Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ie redirector and possible rootkit


  • Please log in to reply
7 replies to this topic

#1 FMD

FMD

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 15 July 2011 - 11:41 AM

Hello,

I have a computer that has an IE redirector. I've run Norton 360 and Malwarebytes in normal and safe boots. They come up clean.

Here's the DDS log

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Pam at 8:48:38 on 2011-07-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1155 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\5.1.0.29\CoIEPlg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\5.1.0.29\CoIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\5.1.0.29\CoIEPlg.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [cdloader] "c:\documents and settings\pam\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [DMXLauncher] "c:\program files\dell\media experience\DMXLauncher.exe"
mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [InCD] "c:\program files\ahead\incd\InCD.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Corel Photo Downloader] "c:\program files\corel\corel photo album 6\MediaDetect.exe"
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [SMSTray] "c:\program files\samsung\samsung media studio 5\SMSTray.exe"
mRun: [MAAgent] "c:\program files\markany\contentsafer\MAAgent.exe"
mRun: [MimBoot] "c:\progra~1\musicm~1\musicm~3\mimboot.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1290291181914
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{F3376328-9965-4602-882D-D26335B2DC08} : DHCPNameServer = 64.233.217.2 64.233.217.3
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class - {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\program files\markany\contentsafer\MACSMANAGER.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-6-11 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-6-11 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-13 810616]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl49564916;MpKsl49564916;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88f93b86-895e-4b2a-83e6-a83160d09443}\MpKsl49564916.sys [2011-7-15 28752]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-6-11 136312]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-6-11 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-6-11 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20110714.034\IDSXpx86.sys [2011-7-14 355256]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20110714.022\NAVENG.SYS [2011-7-14 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20110714.022\NAVEX15.SYS [2011-7-14 1542392]
S1 MpKslc3dadad4;MpKslc3dadad4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a5f4afa5-510f-4235-9445-4272dda9b4d1}\mpkslc3dadad4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a5f4afa5-510f-4235-9445-4272dda9b4d1}\MpKslc3dadad4.sys [?]
S1 MpKslf1e55a0f;MpKslf1e55a0f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4364bd9e-8c5e-437f-93eb-5e8e889806dc}\mpkslf1e55a0f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4364bd9e-8c5e-437f-93eb-5e8e889806dc}\MpKslf1e55a0f.sys [?]
S1 MpKslfa5968f8;MpKslfa5968f8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d89dafdf-2c9e-43d0-85f6-61cc415731a3}\mpkslfa5968f8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d89dafdf-2c9e-43d0-85f6-61cc415731a3}\MpKslfa5968f8.sys [?]
.
=============== Created Last 30 ================
.
2011-07-15 12:42:59 28752 -c--a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88f93b86-895e-4b2a-83e6-a83160d09443}\MpKsl49564916.sys
2011-07-15 02:35:27 7074640 -c--a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88f93b86-895e-4b2a-83e6-a83160d09443}\mpengine.dll
2011-07-14 01:59:27 -------- d-----w- c:\documents and settings\pam\application data\Malwarebytes
2011-07-14 01:59:21 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-14 01:59:19 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-14 01:59:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-17 00:37:05 -------- d-----w- c:\documents and settings\pam\application data\ElevatedDiagnostics
2011-06-17 00:36:11 -------- d-----w- c:\documents and settings\pam\application data\Windows Search
2011-06-17 00:35:40 -------- d-----w- c:\documents and settings\pam\application data\Windows Desktop Search
2011-06-17 00:31:17 5082 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-17 00:31:09 -------- d-----w- c:\windows\system32\GroupPolicy
2011-06-17 00:31:09 -------- d-----w- c:\program files\Windows Desktop Search
2011-06-17 00:28:59 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2011-06-17 00:28:59 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2011-06-17 00:28:59 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
.
==================== Find3M ====================
.
2011-06-27 23:36:15 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-06-27 23:36:11 88 --sh--r- c:\windows\system32\314D9AEF6E.sys
2011-06-26 15:32:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-11 13:20:17 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-11 13:20:17 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 8:49:38.37 ===============

and the GMER log

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-07-15 12:35:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18 ST3808110AS rev.3.ADH
Running: gmer.exe; Driver: C:\DOCUME~1\Pam\LOCALS~1\Temp\pwtcqpod.sys


