
Xp home... xp anti-virus 2011. Need a fix please


  • This topic is locked
2 replies to this topic

#1 rogerrabbitsj

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:43 AM

Posted 07 March 2011 - 08:54 PM

Okay, so I have these pop-ups and messages saying my computer is infected. I know that the warning itself is fake. I tried clearing out old temp files and cookies via safe mode; when that didn't work I tried following the guide to preparing the computer before the use of malware removal software. Some programs such as gmer and defogger won't work (gives me a message asking me what program to use to open the aforementioned programs with .exe extension). I was only able to use dds to create a log that I will post below. Sorry if it sounds like a mess. But I hope the information provided may be enough for you all to give me some guidance on how to start cleaning up this mess.



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by admin at 17:27:57.89 on Mon 03/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.59 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;localhost
uSearchAssistant = hxxp://www.google.com
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {32564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\d68ovfgr.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo-Mp3Tube
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbarsearch.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtb04ff&clid=7a83da5f62f7412f8580eed78feabf9f&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbarsearch.com/?prt=pinballtb02ff&Keywords=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: ResultBar: {34EFA911-B536-4C08-BECE-CD5E55C875B0} - c:\program files\mozilla firefox\extensions\{34EFA911-B536-4C08-BECE-CD5E55C875B0}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: XULRunner: {BBED55C3-54A5-4003-99C1-0028B2D7C1FB} - c:\documents and settings\admin\local settings\application data\{BBED55C3-54A5-4003-99C1-0028B2D7C1FB}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: keyword.URL - hxxp://mp3tubetoolbarsearch.com/?prt=pinballtb02ff&Keywords=
FF - user.js: keyword.enabled - 1
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-3-7 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-3-7 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-3-7 656320]
R1 serv;serv;c:\windows\system32\drivers\ip4fw.sys [2011-3-7 8000]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-3-7 247760]
S0 dlsxyel;dlsxyel;c:\windows\system32\drivers\oynftsxa.sys --> c:\windows\system32\drivers\oynftsxa.sys [?]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [2008-12-8 220079]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-3-7 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-3-7 1150936]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\localservice\local settings\application data\mxo.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-03-08 01:04:58 323584 --sha-w- c:\docume~1\admin\locals~1\applic~1\iup.exe
2011-03-07 20:59:35 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\Threat Expert
2011-03-07 16:56:49 767952 ----a-w- c:\windows\BDTSupport.dll
2011-03-07 16:56:48 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-03-07 16:56:48 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-03-07 16:56:48 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-03-07 16:54:13 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-03-07 16:54:13 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-03-07 16:54:11 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-03-07 16:53:58 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-03-07 16:53:58 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-03-07 16:53:32 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-03-07 16:53:13 -------- d-----w- c:\program files\common files\PC Tools
2011-03-07 16:53:12 -------- d-----w- c:\program files\PC Tools Security
2011-03-07 16:53:12 -------- d-----w- c:\docume~1\admin\applic~1\PC Tools
2011-03-07 16:51:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-03-07 16:40:38 -------- d-----w- c:\program files\whitesmoketoolbar
2011-03-07 16:39:53 -------- d-----w- c:\program files\Drop Down Deals
2011-03-07 16:39:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-03-07 09:35:11 8000 ----a-w- c:\windows\system32\drivers\ip4fw.sys
2011-03-06 19:28:15 -------- d-----w- c:\program files\CCleaner
2011-03-06 07:33:12 -------- d-----w- c:\docume~1\admin\applic~1\DriverCure
2011-03-06 07:33:11 -------- d-----w- c:\docume~1\admin\applic~1\ParetoLogic
2011-03-06 07:32:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-03-06 06:43:15 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\PackageAware
2011-03-05 21:15:29 323584 --sha-w- c:\docume~1\admin\locals~1\applic~1\fil.exe
2011-03-05 21:07:23 323584 --sha-w- c:\docume~1\admin\locals~1\applic~1\iqj.exe
2011-03-05 21:07:03 323584 --sha-w- c:\docume~1\admin\locals~1\applic~1\vko.exe
2011-03-03 12:33:45 -------- d-----w- c:\program files\Yontoo Layers Client
.
==================== Find3M ====================
.
2010-02-27 03:13:51 549888 ----a-w- c:\program files\OTL.exe
2010-02-26 13:43:09 136946 ----a-w- c:\program files\Ryan's surprise.exe
2010-02-26 13:40:22 215786 ----a-w- c:\program files\mbam-setup.exe
2003-08-27 22:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_2F040L0 rev.VAM51JJ0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x82F6F439]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f757b8]; MOV EAX, [0x82f75834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F51AB8]
3 CLASSPNP[0xF853905B] -> nt!IofCallDriver[0x804E37D5] -> [0x82F9A920]
5 PCTCore[0xF8403099] -> nt!IofCallDriver[0x804E37D5] -> [0x82F97D98]
\Driver\atapi[0x82F887F8] -> IRP_MJ_CREATE -> 0x82F6F439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_2F040L0__________________________VAM51JJ0#3146594336544554202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F6F27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:30:31.04 ===============

Edited by boopme, 07 March 2011 - 09:02 PM.




#2 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:43 AM

Posted 07 March 2011 - 10:22 PM

Hi

Please do the following:

Download Combofix from either of the links below. You must rename it to iexplore before saving it.
Save it to your desktop. Change the "save as" file type to "all files".

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------



If it won't run in normal mode, then boot into safe mode and run it:

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safemode
  • Then press the Enter key on your keyboard
  • Go into your usual account

Edited by CatByte, 07 March 2011 - 10:30 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
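As an added example (not code from the thread or from BleepingComputer), a small Python triage script that runs the checks a helper would apply to the DDS log posted above: the exefile association (the reason gmer and defogger asked which program to open .exe files with, and why ComboFix is renamed before running), hidden+system executables under Application Data, a registered driver whose image file is missing, and the atapi DriverStartIo hook reported in the rootkit section. The sample lines are copied from the posted log; the check logic and the XP default handler value are my assumptions.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread,
# cut down to the entries the checks below look at.
SAMPLE_LOG = r"""
exefile="c:\documents and settings\localservice\local settings\application data\mxo.exe" -a "%1" %*
2011-03-08 01:04:58 323584 --sha-w- c:\docume~1\admin\locals~1\applic~1\iup.exe
2011-03-07 16:56:49 767952 ----a-w- c:\windows\BDTSupport.dll
2011-03-05 21:15:29 323584 --sha-w- c:\docume~1\admin\locals~1\applic~1\fil.exe
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-3-7 239168]
S0 dlsxyel;dlsxyel;c:\windows\system32\drivers\oynftsxa.sys --> c:\windows\system32\drivers\oynftsxa.sys [?]
\Driver\atapi DriverStartIo -> 0x82F6F27F
"""
# Windows XP default handler for the exefile class: the program itself plus its arguments.
XP_DEFAULT_EXEFILE = '"%1" %*'

def exefile_hijack(lines):
    """Return the exefile handler if it is not the XP default (every .exe launch
    is then routed through that program), else None."""
    for line in lines:
        if line.startswith("exefile="):
            handler = line[len("exefile="):].strip()
            return None if handler == XP_DEFAULT_EXEFILE else handler
    return None

def hidden_system_exes(lines):
    """Executables created with the hidden+system attributes (--sha-w-)."""
    pat = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \d+ --sha-w- (.+\.exe)$", re.I)
    return [m.group(1) for m in map(pat.match, lines) if m]

def missing_driver_files(lines):
    """Names of registered services/drivers whose image DDS reports missing ([?])."""
    return [l.split(";")[0].split(" ", 1)[1]
            for l in lines if re.match(r"^[RS]\d ", l) and l.endswith("[?]")]

def driver_hooks(lines):
    """(driver object, hooked routine) pairs from the 'detected hooks' section."""
    pat = re.compile(r"^(\\Driver\\\S+) (\S+) -> 0x[0-9A-Fa-f]+$")
    return [(m.group(1), m.group(2)) for m in map(pat.match, lines) if m]

def triage(log):
    """Run every check over a DDS log and collect the findings."""
    lines = log.splitlines()
    return {
        "exefile_hijack": exefile_hijack(lines),
        "hidden_system_exes": hidden_system_exes(lines),
        "missing_driver_files": missing_driver_files(lines),
        "driver_hooks": driver_hooks(lines),
    }
```

Each finding maps to a line in the posted log; a clean XP system returns None and empty lists for all four.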


#3 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:43 AM

Posted 13 March 2011 - 11:21 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
