
rootkit infection assistance, please


  • This topic is locked
9 replies to this topic

#1 whigbee

whigbee

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 04 February 2011 - 01:01 PM

1st of all, my sincere thanks to the generous and unselfish volunteers who are the experts that help us who
are out here.... I have become infected with a virus that redirects my browser to sites I did not attempt
to reach. I just started getting redirects immediately from sites to which I log on. But for weeks I have been
getting redirected from links upon which I click that are in search engine results. So having read the instructions
before I start, here goes:

This is my log from the dds.txt file:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Bill at 11:58:50.14 on Fri 02/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1303 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\UTILS\Spybot S&D\TeaTimer.exe
C:\INTERNET\ePrompter\ePrompter.exe
C:\UTILS\SpeedFan\speedfan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe
C:\INTERNET\Thunderbird\thunderbird.exe
C:\INTERNET\FireFox 3\firefox.exe
C:\WINDOWS\explorer.exe
C:\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SBCONVERT Class: {3017fb3e-9a77-4396-88c5-0ec9548fb42f} - c:\internet\speedbit video downloader\toolbar\tbcore3.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~2\SEARCH~1.DLL
BHO: {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - No File
BHO: {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\utils\spybot s&d\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\internet\dap\DAPIEL~1.DLL
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\internet\speedb~2\toolbar\grabber.dll
TB: {CCAC5586-44D7-4c43-B64A-F042461A97D2} - No File
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\internet\speedbit video downloader\toolbar\tbcore3.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [SpybotSD TeaTimer] c:\utils\spybot s&d\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [ScanGearStarter] c:\windows\twain_32\cnqsg\SGST.exe RegPushButton
StartupFolder: c:\docume~1\bill~1.des\startm~1\programs\startup\epromp~1.lnk - c:\internet\eprompter\ePrompter.exe
StartupFolder: c:\docume~1\bill~1.des\startm~1\programs\startup\speedfan.lnk - c:\utils\speedfan\speedfan.exe
IE: &Clean Traces - c:\internet\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\internet\dap\dapextie.htm
IE: Download &all with DAP - c:\internet\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\utils\spybot s&d\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234890216671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234820520171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\utils\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bill~1.des\applic~1\mozilla\firefox\profiles\celzvyqz.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\internet\dap\dapfirefox\components\DAPFireFox.dll
FF - component: c:\internet\speedbit video downloader\spfirefox\components\Engine.dll
FF - plugin: c:\documents and settings\bill.desktop\application data\mozilla\firefox\profiles\celzvyqz.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\internet\firefox 3\plugins\NPMGWRAP.DLL
FF - plugin: c:\internet\firefox 3\plugins\NPTURNMED.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\photodex presenter\npPxPlay.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\internet\firefox 3\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\internet\firefox 3\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\internet\firefox 3\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\internet\firefox 3\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\internet\firefox 3\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: Fire.fm: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} - %profile%\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - c:\internet\speedbit video downloader\SPFireFox
FF - Ext: Download Accelerator Plus Integration: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\internet\dap\DAPFireFox
FF - Ext: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - c:\internet\speedbit video downloader\SPFireFox

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-24 294608]
R1 SASDIFSV;SASDIFSV;c:\utils\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\utils\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/10/27 15:33:56];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-24 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-24 40384]
R2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [2002-9-3 19296]
R2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2004-11-18 18848]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
S3 SBRE;SBRE; [x]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-11-17 312152]

=============== Created Last 30 ================

2011-02-03 17:09:41 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-03 17:09:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-03 00:45:15 -------- d-----w- c:\docume~1\bill~1.des\applic~1\OpenOffice.org
2011-02-03 00:41:39 -------- d-----w- c:\program files\JRE
2011-02-03 00:41:30 -------- d-----w- c:\program files\OpenOffice.org 3
2011-02-03 00:36:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-27 21:49:24 -------- d-----w- C:\finalburner
2011-01-27 21:45:29 178176 ----a-w- c:\windows\system32\unrar.dll
2011-01-27 21:45:21 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-01-27 21:45:21 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2011-01-27 21:45:21 118784 ----a-w- c:\windows\system32\ac3acm.acm
2011-01-27 21:45:20 881664 ----a-w- c:\windows\system32\xvidcore.dll
2011-01-27 21:45:20 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2011-01-27 21:45:19 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-27 21:25:49 -------- d-----w- c:\program files\FinalBurner
2011-01-24 23:16:03 38848 ----a-w- c:\windows\avastSS.scr
2011-01-14 00:15:59 54016 ----a-w- c:\windows\system32\drivers\yrufl.sys

==================== Find3M ====================

2011-01-27 21:34:22 29480 ----a-w- c:\windows\system32\msxml3a.dll
2011-01-27 21:34:21 505128 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-27 21:34:21 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-15 22:08:50 673280 ----a-w- c:\windows\is-1RAD9.exe
2010-11-29 19:14:29 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-60JRA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-20

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AE00446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae06504]; MOV EAX, [0x8ae06580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AE79AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AEF38B0]
\Driver\atapi[0x8AEFE2D0] -> IRP_MJ_CREATE -> 0x8AE00446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-18 -> \??\IDE#DiskWDC_WD800JD-60JRA0______________________05.01C05#4457572d414d444d303133353330203020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE00292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 12:00:20.10 ===============

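The ROOTKIT section of the DDS log above is the decisive evidence in this thread: the embedded GMER check reads the MBR once through the normal Windows I/O path and once at a lower level, and a difference between the two copies means something sitting in the disk driver chain is filtering what user-mode readers see. As an added example that is not part of the original post or of the DDS/GMER tools, the Python script below pulls the signal lines out of a DDS-style log and turns them into findings: the hosts-file redirect, the unknown module in the disk trace, the DriverStartIo hook and the user/kernel MBR mismatch. The sample log is constructed from lines of the post; the severity labels, indicator names and verdict wording are this example's own conventions, not DDS output.

```python
import re
from dataclasses import dataclass

# Constructed sample: the lines of the first post's DDS log that carry the
# security signal (the Hosts entry and the ROOTKIT section), copied verbatim.
SAMPLE_LOG = r"""
Hosts: 127.0.0.1 www.spywareinfo.com

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AE00446]<<
\Driver\atapi[0x8AEFE2D0] -> IRP_MJ_CREATE -> 0x8AE00446
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE00292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (this example's own scale)
    indicator: str  # short tag for the kind of evidence
    detail: str     # the evidence as quoted or extracted from the log


# A hosts-file entry DDS thought worth listing: "Hosts: <ip> <hostname>".
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
# A module in the disk I/O trace that GMER could not attribute to a known driver.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# One line of the "detected hooks:" section: "\Driver\<name> <entry point> -> <address>".
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")
# The sector-level summary of the user/kernel comparison.
SECTORS_RE = re.compile(r"^sectors\s+(\d+)\s+\(\+(\d+)\):\s+user != kernel$")


def triage(log_text: str) -> list:
    """Scan a DDS/GMER log and return the findings a responder should look at first."""
    findings = []
    in_hooks = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                driver, entry, target = m.groups()
                findings.append(Finding("high", "driver-hook", f"{driver} {entry} -> {target}"))
                continue
            in_hooks = False  # the first non-hook line closes the section
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            findings.append(Finding("medium", "hosts-redirect", f"{host} -> {ip}"))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(Finding("high", "unknown-disk-module", m.group(1)))
            continue
        if line.startswith("user != kernel MBR"):
            # The MBR seen through the normal I/O path differs from the one read
            # beneath it: something in the driver chain is filtering disk reads.
            findings.append(Finding("high", "mbr-mismatch", line))
            continue
        m = SECTORS_RE.match(line)
        if m:
            findings.append(Finding("high", "sector-mismatch", f"sectors {m.group(1)} (+{m.group(2)})"))
    return findings


def verdict(findings) -> str:
    """Collapse the findings into a one-line call for the responder."""
    tags = {f.indicator for f in findings}
    if "mbr-mismatch" in tags and "driver-hook" in tags:
        return "bootkit: MBR differs between I/O paths and a disk driver is hooked"
    if "mbr-mismatch" in tags:
        return "bootkit-suspect: MBR differs between I/O paths"
    if tags & {"driver-hook", "unknown-disk-module"}:
        return "rootkit-suspect: disk I/O path is patched"
    if "hosts-redirect" in tags:
        return "hosts-file tampering only"
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.indicator:20} {f.detail}")
    print("verdict:", verdict(found))
```

The section-state handling matters: the `\Driver\atapi[...] -> IRP_MJ_CREATE -> 0x8AE00446` line in the disk trace looks like a hook line but is only the call chain, so hook lines are accepted only inside the `detected hooks:` section. Anything this script reports is a reason to run the disinfection the log itself recommends and to verify the MBR afterwards, not a replacement for that step.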

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:17 AM

Posted 04 February 2011 - 04:27 PM

Good evening. :)

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

Can you also tell me the model of Dell that you have, assuming that it is a Dell, and also whether you received a Recovery Disc with the PC, or not.

So long, and thanks for all the fish.

 

 


#3 whigbee

whigbee
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 07 February 2011 - 12:51 PM

To Team Numpty:
Thanks for your efforts on my behalf. I followed your instructions and here's the content of the
preformat.txt file:

Partition ID: Disk #1, Partition #0
Size: 931.51 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix ROM BIOS PLUS Version 1.10 A06
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

I bought this PC used and have no original Dell disk, but I do have the Dell drivers in a file on my c: drive.
I'll tell you this: over the 20 years I've been a PC user, I have always dreaded having to do a new install of
all files on a bare drive that's been reformatted. It takes me hours and hours and hours spread over several weeks
to get the unit configured & loaded the way I like. Therefore, it should be understandable that a reformat suggestion
would be my absolute last choice.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:17 AM

Posted 07 February 2011 - 04:43 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#5 whigbee

whigbee
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 AM

Posted 08 February 2011 - 09:20 AM

I followed directions: turned off firewall, virus program, shut down all other programs.
Ran CF, after prompting, installed Windows recovery. Ran CF the rest of the way.

Results: search engine redirects are still there and a pop up tab with ads still runs
randomly in my primary browser, Firefox 3.6.13. Below is the log file and as attachment.


ComboFix 11-02-07.02 - Bill 02/08/2011 6:31.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1636 [GMT -5:00]
Running from: c:\documents and settings\Bill.DESKTOP\Desktop\CComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Toolbar4
c:\documents and settings\All Users.WINDOWS\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\icon.ico
c:\documents and settings\All Users.WINDOWS\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\uninstall.exe
c:\documents and settings\All Users.WINDOWS\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\update.exe
c:\documents and settings\Bill.DESKTOP\g2mdlhlpx.exe
c:\documents and settings\Bill\Application Data\inst.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\uninstall.exe
c:\program files\Search Toolbar\update.exe
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Fonts\Applbb__.ttf
c:\windows\Fonts\Candrb__.ttf
c:\windows\Fonts\Candsbst.ttf
c:\windows\Fonts\Cinegbin.ttf
c:\windows\Fonts\Cinegbsh.ttf
c:\windows\Fonts\Coldsb__.ttf
c:\windows\Fonts\Combrb__.ttf
c:\windows\Fonts\Concmbl_.ttf
c:\windows\Fonts\Copasbb_.ttf
c:\windows\Fonts\Crazgbl_.ttf
c:\windows\Fonts\Crazlbin.ttf
c:\windows\Fonts\Darlb___.ttf
c:\windows\Fonts\Dragbd__.ttf
c:\windows\Fonts\Flufsb__.ttf
c:\windows\Fonts\Grilcb__.ttf
c:\windows\Fonts\Heatb___.ttf
c:\windows\Fonts\Holisb__.ttf
c:\windows\Fonts\Holisbq_.ttf
c:\windows\Fonts\Igualb__.ttf
c:\windows\Fonts\Regisbso.ttf
c:\windows\Fonts\Rollwbo_.ttf
c:\windows\Fonts\Smarpbb_.ttf
c:\windows\Fonts\Sneabs__.ttf
c:\windows\Fonts\Tropsb__.ttf
c:\windows\Fonts\Troub___.ttf
c:\windows\Fonts\tt0083m_.ttf
c:\windows\Fonts\TT0209M_.TTF
c:\windows\Fonts\TT0352M_.TTF
c:\windows\Fonts\TT0362M_.TTF
c:\windows\Fonts\tt0420m_.ttf
c:\windows\Fonts\tt0443m_.ttf
c:\windows\Fonts\TT0588M_.TTF
c:\windows\Fonts\TT0592M_.TTF
c:\windows\Fonts\tt0604m_.ttf
c:\windows\Fonts\TT0720M_.TTF
c:\windows\Fonts\TT0756M_.TTF
c:\windows\Fonts\TT0840M_.TTF
c:\windows\Fonts\TT0883M_.TTF
c:\windows\Fonts\TT0896M_.TTF
c:\windows\Fonts\TT0965M_.TTF
c:\windows\Fonts\TT0985M_.TTF
c:\windows\Fonts\TT1047M_.TTF
c:\windows\Fonts\tt1053m_.ttf
c:\windows\Fonts\TT1064M_.TTF
c:\windows\Fonts\TT1141M_.TTF
c:\windows\Fonts\TT1153M_.TTF
c:\windows\Fonts\TT1244M_.TTF
c:\windows\Fonts\Unkcscb_.ttf
c:\windows\Fonts\Younb___.ttf
c:\windows\Fonts\Zolasbb_.ttf
c:\windows\Fonts\Zolsab__.ttf
c:\windows\msconfig.exe
c:\windows\winhelp.ini

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-01-08 to 2011-02-08 )))))))))))))))))))))))))))))))
.

2011-02-03 17:09 . 2011-02-03 17:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-03 00:45 . 2011-02-03 00:45 -------- d-----w- c:\documents and settings\Bill.DESKTOP\Application Data\OpenOffice.org
2011-02-03 00:41 . 2011-02-03 00:41 -------- d-----w- c:\program files\JRE
2011-02-03 00:41 . 2011-02-03 00:41 -------- d-----w- c:\program files\OpenOffice.org 3
2011-02-03 00:37 . 2011-02-03 00:37 -------- d-----w- c:\program files\Common Files\Java
2011-02-03 00:36 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-27 21:49 . 2011-01-27 21:49 -------- d-----w- C:\finalburner
2011-01-27 21:45 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2011-01-27 21:45 . 2008-09-24 18:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-01-27 21:45 . 2007-09-21 00:52 118784 ----a-w- c:\windows\system32\ac3acm.acm
2011-01-27 21:45 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2011-01-27 21:45 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2011-01-27 21:45 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2011-01-27 21:45 . 2009-10-13 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-27 21:25 . 2011-01-27 21:45 -------- d-----w- c:\program files\FinalBurner
2011-01-24 23:16 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-24 23:16 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-24 23:16 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-24 23:16 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-24 23:16 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-24 23:16 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-24 23:16 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-24 23:16 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-24 23:16 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-14 00:15 . 2011-01-14 00:15 54016 ----a-w- c:\windows\system32\drivers\yrufl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-27 21:34 . 2009-02-18 21:38 29480 ----a-w- c:\windows\system32\msxml3a.dll
2011-01-27 21:34 . 2009-02-18 11:46 505128 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-27 21:34 . 2009-02-18 11:46 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-12-20 23:09 . 2010-05-03 14:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-05-03 14:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-15 22:08 . 2010-12-15 22:08 673280 ----a-w- c:\windows\is-1RAD9.exe
2010-12-07 11:08 . 2010-12-07 11:08 54016 ----a-w- c:\windows\system32\drivers\ixmmg.sys
2010-11-29 19:14 . 2010-11-29 16:58 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2010-11-18 22:18 . 2010-11-18 22:18 54016 ----a-w- c:\windows\system32\drivers\vunsb.sys
2010-11-12 21:34 . 2009-07-01 15:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]
2010-06-07 11:12 2447360 ----a-w- c:\internet\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Bill.DESKTOP\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Bill.DESKTOP\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Bill.DESKTOP\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\utils\Spybot S&D\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

c:\documents and settings\Bill.DESKTOP\Start Menu\Programs\Startup\
ePrompter.lnk - c:\internet\ePrompter\ePrompter.exe [2009-1-13 782336]
SpeedFan.lnk - c:\utils\SpeedFan\speedfan.exe [2009-11-25 4009592]

c:\documents and settings\Bill\Start Menu\Programs\Startup\
ePrompter.lnk - c:\internet\ePrompter\ePrompter.exe [2009-1-13 782336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\utils\SuperAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C\0autocheck autochk /p \??\C\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Bill.DESKTOP^Start Menu^Programs^Startup^Dropbox.lnk]
backup=c:\windows\pss\Dropbox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"SystemSuite Task Manager"=2 (0x2)
"IS360service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\INTERNET\\FireFox 3\\firefox.exe"=
"c:\\INTERNET\\Netscape 8.1\\netscape.exe"=
"c:\\INTERNET\\DAP\\DAP.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/22/2009 7:15 PM 717296]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/24/2011 6:16 PM 294608]
R1 SASDIFSV;SASDIFSV;c:\utils\SuperAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\utils\SuperAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/10/27 15:33];c:\program files\CyberLink\PowerDVD9\000.fcl [2/28/2009 6:40 PM 87536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/24/2011 6:16 PM 17744]
R2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [9/3/2002 7:31 PM 19296]
R2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [11/18/2004 8:13 PM 18848]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [7/27/2007 7:00 AM 14336]
S3 SBRE;SBRE; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-09-20 02:46 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\GlaryInitialize.job
- c:\utils\Glary Utilities\initialize.exe [2009-01-13 15:47]

2011-01-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2011-02-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-484763869-2077806209-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2011-02-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2011-02-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-484763869-2077806209-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2011-01-17 c:\windows\Tasks\SmartDefrag.job
- c:\utils\IObit SmartDefrag\IObit SmartDefrag.exe [2010-06-03 22:08]

2011-02-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\utils\Spybot S&D\SpybotSD.exe [2010-11-27 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
IE: &Clean Traces - c:\internet\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\internet\DAP\dapextie.htm
IE: Download &all with DAP - c:\internet\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bill.DESKTOP\Application Data\Mozilla\Firefox\Profiles\celzvyqz.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\internet\FireFox 3\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\internet\FireFox 3\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\internet\FireFox 3\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\internet\FireFox 3\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\internet\FireFox 3\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: Fire.fm: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3} - %profile%\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - c:\internet\SpeedBit Video Downloader\SPFireFox
FF - Ext: Download Accelerator Plus Integration: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} - c:\internet\DAP\DAPFireFox
FF - Ext: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - c:\internet\SpeedBit Video Downloader\SPFireFox
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.urlbar.hideGoButton - false
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-08 06:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-60JRA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-20

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AE00446]<<
c:\docume~1\BILL~1.DES\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae06504]; MOV EAX, [0x8ae06580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AE79AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8ADAA5B8]
\Driver\atapi[0x8AEFE2D0] -> IRP_MJ_CREATE -> 0x8AE00446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-18 -> \??\IDE#DiskWDC_WD800JD-60JRA0______________________05.01C05#4457572d414d444d303133353330203020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE00292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,d2,c5,74,da,9f,9d,40,81,2c,b9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,d2,c5,74,da,9f,9d,40,81,2c,b9,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
@DACL=(02 0010)
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@DACL=(02 0010)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1644)
c:\windows\system32\WININET.dll
c:\utils\SuperAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(1752)
c:\windows\system32\WININET.dll
.
Completion time: 2011-02-08 06:55:03
ComboFix-quarantined-files.txt 2011-02-08 11:54

Pre-Run: 36,490,870,784 bytes free
Post-Run: 36,990,111,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - ECDF5687FFE38640E30FECCAEE5B6C7E

Attached Files

  • log.txt (22.1KB)
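The two Gmer reports at the end of the log above rest on one check: sector 0 is read once through the normal user-mode path and once directly by the kernel, and the detector compares the two copies ("user != kernel MBR !!!"). A filter driver that hides its own MBR changes from ordinary reads leaves the two views differing while the partition table stays intact, which is exactly what the log shows. The following Python is an added example of that comparison; it is not code from the thread, from ComboFix, or from Gmer's tools. The sample sectors are constructed: the 39-byte boot-code prologue is the standard Windows XP MBR sequence that the detector disassembled after "kernel: MBR read successfully", the partition entry values are made up, and the "kernel view" has its boot code replaced with placeholder bytes rather than any real code.

```python
# Added example (not from the thread, ComboFix or Gmer's mbr.exe): compare a
# user-mode and a kernel-mode read of the MBR and classify where they differ.
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
PART_TABLE_OFF = 446   # four 16-byte partition entries start here
SIG_OFF = 510          # 0x55 0xAA boot signature


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of a 512-byte MBR's partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = mbr[off], mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        if type_id != 0:  # partition type 0 marks an unused slot
            entries.append(Partition(status == 0x80, type_id, lba_start, count))
    return entries


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open byte ranges [start, end) where two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("images must be the same length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_mbr_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Classify the differences between a user-mode and a kernel-mode read of sector 0."""
    ranges = diff_ranges(user_view, kernel_view)
    return {
        "match": not ranges,
        "diff_ranges": ranges,
        # boot code occupies bytes 0..445, the partition table 446..509
        "boot_code_differs": any(s < PART_TABLE_OFF for s, _ in ranges),
        "partition_table_differs": any(e > PART_TABLE_OFF and s < SIG_OFF for s, e in ranges),
        "signature_differs": any(e > SIG_OFF for _, e in ranges),
    }


# --- constructed sample data ---------------------------------------------------
# First 39 bytes of the standard Windows XP boot code; they decode to the
# instruction sequence the detector printed after "kernel: MBR read successfully".
XP_BOOT_PROLOGUE = bytes.fromhex(
    "33c0 8ed0 bc007c 8ec0 8ed8 be007c bf0006 b90002 fc f3a4 50 681c06 cb fb "
    "b90400 bdbe07 807e0000"
)
# One bootable NTFS (type 0x07) partition; CHS fields, start and length are made up.
PART_ENTRY = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 156_301_360)

CLEAN_MBR = (XP_BOOT_PROLOGUE.ljust(PART_TABLE_OFF, b"\x00")
             + PART_ENTRY + b"\x00" * 48 + b"\x55\xaa")

# What a filtered user-mode read returns (the original, clean sector) versus what
# the kernel actually sees on disk: identical partition table, but the boot code
# overwritten with placeholder bytes (constructed, not real code).
USER_VIEW = CLEAN_MBR
KERNEL_VIEW = (b"\x90" * 64).ljust(PART_TABLE_OFF, b"\x00") + CLEAN_MBR[PART_TABLE_OFF:]


if __name__ == "__main__":
    result = compare_mbr_views(USER_VIEW, KERNEL_VIEW)
    print("partitions:", parse_partition_table(KERNEL_VIEW))
    print("user == kernel" if result["match"] else "user != kernel MBR", result)
```

Run as-is, the script reports a mismatch confined to the boot-code area with the partition table and signature untouched, the same pattern as the log's verdict. The same `diff_ranges` comparison applies to the trailing sectors the detector also checks ("sectors 156301486 (+255): user != kernel"); only the MBR-specific classification in `compare_mbr_views` assumes a 512-byte sector 0.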


#6 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 08 February 2011 - 03:17 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.
#7 whigbee
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Male

Posted 08 February 2011 - 06:29 PM

1st of all, I want to once again express my appreciation and gratitude to you for
your unselfish sharing of time and talent with me to defeat the issue on my PC.

The program found/made one change.
I followed your instructions and am attaching the report file as you ask.

whigbee
#8 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 February 2011 - 02:49 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

I'd also like a fresh DDS log and tell me if the redirections you've been suffering have now dried up, or not.

So long, and thanks for all the fish.
#9 whigbee
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Male

Posted 09 February 2011 - 03:04 PM

Thanks for the next set of instructions.

Since I followed the previous procedure yesterday, the misbehaviour seems to
have stopped. I'm going to run for a day or two to make sure all is well.
But if my issues are solved, I'm thinking it would not be necessary to take
any further corrective action.

I'll let you know in my next post.

And once again, I'm grateful to you for your unselfish gift of time and talent
to me, an unknown PC user.

Cheers,
Bill Higbee

#10 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 February 2011 - 04:51 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.