
Seriously Infected with Trojans, search Hijackers and more


68 replies to this topic

#1 feellikehomer


  • Members
  • 53 posts

Posted 24 April 2011 - 09:10 AM

Hello to anyone out there who reads this! About three weeks ago I had the "rogue" voicemail left on my Skype account, which opened itself and told me I had an infected machine. Around the same period my AVG Free 2011 system notified me that a link in an email was infected, though I cannot remember what it was, but I know it was a trojan. So that was blocked. I deleted the email. I work/amuse myself online promoting products and found that I had robots hitting my sites. I queried this with the company who is training me and they have said it's nothing to worry about as robots hit sites all the time.

I kept getting trojans picked up by AVG but it could not remove them. So I searched the net and I kept finding good reviews about STOPzilla. I bought the system and ran it alongside the free AVG system. It is incredibly slow at scanning and takes about two hours; I have been in touch with them, but it hasn't been resolved. They told me that AVG may be picking up on the quarantined infections in STOPzilla. (Of which I have over 100 infections in there!) Anyway, I have scanned with Kaspersky and they are trying to help, but I now cannot use avz-mini.exe to scan my machine as it goes unresponsive. They want that report to check my system! I'm waiting to hear from them. My mouse at the moment has a mind of its own and often goes where it wants to. I have trouble getting to pages on the net because I keep getting redirected. Or I get script errors pop up. My task bar at the bottom of the screen switches from the normal blue to a white background every now and then and in fact is white at the moment! I have trouble doing scans because AVG only allows you to turn off its system for 15 minutes and by the time I've set up a scan the timer has nearly run out. I have to keep going back to AVG to add more time, which must interfere with the scan results! So I'm going to remove AVG completely and just use STOPzilla and see what happens. But every time I disable my antivirus systems to scan with HijackThis (as required by Kaspersky) I get hit big time when I turn them/it back on and more infections have come in. I also get Firefox going unresponsive a lot, which is highly annoying to say the least! Especially when on Bleeping Computer or other antivirus sites! Feels like someone or something doesn't want me to sort this out!

Sorry for the long post, but this is the basic version of what's happening. It probably makes no sense, but it's really getting bad on my computer and I really don't know what to do or how to go about putting anything right.

Regards

feellikehomer


#2 fireman4it


  • Malware Response Team
  • 13,512 posts

Posted 24 April 2011 - 12:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

I would uninstall StopZilla as it has been known to give a lot of false positives.

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact you are running a 64-bit machine, please run the following tool and post its log.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.



Thanks and again sorry for the delay.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 feellikehomer


  • Members
  • 53 posts

Posted 24 April 2011 - 01:52 PM

Firstly, thank you so much for getting back to me. I cannot thank you enough! I have been struggling with this since 14th April which is when it all appeared to kick off.
Right, I hope I've got this right for you. The version of XP Professional is 5.1.2600 Service Pack 3 Build 2600. As far as I know it's 32 bit, but no, I do not have any installation discs.

I have included the scan results for dds and the MBR check. I hope I got this right. Well here goes;-

Attached files: DDS.txt (15.34KB), MBRCheck_04.24.11_19.39.23.txt (8.94KB), Attach.zip (1.69KB)

Have fun with my data

#4 fireman4it


  • Malware Response Team
  • 13,512 posts

Posted 24 April 2011 - 07:11 PM

Hello feellikehomer,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
We need to remove AVG Antivirus from your system. We will reinstall it when finished. AVG interferes with some of the tools we need to run. Please use AppRemover and remove AVG from your machine.


2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKiller log
Combofix.txt
How is your machine running now?



#5 feellikehomer


  • Members
  • 53 posts

Posted 25 April 2011 - 07:03 AM

Hi fireman4it. Wow this can all seem a bit overwhelming! I'm just so grateful you are guiding me, so thank you for your time.
I did the TDSSkiller scan and it came up with nothing.
I have completed the ComboFix scan and that is copied and pasted below. You ask how my computer is running now, well, I have already had one redirect to ebay, plus my task bar at the bottom of the screen has now gone from blue to white, but nothing else apart from that. As this is the only place I've come to so far since doing the fix, I can't really say. The ComboFix did have to reboot during the scan as it found a Rootkit problem, yet the TDSSkiller found nothing. I look forward to your comments;-

ComboFix 11-04-24.06 - My Computer 04/25/2011 12:34:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.285 [GMT 1:00]
Running from: c:\documents and settings\My Computer\My Documents\Downloads\Programs\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\My Computer\Templates\jcl665ep0rnlp562hps
c:\program files\Toolbar
c:\windows\system32\a
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-22 14:46 . 2011-04-22 14:46 388096 ----a-r- c:\documents and settings\My Computer\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-22 14:46 . 2011-04-22 14:46 -------- d-----w- c:\program files\Trend Micro
2011-04-21 15:06 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\93632872.sys
2011-04-21 15:06 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\9363287.sys
2011-04-21 15:06 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\93632871.sys
2011-04-21 14:50 . 2011-04-21 23:22 -------- d-----w- c:\documents and settings\Administrator
2011-04-21 14:36 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\14244162.sys
2011-04-21 14:36 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\14244161.sys
2011-04-21 14:36 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\1424416.sys
2011-04-21 10:53 . 2011-04-21 10:53 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-04-21 10:53 . 2011-04-21 10:53 -------- d-----w- c:\program files\Prevx
2011-04-21 10:51 . 2011-04-21 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2011-04-18 22:51 . 2011-04-19 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-04-18 22:44 . 2011-04-18 22:48 -------- d-----w- c:\documents and settings\My Computer\Application Data\GetRightToGo
2011-04-18 22:26 . 2011-04-18 22:26 -------- d-----w- c:\program files\Common Files\XoftSpySE
2011-04-18 22:26 . 2011-04-18 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2011-04-18 22:25 . 2011-04-18 23:42 -------- d-----w- c:\program files\XoftSpySE6
2011-04-18 20:30 . 2011-04-18 20:30 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\PCHealth
2011-04-18 13:11 . 2011-02-02 17:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-17 21:14 . 2011-04-17 21:14 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-17 14:55 . 2011-04-17 14:55 -------- d-----w- c:\program files\Tizerô Rootkit Razor
2011-04-17 13:37 . 2011-04-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spotmau
2011-04-17 13:37 . 2011-04-17 13:37 -------- d-----w- c:\documents and settings\My Computer\Application Data\spotmau
2011-04-17 13:37 . 2011-04-17 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\pc health check
2011-04-17 13:36 . 2011-04-17 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp360
2011-04-17 13:36 . 2010-11-23 15:44 380224 ----a-w- c:\windows\system32\TuneUp360.ocx
2011-04-17 13:36 . 2011-04-17 13:51 -------- d-----w- c:\program files\TuneUp360
2011-04-17 12:56 . 2011-04-17 12:56 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\PackageAware
2011-04-17 12:50 . 2011-04-18 12:24 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-17 12:50 . 2011-04-17 12:50 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-17 12:49 . 2011-04-17 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-16 18:28 . 2011-04-16 18:28 -------- d-----w- c:\documents and settings\My Computer\Application Data\DriverCure
2011-04-16 18:28 . 2011-04-16 18:28 -------- d-----w- c:\documents and settings\My Computer\Application Data\ParetoLogic
2011-04-16 18:27 . 2011-04-18 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-04-16 18:27 . 2011-04-16 18:27 -------- d-----w- c:\program files\ParetoLogic
2011-04-15 23:15 . 2011-04-15 23:15 -------- d-----w- c:\documents and settings\My Computer\Application Data\Edpe
2011-04-15 22:14 . 2011-04-24 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-15 20:09 . 2011-04-25 10:58 -------- d-----w- c:\documents and settings\My Computer\Application Data\Malwarebytes
2011-04-15 18:08 . 2011-04-15 18:08 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-14 19:10 . 2011-04-14 19:10 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\AVG Security Toolbar
2011-04-12 08:19 . 2011-04-12 08:19 172344 ----a-w- c:\program files\Mozilla Firefox\plugins\npatgpc.dll
2011-04-11 13:14 . 2011-04-17 20:04 -------- d-----w- c:\documents and settings\My Computer\Application Data\Siozem
2011-04-06 09:19 . 2011-04-06 09:19 -------- d-----w- c:\program files\Magical Jelly Bean
2011-04-05 11:05 . 2011-04-05 11:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-04 20:04 . 2011-04-04 20:04 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\Identities
2011-04-03 11:03 . 2011-04-03 11:03 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\Help
2011-04-02 21:37 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-03-29 21:46 . 2011-03-29 21:46 -------- d-----w- c:\windows\Sun
2011-03-29 17:24 . 2001-08-17 12:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-03-29 17:24 . 2008-04-13 23:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-03-29 11:52 . 2011-03-29 11:52 -------- d-----w- c:\documents and settings\My Computer\Application Data\PromoBuddy
2011-03-29 11:52 . 2011-03-29 11:52 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\FileMaker
2011-03-29 11:51 . 2011-04-01 18:00 -------- d-----w- c:\program files\Promo Buddy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 10:23 . 2011-03-11 10:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-11 10:23 . 2011-03-11 10:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-11 10:23 . 2011-03-11 10:23 436792 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
------- Sigcheck -------
.
[-] 2010-10-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-09-29 21:53 72336 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-09-29 3249504]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 14244162;14244162 Boot Guard Driver;c:\windows\system32\drivers\14244162.sys [4/21/2011 3:36 PM 37392]
R0 93632872;93632872 Boot Guard Driver;c:\windows\system32\drivers\93632872.sys [4/21/2011 4:06 PM 37392]
R1 14244161;14244161;c:\windows\system32\drivers\14244161.sys [4/21/2011 3:36 PM 128016]
R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 10:15 PM 22016]
R1 93632871;93632871;c:\windows\system32\drivers\93632871.sys [4/21/2011 4:06 PM 128016]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [3/11/2011 11:17 AM 78328]
R1 setup_9.0.0.722_21.04.2011_14-54drv;setup_9.0.0.722_21.04.2011_14-54drv;c:\windows\system32\drivers\9363287.sys [4/21/2011 4:06 PM 315408]
R2 KillTheHooker;KillTheHooker;c:\documents and settings\My Computer\Desktop\TDL3 Razor\TizerBruteForceEx.sys [4/17/2011 3:45 PM 22320]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [9/29/2010 7:43 PM 582424]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/11/2011 11:23 AM 436792]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-03-11 09:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\My Computer\Application Data\Mozilla\Firefox\Profiles\rouzcjct.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4da7374a&v=6.103.018.001&i=23&tp=ab&iy=&ychte=uk&lng=en-US&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\My Computer\Application Data\IDM\idmmzcc3
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 12:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\MYCOMP~1\LOCALS~1\Temp\RGI1.tmp 7075 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHT2040AH rev.006C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82323332
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'lsass.exe'(928)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-25 12:50:28
ComboFix-quarantined-files.txt 2011-04-25 11:50
.
Pre-Run: 33,330,155,520 bytes free
Post-Run: 33,402,159,104 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff
.
- - End Of File - - 4849ACA99AF3C0F57C3AE1913C0C163E
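An added triage script, written for this page rather than taken from ComboFix or from the helper, that reads the log format above and flags the items fireman4it acts on in his reply: the Security Center AntiVirusOverride/FirewallOverride values, the disabled firewall notifications, boot-start drivers with all-digit names, service entries whose driver file is gone from disk, and the "is missing !!" system file. The embedded log excerpt is constructed in the same format as the posted log; the finding categories and function names are my own.

```python
"""Triage a ComboFix log for the indicators discussed in this thread."""
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix log format, modelled on the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
R0 14244162;14244162 Boot Guard Driver;c:\windows\system32\drivers\14244162.sys [4/21/2011 3:36 PM 37392]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [3/11/2011 11:17 AM 78328]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/11/2011 11:23 AM 436792]
.
c:\windows\System32\wscntfy.exe ... is missing !!
"""

# Service lines look like: "R0 name;display name;path [date size]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


@dataclass
class Service:
    start: str         # R = running, S = stopped; digit is the start type (0 = boot)
    name: str
    display: str
    path: str
    file_missing: bool  # ComboFix prints "path --> path [?]" when the file is not on disk


def reg_int(value):
    """Normalise the two integer spellings ComboFix uses: 'dword:00000001' and ' 1 (0x1)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^(\d+)", value)
    return int(m.group(1)) if m else None


def parse_registry(text):
    """Return {key (lower-cased): {value name: raw value}} for every [key] block."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            blocks.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group("name")] = m.group("value")
        elif line.strip() in ("", "."):   # "." lines separate sections in ComboFix output
            current = None
    return blocks


def parse_services(text):
    """Parse the R*/S* service and driver lines into Service records."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if " --> " in rest and rest.endswith("[?]"):
            path, missing = rest.split(" --> ", 1)[0], True
        else:
            path, missing = rest.rsplit(" [", 1)[0], False
        services.append(Service(m.group("start"), m.group("name"), m.group("display"), path, missing))
    return services


def triage(text):
    """Return (category, detail) findings worth a human look; none of them is proof on its own."""
    findings = []
    for key, values in parse_registry(text).items():
        # Override values of 1 silence the Security Center warning that AV/firewall is off.
        if key.endswith("security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if reg_int(values.get(name, "")) == 1:
                    findings.append(("security-center-override", name))
        if "firewallpolicy" in key and reg_int(values.get("DisableNotifications", "")) == 1:
            findings.append(("firewall-notifications-disabled", key))
    for svc in parse_services(text):
        # All-digit names on boot/system-start drivers warrant review (security tools use them too).
        if svc.start in ("R0", "R1", "S0") and svc.name.isdigit():
            findings.append(("numeric-boot-driver", svc.name))
        if svc.file_missing:
            findings.append(("orphaned-service", svc.name))
    for line in text.splitlines():
        if line.rstrip().endswith("is missing !!"):
            findings.append(("missing-system-file", line.split(" ...")[0].strip()))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32s} {detail}")
```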

#6 fireman4it


  • Malware Response Team
  • 13,512 posts

Posted 25 April 2011 - 12:18 PM

Hello,

Well, there are still some signs of infection in your logs. I also see you have multiple antivirus and antispy programs on your machine; having that many could result in them using all your resources and each thinking the others are a virus. Please uninstall the following if they still exist.

Hitmanpro 3.5
XoftSpySE6
Tizerô Rootkit Razor
Prevx
PrevxCSI
PC Tools Antivirus



1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

File::
c:\docume~1\MYCOMP~1\LOCALS~1\Temp\RGI1.tmp
c:\windows\system32\drivers\14244162.sys 
c:\windows\system32\drivers\93632872.sys
c:\windows\system32\drivers\14244161.sys
c:\windows\system32\drivers\93632871.sys 
c:\windows\system32\drivers\9363287.sys 

Folder::
c:\documents and settings\My Computer\Application Data\Edpe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
"DisableUnicastResponsesToMulticastBroadcast"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=-
"NoRecentDocsNetHood"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-
"NoResolveTrack"=-
"NoRecentDocsNetHood"=-

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Driver::
14244162
93632872
14244161
93632871
setup_9.0.0.722_21.04.2011_14-54drv
is3srv
szkg5
szkgfs
TfFsMon
TfSysMon
TfNetMon


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
  • Go to Start -> Control Panel -> Network and Internet Connection ->Network Connections.
  • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click on the Properties option.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice.
  • Go to Start -> Run...
  • In the Open: field type cmd and click OK or hit Enter.
    This will open a Command Prompt.
  • At the DOS prompt screen, type in ipconfig /flushdns and then press Enter (notice the space between "ipconfig" and "/flushdns").
  • Exit the Command Prompt.
  • Reboot your PC and try to open any website.


3.
Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    tcpip.sys
    wscntfy.exe
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply

4.
Are you connected to the internet through a Router? If so we need to reset that router.
How to Reset my Router.

Things to include in your next reply::
Combofix.txt
SystemLook.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 feellikehomer (Topic Starter)

Posted 25 April 2011 - 01:12 PM

Thanks for getting back to me. You mention I have multiple antivirus systems on my machine. I have taken Tizer Rootkit off, but I don't know what XoftSpySE6 or Prevx/PrevxCSI are. Also, when you mention PC Tools, I know I have Registry Mechanic; is that the one you are referring to? I'm searching for Hitman Pro.


#8 fireman4it (Malware Response Team)

Posted 25 April 2011 - 01:18 PM

A lot of those are showing in your log; a lot of them may be leftover files. Once I know you have removed them I can go ahead and delete those files and folders.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 feellikehomer (Topic Starter)

Posted 25 April 2011 - 01:53 PM

Ok, as far as I can make out I have removed all the requested antivirus/malware programs. Do you want me to proceed with doing the CFScript now?

#10 fireman4it (Malware Response Team)

Posted 25 April 2011 - 03:01 PM

Hello,

Yes, please proceed on to the next step, which is ComboFix.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 feellikehomer (Topic Starter)

Posted 25 April 2011 - 03:59 PM

Hi there. Firstly, when ComboFix started it updated to a newer version. I hope this doesn't change anything for you!

Before I do step 2, I have a question please. I've got to the stage of "Obtain DNS server address automatically", BUT "Obtain IP address automatically" is also checked. Do I leave it checked or uncheck it?


Here's the ComboFix.txt:

ComboFix 11-04-25.01 - My Computer 04/25/2011 21:23:27.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.283 [GMT 1:00]
Running from: c:\documents and settings\My Computer\My Documents\Downloads\Programs\ComboFix.exe
Command switches used :: c:\documents and settings\My Computer\Desktop\CFScript.txt
.
FILE ::
"c:\docume~1\MYCOMP~1\LOCALS~1\Temp\RGI1.tmp"
"c:\windows\system32\drivers\14244161.sys"
"c:\windows\system32\drivers\14244162.sys"
"c:\windows\system32\drivers\9363287.sys"
"c:\windows\system32\drivers\93632871.sys"
"c:\windows\system32\drivers\93632872.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\eBXuxwSu.exe
c:\documents and settings\My Computer\Application Data\Edpe
c:\documents and settings\My Computer\Application Data\Edpe\muump.aqa
c:\windows\system32\drivers\14244161.sys
c:\windows\system32\drivers\14244162.sys
c:\windows\system32\drivers\9363287.sys
c:\windows\system32\drivers\93632871.sys
c:\windows\system32\drivers\93632872.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_14244161
-------\Legacy_14244162
-------\Legacy_93632871
-------\Legacy_93632872
-------\Legacy_SETUP_9.0.0.722_21.04.2011_14-54DRV
-------\Legacy_SZKG5
-------\Legacy_SZKGFS
-------\Legacy_TFFSMON
-------\Legacy_TFNETMON
-------\Legacy_TFSYSMON
-------\Service_14244161
-------\Service_14244162
-------\Service_93632871
-------\Service_93632872
-------\Service_is3srv
-------\Service_setup_9.0.0.722_21.04.2011_14-54drv
-------\Service_szkg5
-------\Service_szkgfs
-------\Service_TfFsMon
-------\Service_TfNetMon
-------\Service_TfSysMon
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-25 18:35 . 2011-04-25 18:35 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-25 18:35 . 2011-04-25 18:35 -------- d-----w- c:\windows\system32\xircom
2011-04-25 18:35 . 2011-04-25 18:35 -------- d-----w- c:\windows\srchasst
2011-04-25 18:35 . 2011-04-25 18:35 -------- d-----w- c:\program files\microsoft frontpage
2011-04-22 14:46 . 2011-04-22 14:46 388096 ----a-r- c:\documents and settings\My Computer\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-22 14:46 . 2011-04-22 14:46 -------- d-----w- c:\program files\Trend Micro
2011-04-21 14:50 . 2011-04-21 23:22 -------- d-----w- c:\documents and settings\Administrator
2011-04-21 14:36 . 2009-10-09 22:31 315408 ----a-w- c:\windows\system32\drivers\1424416.sys
2011-04-21 10:53 . 2011-04-21 10:53 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-04-21 10:53 . 2011-04-21 10:53 -------- d-----w- c:\program files\Prevx
2011-04-21 10:51 . 2011-04-21 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2011-04-18 22:51 . 2011-04-19 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-04-18 22:44 . 2011-04-25 18:16 -------- d-----w- c:\documents and settings\My Computer\Application Data\GetRightToGo
2011-04-18 22:26 . 2011-04-18 22:26 -------- d-----w- c:\program files\Common Files\XoftSpySE
2011-04-18 22:26 . 2011-04-18 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2011-04-18 22:25 . 2011-04-18 23:42 -------- d-----w- c:\program files\XoftSpySE6
2011-04-18 20:30 . 2011-04-18 20:30 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\PCHealth
2011-04-18 13:11 . 2011-02-02 17:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-17 21:14 . 2011-04-17 21:14 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-17 14:55 . 2011-04-25 17:52 -------- d-----w- c:\program files\Tizerô Rootkit Razor
2011-04-17 13:37 . 2011-04-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spotmau
2011-04-17 13:37 . 2011-04-17 13:37 -------- d-----w- c:\documents and settings\My Computer\Application Data\spotmau
2011-04-17 13:37 . 2011-04-17 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\pc health check
2011-04-17 13:36 . 2011-04-17 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp360
2011-04-17 13:36 . 2010-11-23 15:44 380224 ----a-w- c:\windows\system32\TuneUp360.ocx
2011-04-17 13:36 . 2011-04-17 13:51 -------- d-----w- c:\program files\TuneUp360
2011-04-17 12:56 . 2011-04-17 12:56 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\PackageAware
2011-04-17 12:50 . 2011-04-18 12:24 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-17 12:50 . 2011-04-17 12:50 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-17 12:49 . 2011-04-17 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-16 18:28 . 2011-04-16 18:28 -------- d-----w- c:\documents and settings\My Computer\Application Data\DriverCure
2011-04-16 18:28 . 2011-04-16 18:28 -------- d-----w- c:\documents and settings\My Computer\Application Data\ParetoLogic
2011-04-16 18:27 . 2011-04-18 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-04-16 18:27 . 2011-04-16 18:27 -------- d-----w- c:\program files\ParetoLogic
2011-04-15 22:14 . 2011-04-24 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-15 20:09 . 2011-04-25 10:58 -------- d-----w- c:\documents and settings\My Computer\Application Data\Malwarebytes
2011-04-15 18:08 . 2011-04-15 18:08 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-14 19:10 . 2011-04-14 19:10 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\AVG Security Toolbar
2011-04-12 08:19 . 2011-04-12 08:19 172344 ----a-w- c:\program files\Mozilla Firefox\plugins\npatgpc.dll
2011-04-11 13:14 . 2011-04-17 20:04 -------- d-----w- c:\documents and settings\My Computer\Application Data\Siozem
2011-04-06 09:19 . 2011-04-06 09:19 -------- d-----w- c:\program files\Magical Jelly Bean
2011-04-05 11:05 . 2011-04-05 11:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-04 20:04 . 2011-04-04 20:04 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\Identities
2011-04-03 11:03 . 2011-04-03 11:03 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\Help
2011-04-02 21:37 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-03-29 21:46 . 2011-03-29 21:46 -------- d-----w- c:\windows\Sun
2011-03-29 17:24 . 2001-08-17 12:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-03-29 17:24 . 2008-04-13 23:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-03-29 11:52 . 2011-03-29 11:52 -------- d-----w- c:\documents and settings\My Computer\Application Data\PromoBuddy
2011-03-29 11:52 . 2011-03-29 11:52 -------- d-----w- c:\documents and settings\My Computer\Local Settings\Application Data\FileMaker
2011-03-29 11:51 . 2011-04-01 18:00 -------- d-----w- c:\program files\Promo Buddy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 10:23 . 2011-03-11 10:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-11 10:23 . 2011-03-11 10:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-11 10:23 . 2011-03-11 10:23 436792 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
------- Sigcheck -------
.
[-] 2010-10-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-09-29 21:53 72336 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-09-29 3249504]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 10:15 PM 22016]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [3/11/2011 11:17 AM 78328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\My Computer\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\My Computer\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [9/29/2010 7:43 PM 582424]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/11/2011 11:23 AM 436792]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\My Computer\Application Data\Mozilla\Firefox\Profiles\rouzcjct.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4da7374a&v=6.103.018.001&i=23&tp=ab&iy=&ychte=uk&lng=en-US&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\documents and settings\My Computer\Application Data\IDM\idmmzcc3
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 21:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHT2040AH rev.006C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82366332
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"=multi:"system32\drivers\iaStor.sys\00system32\drivers\atapi.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\WININET.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-04-25 21:40:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-25 20:40
ComboFix2.txt 2011-04-25 11:50
.
Pre-Run: 33,583,321,088 bytes free
Post-Run: 33,532,514,304 bytes free
.
- - End Of File - - AA514A365987BA72F8B69DAC5482B35C
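The CFScript in post #6 and the ComboFix log above both rest on a handful of log patterns: drivers with purely numeric file names under system32\drivers, a kernel service whose image lives in a user profile folder, a Sigcheck line marked [-], and a system file reported as missing. The script below is an added example (it is not ComboFix's code and was not part of this thread) that pulls those indicators out of ComboFix log text so they can be reviewed in one place. The sample log is constructed from lines of the same shape as the ones posted, and the meaning attached to the [-] marker (a file that ComboFix's Sigcheck did not clear) is an assumption. Everything it lists is a review candidate, not a verdict: a legitimate tool such as the Tizer driver left on the Desktop shows up too.

```python
"""ComboFix log triage (added example; not ComboFix's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, shaped like the log lines posted in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\14244161.sys
c:\windows\system32\drivers\93632872.sys
c:\windows\system32\drivers\pxrts.sys
------- Sigcheck -------
[-] 2010-10-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
c:\windows\System32\wscntfy.exe ... is missing !!
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [3/11/2011 11:17 AM 78328]
S2 KillTheHooker;KillTheHooker;\??\c:\documents and settings\My Computer\Desktop\TDL3 Razor\TizerBruteForceEx.sys --> c:\documents and settings\My Computer\Desktop\TDL3 Razor\TizerBruteForceEx.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/11/2011 11:23 AM 436792]
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # numeric-driver | sigcheck-flagged | missing-file | service-in-profile
    detail: str  # file name, path or service name the finding refers to


# A .sys under system32\drivers whose name is digits only (the CFScript's Driver:: list).
NUMERIC_DRIVER = re.compile(r"(?i)\bc:\\windows\\system32\\drivers\\(\d+\.sys)\b")
# Sigcheck line: "[-] date . MD5 . size . . [version] . . path". "[-]" is taken here to
# mean the file did not pass the check (an assumption about the marker's meaning).
SIGCHECK_FLAG = re.compile(r"(?i)^\[-\] .*? \. ([0-9a-f]{32}) \. .*? \. (c:\\.+?)\s*$")
# "c:\...\file ... is missing !!"
MISSING_FILE = re.compile(r"(?i)^(c:\\.+?) \.\.\. is missing !!$")
# Service lines: "R1 name;display;image path [date size]" (start type R0-R3 / S0-S4).
SERVICE_LINE = re.compile(r"(?i)^([rs]\d) ([^;]+);([^;]*);(.+?) \[")
# Kernel drivers normally live under system32; a profile or temp folder is worth a look.
PROFILE_DIR = re.compile(r"(?i)\\(documents and settings|users|temp)\\")


def triage(log_text: str) -> list[Finding]:
    """Return the review candidates found in ComboFix log text, in first-seen order."""
    seen: dict[Finding, None] = {}  # dict used as an ordered set; the log lists paths twice
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := NUMERIC_DRIVER.search(line):
            seen.setdefault(Finding("numeric-driver", m.group(1).lower()), None)
        if m := SIGCHECK_FLAG.match(line):
            seen.setdefault(Finding("sigcheck-flagged",
                                    f"{m.group(2).lower()} md5={m.group(1).upper()}"), None)
        if m := MISSING_FILE.match(line):
            seen.setdefault(Finding("missing-file", m.group(1).lower()), None)
        if (m := SERVICE_LINE.match(line)) and PROFILE_DIR.search(m.group(4)):
            seen.setdefault(Finding("service-in-profile", m.group(2)), None)
    return list(seen)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

Feed it a saved C:\ComboFix.txt by reading the file into `triage()`; the numeric-driver and service-in-profile hits are the names you would carry into a CFScript's Driver:: section, and the Sigcheck and missing-file hits are the ones worth following up with a SystemLook :filefind, as the helper did here for tcpip.sys and wscntfy.exe.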

#12 fireman4it (Malware Response Team)

Posted 25 April 2011 - 07:08 PM

Hello,

"Before I do step 2, I have a question please. I've got to the stage of "Obtain DNS server address automatically", BUT "Obtain IP address automatically" is also checked. Do I leave it checked or uncheck it?"

Yes, leave it checked.

Can you burn CD's and have access to a USB Flash Drive?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 feellikehomer (Topic Starter)

Posted 26 April 2011 - 05:23 AM

Ok, I'll leave it checked. Yes, I do have a flash drive, but I'm not sure it hasn't been infected with my computer problem. Can I scan that before it's used? Though, as I now haven't got any virus system attached, how could I do that?

I do have a CD burner, but have never used it! I'll take a look at how that works in the meantime. But I have no sound as it's disappeared! Well, intermittent is more accurate. Sometimes it works: depends on what I'm listening to. I can hear videos played on the net, but cannot hear if I play a CD! Hmmm... isn't technology a wonderful thing? Actually it is...... I'd love to be able to understand the ins and outs of how it all works. Anyway, I digress....sorry.

Please let me know what you want me to do with the CD burn and flash drive scan for problems, as I am totally in your hands at the moment. When it comes to the router in stage 4, "resetting the router", does it matter what router you have? Might sound a strange question; I'm just worried I might mess it up. I'll get on with stage two etc. Many thanks

#14 feellikehomer (Topic Starter)

Posted 26 April 2011 - 06:05 AM

It's a pain again! On stage 3, I have got to "Obtain DNS servers automatically", as I messaged you earlier, and I've left "Obtain IP address automatically" checked as well.

But when I try to click twice on "OK" I can only click once; the pop-up closes, and it takes me back to Local Area Connection Properties. If I click it again (making that twice) nothing happens? It just closes the pop-up again, back to the Properties pop-up box. You mention "spacer.gif"? What is supposed to happen? Although it appears nothing has happened, has it? Do I carry on with stage 3 and do the cmd part or not?

I've just checked my router and there is no reset button. I have a router by a company called "Orange", as they run my package for the phone and Internet. Does this mean stage four is not for me? I have read "How to reset your router" but I don't think that's the one for my Livebox. I have included a link to "LiveBox - factory reset" for you to see if that's what you want to happen:

http://help.orange.co.uk/orangeuk/support/personal/232435

I hope it's ok to send the link, although you will have to copy and paste, I think, to get to it. (As if I need to tell you how to suck eggs : ).. )

Look forward to hearing from you, thank you

#15 fireman4it (Malware Response Team)

Posted 26 April 2011 - 06:29 AM

Hello,

Glad you asked first. :crazy: That is not a router. That would be a modem. So no need to reset it. I'm not worried about the flash drive being affected. Could you also post the SystemLook.txt? Are you still getting redirected?

Edited by fireman4it, 26 April 2011 - 06:30 AM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif




