
Infected with root something and google keeps redirecting


  • This topic is locked
4 replies to this topic

#1 tony241

tony241

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 15 March 2011 - 09:51 PM

At first I started getting redirected within my browsers, firefox and chrome. Now, however, chrome is unusable and firefox is very slow and crashes frequently. I'm also experiencing problems opening programs after a short period of 15 minutes. Nothing will be able to be opened, virus scanners nor other programs. I have tried running spybot, malware, and other anti-virus programs. They are able to find the same problems, even after I had already previously removed them.

- My computer stalled; I will update the next post with the DDS log file. Unfortunately, every time I use GMER it causes my computer to shut down.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by tony at 19:00:29.04 on Tue 03/15/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2331 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\tony.SEXY-TONY\Local Settings\Apps\F.lux\flux.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\tony.SEXY-TONY\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.fr/cse?cx=partner-pub-1296532731545970:s7rnojdkqis&ie=ISO-8859-1&q=&sa=Rechercher
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: T10QP3808 Class: {4f4693cd-2b4d-42bd-b512-d2ab0f74d30c} - c:\program files\ietoolbar\google toolbar\frame_search.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Google Toolbar: {5de50a7b-9b62-ddbe-1ba3-c385294e418f} - c:\program files\ietoolbar\google toolbar\frame_search.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [F.lux] "c:\documents and settings\tony.sexy-tony\local settings\apps\f.lux\flux.exe" /noshow
uRun: [SecurityCenter] c:\documents and settings\tony.sexy-tony\application data\desktop security\securitycenter.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-system: kctmpjispcfftumgxlrnTaskMgr = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tony~1.sex\applic~1\mozilla\firefox\profiles\7enrfdqd.default\
FF - plugin: c:\documents and settings\tony.sexy-tony\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\tony.sexy-tony\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\tony.sexy-tony\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
.
============= SERVICES / DRIVERS ===============
.
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-2-27 12672]
S2 tzxryro;Center Boot;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 xhqnvu;mulqdcse;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\tony~1.sex\locals~1\temp\alsysio.sys --> c:\docume~1\tony~1.sex\locals~1\temp\ALSysIO.sys [?]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\tony.sexy-tony\desktop\realtemp\WinRing0.sys [2010-8-18 14416]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-6-27 234888]
S4 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-6-27 68136]
.
=============== Created Last 30 ================
.
2011-03-08 04:22:16 -------- d-----w- c:\docume~1\tony~1.sex\applic~1\Malwarebytes
2011-03-08 04:22:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-08 04:22:05 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-03-08 04:22:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-08 04:22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 11:28:52 -------- d-----w- c:\docume~1\tony~1.sex\locals~1\applic~1\LogMeIn Hamachi
2011-02-28 13:16:53 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\bGlOkAn08514
2011-02-24 03:53:08 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\MFAData
2011-02-23 23:23:13 -------- d-----w- c:\docume~1\tony~1.sex\applic~1\OfferBox
2011-02-23 22:46:42 -------- d-----w- c:\program files\IEToolbar
2011-02-23 22:46:27 135168 --sha-r- c:\windows\system32\normnfkdd.dll
2011-02-15 02:24:45 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
.
==================== Find3M ====================
.
2011-03-15 09:31:20 16608 ----a-w- c:\windows\gdrv.sys
2008-10-21 18:45:29 19645 ----a-w- c:\program files\common files\okisy.bat
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L250R0 rev.BAJ41G20 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T1L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5AA735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5b0990]; MOV EAX, [0x8a5b0a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF16A] -> \Device\Harddisk0\DR0[0x8A668AB8]
3 CLASSPNP[0xBA0E8FCF] -> ntkrnlpa!IofCallDriver[0x804EF16A] -> \Device\0000006b[0x8A66BF18]
5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF16A] -> [0x8A658940]
\Driver\atapi[0x8A5EE848] -> IRP_MJ_CREATE -> 0x8A5AA735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T1L0-3 -> \??\IDE#DiskMaxtor_6L250R0__________________________BAJ41G20#354c573958314858202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5AA57B
\Driver\atapi -> 0x8a69a1f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:01:48.67 ===============

EDIT: Posts merged ~BP

Edited by Budapest, 15 March 2011 - 10:08 PM.




#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:51 PM

Posted 18 March 2011 - 08:56 PM

Hi

Please do the following:

Download Combofix from either of the links below. You must rename it to iexplore before saving it.
Save it to your desktop. Change the save as file type to "all files"

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 tony241

tony241
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 19 March 2011 - 07:28 AM

First of all, thank you so much for your assistance!

The log from combo fix:


ComboFix 11-03-18.03 - tony 03/19/2011 7:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2946 [GMT -7:00]
Running from: c:\documents and settings\tony.SEXY-TONY\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\tony.SEXY-TONY\Application Data\Desktop Security
c:\documents and settings\tony.SEXY-TONY\Application Data\MSA
c:\documents and settings\tony.SEXY-TONY\Application Data\OfferBox
c:\documents and settings\tony.SEXY-TONY\Application Data\OfferBox\config.xml
c:\documents and settings\tony.SEXY-TONY\Application Data\Sun\lfmt.txt
c:\documents and settings\tony.SEXY-TONY\Application Data\Sun\mxd1.txt
c:\documents and settings\tony\Cookies\capoxa.exe
c:\documents and settings\tony\Cookies\odemilym.inf
c:\documents and settings\tony\Cookies\zuwiwud.lib
c:\documents and settings\tony\Local Settings\Temporary Internet Files\ejas.vbs
c:\documents and settings\tony\Local Settings\Temporary Internet Files\fezomajyso.reg
C:\install.exe
c:\program files\IEToolbar
c:\program files\IEToolbar\Google Toolbar\arrow_refresh.png
c:\program files\IEToolbar\Google Toolbar\basis.xml
c:\program files\IEToolbar\Google Toolbar\cog.png
c:\program files\IEToolbar\Google Toolbar\computer_delete.png
c:\program files\IEToolbar\Google Toolbar\frame_search.crc
c:\program files\IEToolbar\Google Toolbar\frame_search.dll
c:\program files\IEToolbar\Google Toolbar\Google.bmp
c:\program files\IEToolbar\Google Toolbar\icons.bmp
c:\program files\IEToolbar\Google Toolbar\info.txt
c:\program files\IEToolbar\Google Toolbar\options.html
c:\program files\IEToolbar\Google Toolbar\TbCommonUtils.dll
c:\program files\IEToolbar\Google Toolbar\tbhelper.dll
c:\program files\IEToolbar\Google Toolbar\TbHelper2.exe
c:\program files\IEToolbar\Google Toolbar\tbs_include_script_024945.js
c:\program files\IEToolbar\Google Toolbar\tbs_include_script_029031.js
c:\program files\IEToolbar\Google Toolbar\tbu08803\arrow_refresh.png
c:\program files\IEToolbar\Google Toolbar\tbu08803\basis.xml
c:\program files\IEToolbar\Google Toolbar\tbu08803\cog.png
c:\program files\IEToolbar\Google Toolbar\tbu08803\computer_delete.png
c:\program files\IEToolbar\Google Toolbar\tbu08803\frame_search.crc
c:\program files\IEToolbar\Google Toolbar\tbu08803\frame_search.dll
c:\program files\IEToolbar\Google Toolbar\tbu08803\Google.bmp
c:\program files\IEToolbar\Google Toolbar\tbu08803\icons.bmp
c:\program files\IEToolbar\Google Toolbar\tbu08803\info.txt
c:\program files\IEToolbar\Google Toolbar\tbu08803\options.html
c:\program files\IEToolbar\Google Toolbar\tbu08803\TbCommonUtils.dll
c:\program files\IEToolbar\Google Toolbar\tbu08803\tbhelper.dll
c:\program files\IEToolbar\Google Toolbar\tbu08803\TbHelper2.exe
c:\program files\IEToolbar\Google Toolbar\tbu08803\tbs_include_script_024945.js
c:\program files\IEToolbar\Google Toolbar\tbu08803\tbs_include_script_029031.js
c:\program files\IEToolbar\Google Toolbar\tbu08803\uninstall.exe
c:\program files\IEToolbar\Google Toolbar\tbu08803\update.exe
c:\program files\IEToolbar\Google Toolbar\tbu08803\version.txt
c:\program files\IEToolbar\Google Toolbar\tbu08803\your_logo.png
c:\program files\IEToolbar\Google Toolbar\uninstall.exe
c:\program files\IEToolbar\Google Toolbar\update.exe
c:\program files\IEToolbar\Google Toolbar\version.txt
c:\program files\IEToolbar\Google Toolbar\your_logo.png
c:\program files\Netcom3 Cleaner
c:\windows\system32\config\systemprofile\Application Data\OfferBox
c:\windows\system32\config\systemprofile\Application Data\OfferBox\config.xml
c:\windows\system32\spool\prtprocs\w32x86\x1793y7.dll
c:\windows\system32\spool\prtprocs\w32x86\x179c1s.dll
c:\windows\system32\spool\prtprocs\w32x86\xg317k31g9.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SSHNAS
.
.
((((((((((((((((((((((((( Files Created from 2011-02-19 to 2011-03-19 )))))))))))))))))))))))))))))))
.
.
2011-03-15 09:37 . 2011-03-15 09:37 -------- d-----w- c:\documents and settings\Administrator.SEXY-TONY.000
2011-03-08 04:22 . 2011-03-08 04:22 -------- d-----w- c:\documents and settings\tony.SEXY-TONY\Application Data\Malwarebytes
2011-03-08 04:22 . 2011-03-08 04:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-03-08 04:22 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-08 04:22 . 2011-03-08 04:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-08 04:22 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 11:28 . 2011-03-15 06:42 -------- d-----w- c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\LogMeIn Hamachi
2011-02-28 13:16 . 2011-03-08 05:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\bGlOkAn08514
2011-02-24 03:53 . 2011-02-24 03:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MFAData
2011-02-24 03:42 . 2011-02-24 03:42 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\Apple Computer
2011-02-24 03:42 . 2011-02-24 03:42 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Application Data\Apple Computer
2011-02-24 03:40 . 2011-02-24 03:42 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Apple Computer
2011-02-24 02:31 . 2011-02-24 02:31 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\vlc
2011-02-23 22:46 . 2011-02-23 22:46 135168 --sha-r- c:\windows\system32\normnfkdd.dll
2011-02-18 04:34 . 2011-02-18 04:35 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Adobe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 09:31 . 2009-06-28 02:12 16608 ----a-w- c:\windows\gdrv.sys
2008-10-21 18:45 . 2008-10-21 18:45 19645 ----a-w- c:\program files\Common Files\okisy.bat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"F.lux"="c:\documents and settings\tony.SEXY-TONY\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-06-28 288048]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"kctmpjispcfftumgxlrnTaskMgr"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m|\ [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ------r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ------r- c:\windows\alcwzrd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-15 01:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-03-04 21:31 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-02-13 11:04 136176 ----atw- c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-14 01:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2010-12-06 16:31 1910152 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 10:54 1242448 ----a-w- c:\program files\Steam\steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-06-28 06:35 288048 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdate"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"GEST Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ASKUpgrade"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ATI Smart"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\magic the gathering - duels of the planeswalkers\\DotP.exe"=
"c:\\Program Files\\GRETECH\\GomTVStreamer\\GomTVStreamerLive.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization v\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1760:TCP"= 1760:TCP:ipcrmnp
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/19/2009 1:39 AM 691696]
S2 tzxryro;Center Boot;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 4:56 PM 14336]
S2 xhqnvu;mulqdcse;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 4:56 PM 14336]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\tony.SEXY-TONY\Desktop\realtemp\WinRing0.sys [8/18/2010 6:42 AM 14416]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [6/27/2009 7:13 PM 68136]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xhqnvu
tzxryro
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-2049760794-839522115-1003Core.job
- c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-13 11:04]
.
2011-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-2049760794-839522115-1003UA.job
- c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-13 11:04]
.
2011-02-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-02-22 23:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\tony.SEXY-TONY\Application Data\Mozilla\Firefox\Profiles\7enrfdqd.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
BHO-{4F4693CD-2B4D-42BD-B512-D2AB0F74D30C} - c:\program files\IEToolbar\Google Toolbar\frame_search.dll
Toolbar-{5DE50A7B-9B62-DDBE-1BA3-C385294E418F} - c:\program files\IEToolbar\Google Toolbar\frame_search.dll
WebBrowser-{5DE50A7B-9B62-DDBE-1BA3-C385294E418F} - c:\program files\IEToolbar\Google Toolbar\frame_search.dll
HKCU-Run-SecurityCenter - c:\documents and settings\tony.SEXY-TONY\Application Data\Desktop Security\securitycenter.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-19 07:20
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tzxryro]
"ServiceDll"="c:\windows\system32\ekxjcbev.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xhqnvu]
"ServiceDll"="c:\windows\system32\ekxjcbev.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\browselc.dll
c:\program files\Microsoft Silverlight\xapauthenticodesip.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\SOUNDMAN.EXE
c:\windows\RTHDCPL.EXE
c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\documents and settings\tony.SEXY-TONY\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
**************************************************************************
.
Completion time: 2011-03-19 07:26:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-19 14:25
.
Pre-Run: 6,266,200,064 bytes free
Post-Run: 16,172,548,096 bytes free
.
- - End Of File - - EBF6871B97C20673D6C5C83F1C1EBB3E
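The DDS log in the first post and the ComboFix log above both expose the same small set of indicators: two services with random names (tzxryro, xhqnvu) hosted by `svchost.exe -k netsvcs` and backed by one shared ServiceDll, a hidden/system-attributed DLL dropped into system32, a garbage-prefixed TaskMgr policy, the Windows Firewall switched off, and a globally open TCP port. The following is an added triage script, not code from the thread or from the DDS/ComboFix authors; it runs a few regexes over log lines in those formats and reports the indicators. The `KNOWN_NETSVCS` allowlist is a hand-written assumption (a short, incomplete list of services that legitimately run in the netsvcs group on Windows XP), and the sample log is constructed from lines quoted in this thread.

```python
"""Triage DDS / ComboFix-style log lines for the indicators seen in this thread.

Added example (not BleepingComputer's or the tools' own code). Assumptions:
  - input is plain text in the DDS / ComboFix line formats quoted above;
  - KNOWN_NETSVCS is a deliberately short, hand-written allowlist.
"""
import re
from collections import defaultdict

# Assumption: a partial allowlist of services that normally run under
# "svchost.exe -k netsvcs" on Windows XP. Anything else in that group is
# worth a second look, since the tools hide known-good entries anyway.
KNOWN_NETSVCS = {
    "audiosrv", "bits", "browser", "cryptsvc", "dhcp", "dmserver", "ersvc",
    "eventsystem", "helpsvc", "lanmanserver", "lanmanworkstation", "netman",
    "nla", "rasman", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "themes", "trkwks", "w32time", "winmgmt",
    "wuauserv", "wzcsvc", "xmlprov",
}

# DDS / ComboFix service line: "S2 name;display name;image path [date size]"
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\[]+)")
# ComboFix dumps the service key followed by its ServiceDll value
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
SERVICE_DLL = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"', re.I)
# File listing: "... <size> <8-char attribute field> <path>" (e.g. --sha-r-)
FILE_ATTRS = re.compile(r"\s(?P<attrs>[-dasrhwt]{8})\s+(?P<path>[a-z]:\\.+)$", re.I)
# A policy named *TaskMgr that is not the real DisableTaskMgr value
TASKMGR_POLICY = re.compile(r'"?(?P<name>\w*TaskMgr)"?\s*=')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0', re.I)
OPEN_PORT = re.compile(r'^"\d+:(?:TCP|UDP)"\s*=\s*(?P<rule>\d+:\w+:\S+)', re.I)


def triage(log_text):
    """Return a list of (indicator, detail) tuples found in the log text."""
    findings = []
    dll_owners = defaultdict(set)   # ServiceDll path -> service names using it
    current_service = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_LINE.match(line)
        if m and "svchost.exe -k netsvcs" in m.group("path").lower():
            name = m.group("name").strip()
            if name.lower() not in KNOWN_NETSVCS:
                findings.append(("rogue-netsvcs", name))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            current_service = m.group("name")
            continue
        m = SERVICE_DLL.match(line)
        if m and current_service:
            dll_owners[m.group("dll").lower()].add(current_service)
            continue
        m = FILE_ATTRS.search(line)
        if m:
            attrs, path = m.group("attrs").lower(), m.group("path").lower()
            # hidden + system attributes on a file under the Windows directory
            if "s" in attrs and "h" in attrs and "\\windows\\" in path:
                findings.append(("hidden-system-file", m.group("path")))
            continue
        m = TASKMGR_POLICY.search(line)
        if m and m.group("name").lower() != "disabletaskmgr":
            findings.append(("odd-taskmgr-policy", m.group("name")))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("firewall-disabled", line))
            continue
        m = OPEN_PORT.match(line)
        if m:
            findings.append(("open-port", m.group("rule")))
    # One DLL registered as the ServiceDll of several services is a classic
    # sign of a single implant with multiple persistence entries.
    for dll, owners in sorted(dll_owners.items()):
        if len(owners) > 1:
            findings.append(("shared-servicedll", f"{dll} <- {', '.join(sorted(owners))}"))
    return findings


# Constructed sample: lines taken from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-2-27 12672]
S2 tzxryro;Center Boot;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 xhqnvu;mulqdcse;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
2011-02-23 22:46:27 135168 --sha-r- c:\windows\system32\normnfkdd.dll
2011-03-08 04:22:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
uPolicies-system: kctmpjispcfftumgxlrnTaskMgr = 0 (0x0)
"EnableFirewall"= 0 (0x0)
"1760:TCP"= 1760:TCP:ipcrmnp
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tzxryro]
"ServiceDll"="c:\windows\system32\ekxjcbev.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xhqnvu]
"ServiceDll"="c:\windows\system32\ekxjcbev.dll"
"""

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:20s} {detail}")
```

The script reports seven findings for the sample: the two rogue netsvcs entries, the hidden system32 DLL, the TaskMgr policy with the random prefix, the disabled firewall, the open port 1760 rule, and the ServiceDll shared by both services. It only flags; the actual clean-up is what the CFScript in the next reply does by removing those same services, files and registry values.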

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:51 PM

Posted 19 March 2011 - 08:58 AM

Hi

Please do the following:

NOTE: Please allow ComboFix to install the Recovery Console


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic385278.html/page__view__findpost__p__2174980

Collect::
c:\program files\Common Files\okisy.bat
c:\windows\system32\ekxjcbev.dll
c:\windows\system32\normnfkdd.dll

Folder::
c:\documents and settings\All Users.WINDOWS\Application Data\bGlOkAn08514

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"kctmpjispcfftumgxlrnTaskMgr"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1760:TCP"=-

Driver::
tzxryro
xhqnvu

NetSvc::
xhqnvu
tzxryro

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:51 PM

Posted 25 March 2011 - 05:33 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

