Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Windows Repair + Browser redirect problem


  • This topic is locked This topic is locked
5 replies to this topic

#1 kodar

kodar

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:54 PM

Posted 29 March 2011 - 06:00 PM

Dear Malware debuggers,

My system (Windows XP machine) came under attack by Window Repair malware on 27march , 2011.
I tried my best to thrash it out from my laptop but only have been partially successful so far.
I have listed down my current problems below:

-- Browser redirect problem.
-- Plays system alert sound every minute.
-- I might not be aware of any more hidden problems.

If you can help me in getting my machine back into healthy state that would be grand. Moreover, any suggestions to
save my computer from future attacks are most welcome.

I have attached all the logs which are of your interest.

NB: running gmer.exe on my m/c crashed every single time, though i somehow managed to save the logs and not sure if they
solve the purpose.

Many Thanks,
XXX

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:54 PM

Posted 29 March 2011 - 06:48 PM

Hello kodar,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
TDSSKIller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 kodar

kodar
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:54 PM

Posted 01 April 2011 - 06:26 PM

Hi Mate,

Thanks alot for your help , my machine seems to be running fine but still occasional browser redirects are occuring.
TDSSKiller didn't do any operation when i tried running it , though comboFix performed pretty well.
Please find attached comboFix log along with this reply.

