
Google Search Redirect w/ iexplore.exe audio


This topic is locked
16 replies to this topic

#1 jet526

  • Members
  • 9 posts

Posted 15 June 2011 - 09:10 AM

Windows 7 Professional
Started off with a fake Windows Recovery window and fake hard drive corrupt pop-up.
After that, the shortcuts in the Start Menu were hidden and there was a shortcut on the desktop called "Windows Recovery"; the shortcut pointed to a 27582299.exe.
McAfee On-Access Scanner detected three instances of FakeAlert!grb (Trojan), including 27582299.exe, and deleted them.
Restored to the last restore point to recover the shortcuts.

At this point Google search results were being redirected to various unrelated websites. At random, audio files would play in a hidden iexplore.exe instance. Occasionally IE will start with an ad and then close.

The Sys Admin had me run RKill and Malwarebytes.
Malwarebytes detected three instances of Trojan.FakeAlert in AppData\Local\Temp.

Ran McAfee Full Scan overnight with no detections.

The symptoms continue.

Thank you for the help.

DDS Report:

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Run by treatj at 6:00:55 on 2011-06-15
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3024.1899 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
============= FINISH: 6:01:48.11 ===============

Attached files: Attach.txt (18.44KB), ark.txt (12.05KB)
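A triage check for the "hidden iexplore.exe instance" symptom described in this post, written in PowerShell as an added example that is not part of the original thread: it lists every iexplore.exe process together with whether it owns a visible window, which process launched it, and the command line it was started with. It assumes only the Get-WmiObject and Get-Process cmdlets that ship with Windows 7's PowerShell 2.0.

```powershell
# Added triage script (not from the thread). IE's own tab processes are
# launched by the IE frame process (parent iexplore.exe) and a user-started
# IE is launched by explorer.exe, so an instance with no window whose parent
# is neither of those is the row worth looking at first.
$allProcs = Get-WmiObject -Class Win32_Process

# Index every process by PID so parents can be resolved without a second query.
$byPid = @{}
foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

$expectedParents = @('explorer.exe', 'iexplore.exe')
$rows = @()

foreach ($p in ($allProcs | Where-Object { $_.Name -ieq 'iexplore.exe' })) {
    # Get-Process exposes the main window handle; 0 means no visible window.
    $live = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    $hasWindow = ($live -ne $null) -and ($live.MainWindowHandle.ToInt64() -ne 0)

    # The parent may already have exited, and PIDs get reused, so the parent
    # name is a hint to follow up on, not proof of anything.
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<not running>' }

    $flag = (-not $hasWindow) -and ($expectedParents -notcontains $parentName)

    $rows += New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Started     = $p.ConvertToDateTime($p.CreationDate)
        HasWindow   = $hasWindow
        ParentPID   = $p.ParentProcessId
        Parent      = $parentName
        Suspicious  = $flag
        CommandLine = $p.CommandLine
    }
}

$rows | Sort-Object Started |
    Format-Table PID, Started, HasWindow, ParentPID, Parent, Suspicious, CommandLine -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the command lines of every user's processes are readable; a Parent of `<not running>` means the launcher had already exited by the time the snapshot was taken.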

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 15 June 2011 - 09:32 AM

Hello jet526,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.


1.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.



Things to include in your next reply:
TDSSKILLER LOG
Combofix.txt
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 jet526 (Topic Starter)

  • Members
  • 9 posts

Posted 15 June 2011 - 10:23 AM

Thank you fireman4it.

I attempted to run TDSSKiller (2.5.4). The User Account Control opens and verifies that I want to allow it to make changes to the computer but the application never starts. Renaming did not help. I tried running it in Safe Mode, but still no joy. Would running it in Compatibility Mode work?

Ran ComboFix. Here is the log:

ComboFix 11-06-15.01 - treatj 06/15/2011 8:05.3.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3024.1928 [GMT -7:00]
Running from: c:\users\treatj\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
c:\users\treatj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft SharePoint Workspace.lnk - c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2010-6-14 473616]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2010-5-4 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 136176]
R3 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2010-03-26 22816]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-03-26 66600]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\DRIVERS\PTDCWWAN.sys [2009-09-22 114704]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-03 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 44896]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-23 2808664]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [2010-04-03 240608]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2010-04-03 367456]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\aestsrv.exe [2009-03-02 81920]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-03-26 70728]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-09-03 13312]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 15:37]
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-25 15:37]
.
2011-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1591362467-482177741-316617838-1192Core.job
- c:\users\treatj\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-13 13:00]
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1591362467-482177741-316617838-1192UA.job
- c:\users\treatj\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-13 13:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = diversity
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.0.1.8 10.0.0.201
FF - ProfilePath - c:\users\treatj\AppData\Roaming\Mozilla\Firefox\Profiles\16da1a87.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(420)
c:\windows\system32\NetworkExplorer.dll
.
Completion time: 2011-06-15 08:12:38
ComboFix-quarantined-files.txt 2011-06-15 15:12
ComboFix2.txt 2011-06-14 16:25
ComboFix3.txt 2011-06-14 14:43
.
Pre-Run: 104,156,475,392 bytes free
Post-Run: 104,171,974,656 bytes free
.
- - End Of File - - 446BD9EF482DF3AA02A625B303D5138B

Still getting the search redirects and the hidden iexplore.exe instances.



#4 fireman4it (Malware Response Team)

Posted 15 June 2011 - 02:55 PM

Hello,


1.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

2.
Can you burn CDs and have access to a USB flash drive?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#5 jet526 (Topic Starter)

Posted 15 June 2011 - 03:11 PM

I can burn CDs and have a USB drive.

Here is the aswMBR log.

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-15 13:05:58
-----------------------------
13:05:58.046 OS Version: Windows 6.1.7601 Service Pack 1
13:05:58.046 Number of processors: 2 586 0x170A
13:05:58.046 ComputerName: PHXLTDHPCHK1 UserName: treatj
13:05:59.676 Initialize success
13:06:33.618 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:06:33.623 Disk 0 Vendor: ST916041 DEC7 Size: 152627MB BusType: 3
13:06:33.635 Disk 0 MBR read successfully
13:06:33.640 Disk 0 MBR scan
13:06:33.643 Disk 0 Windows 7 default MBR code
13:06:33.650 Disk 0 scanning sectors +312578048
13:06:33.690 Disk 0 scanning C:\Windows\system32\drivers
13:06:40.866 Service scanning
13:06:41.768 Disk 0 trace - called modules:
13:06:41.778 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ef81ed]<<
13:06:41.786 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ec5030]
13:06:41.791 3 CLASSPNP.SYS[8b80459e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8606f028]
13:06:41.796 \Driver\iaStor[0x8645d030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86ef81ed
13:06:41.803 Scan finished successfully
13:07:31.681 Disk 0 MBR has been saved successfully to "C:\Users\treatj\Desktop\Malware\MBR.dat"
13:07:31.691 The log file has been saved successfully to "C:\Users\treatj\Desktop\Malware\aswMBR.txt"

#6 fireman4it (Malware Response Team)

Posted 15 June 2011 - 03:30 PM

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next, download driver.sh to your USB drive
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1?)
  • Confirm that you see the driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished, a report will be located on your USB drive named report.txt
  • Remove the USB drive, insert it back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive.
Copy and paste the report.txt for my review.



#7 jet526 (Topic Starter)

Posted 15 June 2011 - 04:43 PM

Here is the report from driver.sh

Wed Jun 15 14:33:22 UTC 2011
Driver report for /mnt/sda2/Qoobox/Quarantine/C/Windows/System32/drivers

Driver report for /mnt/sda2/Windows/System32/drivers
ab6532bf1c2519efcec5b8c04d8dc407 volsnap.sys has NO Company Name!

fbce2f43185104ae8bf4d32571b19203 1394bus.sys
Microsoft Corporation

1b133875b8aa8ac48969bd3458afe9f5 1394ohci.sys
Microsoft Corporation

1efbc664abff416d1d07db115dcb264f acpipmi.sys
Microsoft Corporation

cea80c80bed809aa0da6febc04733349 acpi.sys
Microsoft Corporation

21e785ebd7dc90a06391141aac7892fb adp94xx.sys
Adaptec

0c676bc278d5b59ff5abd57bbe9123f2 adpahci.sys
Adaptec

7c7b5ee4b7b822ec85321fe23a27db33 adpu320.sys
Adaptec

1151fd4fb0216cfed887bfde29ebd516 afd.sys
Microsoft Corporation

57ec4aef73660166074d8f7f31c0d4fd agilevpn.sys
Microsoft Corporation

507812c3054c21cef746b6ee3d04dd6e AGP440.sys
Microsoft Corporation

0d40bcf52ea90fc7df2aeab6503dea44 aliide.sys
Acer Laboratories

3c6600a0696e90a463771c7422e23ab5 AMDAGP.SYS
Microsoft Corporation

cd5914170297126b6266860198d1d4f0 amdide.sys
Microsoft Corporation

00dda200d71bac534bf56a9db5dfd666 amdk8.sys
Microsoft Corporation

3cbf30f5370fda40dd3e87df38ea53b6 amdppm.sys
Microsoft Corporation

d320bf87125326f996d4904fe24300fc amdsata.sys
Advanced Micro Devices

ea43af0c423ff267355f74e7a53bdaba amdsbs.sys
AMD Technologies

46387fb17b086d16dea267d5be23a2f2 amdxata.sys
Advanced Micro Devices

c51ec0615ef781b00b7389521f397132 Apfiltr.sys
Alps Electric

aea177f783e20150ace5383ee368da19 appid.sys
Microsoft Corporation

5d6f36c46fd283ae1b57bd2e9feb0bc7 arcsas.sys
Adaptec

2932004f49677bd84dbc72edb754ffb3 arc.sys
Adaptec

add2ade1c2b285ab8378d2daaf991481 asyncmac.sys
Microsoft Corporation

338c86357871c167a96ab976519bf59e atapi.sys
Microsoft Corporation

4b55c9f9a93b3bfd01ed7366eb0b9d2e ataport.sys
Microsoft Corporation

bd8869eb9cde6bbe4508d869929869ee b57nd60x.sys
Broadcom Corporation

2b8ee031fd700ab942ebe60665440e83 battc.sys
Microsoft Corporation

57a52ee74fd55c590f209925088cb68b bcm42rly.sys
Broadcom Corporation

de6ee34eaddc1add4cac6cf508fbaea7 BCMWL6.SYS
Broadcom Corporation

505506526a9d467307b3c393dedaf858 beep.sys
Microsoft Corporation

2287078ed48fcfc477b05b20cf38f36f blbdrive.sys
Microsoft Corporation

8f2da3028d5fcbd1a060a3de64cd6506 bowser.sys
Microsoft Corporation

9f9acc7f7ccde8a15c282d3f88b43309 BrFiltLo.sys
Brother Industries

56801ad62213a41f6497f96dee83755a BrFiltUp.sys
Brother Industries

77361d72a04f18809d0efb6cceb74d4b bridge.sys
Microsoft Corporation

845b8ce732e67f3b4133164868c666ea BrSerId.sys
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries
Brother Industries

203f0b1e73adadbbb7b7b1fabd901f6b BrSerWdm.sys
Brother Industries

bd456606156ba17e60a04e18016ae54b BrUsbMdm.sys
Brother Industries

af72ed54503f717a43268b3cc5faec2e BrUsbSer.sys
Brother Industries

ed3df7c56ce0084eb2034432fc56565a bthmodem.sys
Microsoft Corporation

1a231abec60fd316ec54c66715543cec bxvbdx.sys
Broadcom Corporation

77ea11b065e0a8ab902d78145ca51e10 cdfs.sys
Microsoft Corporation

be167ed0fdb9c1fa1133953c18d5a6c9 cdrom.sys
Microsoft Corporation

3fe3fe94a34df6fb06e6418d0f6a0060 circlass.sys
Microsoft Corporation

a6388a5abf92c7927c085db0a958125f Classpnp.sys
Microsoft Corporation

dea805815e587dad1dd2c502220b5616 CmBatt.sys
Microsoft Corporation

c537b1db64d495b9b4717b4d6d9edbf2 cmdide.sys
CMD Technology

1b675691ed940766149c93e8f4488d68 cng.sys
Microsoft Corporation

a6023d3823c37043986713f118a89bee compbatt.sys
Microsoft Corporation

cbe8c58a8579cfe5fccf809e6f114e89 CompositeBus.sys
Microsoft Corporation

b7efef22ff426ec4158a177cb3b558d3 crashdmp.sys
Microsoft Corporation

2c4ebcfc84a9b44f209dff6c6e6c61d1 crcdisk.sys
Microsoft Corporation

3c2177a897b4ca2788c6fb0c3fd81d4b csc.sys
Microsoft Corporation

b5ecadf7708960f1818c7fa015f4c239 CVirtA.sys
Cisco Systems

26deef07394624247d1f549bd94f0b15 CVPNDRVA.sys
Cisco Systems

f024449c97ec1e464aaffda18593db88 dfsc.sys
Microsoft Corporation

1a050b0274bfb3890703d490f330c0da discache.sys
Microsoft Corporation

d0f0d7a97c90fe72a79732812e65f822 Diskdump.sys
Microsoft Corporation

565003f326f99802e68ca78f2a68e9ff disk.sys
Microsoft Corporation

8b30250d573a8f6b4bd23195160d8707 djsvs.sys
Adaptec

7b4fdfbe97c047175e613aa96f3de987 dne2000.sys
tH`VS_VERSION_INFO>>?bStringFileInfo>bZCompanyNameDeterministicNetworks,Inc.fFileDescriptionDeterministicNetworkEnhancer:rFileVersion...(InternalNameDNETLegalCopyrightCopyright©-@bOriginalFilenameDNE.SYS,BuildNumber>rProductVersion...DVarFileInfo$Translationt|

b918e7c5f9bf77202f89e1a9539f2eb4 drmkaud.sys
Microsoft Corporation

27f9288af019e6daca281ede51ff5928 drmk.sys
Microsoft Corporation

5428227d4730ebdfc842e9fb593f8c8a Dumpata.sys
Microsoft Corporation

62a63ef2f3053b461cb327e4d69aaa74 dumpfve.sys
Microsoft Corporation

5fcd3320aae71506b43f9e12e4e72172 dxapi.sys
Microsoft Corporation

23f5d28378a160352ba8f817bd8c71cb dxgkrnl.sys
Microsoft Corporation

d458d1c7f1d49869000668e3c3bb0d4d dxgmms1.sys
Microsoft Corporation

1b6242b20cb56f85a158e67f09ee84fe dxg.sys
Microsoft Corporation

8eef52ad831471e323ee7364a8656d35 e1y6032.sys
Intel Corporation

44a91d98d6719b49bcd649a863225b5c e1y6232.sys
Intel Corporation

0ed67910c8c326796faa00b2bf6d9d3c elxstor.sys
Emulex

8fc3208352dd3912c94367a206ab3f11 errdev.sys
Microsoft Corporation

024e1b5cac09731e4d868e64dbfb4ab0 evbdx.sys
Broadcom Corporation

2dc9108d74081149cc8b651d3a26207f exfat.sys
Microsoft Corporation

7e0ab74553476622fb6ae36f73d97d35 fastfat.sys
Microsoft Corporation

e817a017f82df2a1f8cfdbda29388b29 fdc.sys
Microsoft Corporation

6cf00369c97f3cf563be99be983d13d8 fileinfo.sys
Microsoft Corporation

42c51dc94c91da21cb9196eb64c45db9 filetrace.sys
Microsoft Corporation

87907aa70cb3c56600f1c2fb8841579b flpydisk.sys
Microsoft Corporation

7520ec808e0c35e0ee6f841294316653 fltMgr.sys
Microsoft Corporation

1a16b57943853e598cff37fe2b8cbf1d fsdepends.sys
Microsoft Corporation

a574b4360e438977038aae4bf60d79a2 fs_rec.sys
Microsoft Corporation

8a73e79089b282100b9393b644cb853b fvevol.sys
Microsoft Corporation

56e5c9b62bad9ec85bc76940d28b6c11 FWPKCLNT.SYS
Microsoft Corporation

65ee0c7a58b65e74ae05637418153938 GAGP30KX.SYS
Microsoft Corporation

c44e3c2bab6837db337ddee7544736db hcw85cir.sys
Hauppauge Computer Works

9036377b8a6c15dc2eec53e489d159b5 hdaudbus.sys
Microsoft Corporation

a5ef29d5315111c80a5c1abad14c8972 HdAudio.sys
Microsoft Corporation

1d58a7f3e11a9731d0eaaaa8405acc36 hidbatt.sys
Microsoft Corporation

89448f40e6df260c206a193a4683ba78 hidbth.sys
Microsoft Corporation

931a1df1520abc6e84ba4a75e6957025 hidclass.sys
Microsoft Corporation

cf50b4cf4a4f229b9f3c08351f99ca5e hidir.sys
Microsoft Corporation

6c26122f1931d4d7810240f32ddce890 hidparse.sys
Microsoft Corporation

10c19f8290891af023eaec0832e1eb4d hidusb.sys
Microsoft Corporation

295fdc419039090eb8b49ffdbb374549 HpSAMD.sys
Hewlett-Packard

8b976d4ca270110111df4f313da0e6e8 HSX_CNXT.sys
Conexant

227c3ba25012752bb7450235392c719f HSX_DPV.sys
Conexant

4df5c76302dc2f8f3465966c8426a292 HSXHWAZL.sys
Conexant

871917b07a141bff43d76d8844d48106 http.sys
Microsoft Corporation

0c4e035c7f105f1299258c90886c64c5 hwpolicy.sys
Microsoft Corporation

f151f0bdc47f4a28b1b20a0818ea36d6 i8042prt.sys
Microsoft Corporation

01446278d4563b3013c92830ae6cbb26 iaStor.sys
Intel Corporation

934af4d7c5f457b9f0743f4299b77b67 iaStorV.sys
Intel Corporation

b3a313080b0f73f4c8292290606fc15d igdkmd32.sys
Intel Corporation

4173ff5708f3236cf25195fecd742915 iirsp.sys
Intel Corp

a0f12f2c9ba6c72f3987ce780e77c130 intelide.sys
Microsoft Corporation

3b514d27bfc4accb4037bc6685f766e0 intelppm.sys
Microsoft Corporation

709d1761d3b19a932ff0238ea6d50200 ipfltdrv.sys
Microsoft Corporation

4bd7134618c1d2a27466a099062547bf IPMIDrv.sys
Microsoft Corporation

a5fa468d67abcdaa36264e463a7bb0cd ipnat.sys
Microsoft Corporation

1d99ac4ce3abbd96a8c0d77ff104096d iqvw32.sys
Intel Corporation

9f7e491fb0ba0f9e370163834fc1fe31 irda.sys
Microsoft Corporation

42996cff20a3084a56017b7902307e9f irenum.sys
Microsoft Corporation

1f32bb6b38f62f7df1a7ab7292638a35 isapnp.sys
Microsoft Corporation

adef52ca1aeae82b50df86b56413107e kbdclass.sys
Microsoft Corporation

9e3ced91863e6ee98c24794d05e27a71 kbdhid.sys
Microsoft Corporation

412cea1aa78cc02a447f5c9e62b32ff1 ksecdd.sys
Microsoft Corporation

26c046977e85b95036453d7b88ba1820 ksecpkg.sys
Microsoft Corporation

5dcef0c32be0f33277326586fa503689 ks.sys
Microsoft Corporation

f7611ec07349979da9b0ae1f18ccc7a6 lltdio.sys
Microsoft Corporation

eb119a53ccf2acc000ac71b065b78fef lsi_fc.sys
LSI Corporation

dc9dc3d3daa0e276fd2ec262e38b11e9 lsi_sas2.sys
LSI Corporation

8ade1c877256a22e49b75d1cc9161f9c lsi_sas.sys
LSI Corporation

0a036c7d7cab643a7f07135ac47e0524 lsi_scsi.sys
LSI Corporation

6703e366cc18d3b6e534f5cf7df39cee luafv.sys
Microsoft Corporation

d68e165c3123aba3b1282eddb4213bd8 mbamswissarmy.sys
Malwarebytes Corporation

ef08d2ebe3eabba43cc57eee001027b6 mcd.sys
Microsoft Corporation

0cea2d0d3fa284b85ed5b68365114f76 mdmxsdk.sys
Conexant

0fff5b045293002ab38eb1fd1fc2fb74 megasas.sys
LSI Corporation

dcbab2920c75f390caf1d29f675d03d6 MegaSR.sys
LSI Corporation

5cbf9d2fab2abc461b2f67c802f52543 mfeapfk.sys
McAfee

10718b3eeb9e98c5b4aad7c0a23a9efa mfeavfk.sys
McAfee

e665cff48e376b48d2cc84be1559f131 mfebopk.sys
McAfee

e2f200d38b72e47b88489e2c97dfd6d8 mfehidk.sys
McAfee

ef04236d1a4f9f672b5258de83e2ee35 mferkdet.sys
McAfee

d5a4b1ae4958ccfc66c1d17c1f42ba08 mfetdik.sys
McAfee

f001861e5700ee84e2d4e52c712f4964 modem.sys
Microsoft Corporation

79d10964de86b292320e9dfe02282a23 monitor.sys
Microsoft Corporation

fb18cc1d4c2e716b6b903b0ac0cc0609 mouclass.sys
Microsoft Corporation

2c388d2cd01c9042596cf3c8f3c7b24d mouhid.sys
Microsoft Corporation

fc8771f45ecccfd89684e38842539b9b mountmgr.sys
Microsoft Corporation

2d699fb6e89ce0d8da14ecc03b3edfe0 mpio.sys
Microsoft Corporation

ad2723a7b53dd1aacae6ad8c0bfbf4d0 mpsdrv.sys
Microsoft Corporation

ceb46ab7c01c9f825f8cc6babc18166a mrxdav.sys
Microsoft Corporation

dc914446049169a964e27fd8888ffaee mrxsmb10.sys
Microsoft Corporation

e7d90388d14fae057c166c1801e0bf94 mrxsmb20.sys
Microsoft Corporation

ed3d3419b064f28d812995ed8cadc541 mrxsmb.sys
Microsoft Corporation

4326d168944123f38dd3b2d9c37a0b12 msahci.sys
Microsoft Corporation

455029c7174a2dbb03dba8a0d8bddd9a msdsm.sys
Microsoft Corporation

daefb28e3af5a76abcc2c3078c07327f msfs.sys
Microsoft Corporation

3e1e5767043c5af9367f0056295e9f84 mshidkmdf.sys
Microsoft Corporation

0a4e5757ae09fa9622e3158cc1aef114 msisadrv.sys
Microsoft Corporation

cb7a9abb12b8415bce5d74994c7ba3ae msiscsi.sys
Microsoft Corporation

8c0860d6366aaffb6c5bb9df9448e631 mskssrv.sys
Microsoft Corporation

3ea8b949f963562cedbb549eac0c11ce mspclock.sys
Microsoft Corporation

f456e973590d663b1073e9c463b40932 mspqm.sys
Microsoft Corporation

0e008fc4819d238c51d7c93e7b41e560 msrpc.sys
Microsoft Corporation

fc6b9ff600cc585ea38b12589bd4e246 mssmbios.sys
Microsoft Corporation

b42c6b921f61a6e55159b8be6cd54a36 mstee.sys
Microsoft Corporation

33599130f44e1f34631cea241de8ac84 MTConfig.sys
Microsoft Corporation

159fad02f64e6381758c990f753bcc80 mup.sys
Microsoft Corporation

0e1787aa6c9191d3d319e8bafe86f80c ndiscap.sys
Microsoft Corporation

e7c54812a2aaf43316eb6930c1ffa108 ndis.sys
Microsoft Corporation

e4a8aec125a2e43a9e32afeea7c9c888 ndistapi.sys
Microsoft Corporation

d8a65dafb3eb41cbb622745676fcd072 ndisuio.sys
Microsoft Corporation

38fbe267e7e6983311179230facb1017 ndiswan.sys
Microsoft Corporation

a4bdc541e69674fbff1a8ff00be913f2 ndproxy.sys
Microsoft Corporation

80b275b1ce3b0e79909db7b39af74d51 netbios.sys
Microsoft Corporation

280122ddcf04b378edd1ad54d71c1e54 netbt.sys
Microsoft Corporation

2899ef7aeef6913ed4fcb0e8a7a04f46 netio.sys
Microsoft Corporation

1d85c4b390b0ee09c7a46b91efb2c097 nfrd960.sys
IBM Corp

1db262a9f8c087e8153d89bef3d2235f npfs.sys
Microsoft Corporation

e9a0a4d07e53d8fea2bb8387a3293c58 nsiproxy.sys
Microsoft Corporation

81189c3d7763838e55c397759d49007a ntfs.sys
Microsoft Corporation

f9756a98d69098dca8945d62858a812c null.sys
Microsoft Corporation

5a0983915f02bae73267cc2a041f717d NV_AGP.SYS
Microsoft Corporation

b3e25ee28883877076e0e1ff877d02e0 nvraid.sys
NVIDIA Corporation

4380e59a170d88c4f1022eff6719a8a4 nvstor.sys
NVIDIA Corporation

26384429fcd85d83746f63e798ab1480 nwifi.sys
Microsoft Corporation

08a70a1f2cdde9bb49b885cb817a66eb ohci1394.sys
Microsoft Corporation

6270ccae2a86de6d146529fe55b3246a pacer.sys
Microsoft Corporation

2ea877ed5dd9713c5ac74e8ea7348d14 parport.sys
Microsoft Corporation

bf8f6af06da75b336f07e23aef97d93b partmgr.sys
Microsoft Corporation

eb0a59f29c19b86479d36b35983daadc parvdm.sys
Microsoft Corporation

afe86f419014db4e5593f69ffe26ce0a pciide.sys
Microsoft Corporation

ede040d666ff81bf1978d0f19f799e7a pciidex.sys
Microsoft Corporation

673e55c3498eb970088e812ea820aa8f pci.sys
Microsoft Corporation

f396431b31693e71e8a80687ef523506 pcmcia.sys
Microsoft Corporation

250f6b43d2b613172035c6747aeeb19f pcw.sys
Microsoft Corporation

9e0104ba49f4e6973749a02bf41344ed PEAuth.sys
Microsoft Corporation

088335b06f75adbcbb81575c7cae6c43 pneteth.sys
tH,VS_VERSION_INFO?baStringFileInfoBZCompanyNameJuneFabricsTechnologyInc.hFileDescriptionPdaNetBroadbandAdapterDriverFileVersion...builtby:WinDDKbInternalNamepneteth.sysLegalCopyrightCopyright©JuneFabricsTechnologyInc.@bOriginalFilenamepneteth.sysRProductNamePdaNetBroadbandAdapter>rProductVersion...DVarFileInfo$Translation@r

da19e3401f39c10df193be029c7e7bba pnetmdm.sys
tH`VS_VERSION_INFO?nStringFileInfobPCompanyNameJuneFabricsTechnologyDFileDescriptionPdaNetDriverbFileVersion,,,bInternalNamepnetmdm.sysr'LegalCopyrightCopyrightJuneFabricsTechnology@bOriginalFilenamepnetmdm.sys<ProductNamePdaNetDriverbProductVersion,,,DVarFileInfo$Translationt*

7d7a9c17d5455203dea11e5ef886cc59 point32.sys
Microsoft Corporation

d72708c9f49500c13d7d067e169b7715 portcls.sys
Microsoft Corporation

85b1e3a0c7585bc4aae6899ec6fcf011 processr.sys
Microsoft Corporation

ff4fae9011b6bdab5baf0624aaeaa8c4 PTDCBus.sys
?abStringFileInfobDCompanyNameDEVGURUCo.,LTD.x(FileDescriptionUSBCompositeDeviceDriver(MSSVer.)@FileVersion,,,NInternalNamePTDCBus.sys(xFree)LegalCopyrightCopyright©DEVGURU-.(www.devguru.co.kr)@bOriginalFilenamePTDCBus.sysp(ProductNameUSBCompositeDeviceDriver(MSSVer.)DProductVersion,,,DVarFileInfo$Translationt*

cd034a84b9bb5651fb4953e4efc3ccb6 PTDCMdm.sys
?a$StringFileInfobj%CompanyNameDEVGURUCo.,LTD.(www.devguru.co.kr)p$FileDescriptionUSBModemDeviceDriver(MSSVer.)@FileVersion,,,NInternalNamePTDCMdm.sys(xFree)LegalCopyrightCopyright©DEVGURU-.(www.devguru.co.kr)@bOriginalFilenamePTDCMdm.sysh$ProductNameUSBModemDeviceDriver(MSSVer.)DProductVersion,,,DVarFileInfo$Translationt*

4edcb30ac3fac2893b92f03544a81d0a PTDCVsp.sys
?a<StringFileInfobj%CompanyNameDEVGURUCo.,LTD.(www.devguru.co.kr)|*FileDescriptionUSBSerialPortDeviceDriver(MSSVer.)@FileVersion,,,NInternalNamePTDCVsp.sys(xFree)LegalCopyrightCopyright©DEVGURU-.(www.devguru.co.kr)@bOriginalFilenamePTDCVsp.syst*ProductNameUSBSerialPortDeviceDriver(MSSVer.)DProductVersion,,,DVarFileInfo$Translationt*

cd7a0dd832e4090125d08fcdaf82a558 PTDCWWAN.sys
?aPStringFileInfo,bDCompanyNameDEVGURUCo.,LTD.FileDescriptionUSBWirelessNetworkAdapterDeviceDriver(MSSVer.)@FileVersion,,,PInternalNamePTDCWWAN.sys(xFree)LegalCopyrightCopyright©DEVGURU-.(www.devguru.co.kr)BrOriginalFilenamePTDCWWAN.sysProductNameUSBWirelessNetworkAdapterDeviceDriver(MSSVer.)DProductVersion,,,DVarFileInfo$Translationt

ab95ecf1f6659a60ddc166d8315b0751 ql2300.sys
QLogic Corporation

b4dd51dd25182244b86737dc51af2270 ql40xx.sys
QLogic Corporation

584078ca1b95ca72df2a27c336f9719d qwavedrv.sys
Microsoft Corporation

30a81b53c766d0133bb86d234e5556ab rasacd.sys
Microsoft Corporation

d9f91eafec2815365cbe6d167e4e332a rasl2tp.sys
Microsoft Corporation

0fe8b15916307a6ac12bfb6a63e45507 raspppoe.sys
Microsoft Corporation

631e3e205ad6d86f2aed6a4a8e69f2db raspptp.sys
Microsoft Corporation

44101f495a83ea6401d886e7fd70096b rassstp.sys
Microsoft Corporation

d528bc58a489409ba40334ebf96a311b rdbss.sys
Microsoft Corporation

0d8f05481cb76e70e1da06ee9f0da9df rdpbus.sys
Microsoft Corporation

23dae03f29d253ae74c44f99e515f9a1 RDPCDD.sys
Microsoft Corporation


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:08 PM

Posted 15 June 2011 - 07:34 PM

Try this please. You will need a USB drive.

  • Boot the sick computer with the GETxPUD CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 jet526

jet526
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:08 PM

Posted 16 June 2011 - 08:02 AM

Here is the text of filefind.txt:

Search results for volsnap.sys

ab6532bf1c2519efcec5b8c04d8dc407 /mnt/sda2/Windows/System32/drivers/volsnap.sys
239.9K Nov 20 2010

f497f67932c6fa693d7de2780631cfe7 /mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_6dee0205881d1a1d/volsnap.sys
239.9K Nov 20 2010

58df9d2481a56edde167e51b334d44fd /mnt/sda2/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e/volsnap.sys
239.6K Jul 14 2009

f497f67932c6fa693d7de2780631cfe7 /mnt/sda2/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8/volsnap.sys
239.9K Nov 20 2010

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:08 PM

Posted 16 June 2011 - 07:08 PM

Please do the following:

Boot into xPUD as you did before and navigate to the following file:

/mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_6dee0205881d1a1d/volsnap.sys

right click on the file and choose COPY


now navigate to

/mnt/sda2/Windows/System32/drivers/volsnap.sys


right click on volsnap.sys > choose to RENAME it and rename it to volsnap.sys.vir


now right click anywhere in that same "drivers" folder and choose PASTE

The patched volsnap.sys should now be replaced with the copy from the FileRepository folder.

Exit out of xPUD and reboot normally.

Let me know exactly what happens and how your machine is running now. Still getting redirected?


#11 jet526

jet526
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:08 PM

Posted 17 June 2011 - 07:51 AM

For some reason booting to the CD is not working. The xPUD language screen appears, then after a bit the following is displayed:

giving up
xinit: No such file or directory (errno 2): unable to connect to X server
xinit: No such process (errno 3): server error
xauth: (argv):1: bad display name "(none):0" in "remove" command
sh: no job control in this shell
sh-4.0#

It looks like the shell just failed to load but the terminal is available. I don't know Linux commands well enough to do this on my own, but I can type what you write.

I am off today and will not be back until Monday. Have a good weekend. Maybe the shell will start then.

#12 jet526

jet526
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:08 PM

Posted 20 June 2011 - 08:49 AM

I was able to boot to xPUD today with the shell running and made the file change.

So far I've not been redirected and the hidden audio is not playing.

I was able to run TDSSKiller. It did not detect any objects.

Thank you.

What is next?

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:08 PM

Posted 20 June 2011 - 11:01 AM

Hello,

Glad that worked. That is a very nasty infection. Replacing that infected file has done it.
Let's scan to make sure nothing else is there.


1.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#14 jet526

jet526
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:08 PM

Posted 20 June 2011 - 04:05 PM

MalwareBytes came up empty. Here is the log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6904

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

6/20/2011 10:55:49 AM
mbam-log-2011-06-20 (10-55-49).txt

Scan type: Quick scan
Objects scanned: 65918
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET found two. Here is the log:
C:\Users\treatj\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PHIT6Q4Y\Notes1[1].pdf JS/Exploit.Pdfka.OAY trojan cleaned by deleting - quarantined
C:\Windows\System32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan deleted (after the next restart) - quarantined

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:08 PM

Posted 20 June 2011 - 06:07 PM

Hello, jet526.
Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Click on Posted Image then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    Posted Image

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

