Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Website Ad Redirecting


  • This topic is locked This topic is locked
16 replies to this topic

#1 RolandDT

RolandDT

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 28 April 2011 - 04:14 PM

When trying to search under Google and when simply typing links directly into the browser (Firefox) the page gets redirected to a seemingly random ad page. I've tried Malwarebytes and Hijack this with no success.

HijackThis Log File:
********************
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:16:47 PM, on 4/28/2011
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\EPC\Toolbar\EPSIBar.exe
C:\WINDOWS\System32\GRVSA.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: EPSI ToolBar.lnk = C:\EPC\Toolbar\EPSIBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - file://C:\Program Files\InterCAP\ActiveCGM\ActiveX\Acgm.cab
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 4215 bytes

Edited by RolandDT, 28 April 2011 - 04:18 PM.


BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:27 AM

Posted 28 April 2011 - 08:44 PM

Hi,

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 RolandDT

RolandDT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 29 April 2011 - 09:42 AM

DDS Log:
********
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 9:24:56.01 on Fri 04/29/2011
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.504.134 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\EPC\Toolbar\EPSIBar.exe
C:\WINDOWS\System32\GRVSA.exe
C:\ALLDATAW\Ace.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.com
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsito~1.lnk - c:\epc\toolbar\EPSIBar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - file://c:\program files\intercap\activecgm\activex\Acgm.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\rcz40zwh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2010-8-5 1714176]
S2 mrtRate;mrtRate; [x]
.
=============== Created Last 30 ================
.
2011-04-28 21:16:09 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-28 21:16:09 -------- d-----w- c:\documents and settings\owner\log
2011-04-28 19:08:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 19:08:30 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 18:57:49 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Sunbelt Software
2011-04-11 16:09:52 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-11 16:09:51 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-11 16:09:50 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-11 16:09:50 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-11 16:09:50 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-11 16:09:49 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-11 16:09:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-11 16:09:48 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120025A rev.4.06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x822424F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x822487d0]; MOV EAX, [0x8224884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804ED850] -> \Device\Harddisk0\DR0[0x82250B48]
3 CLASSPNP[0xF84C0022] -> nt!IofCallDriver[0x804ED850] -> \Device\00000055[0x822AEF18]
5 ACPI[0xF841812D] -> nt!IofCallDriver[0x804ED850] -> [0x82251B58]
\Driver\atapi[0x82258880] -> IRP_MJ_CREATE -> 0x822424F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; CLD ; REP MOVSB ; JMP FAR 0x7a0:0x52; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8224233B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:26:30.65 ===============

Gmer Log:
*********
GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-29 10:40:45
Windows 5.1.2600 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3120025A rev.4.06
Running: v2t8l4dc.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwtiquoc.sys


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D4571]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D4571] ZwCreateKey [0x804D4571]
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D4576]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D4576] ZwOpenKey [0x804D4576]

INT 0x03 \WINDOWS\system32\ntoskrnl.exe[unknown section] 804D457B
INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF6E416D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EF6E3FC2

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [06]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 3 Bytes [71, 45, 4D] {JNO 0x47; DEC EBP}
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2E8 80502764 3 Bytes [76, 45, 4D] {JBE 0x47; DEC EBP}
? wtfil.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xB586E000, 0x48011, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xB58C3224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xB58C3000, 0x4000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB57DD400, 0x6E1B2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5867220] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB5867220]
.protect˙˙˙˙hardlockunknown last code section [0xB5867000, 0x50EA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB5867000, 0x50EA, 0xE0000020]
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[172] ntdll.dll!NtProtectVirtualMemory 77F75F36 5 Bytes JMP 0099000A
.text C:\WINDOWS\Explorer.EXE[172] ntdll.dll!NtWriteVirtualMemory 77F76768 5 Bytes JMP 009A000A
.text C:\WINDOWS\Explorer.EXE[172] ntdll.dll!KiUserExceptionDispatcher 77FB4DAF 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtProtectVirtualMemory 77F75F36 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtWriteVirtualMemory 77F76768 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!KiUserExceptionDispatcher 77FB4DAF 5 Bytes JMP 007E000C
.text C:\WINDOWS\System32\svchost.exe[888] ole32.dll!CoCreateInstance 771C2087 5 Bytes JMP 0090000B
.text C:\WINDOWS\System32\svchost.exe[888] USER32.dll!GetCursorPos 77D441C0 5 Bytes JMP 0331000B
.text C:\WINDOWS\System32\svchost.exe[888] USER32.dll!WindowFromPoint 77D4466B 5 Bytes JMP 0332000A
.text C:\WINDOWS\System32\svchost.exe[888] USER32.dll!GetForegroundWindow 77D4686F 5 Bytes JMP 0333000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2628] USER32.dll!GetWindowInfo 77D4A937 5 Bytes JMP 104C7C37 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2628] USER32.dll!TrackPopupMenu 77D8DFE6 5 Bytes JMP 104C823A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2656] ntdll.dll!NtProtectVirtualMemory 77F75F36 5 Bytes JMP 01C9000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2656] ntdll.dll!NtWriteVirtualMemory 77F76768 5 Bytes JMP 01CA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2656] ntdll.dll!KiUserExceptionDispatcher 77FB4DAF 5 Bytes JMP 01C8000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3396] ntdll.dll!LdrLoadDll 77F55669 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 8224233B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8224233B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8224233B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8224233B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 8224233B
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DR3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+4 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@InstallService 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\CA2A7F1S.php 0 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\spc.ceickgjggfadafkengfhafbe.carousel.telemetryverification[1].xml 2367 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\tpl_player[1] 0 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\CAP33XVX.y%3D12 28 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\january-jones-fell[1].jpeg 2817 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\january-jones-fell[2].jpeg 36504 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\glamadapt_jsrv[5] 2496 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8355T2II\viewChannelModule[1].act 14019 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MLNT2SHM\CA2C1J76.html 11 bytes
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UZN8KCDN\newgc[1].css 0 bytes

