Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rogue:Win21/Winwebsec and Browser redirecting


  • This topic is locked This topic is locked
7 replies to this topic

#1 Bobo13

Bobo13

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 01 March 2011 - 02:44 PM

Hi, I had a pop-up virus scan show up 2 nights ago and then my desktop had a large red "Warning" with a message about my family, friends, etc. I tried running Microsoft Security Essentials, but it won't let me run anything relating to virus/spyware. IE is basically nonfunctioning and Firefox will only let me into a few sites. I did finally get MSE to run last night and it found/removed "Rogue:Win21/Winwebsec" twice. I tried running malware bytes, but that won't run either. My firewall has been shut down as well and won't reload. I did get the first log to run, but it will not let me run the GMER, after about 10 minutes it shuts my computer completely down. Here are the DDS and ATTACH logs, thanks!


DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Linda Fritsche at 12:53:05.21 on Tue 03/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2408 [GMT -6:00]

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Linda Fritsche\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: &Block this popup - c:\program files\charter high-speed security suite\anti-spyware\blockpopups.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {300DB664-75B5-47c0-8B45-A44ACCF73C00} - {0928F506-07E8-470c-979D-147C296D4879}
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} - hxxps://install.charter.com/diskless/bin/ssctlsma.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159580619390
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} - hxxp://expressit.broderbund.com/plugin/Download.cab
DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} - hxxp://update.hpphoto.com/download/HPSWUpdate.ocx
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lindaf~1\applic~1\mozilla\firefox\profiles\5dtuq4kg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
S1 MpKsl80f7132b;MpKsl80f7132b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\mpksl80f7132b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\MpKsl80f7132b.sys [?]
S1 MpKsl90936920;MpKsl90936920;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{60078f4c-e087-4bb0-a357-11bd986109bc}\MpKsl90936920.sys [2011-2-28 28752]
S1 MpKslcaf0ff10;MpKslcaf0ff10;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\mpkslcaf0ff10.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\MpKslcaf0ff10.sys [?]
S1 MpKslf8748595;MpKslf8748595;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{60078f4c-e087-4bb0-a357-11bd986109bc}\MpKslf8748595.sys [2011-2-28 28752]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2011-03-01 03:41:26 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{60078f4c-e087-4bb0-a357-11bd986109bc}\MpKsl90936920.sys
2011-03-01 00:46:43 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{60078f4c-e087-4bb0-a357-11bd986109bc}\MpKslf8748595.sys
2011-02-28 06:34:15 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{60078f4c-e087-4bb0-a357-11bd986109bc}\mpengine.dll
2011-02-28 06:22:41 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-28 06:22:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-28 06:22:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2011-02-28 04:56:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\aEnPnPg06308
2011-02-24 15:26:30 11447056 ----a-w- c:\documents and settings\all users\Tempmozy-autoupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
2011-02-10 01:03:34 11444496 ----a-w- c:\documents and settings\all users\Tempmozy-update-1f7fe3012a1778a4fc7c5075f2f61812.exe
2011-02-02 21:33:39 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-02-02 21:33:29 -------- d-----w- c:\program files\Microsoft Security Client

==================== Find3M ====================

2011-02-24 21:10:26 7572 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-04 19:02:15 11336456 ----a-w- c:\documents and settings\all users\Tempmozy-update-a31217e595a1463492ad999467f8f0a1.exe
2006-09-04 17:52:16 52247169 -c--a-w- c:\program files\pro.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AD04735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ad0a990]; MOV EAX, [0x8ad0aa0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8ADC2AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8AC24030]
\Driver\atapi[0x8ADC1B70] -> IRP_MJ_CREATE -> 0x8AD04735
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD2500JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AD0457B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:55:47.28 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:21 PM

Posted 01 March 2011 - 03:38 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 Bobo13

Bobo13
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 01 March 2011 - 09:37 PM

Thanks! Here's the combofix log... doesn't seem to be redirecting me anymore... yet. Still very slow at start up though.