---- System - GMER 1.0.15 ----

SSDT 8A182E10 ZwAlertResumeThread
SSDT 8A3B6A50 ZwAlertThread
SSDT 8A403D58 ZwAllocateVirtualMemory
SSDT 8A331280 ZwAssignProcessToJobObject
SSDT 8A419160 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0x9E34D710]
SSDT 8A32A960 ZwCreateMutant
SSDT 8A2B8490 ZwCreateSymbolicLinkObject
SSDT 8A1E51D0 ZwCreateThread
SSDT 8A331360 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0x9E34D990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9E34DEF0]
SSDT 8A2A7E00 ZwDuplicateObject
SSDT 8A2B1798 ZwFreeVirtualMemory
SSDT 8A2DFDB0 ZwImpersonateAnonymousToken
SSDT 8A182D30 ZwImpersonateThread
SSDT 8A53A050 ZwLoadDriver
SSDT 8A2DC4B8 ZwMapViewOfSection
SSDT 8A32A8A0 ZwOpenEvent
SSDT 8A2295D8 ZwOpenProcess
SSDT 8A2A7D40 ZwOpenProcessToken
SSDT 8A28BCF0 ZwOpenSection
SSDT 8A27E628 ZwOpenThread
SSDT 89DF03D0 ZwProtectVirtualMemory
SSDT 8A4144D8 ZwResumeThread
SSDT 8A31F8F8 ZwSetContextThread
SSDT 8A284E00 ZwSetInformationProcess
SSDT 8A3AE570 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9E34E140]
SSDT 8A28BDD0 ZwSuspendProcess
SSDT 8A4145B8 ZwSuspendThread
SSDT 8A34C518 ZwTerminateProcess
SSDT 8A31F838 ZwTerminateThread
SSDT 8A3ADC90 ZwUnmapViewOfSection
SSDT 8A1B64E0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys BA0D3BD0 4 Bytes [B0, A5, 53, 80]
INITc VolSnap.sys BA0D3BF8 4 Bytes [B8, A1, 4F, 80]
INITc VolSnap.sys BA0D3C20 4 Bytes [B6, AE, 4F, 80]
INITc VolSnap.sys BA0D3C48 4 Bytes [30, FF, 4F, 80]
INITc VolSnap.sys BA0D3C70 4 Bytes [7A, A8, 4F, 80]
INITc ...
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Pam\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1280] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B16811
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0055000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0052000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0051000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0053000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0054000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0050000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B16811
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16A1C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0057000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0056000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0058000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0059000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0055000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0625003A
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 062500F7
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 062503D2
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 062501B0
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0625031C
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 06250488
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 06250266
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] ole32.dll!CreateBindCtx + B5F 774FF14F 7 Bytes JMP 062505F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] ole32.dll!CoImpersonateClient + 51 775151F0 7 Bytes JMP 0625053E
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B16811
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0059000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0056000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0055000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0057000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0058000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3688] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0054000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B16811
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16A1C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E4000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3856] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E0000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9C384D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device InCDfs.SYS (InCD File System Driver/Nero AG)

---- Threads - GMER 1.0.15 ----

Thread System [4:128] 8A6D2E7A
Thread System [4:132] 8A6D5008

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Pam\Cookies\pam@scorecardresearch[2].txt 0 bytes
File C:\Documents and Settings\Pam\Local Settings\Temp\fla1B.tmp 0 bytes

---- EOF - GMER 1.0.15 ----


Thanks,
Marshall

BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:46 AM

Posted 24 July 2011 - 07:50 AM

hi FMD,

Your post is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 FMD

FMD
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 24 July 2011 - 03:31 PM

Yes please, I still need some help.

Thanks,
Marshall

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:46 AM

Posted 24 July 2011 - 06:15 PM

hi,

ok we will get a download to use. Its called combofix. There is a guide to read first. Read through the guide then apply the directions on your own machine. Post the combofix log in your reply:

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 FMD

FMD
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 26 July 2011 - 07:26 AM

OK. It took a while to run but here's the combofix log.