---- EOF - GMER 1.0.15 ----

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:27 AM

Posted 29 April 2011 - 09:52 AM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



Note: If Combofix fails to run the first time > delete the copy you have on your desktop and download a fresh copy but rename it to iexplore before saving it to your desktop, run the renamed ComboFix, if it still wont run, try running it in safe mode.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 RolandDT

RolandDT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 29 April 2011 - 12:47 PM

ComboFix 11-04-28.03 - Owner 04/29/2011 13:19:47.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.504.193 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
.
c:\windows\system32\qmgr.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-29 17:59 . 2011-04-29 17:59 -------- d-----w- c:\documents and settings\Administrator
2011-04-29 14:28 . 2011-04-29 14:29 -------- d-----w- c:\program files\7-Zip
2011-04-28 21:16 . 2011-04-28 21:16 -------- d-----w- c:\documents and settings\Owner\log
2011-04-28 21:16 . 2011-04-28 21:16 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-28 19:08 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 19:08 . 2010-12-20 23:08 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 19:01 . 2011-04-28 19:41 -------- dc----w- c:\windows\system32\DRVSTORE
2011-04-28 18:57 . 2011-04-28 18:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2011-04-11 16:09 . 2011-04-11 16:09 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-11 16:09 . 2011-04-11 16:09 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-11 16:09 . 2011-04-11 16:09 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-11 16:09 . 2011-04-11 16:09 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-11 16:09 . 2011-04-11 16:09 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-11 16:09 . 2011-04-11 16:09 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
.
.
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
.
[-] 2002-12-12 14:14 . E5F6CF1886B4F103AC6C1728394523E5 . 1634304 . . [5.3.0000000.901 built by: DIRECTX] . . c:\windows\system32\d3d9.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-03 835654]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSI ToolBar.lnk - c:\epc\Toolbar\EPSIBar.exe [2004-3-1 196608]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
.
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [8/5/2010 4:57 PM 1714176]
S2 mrtRate;mrtRate; [x]
S3 Normandy;Normandy SR2; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rcz40zwh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 13:35
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120025A rev.4.06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x822A033B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(636)
c:\windows\System32\ODBC32.dll
c:\program files\Softex\OmniPass\opxpgina.dll
.
- - - - - - - > 'lsass.exe'(692)
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(952)
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\Omniserv.exe
c:\windows\System32\HPZipm12.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\wt\updater\wcmdmgr.exe
c:\windows\System32\GRVSA.exe
.
**************************************************************************
.
Completion time: 2011-04-29 13:44:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-29 18:44
.
Pre-Run: 24,677,568,512 bytes free
Post-Run: 24,940,564,480 bytes free
.
- - End Of File - - 0296BE34451E1D5DBA1DED13075EFAAF

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:27 AM

Posted 29 April 2011 - 03:04 PM

Hi

Please do the following:

Earlier on ComboFix installed the Recovery Console. We're going to use that now.
  • Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

    Posted Image


    Posted Image

  • When you get to the above screen, take note of the number that references your operating system.
  • If it's '1' like the picture above, type 1 and press Enter
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    Otherwise type in the password and then press enter.

    Posted Image

  • Next type FIXMBR

    Posted Image

  • If it asks if you're sure you want to write a new MBR, answer 'Y'
  • Then type EXIT to reboot the machine.