ComboFix 11-02-28.07 - Linda Fritsche 03/01/2011 20:11:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2447 [GMT -6:00]
Running from: c:\documents and settings\Linda Fritsche\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2011-03-01 03:41 . 2011-03-01 03:41 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{60078F4C-E087-4BB0-A357-11BD986109BC}\MpKsl90936920.sys
2011-03-01 00:46 . 2011-03-01 00:46 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{60078F4C-E087-4BB0-A357-11BD986109BC}\MpKslf8748595.sys
2011-02-28 06:34 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{60078F4C-E087-4BB0-A357-11BD986109BC}\mpengine.dll
2011-02-28 06:22 . 2011-02-28 06:22 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-28 06:22 . 2011-02-28 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2011-02-28 04:56 . 2011-02-28 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\aEnPnPg06308
2011-02-24 15:26 . 2011-02-24 15:26 11447056 ----a-w- c:\documents and settings\All Users\Tempmozy-autoupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
2011-02-10 01:03 . 2011-02-10 01:03 11444496 ----a-w- c:\documents and settings\All Users\Tempmozy-update-1f7fe3012a1778a4fc7c5075f2f61812.exe
2011-02-02 21:33 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-02-02 21:33 . 2011-02-02 21:34 -------- d-----w- c:\program files\Microsoft Security Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 23:11 . 2010-07-19 05:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-13 09:41 . 2010-07-19 23:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-04 19:02 . 2011-01-04 19:01 11336456 ----a-w- c:\documents and settings\All Users\Tempmozy-update-a31217e595a1463492ad999467f8f0a1.exe
2010-12-21 00:09 . 2010-07-16 01:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-07-16 01:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-09-04 17:52 . 2006-09-04 17:52 52247169 -c--a-w- c:\program files\pro.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2011-02-08 19:24 3443000 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2011-02-08 19:24 3443000 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-28 98304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-02-28 26112]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-05-07 524288]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2011-2-8 3600184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
backup=c:\windows\pss\MozyHome Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SENS"=2 (0x2)
"RDSessMgr"=3 (0x3)
"ose"=3 (0x3)
"mnmsrvc"=3 (0x3)
"KodakCCS"=3 (0x3)
"ioloSystemService"=2 (0x2)
"ioloFileInfoList"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"NetSvc"=3 (0x3)
"mozybackup"=2 (0x2)
"LxrJD31s"=2 (0x2)
"idsvc"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"FSAUA"=3 (0x3)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)
"DSBrokerService"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:*:Disabled:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"62539:TCP"= 62539:TCP:PORT_62539
"40922:TCP"= 40922:TCP:PORT_40922
"16360:TCP"= 16360:TCP:PORT_16360
"13156:TCP"= 13156:TCP:PORT_13156
"53430:TCP"= 53430:TCP:PORT_53430
"39043:TCP"= 39043:TCP:PORT_39043
"30090:TCP"= 30090:TCP:PORT_30090
"60383:TCP"= 60383:TCP:PORT_60383
"46871:TCP"= 46871:TCP:PORT_46871
"51505:TCP"= 51505:TCP:PORT_51505
"6965:TCP"= 6965:TCP:PORT_6965
"39184:TCP"= 39184:TCP:PORT_39184
"43207:TCP"= 43207:TCP:PORT_43207

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 MpKsl90936920;MpKsl90936920;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{60078F4C-E087-4BB0-A357-11BD986109BC}\MpKsl90936920.sys [2/28/2011 9:41 PM 28752]
R1 MpKslf8748595;MpKslf8748595;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{60078F4C-E087-4BB0-A357-11BD986109BC}\MpKslf8748595.sys [2/28/2011 6:46 PM 28752]
S1 MpKsl80f7132b;MpKsl80f7132b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7EEA7B3-42DA-44D0-B40E-8D29B4808409}\MpKsl80f7132b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7EEA7B3-42DA-44D0-B40E-8D29B4808409}\MpKsl80f7132b.sys [?]
S1 MpKslcaf0ff10;MpKslcaf0ff10;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7EEA7B3-42DA-44D0-B40E-8D29B4808409}\MpKslcaf0ff10.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B7EEA7B3-42DA-44D0-B40E-8D29B4808409}\MpKslcaf0ff10.sys [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-11-07 08:04]

2011-03-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]

2011-02-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-12-02 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Block this popup - c:\program files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
FF - ProfilePath - c:\documents and settings\Linda Fritsche\Application Data\Mozilla\Firefox\Profiles\5dtuq4kg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-01 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-01 20:31:50
ComboFix-quarantined-files.txt 2011-03-02 02:31

Pre-Run: 112,029,167,616 bytes free
Post-Run: 112,411,566,080 bytes free

- - End Of File - - 9440AF8526327E66FA01F15E4B1AC0F1

Edited by Bobo13, 01 March 2011 - 10:34 PM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:21 PM

Posted 02 March 2011 - 03:07 PM

Good evening. :)

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.
  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of it's actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once you've done the above, do the below:

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving now.

So long, and thanks for all the fish.

 

 


#5 Bobo13

Bobo13
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 03 March 2011 - 12:45 AM

Phew! that took awhile. The ESET found one infected file. So far the computer is running good other than slow loading at start up.(I probably should also mention that the first DDS was run in safe mode as that was the only way I could get anything to run. The new log was run after a normal start up) I haven't been redirected at all or had any more pop-up warnings since running combofix. Thanks again for the help! Here are the logs...


