
Windows XP Internet Explorer popup in background and wave volume control mute


  • This topic is locked
4 replies to this topic

#1 kgene


  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:24 AM

Posted 07 July 2011 - 03:21 PM

Hi,

I am running Windows XP on a Dell Inspiron Mini and have Internet Explorer popups coming up in the background. Sometimes there are ads with audio messages. Sometimes the sound mutes (wave volume mutes). I tried reinstalling the operating system, which did not work multiple times, until it finally succeeded (I am not sure why it finally succeeded). Even after this reinstallation (which seemed to delete most files from the hard drive) the popups and other antics continued. Malwarebytes' Anti-Malware and Norton Antivirus aren't detecting anything. I ran DDS and GMER as per instructions prior to posting. GMER generated a message after completing the scan that said a rootkit was detected. I clicked OK and haven't done anything with regard to that message. I have included all the log files requested. Thank you for your help!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Run by Personal at 11:45:09 on 2011-07-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.227 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe 4
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\OA012Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\CapsLKNotify\CapsLKNotify.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = hxxp://www.streetracekingz.com/banner3.php?q=5112.5112.2000.0.0.6d8200e3d911cd8977d632a8e675c7c81756d3956a37b589b8a296821d2f5bd4.1.55687.4
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0626A63-410B-45E2-99A1-3F2475B2D695} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OA012Mon] c:\windows\OA012Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [<NO NAME>]
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
TCP: Interfaces\{0E1FFF21-7209-4D5A-BADB-2FFCE2D98A82} : DhcpNameServer = 68.87.76.182 68.87.78.134
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\personal\application data\mozilla\firefox\profiles\jo3bbfq8.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-9-21 14248]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-6-29 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-6-29 744568]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2011-7-6 3968]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-6 810616]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-21 214664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-6-29 136312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-6 366640]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-6-29 130008]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-9-21 143840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-6-29 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110706.051\IDSXpx86.sys [2011-7-6 355256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-6 22712]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110707.003\NAVENG.SYS [2011-7-7 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110707.003\NAVEX15.SYS [2011-7-7 1542392]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-9-21 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-9-21 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-9-21 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-9-21 162816]
S0 cerc6;cerc6; [x]
S0 iutxyce;iutxyce;c:\windows\system32\drivers\iohjahsk.sys --> c:\windows\system32\drivers\iohjahsk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-21 1684736]
S3 BONKMJKV;BONKMJKV;c:\docume~1\personal\locals~1\temp\bonkmjkv.exe --> c:\docume~1\personal\locals~1\temp\BONKMJKV.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-21 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-21 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-21 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-21 40552]
.
=============== Created Last 30 ================
.
2011-07-06 21:13:53 -------- d-----w- C:\MGtools
2011-07-06 20:06:50 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2011-07-06 18:56:32 -------- d-----w- c:\program files\Sophos
2011-07-06 16:18:01 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-07-06 16:15:04 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2011-07-06 16:12:46 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2011-07-06 16:11:55 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-06 16:10:08 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2011-07-06 16:10:08 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2011-07-06 16:08:22 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-07-06 16:08:22 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-07-06 16:08:22 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-07-06 16:08:22 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-07-06 14:45:33 -------- d-----w- c:\documents and settings\personal\application data\Windows Search
2011-07-06 14:23:37 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 14:23:32 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 14:23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-06 13:56:07 -------- d-----w- c:\program files\iPod
2011-07-06 13:55:51 -------- d-----w- c:\program files\iTunes
2011-07-06 13:47:27 -------- d-----w- c:\program files\Bonjour
2011-07-06 13:21:33 -------- d-----w- c:\documents and settings\personal\application data\WinPatrol
2011-07-06 13:21:07 -------- d-----w- c:\program files\BillP Studios
2011-07-06 13:21:07 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2011-07-06 13:11:02 -------- d-----w- c:\documents and settings\personal\local settings\application data\Google
2011-07-06 13:08:31 -------- d-----w- c:\documents and settings\personal\local settings\application data\Apple
2011-07-06 12:38:54 -------- d-----w- c:\documents and settings\personal\application data\Malwarebytes
2011-07-06 12:34:57 -------- d-s---w- c:\documents and settings\personal\UserData
2011-07-06 12:30:13 -------- d-----w- c:\documents and settings\personal\application data\Dell
2011-07-06 12:27:10 -------- d-----w- c:\program files\Dell Support Center
2011-07-06 12:16:03 -------- d-----w- c:\documents and settings\personal\application data\PCDr
2011-07-06 12:06:37 172032 ----a-w- c:\windows\system32\igfxres.dll
2011-07-06 11:32:59 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-07-06 11:31:58 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2011-07-06 11:30:50 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2011-07-06 11:29:57 598071 -c--a-w- c:\windows\system32\dllcache\fpmmc.dll
2011-07-06 11:13:19 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-07-06 11:13:19 13312 ----a-w- c:\windows\system32\irclass.dll
2011-07-06 11:13:18 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-07-06 11:13:18 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-07-06 11:12:57 16535 ----a-r- c:\windows\SET5A.tmp
2011-07-06 11:12:52 1088840 ----a-r- c:\windows\SET46.tmp
2011-07-06 11:12:48 1296669 ----a-r- c:\windows\SET43.tmp
2011-07-04 23:50:23 16535 ----a-r- c:\windows\SET59.tmp
2011-07-04 23:50:18 1088840 ----a-r- c:\windows\SET4D.tmp
2011-07-04 23:50:15 1296669 ----a-r- c:\windows\SET4A.tmp
2011-07-04 10:28:07 16535 ----a-r- c:\windows\SET58.tmp
2011-07-04 10:28:02 1088840 ----a-r- c:\windows\SET4C.tmp
2011-07-04 10:27:59 1296669 ----a-r- c:\windows\SET49.tmp
2011-07-04 09:36:26 16535 ----a-r- c:\windows\SET57.tmp
2011-07-04 09:36:21 1088840 ----a-r- c:\windows\SET4B.tmp
2011-07-04 09:36:18 1296669 ----a-r- c:\windows\SET48.tmp
2011-07-04 07:47:13 -------- d-----w- c:\documents and settings\personal\local settings\application data\Mozilla
2011-07-04 07:45:37 -------- d-----w- c:\documents and settings\personal\local settings\application data\Apple Computer
2011-07-04 06:54:31 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-07-04 06:54:31 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-07-04 06:38:42 16535 ----a-r- c:\windows\SET114.tmp
2011-07-04 06:38:37 1088840 ----a-r- c:\windows\SET108.tmp
2011-07-04 06:38:33 1296669 ----a-r- c:\windows\SET105.tmp
2011-07-04 06:14:29 -------- d-----w- c:\windows\setup.pss
2011-07-04 01:03:56 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-07-04 01:03:56 -------- d-----w- c:\program files\Belarc
2011-07-03 23:25:55 -------- d-----w- c:\windows\Dell
2011-07-02 12:10:55 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-07-02 12:10:55 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-07-02 12:10:55 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-07-02 12:10:55 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-07-02 12:10:55 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-07-02 12:10:55 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-07-02 12:10:55 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-07-02 12:10:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-07-02 11:47:55 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
2011-07-02 11:47:49 -------- d-----w- c:\program files\Security Task Manager
2011-06-30 04:20:58 -------- d-----w- c:\windows\pss
2011-06-30 04:14:37 -------- d-----w- c:\program files\CCleaner
2011-06-29 20:41:52 369784 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
2011-06-29 20:41:52 331384 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2011-06-29 20:41:52 296568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-06-29 20:41:51 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
2011-06-29 20:41:51 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-06-29 20:41:51 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-06-29 20:41:51 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
2011-06-29 20:41:51 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
2011-06-29 20:41:09 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-06-29 19:14:25 -------- d-----w- c:\windows\ServicePackFiles
2011-06-29 18:13:34 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-29 17:48:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-29 17:48:02 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-06-29 17:48:01 -------- d-----w- c:\program files\Symantec
2011-06-29 17:48:01 -------- d-----w- c:\program files\common files\Symantec Shared
2011-06-29 17:46:42 -------- d-----w- c:\windows\system32\drivers\N360
2011-06-29 17:46:37 -------- d-----w- c:\program files\Norton Security Suite
2011-06-29 17:40:53 -------- d-----w- c:\program files\NortonInstaller
2011-06-29 17:40:53 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2011-06-29 17:23:30 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-06-29 17:08:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 19:35:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-07 19:35:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 14:47:19 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 14:47:19 667136 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 14:47:19 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-04-25 12:56:44 369664 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8650FAB8]
3 CLASSPNP[0xF75FDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000078[0x865559E8]
5 ACPI[0xF7494620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP0T0L0-3[0x86585940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; NOP ; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x620; }
user != kernel MBR !!!
.
============= FINISH: 11:46:38.76 ===============



#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:24 PM

Posted 09 July 2011 - 02:01 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 kgene

  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:24 AM

Posted 11 July 2011 - 12:45 AM

Since the last time I posted, my computer installed Windows updates automatically. I am not sure if that means I need to rerun DDS or GMER. After the updates, I ran ComboFix. While running, it complained that rootkit activity was detected, and ComboFix restarted my computer so that it could finish scanning. Here is the log file it generated:


ComboFix 11-07-09.03 - Personal 07/09/2011 18:32:58.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.682 [GMT -7:00]
Running from: c:\documents and settings\Personal\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\1f89b445-358e-4349-afd2-53f82b87ba43.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\2ee79d71-badc-46b4-b731-42b15f3cd1c3.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\3a79f062-8f3e-464f-9815-2c45840494ee.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\3e4c86d5-a5c1-4c3f-8fc7-6258992b16c5.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\493f295d-1a46-46f6-926c-63b474cedab4.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\5e1c102f-bfde-420c-87c0-64fe851888e5.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\6cf47205-6796-460b-806d-8f5f1a1f6b2e.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\7014e871-cc3b-4dec-b82b-bc70222b40ed.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\a4930af9-016c-4915-a740-a3364e7618aa.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\cf3463d8-8828-4f50-98c8-d04ca1fe42f3.dll
c:\documents and settings\All Users\Application Data\PCDr\5830\Downloads\e9bb45d9-5a2b-47e8-9c48-168276d422cc.dll
.
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
.
.
2011-07-06 21:13 . 2011-07-06 21:17 -------- d-----w- C:\MGtools
2011-07-06 20:06 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2011-07-06 18:56 . 2011-07-06 18:56 -------- d-----w- c:\program files\Sophos
2011-07-06 16:18 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-07-06 16:15 . 2009-06-10 16:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2011-07-06 16:12 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2011-07-06 16:11 . 2011-04-29 16:19 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-06 16:10 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2011-07-06 16:10 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2011-07-06 16:08 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-07-06 16:08 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-07-06 16:08 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-07-06 16:08 . 2010-12-09 13:07 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-07-06 14:23 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 14:23 . 2011-07-06 14:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-06 14:23 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 13:56 . 2011-07-06 13:56 -------- d-----w- c:\program files\iPod
2011-07-06 13:55 . 2011-07-06 13:58 -------- d-----w- c:\program files\iTunes
2011-07-06 13:47 . 2011-07-06 13:47 -------- d-----w- c:\program files\Bonjour
2011-07-06 13:21 . 2011-07-06 13:21 -------- d-----w- c:\program files\BillP Studios
2011-07-06 13:21 . 2011-07-06 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-07-06 12:27 . 2011-07-06 12:29 -------- d-----w- c:\program files\Dell Support Center
2011-07-06 12:06 . 2011-07-06 12:06 -------- d-----w- c:\documents and settings\Lani
2011-07-06 12:06 . 2009-02-15 21:34 172032 ----a-w- c:\windows\system32\igfxres.dll
2011-07-06 11:32 . 2001-08-18 05:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-07-06 11:31 . 2001-08-18 05:36 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2011-07-06 11:30 . 2008-04-13 23:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2011-07-06 11:29 . 2004-05-13 07:39 598071 -c--a-w- c:\windows\system32\dllcache\fpmmc.dll
2011-07-06 11:13 . 2008-04-13 23:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-07-06 11:13 . 2008-04-13 23:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-07-06 11:13 . 2008-04-13 23:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-07-06 11:13 . 2008-04-13 23:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-07-06 11:12 . 2008-04-13 23:00 16535 ----a-r- c:\windows\SET5A.tmp
2011-07-06 11:12 . 2008-04-13 23:00 1088840 ----a-r- c:\windows\SET46.tmp
2011-07-06 11:12 . 2008-04-13 23:00 1296669 ----a-r- c:\windows\SET43.tmp
2011-07-04 23:50 . 2008-04-13 23:00 16535 ----a-r- c:\windows\SET59.tmp
2011-07-04 23:50 . 2008-04-13 23:00 1088840 ----a-r- c:\windows\SET4D.tmp
2011-07-04 23:50 . 2008-04-13 23:00 1296669 ----a-r- c:\windows\SET4A.tmp
2011-07-04 22:45 . 2011-07-04 22:45 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-07-04 10:28 . 2008-04-13 23:00 16535 ----a-r- c:\windows\SET58.tmp
2011-07-04 10:28 . 2008-04-13 23:00 1088840 ----a-r- c:\windows\SET4C.tmp
2011-07-04 10:27 . 2008-04-13 23:00 1296669 ----a-r- c:\windows\SET49.tmp
2011-07-04 10:03 . 2011-07-04 10:03 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2011-07-04 09:36 . 2008-04-13 23:00 16535 ----a-r- c:\windows\SET57.tmp
2011-07-04 09:36 . 2008-04-13 23:00 1088840 ----a-r- c:\windows\SET4B.tmp
2011-07-04 09:36 . 2008-04-13 23:00 1296669 ----a-r- c:\windows\SET48.tmp
2011-07-04 07:44 . 2011-07-10 01:28 -------- d-----w- c:\documents and settings\Personal
2011-07-04 06:54 . 2008-04-13 23:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-07-04 06:54 . 2008-04-13 23:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-07-04 06:38 . 2008-04-13 23:00 16535 ----a-r- c:\windows\SET114.tmp
2011-07-04 06:38 . 2008-04-13 23:00 1088840 ----a-r- c:\windows\SET108.tmp
2011-07-04 06:38 . 2008-04-13 23:00 1296669 ----a-r- c:\windows\SET105.tmp
2011-07-04 06:37 . 2011-07-04 06:37 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2011-07-04 01:03 . 2011-07-04 01:03 -------- d-----w- c:\program files\Belarc
2011-07-04 01:03 . 2008-02-27 20:49 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-07-03 23:25 . 2011-07-03 23:25 -------- d-----w- c:\windows\Dell
2011-07-02 12:10 . 2011-06-16 04:17 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-07-02 12:10 . 2011-06-16 04:17 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-07-02 12:10 . 2011-06-16 04:17 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-07-02 12:10 . 2011-06-16 04:17 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-07-02 12:10 . 2011-06-16 04:17 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-07-02 12:10 . 2011-06-16 04:17 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-07-02 12:10 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-02 12:10 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-02 11:47 . 2011-07-02 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-07-02 11:47 . 2011-07-02 11:47 -------- d-----w- c:\program files\Security Task Manager
2011-06-30 04:14 . 2011-06-30 04:14 -------- d-----w- c:\program files\CCleaner
2011-06-29 23:21 . 2011-06-29 23:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Windows Search
2011-06-29 19:34 . 2011-06-29 19:34 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-06-29 19:14 . 2011-06-29 19:14 -------- d-----w- c:\windows\ServicePackFiles
2011-06-29 18:13 . 2011-06-29 21:17 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-29 17:48 . 2011-06-29 20:41 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-29 17:48 . 2011-06-29 20:41 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-06-29 17:48 . 2011-06-29 20:41 -------- d-----w- c:\program files\Symantec
2011-06-29 17:48 . 2011-06-29 19:30 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-06-29 17:46 . 2011-06-29 21:18 -------- d-----w- c:\windows\system32\drivers\N360
2011-06-29 17:46 . 2011-06-29 17:46 -------- d-----w- c:\program files\Norton Security Suite
2011-06-29 17:46 . 2011-06-29 17:46 -------- d-----w- c:\program files\Windows Sidebar
2011-06-29 17:40 . 2011-06-29 17:40 -------- d-----w- c:\program files\NortonInstaller
2011-06-29 17:23 . 2011-06-29 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-06-29 17:08 . 2011-06-29 17:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 21:17 . 2011-07-06 21:13 165924 ----a-w- C:\MGlogs.zip
2011-05-02 15:31 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-13 23:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-13 23:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 14:47 . 2008-04-13 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 14:47 . 2008-04-13 23:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 14:47 . 2008-04-13 23:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-04-25 12:56 . 2008-04-13 23:00 369664 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-13 23:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-06-16 04:17 . 2011-07-02 12:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-06-24 2423608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-03-31 251176]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\d:\0autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
"4100:UDP"= 4100:UDP:uPNP Router Control Port
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [9/21/2009 2:30 PM 14248]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [6/29/2011 1:41 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [6/29/2011 1:41 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110701.001\BHDrvx86.sys [7/6/2011 5:25 AM 810616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [6/29/2011 1:41 PM 136312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/6/2011 7:23 AM 366640]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [6/29/2011 1:41 PM 130008]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [9/21/2009 2:38 PM 143840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/29/2011 1:42 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110708.032\IDSXpx86.sys [7/8/2011 4:35 PM 355256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/6/2011 7:23 AM 22712]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [9/21/2009 5:01 PM 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [9/21/2009 5:01 PM 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [9/21/2009 5:01 PM 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [9/21/2009 5:00 PM 162816]
S0 cerc6;cerc6; [x]
S0 iutxyce;iutxyce;c:\windows\system32\drivers\iohjahsk.sys --> c:\windows\system32\drivers\iohjahsk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2010 2:22 PM 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/21/2009 5:00 PM 1684736]
S3 BONKMJKV;BONKMJKV;c:\docume~1\Personal\LOCALS~1\Temp\BONKMJKV.exe --> c:\docume~1\Personal\LOCALS~1\Temp\BONKMJKV.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-15 21:21]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-15 21:21]
.
2011-07-06 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = hxxp://www.streetracekingz.com/banner3.php?q=5112.5112.2000.0.0.6d8200e3d911cd8977d632a8e675c7c81756d3956a37b589b8a296821d2f5bd4.1.55687.4
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.76.182 68.87.78.134
FF - ProfilePath - c:\documents and settings\Personal\Application Data\Mozilla\Firefox\Profiles\jo3bbfq8.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-tscuninstall - c:\windows\system32\tscupgrd.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-09 18:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1E.tmp"
.
Completion time: 2011-07-09 18:44:07
ComboFix-quarantined-files.txt 2011-07-10 01:44
.
Pre-Run: 134,548,996,096 bytes free
Post-Run: 134,542,495,744 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1D144A32EE8B39AC7607D9444E0CFCF3

Thank you for your help!

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:24 PM

Posted 11 July 2011 - 06:51 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\drivers\iohjahsk.sys
c:\docume~1\Personal\LOCALS~1\Temp\BONKMJKV.exe

Driver::
iutxyce
BONKMJKV

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
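The entries the helper's CFScript targets (the iutxyce driver pointing at iohjahsk.sys, and BONKMJKV.exe in the user's Temp folder) can be picked out of the ComboFix service listing mechanically. The following Python triage helper is an added example, not part of this thread and not ComboFix's own logic: it parses service lines of the form `R3 Name;Description;Path [date size]` and flags entries whose image is missing on disk (`[?]` or `[x]`), lives under a Temp directory, or is a .tmp file. The function names are this example's own; the sample lines are copied from the log above plus one benign line for contrast.

```python
import re

# Constructed sample input: service lines copied from the ComboFix log in this
# thread (one benign Malwarebytes entry, then the entries worth a second look).
SAMPLE_LINES = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/6/2011 7:23 AM 366640]
S0 cerc6;cerc6; [x]
S0 iutxyce;iutxyce;c:\windows\system32\drivers\iohjahsk.sys --> c:\windows\system32\drivers\iohjahsk.sys [?]
S3 BONKMJKV;BONKMJKV;c:\docume~1\Personal\LOCALS~1\Temp\BONKMJKV.exe --> c:\docume~1\Personal\LOCALS~1\Temp\BONKMJKV.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
""".strip().splitlines()

# "<state> <name>;<description>;<rest>" where <rest> is the image path plus a
# trailing bracketed tag (a date/size stamp, or [?] / [x] when the file is
# missing or could not be verified).
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<tag>[^\]]*)\]\s*$")


def parse_service_line(line):
    """Split one ComboFix service line into its fields; None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    t = TAIL_RE.match(rest)
    path, tag = (t.group("path"), t.group("tag")) if t else (rest, "")
    # "registered path --> resolved path": keep the resolved form.
    if "-->" in path:
        path = path.split("-->")[-1]
    path = path.strip()
    # Strip the NT object-manager prefix some ImagePath values carry.
    if path.startswith("\\??\\"):
        path = path[4:]
    return {
        "state": m.group("state"),
        "name": m.group("name").strip(),
        "description": m.group("desc").strip(),
        "path": path,
        "tag": tag.strip(),
    }


def suspicious_reasons(entry):
    """Heuristic checks a reviewer applies to a service/driver entry."""
    reasons = []
    path = entry["path"].lower()
    if entry["tag"] in ("?", "x"):
        reasons.append("image file missing or unverifiable on disk [%s]" % entry["tag"])
    if not path:
        reasons.append("no image path recorded")
    if "\\temp\\" in path:
        reasons.append("image lives in a Temp directory")
    if path.endswith(".tmp"):
        reasons.append("image is a .tmp file")
    return reasons


def triage_service_lines(lines):
    """Return {service name: [reasons]} for every line that trips a heuristic."""
    flagged = {}
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_service_lines(SAMPLE_LINES).items():
        print("%-10s %s" % (name, "; ".join(reasons)))
```

Run on the sample, the heuristic flags iutxyce and BONKMJKV (the two the helper's `Driver::` and `Collect::` directives address) but also cerc6 and MEMSWEEP2, which the helper left alone. That is the point of showing it: path heuristics produce a shortlist for a person to review, not a removal list, and a missing-file driver entry is often just a leftover from an uninstalled product.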


#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:24 PM

Posted 19 July 2011 - 09:25 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