NEXT


Once that is completed, please rerun Combofix and post the resulting log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 RolandDT

RolandDT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 29 April 2011 - 03:27 PM

Before I proceed with this, how likely am I to lose the MBR and end up wiping the drive? This is a work computer, and I'm not 100% confident about the ability to restore the system given its age. I have the critical files on backup, but the rest of the system is another issue. I just don't want to be left stuck with a brick at the end of this.

Damn these fly-by malware programs. Not even sure how I got this one, but it seems it happened 2 days ago. Only odd thing I remember is the computer spontaneously rebooting on me, and ever since that I've had this problem. 24 years of working with computers, and this is the first serious malware I can ever remember contracting. Had to clean more than a few off other people's, though! First bootkit-based malware I've ever encountered. Wonderful stuff. Thanks for all your rapidly-supplied help thus far. I wasn't getting very far on my own, despite many hours and many tools.

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:27 AM

Posted 29 April 2011 - 06:48 PM

well, there are no guarantees with this unfortunately, the MBR you have is infected, your information on the computer may already have been compromised, there is no way of knowing. I have used this method to clean this new variant all week long and haven't lost one yet, but I can't guarantee it of course. It may be wiser for you to backup the documents you absolutely must have, then reformat and reinstall given that it is a work computer.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 RolandDT

RolandDT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 02 May 2011 - 08:52 AM

I understand. Just wanted your experience on how often things go to hell. ;) I'll give it a shot tonight after work - no sense trying to do it while I need the computer, just in case anything goes wrong. I can keep it disconnected from the network so as to not risk any further issues.

I'll cross my fingers and post the results / logs that you requested tonight, sometime around 6:30ish EDT.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:27 AM

Posted 02 May 2011 - 09:10 AM

Hi we have a tool at our disposal developed by GMER, that has been updated over the weekend to deal with this variant, give this a try first if you are uncomfortable with the Recovery Console method:

I need a scan first before I give instructions for removal

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


It will place a copy of the MBR on your desktop > zip it up and attach it to your next reply as well as post the log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 RolandDT

RolandDT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 02 May 2011 - 03:22 PM

Ha! Already did the Recovery Console bit to fix the MBR, and it went off without a hitch. Thanks for the offer, though! Glad to hear people are on top of this thing. Here's the resultant ComboFix log (BTW - it prompted me to update it; I declined, because I didn't want to take the risk of it being a trick by the virus / trojan / whatever, so if I have to re-run ComboFix with the new version let me know).

ComboFix 11-04-28.03 - Owner 05/02/2011 15:58:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.504.315 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\qmgr.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-04-29 19:24 . 2011-04-29 19:24 -------- d-----w- c:\program files\Common Files\Java
2011-04-29 19:23 . 2011-04-29 19:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-29 17:59 . 2011-04-29 17:59 -------- d-----w- c:\documents and settings\Administrator
2011-04-29 14:28 . 2011-04-29 14:29 -------- d-----w- c:\program files\7-Zip
2011-04-28 21:16 . 2011-04-28 21:16 -------- d-----w- c:\documents and settings\Owner\log
2011-04-28 21:16 . 2011-04-28 21:16 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-28 19:08 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 19:08 . 2010-12-20 23:08 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 19:01 . 2011-04-28 19:41 -------- dc----w- c:\windows\system32\DRVSTORE
2011-04-28 18:57 . 2011-04-28 18:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2011-04-11 16:09 . 2011-04-11 16:09 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-11 16:09 . 2011-04-11 16:09 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-11 16:09 . 2011-04-11 16:09 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-11 16:09 . 2011-04-11 16:09 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-11 16:09 . 2011-04-11 16:09 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-11 16:09 . 2011-04-11 16:09 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 19:22 . 2010-12-02 20:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
.
.
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
.
[-] 2002-12-12 14:14 . E5F6CF1886B4F103AC6C1728394523E5 . 1634304 . . [5.3.0000000.901 built by: DIRECTX] . . c:\windows\system32\d3d9.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-03 835654]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSI ToolBar.lnk - c:\epc\Toolbar\EPSIBar.exe [2004-3-1 196608]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
.
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [8/5/2010 4:57 PM 1714176]
S2 mrtRate;mrtRate; [x]
S3 Normandy;Normandy SR2; [x]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rcz40zwh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 16:08
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\System32\ODBC32.dll
c:\program files\Softex\OmniPass\opxpgina.dll
.
- - - - - - - > 'lsass.exe'(688)
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(168)
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\Omniserv.exe
c:\windows\System32\HPZipm12.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\wt\updater\wcmdmgr.exe
c:\windows\System32\GRVSA.exe
.
**************************************************************************
.
Completion time: 2011-05-02 16:16:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-02 21:16
ComboFix2.txt 2011-04-29 18:44
.
Pre-Run: 24,930,148,352 bytes free
Post-Run: 24,979,226,624 bytes free
.
- - End Of File - - DD06A07089881834A807417188125BA6