ESET-

C:\Documents and Settings\Linda Fritsche\Application Data\Dell\Installers\PCTuneUp2.exe probably unknown NewHeur_PE virus

and new DDS-


DDS (Ver_10-12-12.02) - NTFSx86
Run by Linda Fritsche at 23:34:49.57 on Wed 03/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2178 [GMT -6:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\tcpsvcs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Linda Fritsche\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: &Block this popup - c:\program files\charter high-speed security suite\anti-spyware\blockpopups.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {300DB664-75B5-47c0-8B45-A44ACCF73C00} - {0928F506-07E8-470c-979D-147C296D4879}
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} - hxxps://install.charter.com/diskless/bin/ssctlsma.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159580619390
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} - hxxp://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/67/install/gtdownls.cab
DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} - hxxp://expressit.broderbund.com/plugin/Download.cab
DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} - hxxp://update.hpphoto.com/download/HPSWUpdate.ocx
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lindaf~1\applic~1\mozilla\firefox\profiles\5dtuq4kg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsla21ddfc3;MpKsla21ddfc3;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{35de5f4d-399c-4b79-ba58-a204b210554f}\MpKsla21ddfc3.sys [2011-3-2 28752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 MpKsl80f7132b;MpKsl80f7132b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\mpksl80f7132b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\MpKsl80f7132b.sys [?]
S1 MpKslcaf0ff10;MpKslcaf0ff10;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\mpkslcaf0ff10.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b7eea7b3-42da-44d0-b40e-8d29b4808409}\MpKslcaf0ff10.sys [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2011-03-03 03:20:50 -------- d-----w- c:\program files\ESET
2011-03-03 02:39:36 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{35de5f4d-399c-4b79-ba58-a204b210554f}\MpKsla21ddfc3.sys
2011-03-03 02:39:06 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{35de5f4d-399c-4b79-ba58-a204b210554f}\mpengine.dll
2011-03-02 01:55:12 98816 ----a-w- c:\windows\sed.exe
2011-03-02 01:55:12 89088 ----a-w- c:\windows\MBR.exe
2011-03-02 01:55:12 256512 ----a-w- c:\windows\PEV.exe
2011-03-02 01:55:12 161792 ----a-w- c:\windows\SWREG.exe
2011-02-28 06:22:41 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-28 06:22:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-28 06:22:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2011-02-28 04:56:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\aEnPnPg06308
2011-02-24 15:26:30 11447056 ----a-w- c:\documents and settings\all users\Tempmozy-autoupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
2011-02-10 01:03:34 11444496 ----a-w- c:\documents and settings\all users\Tempmozy-update-1f7fe3012a1778a4fc7c5075f2f61812.exe
2011-02-02 21:33:39 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-02-02 21:33:29 -------- d-----w- c:\program files\Microsoft Security Client

==================== Find3M ====================

2011-02-24 21:10:26 7572 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-04 19:02:15 11336456 ----a-w- c:\documents and settings\all users\Tempmozy-update-a31217e595a1463492ad999467f8f0a1.exe
2006-09-04 17:52:16 52247169 -c--a-w- c:\program files\pro.exe

============= FINISH: 23:35:35.57 ===============

Attached Files


Edited by Bobo13, 03 March 2011 - 12:55 AM.


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:21 PM

Posted 03 March 2011 - 03:52 PM

Good evening. :)

I'll split this into two parts, for a reason that will become obvious a little later.

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which i've used at one time or another) :

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The one problem that remains, apart from the boot-up speed which you'll need to post elsewhere on the forum for better minds than mine to look at, is an issue with Dell System Restore. This utility is designed to enable you to rewind your operating system back to the state that it was in when you turned the PC on for the very first time.
It relies on a custom Master Boot Record in order to work correctly, and which now won't work. The infection your PC had involved an infected MBR which had to be replaced to fix and the tool that fixed it uses a standard XP MBR which enables the PC to work fine as long as you don't want to access Dell System restore.

If your system came with a Recovery disk or gave you the ability to burn one yourself, then you are A-OK as you have a recovery option should you need it. If you don't have disks, then you have to decide what you want to do about it.
Option one is to contact Dell and get hold of the necessary disks, which isn't that grievous, or Option two is that we tweak the MBR to enable Dell SR to be accessed, if necessary. Although I don't have a great many repairs under my belt, they have all been successful, so really it is up to you as to how you wish to proceed.
It isn't the simplest procedure in the world, but it should be within our combined wit to sort things out.

So long, and thanks for all the fish.

 

 


#7 Bobo13

Bobo13
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 03 March 2011 - 06:42 PM

Hello again, I have installed a 3rd party firewall and run the other updates as suggested. I believe I did make a recovery disk when I set up the computer. If I can't locate it I will contact Dell regarding obtaining one. If I run into a problem with that, I will post to ask for help. Thank you again for all the help!

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:21 PM

Posted 05 March 2011 - 02:39 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users