ComboFix 11-07-24.03 - Pam 07/25/2011 23:08:00.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.876 [GMT -4:00]
Running from: c:\documents and settings\Pam\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\SET2345.tmp
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\bszip.dll
c:\windows\system32\muzapp.exe
c:\windows\system32\searchindexer.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WSearch
-------\Service_WSearch
.
.
((((((((((((((((((((((((( Files Created from 2011-06-26 to 2011-07-26 )))))))))))))))))))))))))))))))
.
.
2011-07-25 12:48 . 2011-07-13 03:39 6881616 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4DBD7518-B47C-49CE-9904-8C1F29870F6E}\mpengine.dll
2011-07-25 05:39 . 2011-07-25 05:41 -------- dc----w- C:\32788R22FWJFW
2011-07-14 01:59 . 2011-07-14 01:59 -------- d-----w- c:\documents and settings\Pam\Application Data\Malwarebytes
2011-07-14 01:59 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-14 01:59 . 2011-07-14 01:59 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-14 01:59 . 2011-07-14 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 03:39 . 2011-05-31 23:48 6881616 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-26 15:32 . 2011-06-08 00:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-17 00:31 . 2011-06-17 00:31 5082 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-06-11 13:20 . 2011-06-11 13:20 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-06-11 13:20 . 2011-06-11 13:20 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-04 08:52 . 2011-06-10 23:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2007-07-09 10:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-06-24 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-26 1397760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-13 1117184]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"MAAgent"="c:\program files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-31 57344]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 8192]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\Steve\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-7-8 155648]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-4 67128]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Documents and Settings\\Pam\\Application Data\\mjusbsp\\magicJack.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [6/11/2011 9:20 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [6/11/2011 9:20 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20110723.001\BHDrvx86.sys [7/22/2011 8:27 PM 815736]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [6/11/2011 9:20 AM 136312]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [6/11/2011 9:19 AM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/11/2011 2:36 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20110722.031\IDSXpx86.sys [7/22/2011 10:05 PM 355256]
S1 MpKslc3dadad4;MpKslc3dadad4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A5F4AFA5-510F-4235-9445-4272DDA9B4D1}\MpKslc3dadad4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A5F4AFA5-510F-4235-9445-4272DDA9B4D1}\MpKslc3dadad4.sys [?]
S1 MpKslf1e55a0f;MpKslf1e55a0f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4364BD9E-8C5E-437F-93EB-5E8E889806DC}\MpKslf1e55a0f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4364BD9E-8C5E-437F-93EB-5E8E889806DC}\MpKslf1e55a0f.sys [?]
S1 MpKslfa5968f8;MpKslfa5968f8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D89DAFDF-2C9E-43D0-85F6-61CC415731A3}\MpKslfa5968f8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D89DAFDF-2C9E-43D0-85F6-61CC415731A3}\MpKslfa5968f8.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2008-12-03 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]
.
2008-12-03 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]
.
2011-07-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
Trusted Zone: billpaysite.com\www
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 64.233.217.2 64.233.217.3
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-26 00:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1952)
c:\windows\system32\WININET.dll
c:\program files\MarkAny\ContentSafer\MaCSProHook.DLL
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\stsystra.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-07-26 00:34:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-26 04:34
.
Pre-Run: 44,065,632,256 bytes free
Post-Run: 47,228,325,888 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A635D3F10F80B99B9479428A51FCA1DB

When the machine rebooted. Explorer.exe was frozen. I had to go into task manager and stop the iexplorer.exe process and the explorer.exe process, restart explorer.exe and then restart internet explorer. Don't know if that's relevant or not, but thought you should know.

Thanks for your help.

#6 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:46 AM

Posted 26 July 2011 - 08:10 PM

Ok thanks for the info. Combofix removed some malware, is the redirection gone now?

How Can I Reduce My Risk to Malware?


#7 FMD

FMD
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 28 July 2011 - 09:17 PM

No, unfortunately. I now can get results from Google, but if I click on a link, it takes me to a bogus site.

Thanks,
Marshall

#8 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:46 AM

Posted 31 July 2011 - 03:56 PM

Sorry for the delay, lost track of the thread. Download and try tdsskiller:

Please download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk © as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users