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:27 AM

Posted 02 May 2011 - 03:33 PM

Hi,

You can go ahead and let ComboFix update is it asks to do so.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FireFox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rcz40zwh.default\
FF - prefs.js: network.proxy.http_port - 50370

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 RolandDT

RolandDT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 03 May 2011 - 07:13 AM

ComboFix 11-05-02.03 - Owner 05/02/2011 17:37:44.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.504.372 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\qmgr.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-04-29 19:24 . 2011-04-29 19:24 -------- d-----w- c:\program files\Common Files\Java
2011-04-29 19:23 . 2011-04-29 19:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-29 17:59 . 2011-04-29 17:59 -------- d-----w- c:\documents and settings\Administrator
2011-04-29 14:28 . 2011-04-29 14:29 -------- d-----w- c:\program files\7-Zip
2011-04-28 21:16 . 2011-04-28 21:16 -------- d-----w- c:\documents and settings\Owner\log
2011-04-28 21:16 . 2011-04-28 21:16 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-28 19:08 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 19:08 . 2010-12-20 23:08 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 19:01 . 2011-04-28 19:41 -------- dc----w- c:\windows\system32\DRVSTORE
2011-04-28 18:57 . 2011-04-28 18:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2011-04-11 16:09 . 2011-04-11 16:09 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-11 16:09 . 2011-04-11 16:09 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-11 16:09 . 2011-04-11 16:09 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-11 16:09 . 2011-04-11 16:09 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-11 16:09 . 2011-04-11 16:09 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-11 16:09 . 2011-04-11 16:09 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 19:22 . 2010-12-02 20:09 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-11 16:09 . 2011-04-11 16:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
.
.
[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
.
[-] 2002-12-12 14:14 . E5F6CF1886B4F103AC6C1728394523E5 . 1634304 . . [5.3.0000000.901 built by: DIRECTX] . . c:\windows\system32\d3d9.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-03 835654]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSI ToolBar.lnk - c:\epc\Toolbar\EPSIBar.exe [2004-3-1 196608]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
.
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [8/5/2010 4:57 PM 1714176]
S2 mrtRate;mrtRate; [x]
S3 Normandy;Normandy SR2; [x]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rcz40zwh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 17:46
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\System32\ODBC32.dll
c:\program files\Softex\OmniPass\opxpgina.dll
.
- - - - - - - > 'lsass.exe'(688)
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(3624)
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\Omniserv.exe
c:\windows\System32\HPZipm12.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\wt\updater\wcmdmgr.exe
c:\windows\System32\GRVSA.exe
.
**************************************************************************
.
Completion time: 2011-05-02 17:54:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-02 22:54
ComboFix2.txt 2011-05-02 21:16
ComboFix3.txt 2011-04-29 18:44
.
Pre-Run: 24,960,905,216 bytes free
Post-Run: 24,954,445,824 bytes free
.
- - End Of File - - 0C9D329487D47A54F963C8F992C00D45

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6493

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

5/2/2011 6:06:03 PM
mbam-log-2011-05-02 (18-06-03).txt

Scan type: Quick scan
Objects scanned: 146478
Time elapsed: 9 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

C:\Documents and Settings\Owner\My Documents\Downloads\SmitfraudFix.exe multiple threats
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\runner.exe probably a variant of Win32/Agent.CBFNBEO trojan
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe probably a variant of Win32/Agent.CBFNBEO trojan
C:\WINDOWS\wt\backup\1.6.0.037\wcmdmgrl.exe Win32/Adware.WildTangent application
C:\WINDOWS\wt\updater\wcmdmgrl.exe Win32/Adware.WildTangent application

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:27 AM

Posted 03 May 2011 - 06:58 PM

Hi

Please do the following:

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 25 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 25 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u25 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT




ComboFix is reporting a few files missing and/or failing signature check, do you have access to an installation disk or another computer with the exact same operating system where we can copy them from?

c:\windows\system32\mspmsnsv.dll
c:\windows\system32\d3d9.dll
c:\windows\System32\wscntfy.exe
c:\windows\System32\xmlprov.dll

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 RolandDT

RolandDT
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:27 AM

Posted 03 May 2011 - 08:06 PM

Updated Java on Friday. I'll check for an XP installation disk to find the missing files. Anything else you notice that I should be aware of? Truly appreciate all the wonderful help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users