Managee.exe & Alureon.A - IE fails to run -Cannot remove


  • This topic is locked
10 replies to this topic

#1 steveeeee5

steveeeee5

  • Members
  • 9 posts

Posted 30 April 2011 - 04:51 AM

Hi, hope you can help. Luckily the laptop is running at the moment.

If I boot with "safe mode" it gets as far as mup.sys, then I get a blue screen "problem detected INVALID_WORK_QUEUE_ITEM" and it stops.

I find I can only get the system to boot with "last known good configuration".
After logging in I get an "install failed" small window appear twice, which I guess is the damn virus.
Then I delete the 2 Managee.exe processes I see running.
Then Microsoft Security Essentials warns me it has found a virus and I need to reboot, which on examination of the log is "TROJAN:DOS/Alureon.A".

Would really appreciate any help as I can't seem to get any further.
Thanks
Steve.

...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:51, on 30/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmware-hostd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\firefox\firefox.exe
C:\Program Files\firefox\plugin-container.exe
C:\WINDOWS\TEMP\qpqu\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=il&l=he&s=bsd
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=il&l=he&s=bsd
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PPVADownloader - {A986E409-30CC-4185-89BB-AB212C104524} - C:\Program Files\PPLiveVA\DownloaderManager.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [Manager] "C:\WINDOWS\Temp\Managee.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
O16 - DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} (VMware Remote Console Plug-in 2.5.0.00000) -
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: AMService - Jcncxli Software - C:\WINDOWS\TEMP\qpqu\setup.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MouseDriver - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MouseDriver.bat (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Plug Manager - Unknown owner - C:\WINDOWS\temp\Plug.bat
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VMware Host Agent (VMwareHostd) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-hostd.exe
O23 - Service: VMware Server Web Access (VMwareServerWebAccess) - Apache Software Foundation - C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
O23 - Service: VMware VSS Writer (vmwriter) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmVssWriter.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10611 bytes

*******************************************
UPDATE - Malwarebytes hung when trying to upgrade it. The system started to run slow, so I decided to reboot.

This time the normal boot worked and there was no warning about Alureon.A.

So I finished the MBAM install and ran it, and it found quite a few viruses in the registry. See below.

But I still keep getting "generic host process for win32 services has encountered a problem and needs to close".

********************************************
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6477

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

30/04/2011 11:27:59
mbam-log-2011-04-30 (11-27-59).txt

Scan type: Quick scan
Objects scanned: 174048
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
c:\WINDOWS\Temp\qpqu\setup.exe (Spyware.Passwords.XGen) -> 1132 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AMService (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MOUSEDRIVER (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PLUG MANAGER (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Manager (Backdoor.Bot) -> Value: Manager -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Plug Manager\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\qpqu\setup.exe (Spyware.Passwords.XGen) -> Delete on reboot.
c:\WINDOWS\Temp\Managee.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\senawcmxor.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Plug.bat (Trojan.Agent) -> Quarantined and deleted successfully.

******************************
ANOTHER UPDATE
I ran MBAM again and now it is clean, BUT I still get the Alureon.A warning from Microsoft Security Essentials
asking me to restart.

I am running Spybot as well but do not expect it to get Alureon.A. How do I get rid of Alureon.A?

*******************************

Edited by hamluis, 30 April 2011 - 08:00 AM.
Moved from XP to Malware Removal Logs.


#2 steveeeee5

steveeeee5
  • Topic Starter

  • Members
  • 9 posts

Posted 30 April 2011 - 09:23 AM

OK, now I have run DDS.
My 2 remaining problems are:
1. I still have Alureon.A appearing.
2. svchost is using mostly 50% CPU when I am doing nothing.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 15:18:01.28 on 30/04/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.816 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmware-hostd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\firefox\firefox.exe
C:\Program Files\firefox\plugin-container.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mDefault_Page_URL = hxxp://www1.euro.dell.com/content/default.aspx?c=il&l=he&s=bsd
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=il&l=he&s=bsd
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Download_Bho Class: {a986e409-30cc-4185-89bb-ab212c104524} - c:\program files\ppliveva\DownloaderManager.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware server\vsocklib.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\tp3368ub.default\
FF - prefs.js: browser.search.selectedEngine - Search Defender
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.search-results.com/web?o=15868&l=dis&prt=PRT&chn=UN&geo=GB&ver=UN&q=
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tp3368ub.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tp3368ub.default\extensions\vmwarevmrc@vmware.com\plugins\np-vmware-vmrc-2.5.0-122581.dll
FF - plugin: c:\program files\firefox\plugins\npicaN.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: VMware Remote Console Plug-in: VMwareVMRC@vmware.com - %profile%\extensions\VMwareVMRC@vmware.com
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl3e76e647;MpKsl3e76e647;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl3e76e647.sys [2011-4-30 28752]
R1 MpKsl4763bf79;MpKsl4763bf79;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl4763bf79.sys [2011-4-30 28752]
R1 MpKsl6fa96e8d;MpKsl6fa96e8d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl6fa96e8d.sys [2011-4-30 28752]
R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-4-24 57144]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2009-12-16 65856]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-8 870200]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-20 54960]
R2 VMwareHostd;VMware Host Agent;c:\program files\vmware\vmware server\vmware-hostd.exe [2009-10-20 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\vmware\vmware server\tomcat\bin\tomcat6.exe [2009-10-20 57344]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-9-30 11001]
S1 MpKsl43b543b8;MpKsl43b543b8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\mpksl43b543b8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl43b543b8.sys [?]
S1 MpKsl6674905f;MpKsl6674905f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4a2f65bb-0736-4b2e-92f4-03e963175880}\mpksl6674905f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4a2f65bb-0736-4b2e-92f4-03e963175880}\MpKsl6674905f.sys [?]
S1 MpKsl82b80abe;MpKsl82b80abe;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\mpksl82b80abe.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl82b80abe.sys [?]
S1 MpKslb5c2de82;MpKslb5c2de82;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\mpkslb5c2de82.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKslb5c2de82.sys [?]
S1 MpKslcb70c6a3;MpKslcb70c6a3;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKslcb70c6a3.sys [2011-4-29 28752]
S1 MpKsld2e5f32c;MpKsld2e5f32c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\mpksld2e5f32c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsld2e5f32c.sys [?]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-9-30 148688]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-8 53816]
S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-8 158904]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\TsWlan.sys [2007-6-29 33664]
S3 vmwriter;VMware VSS Writer;c:\program files\vmware\vmware server\vmVssWriter.exe [2009-10-20 29744]
.
=============== Created Last 30 ================
.
2011-04-30 13:27:44 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl6fa96e8d.sys
2011-04-30 12:14:43 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl4763bf79.sys
2011-04-30 10:09:52 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl3e76e647.sys
2011-04-30 09:06:46 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl73c730b3.sys
2011-04-29 22:06:48 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKslcb70c6a3.sys
2011-04-29 19:12:48 -------- d-----w- c:\windows\system32\MpEngineStore
2011-04-29 18:38:22 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Trusteer
2011-04-29 10:05:33 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\MpKsl57fc5c1c.sys
2011-04-28 10:55:16 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4c9537e3-36df-4446-8ff4-1e8ff94dc40b}\mpengine.dll
2011-04-08 16:16:53 -------- d-----w- c:\docume~1\admini~1\applic~1\Ibasg
2011-04-08 16:16:53 -------- d-----w- c:\docume~1\admini~1\applic~1\Anev
2011-04-08 09:17:38 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-04-04 19:31:46 -------- d-----w- c:\docume~1\admini~1\applic~1\Udab
2011-04-04 19:31:46 -------- d-----w- c:\docume~1\admini~1\applic~1\Aqwof
.
==================== Find3M ====================
.
2011-04-29 17:19:38 90112 ----a-w- c:\windows\DUMP4ae3.tmp
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9120823ASG rev.3.ADD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AD09730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ad0fa10]; MOV EAX, [0x8ad0fa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC9BAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AC61ED8]
\Driver\atapi[0x8ACA9F38] -> IRP_MJ_CREATE -> 0x8AD09730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AD0957B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:19:31.50 ===============



****************************
UPDATE

OK so now it looks like an MBR TDL4 infection as I have run GMER.
Do I have to restore my MBR carefully now?

*****************************





GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-30 15:51:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST9120823ASG rev.3.ADD
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxldapog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xB919CDB6]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xB919BE12]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xB919BE86]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xB919CC92]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwTerminateProcess [0xB919BD98]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwQueryValueKey + 349 8062265D 7 Bytes JMP A24481F0
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Edited by steveeeee5, 30 April 2011 - 09:56 AM.


#3 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 30 April 2011 - 09:31 AM

Hello steveeeee5! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit TDL4. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:





Please download ComboFix from the link below:


Link 2


Save it to your Desktop <-- Important!!!


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



Regards,
Georgi


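The kernel hooks and MBR findings Georgi refers to are exactly what the mbr.exe and GMER lines earlier in this topic report. As an added example (not code from this thread, from GMER or from the BleepingComputer team), here is a small Python parser for those log lines, with the before and after ComboFix mbr.exe runs from this topic embedded as constructed sample input; it shows why the later "user & kernel MBR OK" line is not a clean bill of health while the \Driver\atapi DriverStartIo hook is still present. The parser, its field names and its verdict strings are my own assumptions about the format, not GMER's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the relevant lines of the two mbr.exe runs
# pasted in this topic (first from post #2, second from the ComboFix log
# in post #4) and GMER's "Disk sectors" finding. Single backslashes in
# the real log are doubled here because these are Python strings.
MBR_BEFORE_COMBOFIX = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8AD0957B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

MBR_AFTER_COMBOFIX = """\
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8AE2057B
user & kernel MBR OK
"""

GMER_DISK_SECTORS = """\
Disk \\Device\\Harddisk0\\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior
"""

# Matches a hook line such as "\Driver\atapi DriverStartIo -> 0x8AD0957B".
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")


@dataclass
class MbrReport:
    device_opened: bool = False
    user_mbr_read: bool = False
    kernel_mbr_read: bool = False
    mbr_ok: bool = False            # "user & kernel MBR OK"
    mbr_code_found: bool = False    # GMER "...@MBR code has been found"
    read_errors: list = field(default_factory=list)
    hooks: list = field(default_factory=list)     # (driver, routine, address)
    warnings: list = field(default_factory=list)


def parse_mbr_log(text):
    """Parse mbr.exe / GMER disk-sector output into an MbrReport (hypothetical parser)."""
    rep = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "device: opened successfully":
            rep.device_opened = True
        elif line == "user: MBR read successfully":
            rep.user_mbr_read = True
        elif line == "kernel: MBR read successfully":
            rep.kernel_mbr_read = True
        elif line == "user & kernel MBR OK":
            rep.mbr_ok = True
        elif line.startswith("error:"):
            rep.read_errors.append(line[len("error:"):].strip())
        elif line.startswith("Warning:"):
            rep.warnings.append(line[len("Warning:"):].strip(" !"))
        elif "@MBR code has been found" in line:
            rep.mbr_code_found = True
        else:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append((m.group(1), m.group(2), m.group(3)))
    return rep


def assess(rep):
    """Defender's verdict: a hook in the disk stack outweighs an 'MBR OK' line."""
    findings = []
    for driver, routine, addr in rep.hooks:
        if driver.lower().endswith("\\atapi") and routine == "DriverStartIo":
            findings.append(f"atapi DriverStartIo hooked at {addr}: disk I/O is filtered below the file system")
        else:
            findings.append(f"unexpected hook {driver} {routine} -> {addr}")
    if rep.mbr_code_found:
        findings.append("rootkit code found in the MBR")
    findings.extend("tool warning: " + w for w in rep.warnings)
    if rep.read_errors and rep.hooks:
        findings.append("MBR read error while a hook is active; the MBR comparison may not be trustworthy")
    if rep.mbr_ok and rep.hooks:
        findings.append("MBR compare says OK but a hook is still present; do not treat the system as clean")
    if not findings:
        return ["no hooks, warnings or MBR code detected" if rep.device_opened
                else "nothing parsed; disk device was never opened"]
    return findings


def hook_persists(before, after):
    """True when the same driver/routine is hooked in both runs (the address may change per boot)."""
    key = lambda h: (h[0].lower(), h[1])
    return bool({key(h) for h in before.hooks} & {key(h) for h in after.hooks})


if __name__ == "__main__":
    before, after = parse_mbr_log(MBR_BEFORE_COMBOFIX), parse_mbr_log(MBR_AFTER_COMBOFIX)
    for name, rep in (("before ComboFix", before), ("after ComboFix", after)):
        print(name)
        for finding in assess(rep):
            print("  -", finding)
    print("hook persists across runs:", hook_persists(before, after))
```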

#4 steveeeee5

  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2011 - 03:09 AM

Hi Georgi,
I am learning just how serious this is from your documentation. This is the first major upset I have had on this laptop and I am considering what to do next. Here is the log below. After it finished it hung on shutdown.

ComboFix 11-04-29.04 - Administrator 30/04/2011 17:15:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1360 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\asfd23f.BIN
c:\asfd23f.bin\asfd23f.BIN.exe
c:\asfd23f.bin\config.bin
c:\documents and settings\Administrator\Application Data\Anev
c:\documents and settings\Administrator\Application Data\Anev\uqgay.gyx
c:\documents and settings\Administrator\Application Data\Aqwof
c:\documents and settings\Administrator\Application Data\Aqwof\kogas.ezl
c:\documents and settings\Administrator\Application Data\Ibasg
c:\documents and settings\Administrator\Application Data\Ibasg\gevo.exe
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Application Data\Lyapy
c:\documents and settings\Administrator\Application Data\Lyapy\wyvi.wue
c:\documents and settings\Administrator\Application Data\Udab
c:\documents and settings\Administrator\Application Data\Udab\viit.exe
C:\winntse.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MOUSEDRIVER
-------\Legacy_PLUG_MANAGER
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-30 16:29 . 2011-04-30 16:29 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl6d5675c2.sys
2011-04-30 15:41 . 2011-04-30 16:09 -------- d-----w- C:\32788R22FWJFW
2011-04-30 09:06 . 2011-04-30 09:06 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl73c730b3.sys
2011-04-29 22:06 . 2011-04-29 22:06 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKslcb70c6a3.sys
2011-04-29 19:12 . 2011-04-30 10:07 -------- d-----w- c:\windows\system32\MpEngineStore
2011-04-29 18:38 . 2011-04-29 18:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Trusteer
2011-04-29 11:01 . 2011-04-29 11:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-29 10:05 . 2011-04-29 10:05 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl57fc5c1c.sys
2011-04-29 10:01 . 2011-04-29 10:01 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Trusteer
2011-04-28 10:55 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\mpengine.dll
2011-04-08 09:17 . 2011-04-08 09:17 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 17:19 . 2008-03-25 23:33 90112 ----a-w- c:\windows\DUMP4ae3.tmp
2011-04-11 07:04 . 2010-11-10 11:38 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2004-08-11 17:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-11 17:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-11 17:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2004-08-11 17:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-11 17:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:51 . 2004-08-11 17:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:18 . 2004-08-11 17:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-11 17:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-11 17:00 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-14 21:38 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-11 17:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-11 17:11 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-11 17:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 17:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-11 17:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-11 17:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-08-11 17:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-19 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-08-30 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-26 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 15:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-299502267-1767777339-1801674531-1582\Scripts\Logon\0\0]
"Script"=\\scopus.net\SysVol\scopus.net\scripts\Ocs Run.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-299502267-1767777339-1801674531-1582\Scripts\Logon\1\0]
"Script"=\\atlas\NETLOGON\Office\Outlook.Bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-299502267-1767777339-1801674531-1582\Scripts\Logon\2\0]
"Script"=\\scopus.net\SysVol\scopus.net\scripts\Scan.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Seagate 2GE6KN1T Product Registration.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Seagate 2GE6KN1T Product Registration.lnk
backup=c:\windows\pss\Seagate 2GE6KN1T Product Registration.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PPLive.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PPLive.lnk
backup=c:\windows\pss\PPLive.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-03-12 12:49 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserChoice]
2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-09 18:53 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2Start]
2008-10-10 17:23 2662400 ----a-w- c:\program files\O2CM-CE\O2 Connection Manager\tscui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 17:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-08-30 10:04 413696 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 09:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade]
2007-09-14 10:53 218424 ----a-w- c:\program files\Wave Systems Corp\SecureUpgrade.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2007-09-10 09:55 92160 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\PPLiveVA\\PPLiveVA.exe"=
"c:\\Program Files\\PPLiveVA\\CrashUpload.exe"=
"c:\\Program Files\\PPLiveVA\\Download.exe"=
"c:\\Program Files\\PPLiveVA\\DownloadProgress.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\PPLiveVA\\Application\\pplap.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-hostd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\sopcast\\adv\\SopAdver.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 MpKsl6d5675c2;MpKsl6d5675c2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl6d5675c2.sys [30/04/2011 17:29 28752]
R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [24/04/2011 09:51 57144]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 15:21 79432]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [16/12/2009 11:11 65856]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [08/04/2011 10:17 870200]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [20/10/2009 16:22 54960]
R2 VMwareHostd;VMware Host Agent;c:\program files\VMware\VMware Server\vmware-hostd.exe [20/10/2009 16:21 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\VMware\VMware Server\tomcat\bin\tomcat6.exe [20/10/2009 22:27 57344]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [11/08/2004 18:00 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 13:32 97536]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [30/09/2008 00:08 11001]
S1 MpKsl3e76e647;MpKsl3e76e647;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl3e76e647.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl3e76e647.sys [?]
S1 MpKsl43b543b8;MpKsl43b543b8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl43b543b8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl43b543b8.sys [?]
S1 MpKsl4763bf79;MpKsl4763bf79;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl4763bf79.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl4763bf79.sys [?]
S1 MpKsl6674905f;MpKsl6674905f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A2F65BB-0736-4B2E-92F4-03E963175880}\MpKsl6674905f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A2F65BB-0736-4B2E-92F4-03E963175880}\MpKsl6674905f.sys [?]
S1 MpKsl6fa96e8d;MpKsl6fa96e8d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl6fa96e8d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl6fa96e8d.sys [?]
S1 MpKsl82b80abe;MpKsl82b80abe;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl82b80abe.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsl82b80abe.sys [?]
S1 MpKslb5c2de82;MpKslb5c2de82;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKslb5c2de82.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKslb5c2de82.sys [?]
S1 MpKslcb70c6a3;MpKslcb70c6a3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKslcb70c6a3.sys [29/04/2011 23:06 28752]
S1 MpKsld2e5f32c;MpKsld2e5f32c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsld2e5f32c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C9537E3-36DF-4446-8FF4-1E8FF94DC40B}\MpKsld2e5f32c.sys [?]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [30/09/2008 00:08 148688]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [08/04/2011 10:17 53816]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/04/2011 10:17 158904]
S3 TSWLAN;TsWlan Packet Driver;c:\windows\system32\drivers\TsWlan.sys [29/06/2007 10:25 33664]
S3 vmwriter;VMware VSS Writer;c:\program files\VMware\VMware Server\vmVssWriter.exe [20/10/2009 16:22 29744]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL6D5675C2
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=il&l=he&s=bsd
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Server\vsocklib.dll
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tp3368ub.default\
FF - prefs.js: browser.search.selectedEngine - Search Defender
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.search-results.com/web?o=15868&l=dis&prt=PRT&chn=UN&geo=GB&ver=UN&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: VMware Remote Console Plug-in: VMwareVMRC@vmware.com - %profile%\extensions\VMwareVMRC@vmware.com
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
HKLM-Run-COMODO Firewall Pro - c:\program files\COMODO\Firewall\cfp.exe
Notify-ckpNotify - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\Firewall\cfp.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-OfficeScanNT Monitor - c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe
MSConfigStartUp-PPLive - c:\program files\PPLive\PPLive.exe
AddRemove-CutePDF Writer Installation - c:\program files\Acro Software\CutePDF Writer\uninscpw.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 17:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9120823ASG rev.3.ADD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE2057B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-236893275-208906129-2437280959-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%m*e*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-236893275-208906129-2437280959-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%m*e*\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1812)
c:\windows\system32\VMGINA.DLL
.
- - - - - - - > 'lsass.exe'(1868)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\vmnat.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\VMware\VMware Server\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\msdtc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
.
**************************************************************************
.
Completion time: 2011-04-30 17:36:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-30 16:36
.
Pre-Run: 27,667,365,888 bytes free
Post-Run: 27,793,547,264 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6084DA8832FFD151609886BAD7D8EE8A

*********************
AND I have just run GMER and it shows the rootkit still present
**************************************************************

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-05-01 09:08:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST9120823ASG rev.3.ADD
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxldapog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xB55F8DB6]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xB55F7E12]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xB55F7E86]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xB55F8C92]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwTerminateProcess [0xB55F7D98]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwQueryValueKey + 349 8062265D 7 Bytes JMP BA754D98

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[564] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 016F000A
.text C:\WINDOWS\Explorer.EXE[564] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0170000A
.text C:\WINDOWS\Explorer.EXE[564] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 016E000C
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1176] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414130 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A70001
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1176] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71A10022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1176] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71AE0022
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 025C000A
.text C:\WINDOWS\System32\svchost.exe[1264] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E3000A
.text C:\Program Files\firefox\firefox.exe[3940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0104000A
.text C:\Program Files\firefox\firefox.exe[3940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0106000A
.text C:\Program Files\firefox\firefox.exe[3940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0103000C
.text C:\Program Files\firefox\firefox.exe[3940] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[5568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\wuauclt.exe[5568] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\wuauclt.exe[5568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B4000C
.text C:\Program Files\firefox\plugin-container.exe[5620] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1040C334 C:\Program Files\firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AC8457B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8AC8457B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AC8457B

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
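
The two logs above disagree in a way that is worth understanding. The ComboFix MBR check reports "user & kernel MBR OK" while listing a hook on \Driver\atapi DriverStartIo, and GMER then reports TDL4 code at sector 0 of Harddisk0. A bootkit that hooks the disk driver can hand a clean copy of sector 0 to software reading it from inside the running system, so a trustworthy comparison reads the sector from a clean boot environment (a live CD, or the disk attached to another machine) and compares it against a baseline taken from a known-good install. The Python below is an added example written for this page, not code from the thread, GMER or ComboFix: it parses the 512-byte MBR, checks the 0x55AA signature, hashes the 446-byte boot code against a baseline, and flags unpartitioned space at the end of the disk. The boot code, baseline hash, disk size and partition layout are constructed stand-ins, and the 1 MiB slack threshold is an assumed heuristic.

```python
"""Added example (not code from the thread, GMER or ComboFix): parse a
512-byte MBR and compare its boot code against a known-good baseline, the
kind of offline integrity check used to spot an MBR bootkit such as TDL4.
Everything below is constructed for the demo: the 'clean' boot code, the
baseline hash and the partition layout are stand-ins, not real disk data."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code, what a bootkit overwrites
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"      # bytes 510..511 must be 0x55AA
# Assumption: more than 1 MiB of unpartitioned tail space is worth reporting;
# TDL4 is documented to keep its hidden file system in the last sectors of the disk.
SLACK_THRESHOLD = 2048


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes):
    """Split a 512-byte sector into (boot_code, [Partition x 4], signature_ok)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return sector[:BOOT_CODE_LEN], parts, sector[510:] == SIGNATURE


def check_mbr(sector: bytes, baseline_sha256: str, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means nothing looked tampered."""
    boot_code, parts, sig_ok = parse_mbr(sector)
    findings = []
    if not sig_ok:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(boot_code).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"boot code differs from baseline (sha256 {digest[:16]}...)")
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one partition flagged bootable")
    used_end = max((p.lba_start + p.sectors for p in parts if p.type_id), default=0)
    slack = disk_sectors - used_end
    if slack > SLACK_THRESHOLD:
        findings.append(f"{slack} unpartitioned sectors at end of disk")
    return findings


def make_sample(boot_code: bytes, partitions) -> bytes:
    """Build a constructed MBR from boot code and (bootable, type, lba, count) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:] = SIGNATURE
    return bytes(sector)


# Constructed stand-in for clean boot code; a real baseline hash would be
# recorded from the same disk right after a clean install.
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
BASELINE = hashlib.sha256(CLEAN_BOOT).hexdigest()
DISK_SECTORS = 234_441_648   # assumed size of a 120 GB drive in 512-byte sectors

CLEAN_PARTS = [(False, 0x06, 63, 160_650),
               (True, 0x07, 160_713, DISK_SECTORS - 160_713)]
CLEAN_MBR = make_sample(CLEAN_BOOT, CLEAN_PARTS)

# Tampered copy: first bytes of the boot code patched and the system partition
# shortened so 4096 sectors at the end of the disk belong to no partition.
TAMPERED_BOOT = b"\xeb\x3c\x90\x00" + CLEAN_BOOT[4:]
TAMPERED_PARTS = [(False, 0x06, 63, 160_650),
                  (True, 0x07, 160_713, DISK_SECTORS - 160_713 - 4096)]
TAMPERED_MBR = make_sample(TAMPERED_BOOT, TAMPERED_PARTS)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE, DISK_SECTORS) or "OK")
```

On a Linux live CD the sector to feed into check_mbr is the first 512 bytes of the raw device (for example /dev/sda). The baseline must come from the same machine before infection, because boot code differs between Windows versions and OEM images, and a hash mismatch alone only says "changed", not "malicious"; the unpartitioned-space check is a second signal, not proof.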

#5 steveeeee5 (Topic Starter)

Posted 01 May 2011 - 03:13 AM

Slightly off topic, but can you recommend what process I should follow in the future to keep safe?
I am running
Microsoft Security Essentials
Windows Firewall

Should I use MalwareBytes and GMER regularly? How about Spybot?
FYI - I have a router for my ADSL connection

#6 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 01 May 2011 - 06:46 AM

Hi steveeeee5,



Yes, the rootkit is still active.
Let's play safe... please do this for now:

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If a malicious object is detected, the default action will be Cure; click on Continue.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • Select Skip for sptd.sys.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



If TDSSKiller won't run, please let me know and we will try something else.

Regards,
Georgi


#7 steveeeee5 (Topic Starter)

Posted 03 May 2011 - 12:33 PM

Hi Georgi,
Thanks for the help so far, but I had real trouble with the system and decided to wipe it. Only way to be sure.
So now I have a brand new install of XP Pro SP2 and am just getting the latest updates from MS now.
So what process should I follow to protect myself?
i.e. only use the Administrator account for system mods!
Can you direct me to general practices to keep my new install safe?

Tks
Steve

#8 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 04 May 2011 - 02:33 AM

Hi,


I'll be able to reply later today as I must go to work now.
Stay tuned and sorry for the inconvenience.


Regards,
Georgi

Edited by B-boy/StyLe/, 04 May 2011 - 02:34 AM.
typo.



#9 steveeeee5 (Topic Starter)

Posted 04 May 2011 - 01:20 PM

OK tks,

I have upgraded to XP SP3, installed all critical updates and am thinking of installing/running the following.

Microsoft Security Essentials
Malware Bytes
GMER
Windows Firewall

And logging on only under an account, using Administrator only for installing etc.

Are these the essential strategies ?

Tks
Again
Steve

#10 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 04 May 2011 - 07:24 PM

Hi Steve, :)

Step 1:

Microsoft Security Essentials is very good software. However, MSE is slow at scanning and cleaning threats. Also, when you open a directory with a lot of files, the appearance of the icons might be delayed a bit. Some features may not be available when MSE is used on Windows XP, so that's why I definitely would stick with avast 6 or Avira 10.

Avira has one of the best detection rates out there. However, the interface is unintuitive and can be difficult to use for beginners.

Avast offers more features for its resources, like a boot-time scan (deletes stubborn files on reboot, before Windows starts), a sandbox (a special security feature which allows potentially suspicious applications to be automatically run in a completely isolated environment to protect your computer), WebRep (which provides safety rankings for sites you visit or sites that appear in search engine results), and many more.



Keep your antivirus software turned on and up-to-date

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Please do not run GMER on your own. This tool is not a toy and not for everyday use. You can easily misunderstand the results of the scan, which can cause you to make mistakes that could render your PC unusable.



Step 2:



Install an AntiSpyware Program


An effective scanner that should be part of your toolkit is Malwarebytes Anti-Malware.

Another highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software. Be sure to check for and download any definition updates prior to performing a scan.





Step 3:



Use a Firewall


I noticed that you use Windows XP.

The Windows Firewall in Windows XP provides one-way network protection only.

It blocks incoming traffic as configured, but it will not block any outgoing traffic.

A firewall with outgoing protection may warn you about a malware file wanting network access.

That's why I recommend that you install a 3rd-party firewall like PC Tools Firewall (only if you don't use a router!).

It's very light and simple to use.

Simply using it in its default configuration can increase the security of your system greatly.

For more information => please take a look here => http://www.pctools.com/firewall/

However, it can be a bit complicated if you are a newbie in firewall configuration... if you encounter any troubles with PC Tools Firewall, please uninstall it and stick with Windows Firewall.


Other great alternatives are:


Online Armor Firewall 5.0.0.1097
Outpost Security Suite Free 7.1.1
Privatefirewall 7.0.23.4

etc.





Step 4:



Visit Microsoft's Windows Update Site Frequently


It is important that you visit Windows Update regularly.

This will ensure your computer always has the latest security updates installed.

If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.

Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.

You can check these by scanning with Secunia Software Inspector.





Step 5:



Practice Safe Internet



One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:


  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.

  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.

  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.

  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:

    Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites

  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.

  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.

  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.

  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if it is legitimate, you can use McAfee SiteAdvisor to look up info on the site.

  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.




Step 6:



Don't use pirated software !!!



Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!





Step 7:



Create an image of your system



It is always a good idea to do a backup of all important files, just in case something happens to it.

Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.

The download link is here => http://www.macrium.com/reflectfree.asp

The tutorials can be found here => http://www.macrium.com/tutorial.asp

Be sure to read the tutorial first.





"And logging on only under an account, using Administrator only for installing etc."

That should be nice!



Follow this list and your potential for being infected again will be reduced dramatically.

Safe Surfing!

Regards,
Georgi


#11 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 09 May 2011 - 10:18 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
