Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect and svchost script injected


  • This topic is locked This topic is locked
4 replies to this topic

#1 isaac the k

isaac the k

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:18 PM

Posted 26 February 2011 - 08:19 PM

Computer started acting buggy, with random popups and all.
did a couple virus checks, and not much came up.
Google started redirecting.
noticed svchost problems in task manager - one of them was hogging over 140,000k memory
started getting debugging errors on svchost - opened it and viola! a script injection for a random website.
downloaded but have not yet run combofix. here's the log(s) for dds.
haven't run gmer yet - compy's too buggy and it's not opening up winZip for whatever reason... probably will restart? or is that a bad idea?

DDS (Ver_10-12-12.02) - NTFSx86
Run by Ben at 20:05:21.84 on Sat 02/26/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1166 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: AVG Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Documents and Settings\Ben\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ben\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
mRunServices: [WUSB11B.exe] c:\program files\wusb11 wlan monitor\WUSB11B.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli modipr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\7rj14sab.default\
FF - plugin: c:\documents and settings\ben\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\ben\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: XULRunner: {DE1D2905-DF18-4D10-BD72-FB60FE1332EA} - c:\documents and settings\hp_owner\local settings\application data\{DE1D2905-DF18-4D10-BD72-FB60FE1332EA}
FF - Ext: XULRunner: {2DBD0322-6DFC-410D-AAE9-781C2758FFC4} - c:\documents and settings\ben\local settings\application data\{2DBD0322-6DFC-410D-AAE9-781C2758FFC4}
FF - Ext: XULRunner: {3003D1DB-2CA6-4FB1-802A-14864F3F0355} - c:\documents and settings\hp_owner\local settings\application data\{3003D1DB-2CA6-4FB1-802A-14864F3F0355}
FF - Ext: XULRunner: {DBFD6D0D-A0B0-4D70-A5D4-4BB80AC3B9B7} - c:\documents and settings\ben\local settings\application data\{DBFD6D0D-A0B0-4D70-A5D4-4BB80AC3B9B7}
FF - Ext: XULRunner: {E4026145-045F-43CA-8D22-2365A9B9D0D1} - c:\documents and settings\hp_owner\local settings\application data\{E4026145-045F-43CA-8D22-2365A9B9D0D1}
FF - Ext: XULRunner: {173AAD6C-5EC5-4B73-B599-66BC9CD33E24} - c:\documents and settings\ben\local settings\application data\{173AAD6C-5EC5-4B73-B599-66BC9CD33E24}
FF - Ext: XULRunner: {568A60B2-44D8-4E5F-83FD-C60D3086021E} - c:\documents and settings\hp_owner\local settings\application data\{568A60B2-44D8-4E5F-83FD-C60D3086021E}
FF - Ext: XULRunner: {2673BBB5-E9CE-4776-B567-88513A587057} - c:\documents and settings\ben\local settings\application data\{2673BBB5-E9CE-4776-B567-88513A587057}
FF - Ext: XULRunner: {9F43198E-25BC-41AA-A504-A1D4EE3ABE40} - c:\documents and settings\hp_owner\local settings\application data\{9F43198E-25BC-41AA-A504-A1D4EE3ABE40}
FF - Ext: XULRunner: {13E313D7-E2B6-48E7-81BA-0181902054A7} - c:\documents and settings\hp_owner\local settings\application data\{13E313D7-E2B6-48E7-81BA-0181902054A7}
FF - Ext: XULRunner: {4A2587F0-A506-4781-90D6-51D545032DB9} - c:\documents and settings\ben\local settings\application data\{4A2587F0-A506-4781-90D6-51D545032DB9}
FF - Ext: XULRunner: {E97FBE85-598C-46FD-A1BB-BCF24D7F8DC0} - c:\documents and settings\hp_owner\local settings\application data\{E97FBE85-598C-46FD-A1BB-BCF24D7F8DC0}
FF - Ext: XULRunner: {9833571D-E896-4515-8417-6B48EFEEB47F} - c:\documents and settings\ben\local settings\application data\{9833571D-E896-4515-8417-6B48EFEEB47F}
FF - Ext: XULRunner: {F32FF0A4-B60D-4FD9-8F38-C9C32985600A} - c:\documents and settings\ben\local settings\application data\{F32FF0A4-B60D-4FD9-8F38-C9C32985600A}
FF - Ext: XULRunner: {A0E4AF36-BE55-4628-87B4-CA7E1F5C6787} - c:\documents and settings\ben\local settings\application data\{A0E4AF36-BE55-4628-87B4-CA7E1F5C6787}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-27 25608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]
R1 MpKslac645457;MpKslac645457;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{660713c5-47ba-49da-b371-d75943c46b68}\MpKslac645457.sys [2011-2-26 28752]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-2-26 67584]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-27 30104]
S0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S1 MpKsl4f993ecb;MpKsl4f993ecb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{660713c5-47ba-49da-b371-d75943c46b68}\mpksl4f993ecb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{660713c5-47ba-49da-b371-d75943c46b68}\MpKsl4f993ecb.sys [?]
S1 MpKsl646fc710;MpKsl646fc710;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be9d88c1-98d4-4a59-9766-665c1209df97}\mpksl646fc710.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{be9d88c1-98d4-4a59-9766-665c1209df97}\MpKsl646fc710.sys [?]
S1 MpKsl8f0c70fa;MpKsl8f0c70fa;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed3ee2d1-6f81-4c63-a47a-f0ea6ef65660}\mpksl8f0c70fa.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ed3ee2d1-6f81-4c63-a47a-f0ea6ef65660}\MpKsl8f0c70fa.sys [?]
S1 MpKsl9c4ac38e;MpKsl9c4ac38e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f25d6107-009d-4dd0-9022-b8caa46bf052}\mpksl9c4ac38e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f25d6107-009d-4dd0-9022-b8caa46bf052}\MpKsl9c4ac38e.sys [?]
S2 CobianBackup10;Cobian Backup 10;c:\program files\cobian backup 10\cbService.exe [2011-2-26 1125376]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-27 30104]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-27 122376]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-27 30216]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-27 25736]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2002-2-20 72576]
S4 avg9wd;AVG WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S4 avgfws9;AVG Firewall;"c:\program files\avg\avg9\avgfws9.exe" --> c:\program files\avg\avg9\avgfws9.exe [?]
S4 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-1-27 5832712]

