Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows XP Repair = Trouble


  • This topic is locked This topic is locked
2 replies to this topic

#1 splatooft

splatooft

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 01 July 2011 - 02:13 PM

Following the directions at http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery
I was unable to get TDSSKiller to run in any of its named iterations.
I was able to download and update Malware Bytes Anti-Malware Software. It occasionally pops-up warning of blocking outgoing traffic.
Still getting redirects and pop-ups.

I've followed the instructions of the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
So hereeeere's Loggy!!!

DDS:
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bluegrass Kitchen at 9:01:02 on 2011-07-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1408 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bluegrass Kitchen\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5825.1100\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT

5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

-"http://games.zeeks.com/snow-flake-1389/?page=play"
uRunOnce: [BrStsWnd.exe] c:\program files\brownie\BrStsWnd.exe WindowsStartUpModel
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web

printing\hpswp_BHO.dll
Trusted Zone: intuit.com\community
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://www.shockwave.com/content/sharkisland/sis/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160065772281
DPF: {6FE79ACA-A498-45E5-8BC4-1B9F380CE468} - hxxp://aolsvc.aol.com/onlinegames/ghadventureball/abxgh.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
DPF: {7D492D61-303A-45C3-8A55-63449339943D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-the-nightshift-code/NightShiftCodeWeb.1.0.0.5.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/snailmail/sis/slgwebinstall.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.energames.com/download/online_games/big_city_adventure_sydney_australia/JBGamePlayer.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game04.zylom.com/activex/zylomgamesplayer.cab
DPF: {C0C0CB9B-BFEB-47C2-90FA-BE9692875ADB} - hxxp://www.shockwave.com/content/petshophop/sis/petshophopweb.1.0.0.17.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{931F76F3-7597-44C9-9EC9-9E7EFCEC246E} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-4-29 352656]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-2 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-29 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-29 22712]
S1 MpKsl1500d4ba;MpKsl1500d4ba;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition

updates\{61083592-56e9-4cbd-af5f-1edb1b591d4a}\mpksl1500d4ba.sys --> c:\documents and settings\all users\application data\microsoft\microsoft

antimalware\definition updates\{61083592-56e9-4cbd-af5f-1edb1b591d4a}\MpKsl1500d4ba.sys [?]
S1 MpKsl948b2368;MpKsl948b2368;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition

updates\{fc787431-e70d-4db3-9031-014874986139}\mpksl948b2368.sys --> c:\documents and settings\all users\application data\microsoft\microsoft

antimalware\definition updates\{fc787431-e70d-4db3-9031-014874986139}\MpKsl948b2368.sys [?]
S1 MpKsld1ba6e0a;MpKsld1ba6e0a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition

updates\{acd8592f-b3b7-4046-ba76-f2b101e006b6}\mpksld1ba6e0a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft

antimalware\definition updates\{acd8592f-b3b7-4046-ba76-f2b101e006b6}\MpKsld1ba6e0a.sys [?]
S3 TD3004F60v;TD3004F60v;c:\windows\system32\drivers\td3004f60v.sys --> c:\windows\system32\drivers\TD3004F60v.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-31 133104]
S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2010-4-14 78104]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 TwonkyVision_Media_Server;TwonkyVision MediaServer;c:\program files\twonkyvision\twonkymedia.exe -serviceversion --> c:\program

files\twonkyvision\TwonkyMedia.exe -serviceversion [?]
.
=============== Created Last 30 ================
.
2011-06-30 14:12:27 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition

updates\{5056dab0-aba3-4ac7-989d-ba04656a860b}\mpengine.dll
2011-06-29 20:21:28 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-29 20:21:23 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-17 07:20:36 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-06-20 12:47:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 16:15:36 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-06-16 16:15:35 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-06-16 16:15:34 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-06-16 16:15:34 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 9:08:09.07 ===============





GMER:
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-01 14:56:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500AAJB-00J3A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\BLUEGR~1\LOCALS~1\Temp\pxtdypoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text KDCOM.DLL!KdSendPacket F7987345 6 Bytes [FA, 8D, 46, 01, 25, FF]
.text KDCOM.DLL!KdSendPacket F798734D 5 Bytes [80, 79, 07, 48, 0D]
.text KDCOM.DLL!KdSendPacket F7987353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
.text KDCOM.DLL!KdSendPacket F7987371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
.text KDCOM.DLL!KdD0Transition + 8 F798738E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
.text KDCOM.DLL!KdD0Transition + 1A F79873A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 25 F79873CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
.text KDCOM.DLL!KdDebuggerInitialize0 + 2C F79873D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 44 F79873EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
.text KDCOM.DLL!KdRestore + 2D F798748D 1 Byte [43]
.text KDCOM.DLL!KdRestore + 2D F798748D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
.text KDCOM.DLL!KdRestore + 7C F79874DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
.text KDCOM.DLL!KdRestore + 97 F79874F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
.text KDCOM.DLL!KdRestore + AD F798750D 241 Bytes CALL F798746D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 2 F7987F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D0 F798801C 2 Bytes [75, 0E] {JNZ 0x10}
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F798801F 1 Byte [C0]
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F798801F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 13B F7988087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
PAGEKD ...
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9584F80]
? C:\DOCUME~1\BLUEGR~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DA000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D9000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DB000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00DC000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D8000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B368C7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1112] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B36AD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B368C7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3656] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B36AD2

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A5C88D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:280] 8A32E0B3
Thread System [4:292] 8A32F7FB

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

anybody?

EDIT: Please be patient. There are over 340 unanswered topics in this forum at present and the current average wait time to receive help is 12 days. ~Budapest

Attached Files


Edited by Budapest, 05 July 2011 - 04:59 PM.


BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:10 AM

Posted 10 July 2011 - 07:06 AM

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  • Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • If you have already posted a log, please do so again as instructed below, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log. Thanks and again sorry for the delay.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:10 AM

Posted 15 July 2011 - 03:31 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users