System Uptime: 2/14/2011 10:22:07 AM (0 hours ago)

Motherboard: MSI | | 0A7C
Processor: AMD Athlon™ 64 Processor 3800+ | Socket M2 | 2394/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 65 GiB total, 51.101 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.741 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 1/29/2011 9:26:39 AM - System Checkpoint
RP2: 1/29/2011 9:26:47 AM - Norton_Power_Eraser_20110129092644000
RP3: 1/29/2011 10:05:29 AM - Software Distribution Service 3.0
RP4: 2/4/2011 1:11:55 PM - System Checkpoint
RP5: 2/13/2011 2:51:19 PM - ComboFix created restore point
RP6: 2/14/2011 9:54:21 AM - Software Distribution Service 3.0

==== Installed Programs ======================


2007 Microsoft Office system
4300
4300_Help
4300Trb
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.2
AiO_Scan_CDA
AiOSoftwareNPI
ATI - Software Uninstall Utility
ATI Display Driver
BufferChm
Business Contact Manager for Outlook 2007
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DocProc
Dual-Core Optimizer
eSupportQFolder
Fax_CDA
Free File Viewer 2010
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB961118)
HP Backup and Recovery Manager
HP Extended Capabilities 6.1
HP Help and Support
HP Imaging Device Functions 6.1
HP Photosmart Essential
HP PSC & OfficeJet 6.1.A
HP Software Update
HP Solution Center and Imaging Support Tools 6.1
HPProductAssistant
HpSdpAppCoreApp
IHA_MessageCenter
InterVideo Register Manager
InterVideo WinDVD
Java Auto Updater
Java™ 6 Update 23
Java™ SE Runtime Environment 6 Update 1
LastPass (uninstall only)
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NewCopy_CDA
Norton Internet Security
PC Matic 1.1.0.33
PC MaticRT 1.0.0.11
ProductContextNPI
Readme
Realtek High Definition Audio Driver
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB981349)
Skype Toolbars
Skype™ 5.1
SolutionCenter
Spybot - Search & Destroy
Status
Toolbox
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office System 2007 Setup (KB929722)
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911164)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB967715)
Update for Windows XP (KB971737)
Verizon Help and Support Tool
Vz In Home Agent
WD SmartWare
WebFldrs XP
WebReg
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - Realtek Semiconductor Corp. (RTL8023xp) Net (03/25/2009 5.719.0325.2009)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302

==== Event Viewer Messages From Past Week ========

2/14/2011 10:18:07 AM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 10:18:07 AM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 10:18:07 AM, error: Service Control Manager [7034] - The SQL Server (MSSMLBIZ) service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 10:18:07 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 10:18:07 AM, error: Service Control Manager [7034] - The PCPitstop Realtime service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 10:18:07 AM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 10:18:07 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
2/13/2011 1:58:49 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
2/13/2011 1:55:15 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2/13/2011 1:27:57 PM, error: ati2mtag [44044] - I2c return failed

==== End Of File ===========================

#15 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California
  • Local time:04:50 PM

Posted 14 February 2011 - 02:22 PM

Step # 1: Remove old versions of Java

Older Java versions have vulnerabilities and need to be removed.

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

Java™ SE Runtime Environment 6 Update 1

Reboot your Computer.


Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 3: Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the MalwareBytes' Log in your next post/reply.

MalWare Removal University Master

Member of ASAP