=============== Created Last 30 ================

2011-02-27 01:01:41 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\Safe mirror
2011-02-27 00:58:24 -------- d-----w- c:\program files\Cobian Backup 10
2011-02-27 00:23:22 -------- d-----w- c:\program files\ESET
2011-02-26 23:50:02 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{660713c5-47ba-49da-b371-d75943c46b68}\MpKslac645457.sys
2011-02-25 20:34:17 -------- d-----w- c:\docume~1\ben\applic~1\Ikqav
2011-02-25 20:34:17 -------- d-----w- c:\docume~1\ben\applic~1\Ciulym
2011-02-22 23:35:18 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{660713c5-47ba-49da-b371-d75943c46b68}\mpengine.dll
2011-02-21 23:16:01 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\Identities
2011-02-14 16:29:43 -------- d-----w- C:\12b197230b2f8e462243a8
2011-02-14 00:30:46 -------- d-----w- c:\docume~1\ben\locals~1\applic~1\Intuit
2011-02-14 00:08:34 -------- d-----w- c:\program files\TurboTax
2011-02-13 23:49:58 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-13 23:49:25 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-02-13 23:48:41 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-02-13 23:48:41 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-02-13 23:48:41 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-02-13 23:48:41 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-02-13 23:48:41 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-02-13 23:48:41 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-02-13 23:48:41 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-02-13 23:48:41 117760 ------w- c:\windows\system32\prntvpt.dll
2011-02-13 23:48:40 -------- d-----w- C:\2fd66a87e772e8c424959e651d9e9ba4
2011-02-10 21:59:56 89680 ----a-w- c:\documents and settings\ben\MSSSerif120.fon
2011-01-28 16:09:56 -------- d-----w- c:\windows\TempD20FFA14-CF38-FF7D-809E-178F1F0A71ED-Signatures
2011-01-28 16:09:49 -------- d-----w- c:\program files\Microsoft Security Client

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ------w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160812AS rev.3.AHH -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A562439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5687b8]; MOV EAX, [0x8a568834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A572AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A58A5B8]
\Driver\atapi[0x8A296A58] -> IRP_MJ_CREATE -> 0x8A562439
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3160812AS_____________________________3.AHH___#5&1e79a9c8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A56227F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 20:09:15.79 ===============

BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:05:18 PM

Posted 27 February 2011 - 12:24 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 isaac the k

isaac the k
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:18 PM

Posted 27 February 2011 - 09:10 PM

Fortunately, we haven't really used the compy for anything sensitive over the past few days since before these problems started popping up.
Presently, I'm posting on another computer hooked up to a different monitor, and trying to work out issues on the original slimline, but it's being a pain.
particularly, combofix is reading avg as being installed so it won't run, but avg isn't appearing in the installed programs under windows, and i can't seem to find anything within the original avg\ directories that will enable me to uninstall it... short of a re-install?

At this point, i'm wondering if it's just better off to wipe the drive. I've got a lot of data/papers/pics/etc on the machine, so the question on that - is it safe to hook up the drive to another machine to pull data off of it? or is it a legit to fear that the virus could make the jump over to another compy?
I'm getting fed up with that old xp computer anyhow, so i'm just as inclined to wipe it and move it over to ubuntu or somesuch.

thanks for the help, ST.

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:05:18 PM

Posted 28 February 2011 - 12:26 PM

Hello isaac the k,

Sorry to hear about the issues you are experiencing when you tried to run ComboFix.

I've got a lot of data/papers/pics/etc on the machine, so the question on that - is it safe to hook up the drive to another machine to pull data off of it? or is it a legit to fear that the virus could make the jump over to another compy?

This is somewhat of a difficult question, because it really depends on what other infections may be present on your computer (i'm not able to see everything from the DDS log)

First thing is first. Lets remove the main infection so that we can have some wiggle room with things:

Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:


Now in regards to ComboFix, we can try to run the AVG removal tool to see if that will allow ComboFix to run for you:

AVG Removal Tool

Download and save AVG Removal Tool to your desktop

Run it to remove AVG. After this, please restart your computer.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:05:18 PM

Posted 03 March 2011 - 08:12 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users