ComboFix 11-04-01.01 - amisin 02/04/2011 0:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2937.2403 [GMT 1:00]
Running from: c:\documents and settings\amisin.CHRONOS\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-03-29 21:07 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-29 21:07 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-29 21:07 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-29 21:07 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-29 21:07 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-29 21:07 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-29 21:07 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-29 21:07 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-29 21:01 . 2011-03-29 21:01 -------- d-----w- C:\5b03ed425fde27eda49a1144
2011-03-27 16:22 . 2011-03-27 16:22 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Application Data\Malwarebytes
2011-03-27 16:22 . 2011-03-27 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-27 16:22 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 16:22 . 2011-03-27 16:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-27 13:37 . 2011-03-27 13:37 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Local Settings\Application Data\Threat Expert
2011-03-27 13:27 . 2011-01-07 13:54 767952 ----a-w- c:\windows\BDTSupport.dll
2011-03-27 13:27 . 2011-01-07 13:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-03-27 13:27 . 2011-01-07 13:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-03-27 13:27 . 2011-01-07 13:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-03-27 13:25 . 2011-01-17 08:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-03-27 13:25 . 2010-07-16 13:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-03-27 13:25 . 2010-07-16 13:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-03-27 13:25 . 2010-12-10 12:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-03-27 13:25 . 2010-12-10 15:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-03-27 13:25 . 2010-12-16 07:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-03-27 13:25 . 2011-03-27 16:37 -------- d-----w- c:\program files\PC Tools Security
2011-03-27 13:25 . 2011-03-27 13:25 -------- d-----w- c:\program files\Common Files\PC Tools
2011-03-27 13:25 . 2011-03-27 13:25 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Application Data\PC Tools
2011-03-27 13:25 . 2011-03-27 16:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-03-27 13:23 . 2011-03-27 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-03-26 19:03 . 2011-03-29 21:01 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Application Data\Zaon
2011-03-26 19:03 . 2011-03-27 15:09 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Application Data\Unrore
2011-03-21 20:31 . 2011-03-21 20:31 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-03-21 13:44 . 2011-03-25 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-03-20 10:54 . 2011-03-20 10:54 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Application Data\CommitMonitor
2011-03-20 09:25 . 2011-03-20 10:53 -------- d-----w- c:\program files\3GPplayer2010
2011-03-20 09:24 . 2011-03-21 20:31 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Local Settings\Application Data\Conduit
2011-03-20 09:24 . 2011-03-20 09:24 -------- d-----w- c:\program files\Conduit
2011-03-20 09:24 . 2011-03-30 08:02 -------- d-----w- c:\documents and settings\amisin.CHRONOS\Local Settings\Application Data\Reganam
2011-03-20 09:24 . 2011-03-21 20:31 -------- d-----w- c:\program files\Reganam
2011-03-05 13:39 . 2011-03-05 13:39 323624 ----a-w- c:\windows\system32\wiaaut.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-07-17 10:14 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-07-17 10:14 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2008-07-17 11:18 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-07-17 11:18 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-07-17 10:14 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-07-17 10:14 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 10:54 . 2011-03-27 13:27 2125 ----a-w- c:\windows\UDB.zip
2011-03-18 17:53 . 2011-03-29 21:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-01_22.40.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-17 10:14 . 2011-04-01 22:33 72766 c:\windows\system32\perfc009.dat
+ 2008-07-17 10:14 . 2011-04-01 22:43 72766 c:\windows\system32\perfc009.dat
+ 2008-07-17 10:14 . 2011-04-01 22:43 445032 c:\windows\system32\perfh009.dat
- 2008-07-17 10:14 . 2011-04-01 22:33 445032 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{db9d7a78-a76c-4bf2-97c6-258925ee1542}"= "c:\program files\Reganam\prxtbReg0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Reganam\prxtbReg0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{db9d7a78-a76c-4bf2-97c6-258925ee1542}"= "c:\program files\Reganam\prxtbReg0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DB9D7A78-A76C-4BF2-97C6-258925EE1542}"= "c:\program files\Reganam\prxtbReg0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 08:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"Google Update"="c:\documents and settings\amisin.CHRONOS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-31 136176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"SmartVoip"="c:\program files\SmartVoip.com\SmartVoip\SmartVoip.exe" [2010-12-15 12909872]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-12-25 2356088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16860672]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-08-07 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"TPSODDCtl"="TPSODDCtl.exe" [2007-11-15 118784]
"TPSMain"="TPSMain.exe" [2007-11-15 299008]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2008-05-19 86016]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2006-03-06 114688]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2007-10-05 172032]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-08-05 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-04 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-04 141848]
"TFNF5"="TFNF5.exe" [2006-04-10 622592]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-04-29 367128]
"TOSHIBA_3G_UTY"="c:\program files\Toshiba\3GUty\TW3GCTRL.exe" [2008-07-17 1581056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\amisin.CHRONOS\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-14 2979144]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
"ConnectHomeDirToRoot"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-21 17:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-03-23 21:40 196608 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartVoip]
2010-12-15 09:17 12909872 ----a-w- c:\program files\SmartVoip.com\SmartVoip\SmartVoip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\SmartVoip.com\\SmartVoip\\SmartVoip.exe"=
"c:\\Documents and Settings\\amisin.CHRONOS\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [27/03/2011 14:25 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [27/03/2011 14:25 338880]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [11/01/2008 23:58 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [04/09/2007 11:14 6528]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [15/02/2007 17:00 26624]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [17/07/2008 13:29 5888]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [28/12/2010 09:48 158736]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [28/12/2010 09:46 42960]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [17/07/2008 13:29 114688]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R2 TW3GSVC;3G RF Power Control Utility;c:\program files\Toshiba\3GUty\tw3gsvc.exe [17/12/2010 10:35 110592]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [17/12/2010 10:33 2058776]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [07/02/2007 17:00 2944]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [17/07/2008 11:14 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [17/12/2010 16:03 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [17/07/2008 12:36 41216]
R3 Sony_EricssonWWSC;Toshiba F3507g Mobile Broadband USIM Port;c:\windows\system32\drivers\toshscard.sys [19/08/2008 03:14 24232]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [17/07/2008 13:18 435072]
R3 toshbus;Toshiba F3507g Mobile Broadband Device driver (WDM);c:\windows\system32\drivers\toshbus.sys [19/08/2008 03:14 300544]
R3 toshcard;Toshiba F3507g Mobile Broadband Device Management;c:\windows\system32\drivers\toshcard.sys [19/08/2008 03:14 376960]
R3 toshgps;Toshiba F3507g Mobile Broadband GPS Port;c:\windows\system32\drivers\toshgps.sys [19/08/2008 03:14 72232]
R3 toshmdfl;Toshiba F3507g Mobile Broadband Modem Filter;c:\windows\system32\drivers\toshmdfl.sys [19/08/2008 03:14 14976]
R3 toshmdfl2;Toshiba F3507g Mobile Broadband Data Modem Filter;c:\windows\system32\drivers\toshmdfl2.sys [19/08/2008 03:14 14976]
R3 toshmdm;Toshiba F3507g Mobile Broadband Modem Driver;c:\windows\system32\drivers\toshmdm.sys [19/08/2008 03:14 385536]
R3 toshmdm2;Toshiba F3507g Mobile Broadband Data Modem Driver;c:\windows\system32\drivers\toshmdm2.sys [19/08/2008 03:14 430080]
R3 toshnd5;Toshiba F3507g Mobile Broadband Network Adapter (NDIS);c:\windows\system32\drivers\toshnd5.sys [19/08/2008 03:14 25856]
R3 toshunic;Toshiba F3507g Mobile Broadband Network Adapter (WDM);c:\windows\system32\drivers\toshunic.sys [19/08/2008 03:14 402816]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [22/12/2010 16:31 109328]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [22/12/2010 16:31 120208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/12/2010 23:46 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [18/11/2008 19:17 23888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [28/12/2010 19:53 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [28/12/2010 19:53 8456]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 11:25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 22:37 4640000]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [27/03/2011 14:25 366840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 22:46]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-31 22:46]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-308236825-682003330-1540Core.job
- c:\documents and settings\amisin.CHRONOS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-28 22:46]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-308236825-682003330-1540UA.job
- c:\documents and settings\amisin.CHRONOS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-28 22:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uk.maxiwe.com
mStart Page = hxxp://www.uk.maxiwe.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: {20146262-B365-4864-930B-AE736AB5B97D} = 172.31.1.1,195.40.1.36
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\amisin.CHRONOS\Application Data\Mozilla\Firefox\Profiles\h64g30sm.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-02 00:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2116)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
.
Completion time: 2011-04-02 00:09:44
ComboFix-quarantined-files.txt 2011-04-01 23:09
ComboFix2.txt 2011-04-01 22:41
.
Pre-Run: 222,163,894,272 bytes free
Post-Run: 222,145,568,768 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg
.
- - End Of File - - 19C0DF9DB2759C0833E89F813D4911C4


Best Regards,
XXX

Edited by kodar, 01 April 2011 - 06:29 PM.


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:54 PM

Posted 01 April 2011 - 09:41 PM

Hello,

I see no signs of malware in your log. Let's try a couple other things.

1.
Do you connect to the internet through a router? If so we need to reset that router.
How to Reset your Router.
This may not be your exact router but the way you reset it will still apply to yours.

2.
Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Posted Image
Click the "Scan" button to start scan


Posted Image
On completion of the scan click save log, save it to your desktop and post in your next reply


3.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

4.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

5.
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



Things to include in your next reply::
aswMBr log
MBRCHECK log
MBAM log
RkuUnhooker log
A new DDS log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:54 PM

Posted 03 April 2011 - 12:13 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:54 PM

Posted 07 April 2011 - 05:01 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users