XP Total Security Firewall Alert (Malware)


  • This topic is locked
5 replies to this topic

#1 pilotg

  • Members
  • 3 posts

Posted 29 April 2011 - 09:39 AM

This malware program called XP Total Security has taken over the computer and of course wants me to buy their program to remove infections.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by bsearls at 9:51:28.40 on Fri 04/29/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.80 [GMT -4:00]
.
AV: eTrust ITM *Enabled/Outdated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Starfield\offSyncService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\TEMP\wng703.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\bsearls\Application Data\dwm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\bsearls\Application Data\Microsoft\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\tbu6k.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\nnblfj.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\hbnw.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\lv2dhedf.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\mbmrzk.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\bw8zmm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
C:\Program Files\Starfield\StarfieldUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\lv2dhedf.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\mbmrzk.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\bw8zmm.exe
C:\Program Files\BigFix\bigfix.exe
C:\Documents and Settings\bsearls\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\nlvch.exe
C:\Documents and Settings\bsearls\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\bsearls\Local Settings\Application Data\moi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sc.exe
C:\WINDOWS\Pgynab.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\Pdf.exe
C:\Documents and Settings\bsearls\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\hbnw.exe
C:\WINDOWS\TEMP\wng703.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\tbu6k.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\sc.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\sc.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\sc.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\sc.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRxdm011YYUS&fl=0&ptb=0AS0ru1DHTojfC6c_meQSg&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55273
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uWinlogon: Shell=explorer.exe,c:\documents and settings\bsearls\application data\dwm.exe
uWindows: Load=c:\docume~1\bsearls\locals~1\temp\csrss.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: c:\windows\system32\m12dma5gy.dll: {e1b220c3-a500-99bd-a121-04b53a2c8952} - c:\windows\system32\m12dma5gy.dll
TB: IE Custom Tools: {efaf6ea3-615d-4f83-8748-2f7a576fcea6} - c:\program files\video add-on\ictmdl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none
uRun: [Google Update] "c:\documents and settings\bsearls\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [gStart] c:\garmin\gStart.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Starfield Updater] "c:\program files\starfield\StarfieldUpdate.exe"
uRun: [GHWAUC6NNZ] c:\docume~1\bsearls\locals~1\temp\Pdf.exe
uRun: [Dkubadebiritad] rundll32.exe "c:\windows\bduanm.dll",Startup
uRun: [506E7F4A_0] c:\docume~1\bsearls\locals~1\temp\iagu.exe
uRun: [PT25DHYRAW] c:\windows\Pgynab.exe
uRun: [HNUmrHTgrYX] c:\docume~1\bsearls\locals~1\temp\lv2dhedf.exe
uRun: [HNUmrHTgmxc] c:\docume~1\bsearls\locals~1\temp\mbmrzk.exe
uRun: [HNUmrHTgpjc] c:\docume~1\bsearls\locals~1\temp\bw8zmm.exe
uRun: [HNUmrHTgpjc] c:\docume~1\bsearls\locals~1\temp\bw8zmm.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [<NO NAME>]
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [VirusProtect 3.8] "c:\program files\virusprotect 3.8\VirusProtect 3.8.exe" /h
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\1.bin\M3PLUGIN.DLL,UPF
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [cftmon] c:\windows\system32\nlvch.exe
mRun: [Xkuloqoziyij] rundll32.exe "c:\windows\ibinonulurupohof.dll",Startup
mRun: [HNUmrHTgrYX] c:\docume~1\bsearls\locals~1\temp\lv2dhedf.exe
mRun: [HNUmrHTgmxc] c:\docume~1\bsearls\locals~1\temp\mbmrzk.exe
mRun: [HNUmrHTgpjc] c:\docume~1\bsearls\locals~1\temp\bw8zmm.exe
mRun: [conhost] c:\documents and settings\bsearls\application data\microsoft\conhost.exe
mExplorerRun: [some] c:\program files\video add-on\icthis.exe
mExplorerRun: [start] c:\program files\video add-on\isfmntr.exe
mExplorerRun: [wg7txmb] c:\windows\temp\wng703.exe
mExplorerRun: [z125] c:\docume~1\bsearls\locals~1\temp\tbu6k.exe
mExplorerRun: [ng26c36] c:\docume~1\bsearls\locals~1\temp\nnblfj.exe
mExplorerRun: [zyrk] c:\docume~1\bsearls\locals~1\temp\hbnw.exe
StartupFolder: c:\docume~1\bsearls\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\bsearls\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=GRxdm011YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://ssc0001.specialservicescorp.office:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://ssc0001.specialservicescorp.office:4343/officescan/console/ClientInstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://ssc0001.specialservicescorp.office:4343/officescan/console/ClientInstall/setup.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/myWebFaceInitialSetup1.0.1.2.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {317D68ED-6970-4BCB-9A79-B1B36B1BEDB7} - hxxp://www.jetnet.com/jetnetweb/JetnetRegisterControl.CAB
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://ssc0001.specialservicescorp.office:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171938371482
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {AB73C4A6-5859-42F5-8968-D61E1E86F1A9} - hxxp://www.jetnet.com/jetnetweb/ReportViewer.CAB
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://systemrequirementslab.com.s3.amazonaws.com/isiu/bin/srldetect_50.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.165.171,93.188.160.231
TCP: {0432B88A-559A-49FB-86E5-6F080AD55758} = 93.188.165.171,93.188.160.231
TCP: {AF750856-150A-40C7-9E30-80EFB7AF3C85} = 93.188.165.171,93.188.160.231
Handler: asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-cnote - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\m12dma5gy.dll: {e1b220c3-a500-99bd-a121-04b53a2c8952} - c:\windows\system32\m12dma5gy.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
.
============= SERVICES / DRIVERS ===============
.
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-2-12 24736]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [2007-2-12 10496]
S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-2-2 9344]
.
=============== Created Last 30 ================
.
2011-04-29 13:53:42 137 ----a-w- c:\docume~1\bsearls\applic~1\microsoft\gb_65828937.bat
2011-04-27 20:03:55 434176 ----a-w- c:\windows\system32\nlvch.exe
2011-04-27 18:36:06 434176 ----a-w- c:\windows\system32\bfaqm.exe
2011-04-27 18:10:33 176128 --sha-w- c:\windows\system32\8ue05.dll
2011-04-27 18:10:32 390342 --sha-w- c:\docume~1\bsearls\locals~1\applic~1\moi.exe
2011-04-27 17:44:08 159744 ----a-w- c:\windows\Pgynab.exe
2011-04-27 16:29:11 197632 ----a-w- c:\docume~1\bsearls\applic~1\dwm.exe
2011-04-27 16:24:00 0 ----a-w- c:\windows\Gsaxanesumid.bin
2011-04-27 16:23:58 -------- d-----w- c:\docume~1\bsearls\locals~1\applic~1\{958CA61E-0ABF-4EFE-82A5-64115BEFEC7B}
2011-04-27 16:23:43 274432 ----a-w- c:\windows\ibinonulurupohof.dll
2011-04-27 16:23:38 50000 ----a-w- c:\windows\system32\xksg22jk.dll
2011-04-27 16:23:38 50000 ----a-w- c:\windows\system32\qni97.dll
2011-04-27 16:23:38 50000 ----a-w- c:\windows\system32\m12dma5gy.dll
2011-04-27 16:23:09 186368 ----a-w- c:\docume~1\bsearls\applic~1\microsoft\conhost.exe
2011-04-27 16:23:02 214 ----a-w- c:\documents and settings\bsearls\delme.bat
2011-04-27 16:22:59 434176 ----a-w- c:\windows\system32\qedhj.exe
2011-04-27 16:21:01 159744 ----a-w- c:\windows\Pgynaa.exe
2011-04-27 16:20:59 157184 --sha-r- c:\windows\system32\c_10082I.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2005-08-31 12:38:12 1613847 ----a-w- c:\program files\demo.exe
2005-05-18 16:31:30 462848 ----a-w- c:\program files\FlashUpdate.exe
2004-08-31 15:38:38 2668908 ----a-w- c:\program files\CATS.exe
2004-08-19 14:43:58 24576 ----a-w- c:\program files\cpf.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS72108 rev.MC4O -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865DA439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865e07d0]; MOV EAX, [0x865e084c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x865EAAB8]
3 CLASSPNP[0xF769EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000a7[0x86F47700]
5 ACPI[0xF7495620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86FC6030]
\Driver\iaStor[0x86F13330] -> IRP_MJ_CREATE -> 0x865DA439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHTS721080G9SA00_________________________MC4OC10V#4&2777f00b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 9:58:27.29 ===============
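The DDS log above is the kind of artifact a responder triages by hand: executables carrying Windows system names (dwm.exe, csrss.exe, conhost.exe) running from the user's profile and Temp folders, Run keys and a Winlogon Shell= value pointing at those files, the browser proxy forced to 127.0.0.1:55273, the resolvers replaced with 93.188.165.171 and 93.188.160.231, and a hosts-file override. As an added example that is not part of the original post and not code from the DDS tool, the Python script below encodes those checks as rules and runs them over a handful of lines copied from the log (the sample is constructed from those lines plus one benign svchost entry). The severity labels, the `expected_dns` allow-list parameter and the rogue resolver range 93.188.160.0/21 (taken from public DNSChanger reporting, to be re-verified before relying on it) are the editor's assumptions, not anything the thread states.

```python
"""Rule-based triage of a DDS log for persistence and network-hijack indicators.

Added example; the sample lines are constructed from the DDS log in the post above.
"""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule line")

# Constructed sample: lines lifted from the log above, plus one benign svchost line.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\bsearls\Application Data\dwm.exe
C:\Documents and Settings\bsearls\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\bsearls\LOCALS~1\Temp\tbu6k.exe
uInternet Settings,ProxyServer = http=127.0.0.1:55273
uWinlogon: Shell=explorer.exe,c:\documents and settings\bsearls\application data\dwm.exe
uWindows: Load=c:\docume~1\bsearls\locals~1\temp\csrss.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GHWAUC6NNZ] c:\docume~1\bsearls\locals~1\temp\Pdf.exe
mRun: [cftmon] c:\windows\system32\nlvch.exe
mRun: [Xkuloqoziyij] rundll32.exe "c:\windows\ibinonulurupohof.dll",Startup
mExplorerRun: [wg7txmb] c:\windows\temp\wng703.exe
TCP: NameServer = 93.188.165.171,93.188.160.231
Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
"""

# Windows binary names that malware borrows; the real ones live in %SystemRoot%\system32
# (dwm.exe does not even exist on XP, so any dwm.exe on this machine is suspect).
SYSTEM_NAMES = {"dwm.exe", "csrss.exe", "conhost.exe", "ctfmon.exe", "svchost.exe",
                "explorer.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
USER_WRITABLE = re.compile(r"(?i)\\(temp|application data|applic~1|locals~1|docume~1)\\")
RUN_KEY = re.compile(r"^(?:u|m)(?:Explorer)?Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumption: range listed in public DNSChanger reporting as rogue resolvers.
ROGUE_DNS = [ipaddress.ip_network("93.188.160.0/21")]


def _path_of(cmd):
    """Return the file a Run-key command line actually loads (quoted path, or first token)."""
    m = re.search(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.strip().split(" ")[0]


def _near_miss(name):
    """Return the system binary whose name is a letter-shuffle of `name` (cftmon -> ctfmon)."""
    stem = name.lower()
    stem = stem[:-4] if stem.endswith(".exe") else stem
    for sysname in SYSTEM_NAMES:
        s = sysname[:-4]
        if stem != s and len(stem) == len(s) and sorted(stem) == sorted(s):
            return sysname
    return None


def triage(log_text, expected_dns=()):
    """Apply the rules to every line of a DDS log and return the findings in order."""
    findings = []
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if re.match(r"(?i)^[a-z]:\\", line):  # running-process line
            exe = line.split(" -k")[0]
            base = exe.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_NAMES and not exe.lower().startswith("c:\\windows\\system32\\"):
                findings.append(Finding("high", "system-binary name outside system32", line))
            elif USER_WRITABLE.search(exe):
                findings.append(Finding("medium", "process running from user-writable path", line))
            continue
        if low.startswith(("uwinlogon: shell=", "mwinlogon: shell=")):
            if low.split("=", 1)[1].strip() != "explorer.exe":  # anything appended runs at logon
                findings.append(Finding("high", "Winlogon Shell hijack", line))
            continue
        if low.startswith(("uwindows: load=", "mwindows: load=")) and low.split("=", 1)[1].strip():
            findings.append(Finding("high", "win.ini Load= persistence", line))  # empty when clean
            continue
        m = RUN_KEY.match(line)
        if m:
            target, mimic = _path_of(m.group("cmd")), _near_miss(m.group("name"))
            if USER_WRITABLE.search(target):
                findings.append(Finding("high", "Run key targets user-writable path", line))
            elif mimic:
                findings.append(Finding("high", f"Run key name mimics {mimic}", line))
            elif "rundll32" in low and re.match(r"(?i)^c:\\windows\\[^\\]+\.dll$", target):
                findings.append(Finding("medium", "rundll32 loads DLL from SystemRoot root", line))
            continue
        if "proxyserver" in low and "127.0.0.1" in low:
            findings.append(Finding("high", "browser proxy pointed at loopback", line))
            continue
        if low.startswith("tcp: nameserver"):
            for addr in re.findall(r"\d+\.\d+\.\d+\.\d+", line):
                ip = ipaddress.ip_address(addr)
                if any(ip in net for net in ROGUE_DNS):
                    findings.append(Finding("high", "resolver in known rogue DNS range", line))
                    break
                if expected and ip not in expected:
                    findings.append(Finding("medium", "resolver not in expected set", line))
                    break
            continue
        if low.startswith("hosts:"):
            findings.append(Finding("medium", "hosts file override", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns=("192.168.1.1",)):
        print(f"{f.severity:6} {f.rule:42} {f.line}")
```

Run it as-is to print the findings for the sample, or feed it a whole DDS log and pass the organisation's real resolver addresses in `expected_dns` so that any other NameServer value is reported. The rules are deliberately narrow so that a clean log produces nothing; they are a first pass for prioritising what to look at, not a substitute for the rootkit check that the MBR section of the log already raises.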


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 29 April 2011 - 04:30 PM

Good evening. :)

This machine has got so much slime onboard you wouldn't believe, far more than I would expect with proper security programs installed on it.
According to the DDS log your AV is eTrust ITM and although it's enabled, it's also outdated. How long has it been since your anti-virus program was updated?
Also, is this a business machine, as the video conferencing software suggests?

So long, and thanks for all the fish.

 

 


#3 pilotg

  • Topic Starter
  • Members
  • 3 posts

Posted 02 May 2011 - 01:30 PM

This is a business machine that I am trying to fix. It does have eTrust as the AV program and was set to be updated on a nightly basis. Obviously that didn't happen. Do you have any suggestions as to how to fix the problems? Thanks!

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 02 May 2011 - 01:57 PM

Good evening. :)

Unfortunately there are concerns with business machines that don't exist with personal ones - data security being the primary one. Given the possibilities for data corruption and theft that go hand in hand with infections on business machines, I recommend that you get somebody in to check your system(s) and deal with the issue.
The short term costs are far outweighed by the possible long term consequences if something goes wrong.

So long, and thanks for all the fish.

 

 


#5 pilotg

  • Topic Starter
  • Members
  • 3 posts

Posted 02 May 2011 - 02:16 PM

Thank You!!

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 02 May 2011 - 03:29 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 




