Google Redirect Virus/100ksearches

This topic is locked
20 replies to this topic

#1 hijohn77

hijohn77

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 15 August 2011 - 09:54 AM

Windows XP SP3

Hi, when I click on a Google search result link in either Firefox or IE my browser is redirected to another site through 100ksearches.com. The CPU is slow upon startup, often with 100% usage, then normal speed resumes. I also noticed a couple of times the computer would not reboot after being in idle mode.

Before posting I ran Malwarebytes, SUPERAntiSpyware, Trojan Remover and TDSSKiller. All of these antivirus programs begin to scan and then crash; when I then try to run them they say "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I tried reinstalling and using a random .exe name for Malwarebytes. I also ran rkill, but none of the antivirus programs will work. Malwarebytes scanned successfully in Safe Mode and found 6 items, and said it successfully removed them, but when I started my computer the log had been removed and the problem still exists.

GMER also stopped running after the scan began; when trying to run it again, it also said "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Below is my DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by HP_Owner at 9:28:34 on 2011-08-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.309 [GMT -5:00]
.
AV: Norton AntiVirus 2005 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\102893117:3271155193.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.alot.com/?client_id=CD44135001CB3B0F0C46DE47&install_time=2010-08-13T17:48:56Z&src_id=20001&camp_id=30&tb_version=2.5.15000.521
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=CD44135001CB3B0F0C46DE47&src_id=20001&camp_id=30&tb_version=2.5.15000.521
uURLSearchHooks: H - No File
BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\bho\alotBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [TrojanScanner] c:\documents and settings\all users\desktop\trojan remover\Trjscan.exe /boot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: motive.com\patttbc.att
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251339340437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{BFD43A0E-A360-4034-B4D9-E1F763137108} : DhcpNameServer = 192.168.1.254 192.168.1.254
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\tn5vll5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\hp_owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_SeekmoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-13 197752]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2003-12-9 218232]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-13 164984]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-8-27 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-17 88176]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\navapsvc.exe [2004-8-18 176768]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2004-7-23 49808]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-8-27 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-8 135664]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-13 78968]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-8 135664]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20041006.020\NAVENG.Sys [2004-10-22 68168]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20041006.020\NavEx15.Sys [2004-10-22 617288]
S3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2004-7-23 335504]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2004-7-23 197864]
.
=============== Created Last 30 ================
.
2011-08-15 13:45:03 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2011-08-15 13:45:02 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-08-15 13:45:02 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-08-15 13:45:02 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-08-15 13:45:01 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-08-15 13:44:58 -------- d-----w- c:\documents and settings\hp_owner\application data\Simply Super Software
2011-08-15 13:44:58 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software
2011-08-15 13:02:45 43408 --sha-w- c:\windows\system32\c_51981.nl_
2011-08-15 10:21:49 -------- d-----w- c:\documents and settings\hp_owner\application data\SUPERAntiSpyware.com
2011-08-15 10:20:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-15 10:20:48 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-15 10:11:27 -------- d--h--w- c:\windows\PIF
2011-08-09 20:48:53 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 20:48:11 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 08:21:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP0802N rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF7C56660]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F8AAB8]
3 CLASSPNP[0xF8741FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x82C42030]
\Driver\00001526[0x82B16BE0] -> IRP_MJ_CREATE -> 0xF7C56660
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F1F31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:30:28.70 ===============
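As an added example (not part of the thread, and not code from DDS, GMER or ComboFix), here is a small Python triage script that does by rule what a helper does by eye on the log above: it flags a running process whose image path contains a second colon (an NTFS alternate data stream, which no legitimate installer launches from), a newly created file under system32 carrying both the system and hidden attributes, and the hooked-driver lines in the GMER disk trace. The sample log is a constructed excerpt of the DDS log in this post.

```python
import re
from typing import Dict, List

# Constructed excerpt of a DDS log, modelled on the log in the post above.
# The paths and values are copied from that log; this is not the complete log.
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\102893117:3271155193.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
.
=============== Created Last 30 ================
.
2011-08-15 13:02:45 43408 --sha-w- c:\windows\system32\c_51981.nl_
2011-08-15 10:20:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-09 20:48:53 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
.
=================== ROOTKIT ====================
.
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF7C56660]<<
\Driver\00001526[0x82B16BE0] -> IRP_MJ_CREATE -> 0xF7C56660
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:30:28.70 ===============
"""

# DDS section headers look like "===== Name =====".
SECTION_HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")
# A drive-letter path with a second colon: the file name is an alternate data stream.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]+:[^\\\s]+$")
# "Created Last 30" entry: date time size attributes path
CREATED_ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# GMER disk-trace markers: an unresolved module in the call chain, an explicit warning,
# or a driver object whose name is only digits (as \Driver\00001526 in this log).
HOOK_MARKERS = (">>UNKNOWN", "Warning:")
NUMERIC_DRIVER = re.compile(r"\\Driver\\\d{8}\b")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group DDS log lines by their section header, dropping the '.' spacer lines."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def ads_processes(lines: List[str]) -> List[str]:
    r"""Running processes whose image path is an alternate data stream (C:\dir\<name>:<stream>)."""
    return [line for line in lines if ADS_PATH.match(line)]


def hidden_system_files(lines: List[str]) -> List[str]:
    """Recently created files under system32 that carry both the system (s) and hidden (h) attributes."""
    found: List[str] = []
    for line in lines:
        m = CREATED_ENTRY.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        if "s" in attrs and "h" in attrs and "\\windows\\system32\\" in path.lower():
            found.append(path)
    return found


def rootkit_indicators(lines: List[str]) -> List[str]:
    """Lines in the GMER section that point at a hooked or unresolved driver stack."""
    return [
        line for line in lines
        if any(marker in line for marker in HOOK_MARKERS) or NUMERIC_DRIVER.search(line)
    ]


def triage(text: str) -> Dict[str, List[str]]:
    """Run all three checks over a DDS log and return the flagged lines per check."""
    sections = split_sections(text)
    return {
        "ads_processes": ads_processes(sections.get("Running Processes", [])),
        "hidden_system_files": hidden_system_files(sections.get("Created Last 30", [])),
        "rootkit_indicators": rootkit_indicators(sections.get("ROOTKIT", [])),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_DDS_LOG).items():
        print(f"{check}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Each check is deliberately narrow; a clean machine produces no hits on any of them, so a single hit is worth a second look rather than proof of infection.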

#2 hijohn77

hijohn77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 15 August 2011 - 10:00 AM

Here is my attach.txt file; not sure if it attached on the first try.

Attached file: attach.txt (22.29KB)

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:09 PM

Posted 19 August 2011 - 08:47 PM

Please do the following:

Download ComboFix from the link below, but rename it to hijohn.com and save it directly to your C:\ drive.

Now boot into safe mode with networking > navigate to C:\hijohn.com and run it.

Make sure all other windows are closed:


ComboFix


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account


If you cannot get it to run, try running the following tool first, then give it another try:

  • Please Download FixNCR.reg
  • Double-click on the FixNCR.reg file to fix the Registry.
  • Restart your computer back into safe mode (with networking)



If it will not run, then please run the following:

  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 hijohn77

hijohn77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 20 August 2011 - 12:57 AM

When running ComboFix it gives me a warning and says ComboFix has detected the following real-time program running: Norton 2005.

Norton doesn't appear to be running; how should I proceed?

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:09 PM

Posted 20 August 2011 - 03:30 AM

Uninstall Norton until you are clean.

After removing it from Add/Remove Programs, use the Norton Removal Tool:

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 hijohn77

hijohn77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 20 August 2011 - 01:55 PM

CatByte, I forgot to tell you in my last post: thanks a ton for taking some time to help me out.

ComboFix ran successfully; it said I had Rootkit.ZeroAccess.

The Google redirect appears to be gone. Below is the ComboFix log:



ComboFix 11-08-20.01 - HP_Owner 08/20/2011 13:23:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.258 [GMT -5:00]
Running from: C:\hijohn.com.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Donna\WINDOWS
c:\documents and settings\HP_Owner\Application Data\Adobe\plugs
c:\documents and settings\HP_Owner\Application Data\Adobe\shed
c:\documents and settings\HP_Owner\Application Data\alot
c:\documents and settings\HP_Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\HP_Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\HP_Owner\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\configurator\configurator.xml
c:\documents and settings\HP_Owner\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\HP_Owner\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\HP_Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\HP_Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\products\products.xml
c:\documents and settings\HP_Owner\Application Data\alot\products\products.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\HP_Owner\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_image_search.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_news_search.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_1\images\alot_web_search.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_2\images\alot_configure.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_2\images\alot_configure.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_3\images\default_1008_alot_map_widget_default.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_4\images\1011_icon.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_4\images\1011_icon.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_5\images\default_1870_mrkt_traffic.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_5\images\default_1870_mrkt_traffic.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\alert-icon.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\clear.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\cloudy.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\default_1007_alot_weather_widget.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\mcloud.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\nclear.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\nmcloud.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\pcloud.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\rain.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\shower.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\snow.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_6\images\tstorm.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_7\images\default_2254_email.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_7\images\default_2254_email.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_7\images\icon_configure.JPG
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_8\images\2775_icon.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_8\images\2775_icon.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_9\images\4712_icon.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Button_9\images\4712_icon.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\intro_popup.png
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_btnconfig0.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_btnconfig1.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_btnrefresh0.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_btnrefresh1.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\HP_Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\HP_Owner\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\HP_Owner\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\toolbar.xml
c:\documents and settings\HP_Owner\Application Data\alot\toolbar.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\HP_Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\HP_Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
c:\documents and settings\HP_Owner\Application Data\alot\Updater\Updater.xml
c:\documents and settings\HP_Owner\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\HP_Owner\WINDOWS
c:\documents and settings\postgres\WINDOWS
C:\install.exe
c:\windows\$NtUninstallKB57599$
c:\windows\$NtUninstallKB57599$\1023812102\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB57599$\1023812102\click.tlb
c:\windows\$NtUninstallKB57599$\1023812102\L\rcsnsdej
c:\windows\$NtUninstallKB57599$\1023812102\loader.tlb
c:\windows\$NtUninstallKB57599$\1023812102\U\@00000001
c:\windows\$NtUninstallKB57599$\1023812102\U\@000000c0
c:\windows\$NtUninstallKB57599$\1023812102\U\@000000cb
c:\windows\$NtUninstallKB57599$\1023812102\U\@000000cf
c:\windows\$NtUninstallKB57599$\1023812102\U\@80000000
c:\windows\$NtUninstallKB57599$\1023812102\U\@800000c0
c:\windows\$NtUninstallKB57599$\1023812102\U\@800000cb
c:\windows\$NtUninstallKB57599$\1023812102\U\@800000cf
c:\windows\$NtUninstallKB57599$\2242177209
c:\windows\system32\c_51981.nls
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\no
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_3d062206
.
.
((((((((((((((((((((((((( Files Created from 2011-07-20 to 2011-08-20 )))))))))))))))))))))))))))))))
.
.
2011-08-20 18:19 . 2008-04-13 19:15 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-08-20 18:19 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-08-15 13:48 . 2011-08-15 13:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-15 13:45 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2011-08-15 13:45 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-08-15 13:45 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-08-15 13:45 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-08-15 13:45 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-08-15 13:44 . 2011-08-15 13:44 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Simply Super Software
2011-08-15 13:44 . 2011-08-15 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2011-08-15 13:02 . 2011-08-15 13:02 43408 --sha-w- c:\windows\system32\c_51981.nl_
2011-08-15 10:11 . 2011-08-15 10:11 -------- d--h--w- c:\windows\PIF
2011-08-09 20:48 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 20:48 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 14:02 . 2004-11-03 18:50 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2009-08-28 02:47 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2009-08-28 02:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2004-11-03 18:50 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-11-03 18:52 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-11-03 18:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-11-03 18:50 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-11-03 18:50 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-11-03 18:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 08:21 . 2011-06-15 17:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-11-03 18:52 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-13 05:53 . 2011-05-13 05:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1630208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-02-02 273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"TrojanScanner"="c:\documents and settings\All Users\Desktop\Trojan Remover\Trjscan.exe" [2011-05-18 1233856]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/27/2009 9:47 PM 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/17/2009 10:02 PM 88176]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/27/2009 9:47 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/8/2009 9:04 PM 135664]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 12:49 PM 284016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/8/2009 9:04 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 02:04]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 02:04]
.
2011-08-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2600112436-2130954474-72079630-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25]
.
2011-08-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2600112436-2130954474-72079630-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.alot.com/?client_id=CD44135001CB3B0F0C46DE47&install_time=2010-08-13T17:48Z&src_id=20001&camp_id=30&tb_version=2.5.15000.521
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=CD44135001CB3B0F0C46DE47&src_id=20001&camp_id=30&tb_version=2.5.15000.521
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\tn5vll5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
AddRemove-888poker - c:\progra~1\PACIFI~1\UNWISE.EXE
AddRemove-Betfair Poker_is1 - c:\betfair\unins000.exe
AddRemove-Bodog Poker_is1 - c:\program files\Bodog Poker\unins000.exe
AddRemove-Cake Poker - c:\program files\Cake Poker\uninstall.exe
AddRemove-CardRoom Lobby_is1 - c:\program files\CardRoom\unins000.exe
AddRemove-ClubWPT - c:\progra~1\ClubWPT\UNWISE.EXE
AddRemove-PartyPoker - c:\program files\PartyGaming\PartyPoker\Uninstall.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31} - c:\program files\Full Tilt Poker\uninstall.exe
AddRemove-Bet USA - c:\program files\Merge\BetUSA\uninstall.exe
AddRemove-CarbonPoker - c:\program files\CarbonPoker\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-20 13:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\102893117:3271155193.exe 816 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP0802N rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F5D31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
.
**************************************************************************
.
Completion time: 2011-08-20 13:52:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-20 18:51
.
Pre-Run: 27,671,175,168 bytes free
Post-Run: 28,797,992,960 bytes free
.
- - End Of File - - 5A5FC23C7A42FEE93821921897182A5C
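One way to triage a ComboFix log like the one above is to pull its findings into structured records instead of reading the raw text. The Python below is an added example for this thread; it is not code from ComboFix, GMER or the helper. It parses three line shapes that occur in the log: the "Infected copy of ... was found and disinfected" / "Restored copy from" pairs, the catchme "hidden files" entry, and the "detected hooks" line. The `host:stream` form in the hidden-file line is NTFS alternate data stream notation, so the parser splits it into the host file (the path that later appears in the helper's Collect:: script) and the stream name. The sample log text is constructed from lines in the log above.

```python
"""Triage helper for ComboFix log excerpts (added example, not ComboFix code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed from lines in the thread's ComboFix log.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
scanning hidden files ...
.
c:\windows\102893117:3271155193.exe 816 bytes executable
.
scan completed successfully
hidden files: 1
.
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F5D31B
user & kernel MBR OK
"""

INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
# catchme hidden-file entry: "<path> <size> bytes <kind>"
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes (?P<kind>\S+)$")
# MBR detector hook entry: "\Driver\<name> <routine> -> 0x<addr>"
HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+)\s+(?P<routine>\S+)\s+->\s+(?P<addr>0x[0-9A-Fa-f]+)$")


@dataclass
class Finding:
    category: str              # "patched_file", "hidden_file" or "hook"
    path: str                  # file path, or driver object for hooks
    detail: dict = field(default_factory=dict)


def split_ads(path: str) -> tuple[str, Optional[str]]:
    """Split 'c:\\dir\\host:stream' into (host path, stream name).

    The drive-letter colon is skipped; only a colon after it marks an
    NTFS alternate data stream. Paths without a stream return (path, None).
    """
    drive, rest = (path[:2], path[2:]) if path[1:2] == ":" else ("", path)
    host, sep, stream = rest.rpartition(":")
    if not sep:
        return path, None
    return drive + host, stream


def parse_combofix(text: str) -> list[Finding]:
    """Return structured findings from the interesting lines of a log."""
    findings: list[Finding] = []
    pending: Optional[Finding] = None   # last "Infected copy" awaiting its "Restored" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := INFECTED_RE.match(line):
            pending = Finding("patched_file", m.group(1))
            findings.append(pending)
        elif (m := RESTORED_RE.match(line)) and pending is not None:
            pending.detail["restored_from"] = m.group(1)
            pending = None
        elif m := HOOK_RE.match(line):
            findings.append(Finding("hook", m.group("driver"),
                                    {"routine": m.group("routine"), "address": m.group("addr")}))
        elif m := HIDDEN_RE.match(line):
            host, stream = split_ads(m.group("path"))
            findings.append(Finding("hidden_file", host,
                                    {"stream": stream, "size": int(m.group("size")),
                                     "kind": m.group("kind")}))
    return findings


def ads_hosts(findings: list[Finding]) -> list[str]:
    """Host files that carry a hidden alternate data stream."""
    return sorted({f.path for f in findings
                   if f.category == "hidden_file" and f.detail.get("stream")})


if __name__ == "__main__":
    results = parse_combofix(SAMPLE_LOG)
    for f in results:
        print(f"{f.category:13} {f.path}  {f.detail}")
    print("ADS host files:", ads_hosts(results))
```

The host file list is the useful output: an ADS cannot be seen in an ordinary directory listing, so the file it rides on is what a responder submits for analysis, which matches the path the helper asks ComboFix to collect in the next post.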

#7 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:09 PM

Posted 20 August 2011 - 02:22 PM

That looks a little bit better, but we have a little more work to do.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic414509.html/page__pid__2379600#entry2379600

Collect::
c:\windows\system32\c_51981.nl_
c:\windows\102893117

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


Please see if TDSSKiller will run now. Delete the copy that you have on your desktop and download a fresh copy.


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 hijohn77

  • Topic Starter
  • Members
  • 11 posts
  • Local time:06:09 PM

Posted 20 August 2011 - 03:35 PM

TDSSKiller ran successfully and found a rootkit. Below is my ComboFix log, followed by the TDSSKiller log.



ComboFix 11-08-20.01 - HP_Owner 08/20/2011 14:41:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.287 [GMT -5:00]
Running from: C:\hijohn.com.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
.
file zipped: c:\windows\102893117
file zipped: c:\windows\system32\c_51981.nl_
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\102893117
c:\windows\system32\c_51981.nl_
.
.
((((((((((((((((((((((((( Files Created from 2011-07-20 to 2011-08-20 )))))))))))))))))))))))))))))))
.
.
2011-08-20 18:19 . 2008-04-13 19:15 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-08-20 18:19 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-08-15 13:48 . 2011-08-15 13:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-15 13:45 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2011-08-15 13:45 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-08-15 13:45 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-08-15 13:45 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-08-15 13:45 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-08-15 13:44 . 2011-08-15 13:44 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Simply Super Software
2011-08-15 13:44 . 2011-08-15 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2011-08-15 10:11 . 2011-08-15 10:11 -------- d--h--w- c:\windows\PIF
2011-08-09 20:48 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 20:48 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 14:02 . 2004-11-03 18:50 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2009-08-28 02:47 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2009-08-28 02:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2004-11-03 18:50 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-11-03 18:52 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-11-03 18:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-11-03 18:50 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-11-03 18:50 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-11-03 18:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 08:21 . 2011-06-15 17:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-11-03 18:52 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-13 05:53 . 2011-05-13 05:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-08-03 1630208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-02-02 273544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"TrojanScanner"="c:\documents and settings\All Users\Desktop\Trojan Remover\Trjscan.exe" [2011-05-18 1233856]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/27/2009 9:47 PM 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/17/2009 10:02 PM 88176]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/27/2009 9:47 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/8/2009 9:04 PM 135664]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 12:49 PM 284016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/8/2009 9:04 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 02:04]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-09 02:04]
.
2011-08-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2600112436-2130954474-72079630-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25]
.
2011-08-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2600112436-2130954474-72079630-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.alot.com/?client_id=CD44135001CB3B0F0C46DE47&install_time=2010-08-13T17:48Z&src_id=20001&camp_id=30&tb_version=2.5.15000.521
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=CD44135001CB3B0F0C46DE47&src_id=20001&camp_id=30&tb_version=2.5.15000.521
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\tn5vll5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-20 14:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP0802N rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F3631B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-08-20 15:08:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-20 20:07
ComboFix2.txt 2011-08-20 18:52
.
Pre-Run: 28,801,126,400 bytes free
Post-Run: 28,787,081,216 bytes free
.
- - End Of File - - 66076ECC7F630B3F014CA0B6FC53D842
Upload was successful

TDSSKiller log

2011/08/20 15:27:50.0234 3740 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
2011/08/20 15:27:50.0515 3740 ================================================================================
2011/08/20 15:27:50.0515 3740 SystemInfo:
2011/08/20 15:27:50.0515 3740
2011/08/20 15:27:50.0515 3740 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/20 15:27:50.0515 3740 Product type: Workstation
2011/08/20 15:27:50.0515 3740 ComputerName: YOUR-03667082DE
2011/08/20 15:27:50.0515 3740 UserName: HP_Owner
2011/08/20 15:27:50.0515 3740 Windows directory: C:\WINDOWS
2011/08/20 15:27:50.0515 3740 System windows directory: C:\WINDOWS
2011/08/20 15:27:50.0515 3740 Processor architecture: Intel x86
2011/08/20 15:27:50.0515 3740 Number of processors: 1
2011/08/20 15:27:50.0515 3740 Page size: 0x1000
2011/08/20 15:27:50.0515 3740 Boot type: Normal boot
2011/08/20 15:27:50.0515 3740 ================================================================================
2011/08/20 15:27:52.0406 3740 Initialize success
2011/08/20 15:28:01.0375 3840 ================================================================================
2011/08/20 15:28:01.0375 3840 Scan started
2011/08/20 15:28:01.0375 3840 Mode: Manual;
2011/08/20 15:28:01.0375 3840 ================================================================================
2011/08/20 15:28:03.0203 3840 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/20 15:28:03.0343 3840 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/20 15:28:03.0593 3840 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/20 15:28:03.0750 3840 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/08/20 15:28:03.0953 3840 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/08/20 15:28:04.0515 3840 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/08/20 15:28:04.0906 3840 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/08/20 15:28:05.0468 3840 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/20 15:28:05.0609 3840 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/20 15:28:05.0890 3840 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/20 15:28:06.0031 3840 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/20 15:28:06.0187 3840 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/20 15:28:06.0359 3840 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2011/08/20 15:28:06.0515 3840 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/20 15:28:06.0812 3840 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/20 15:28:06.0968 3840 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/20 15:28:07.0125 3840 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/20 15:28:08.0203 3840 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/20 15:28:08.0500 3840 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/20 15:28:08.0671 3840 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/20 15:28:08.0828 3840 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/20 15:28:09.0000 3840 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/20 15:28:09.0296 3840 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/20 15:28:09.0515 3840 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/20 15:28:09.0640 3840 fasttx2k (1e580770bdece924494b368ac980749e) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys
2011/08/20 15:28:09.0828 3840 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/20 15:28:09.0984 3840 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/20 15:28:10.0125 3840 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/20 15:28:10.0265 3840 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/20 15:28:10.0421 3840 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/20 15:28:10.0562 3840 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/20 15:28:10.0718 3840 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/08/20 15:28:10.0875 3840 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/20 15:28:11.0062 3840 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/20 15:28:11.0531 3840 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/20 15:28:11.0968 3840 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/20 15:28:12.0156 3840 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/08/20 15:28:12.0328 3840 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/20 15:28:12.0578 3840 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/08/20 15:28:12.0750 3840 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/20 15:28:12.0890 3840 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/20 15:28:13.0031 3840 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/20 15:28:13.0171 3840 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/20 15:28:13.0328 3840 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/20 15:28:13.0500 3840 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/20 15:28:13.0640 3840 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/20 15:28:13.0828 3840 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/20 15:28:14.0000 3840 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/20 15:28:14.0140 3840 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/20 15:28:14.0312 3840 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/20 15:28:14.0593 3840 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/08/20 15:28:14.0796 3840 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/20 15:28:15.0015 3840 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/20 15:28:15.0171 3840 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/20 15:28:15.0312 3840 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/20 15:28:15.0468 3840 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/20 15:28:15.0703 3840 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/08/20 15:28:15.0875 3840 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/08/20 15:28:16.0046 3840 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/20 15:28:16.0218 3840 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/20 15:28:16.0390 3840 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/20 15:28:16.0562 3840 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/20 15:28:16.0718 3840 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/20 15:28:16.0890 3840 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/20 15:28:17.0046 3840 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/20 15:28:17.0218 3840 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/20 15:28:17.0390 3840 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/20 15:28:17.0531 3840 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/20 15:28:17.0687 3840 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/20 15:28:17.0859 3840 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/20 15:28:18.0031 3840 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/20 15:28:18.0203 3840 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/20 15:28:18.0421 3840 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/20 15:28:18.0593 3840 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/20 15:28:18.0796 3840 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/20 15:28:18.0937 3840 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/20 15:28:19.0093 3840 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/20 15:28:19.0250 3840 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/20 15:28:19.0390 3840 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/20 15:28:19.0531 3840 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/20 15:28:19.0687 3840 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/20 15:28:19.0921 3840 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/20 15:28:20.0078 3840 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/20 15:28:20.0906 3840 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/20 15:28:21.0046 3840 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/08/20 15:28:21.0218 3840 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys
2011/08/20 15:28:21.0359 3840 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/20 15:28:21.0500 3840 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/20 15:28:21.0640 3840 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/20 15:28:22.0328 3840 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/20 15:28:22.0468 3840 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/20 15:28:22.0625 3840 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/20 15:28:22.0781 3840 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/20 15:28:22.0937 3840 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/20 15:28:23.0093 3840 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/20 15:28:23.0265 3840 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/20 15:28:23.0421 3840 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/20 15:28:23.0609 3840 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/08/20 15:28:23.0781 3840 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
2011/08/20 15:28:23.0968 3840 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/20 15:28:24.0125 3840 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/20 15:28:24.0265 3840 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/20 15:28:24.0437 3840 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/20 15:28:24.0703 3840 SiS315 (020467b4ee7f73c304943bf0e3e4d526) C:\WINDOWS\system32\DRIVERS\sisgrp.sys
2011/08/20 15:28:24.0859 3840 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
2011/08/20 15:28:24.0984 3840 SiSkp (02960a9c3f4e5178edbd9c0d2d995b3b) C:\WINDOWS\system32\DRIVERS\srvkp.sys
2011/08/20 15:28:25.0250 3840 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/20 15:28:25.0406 3840 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/20 15:28:25.0578 3840 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/20 15:28:25.0781 3840 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/20 15:28:25.0921 3840 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/20 15:28:26.0515 3840 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/20 15:28:26.0718 3840 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/20 15:28:26.0875 3840 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/20 15:28:27.0000 3840 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/20 15:28:27.0140 3840 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/20 15:28:27.0421 3840 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/20 15:28:27.0718 3840 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/20 15:28:27.0890 3840 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/08/20 15:28:28.0062 3840 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/20 15:28:28.0203 3840 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/20 15:28:28.0359 3840 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/20 15:28:28.0500 3840 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/08/20 15:28:28.0640 3840 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/08/20 15:28:28.0812 3840 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/20 15:28:28.0968 3840 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/20 15:28:29.0109 3840 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/20 15:28:29.0234 3840 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2011/08/20 15:28:29.0390 3840 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/20 15:28:29.0531 3840 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2011/08/20 15:28:29.0718 3840 viagfx (220d565a3afdea901dabc67a5c81a121) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2011/08/20 15:28:29.0875 3840 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/08/20 15:28:30.0000 3840 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/20 15:28:30.0171 3840 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/20 15:28:30.0312 3840 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/08/20 15:28:30.0562 3840 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/20 15:28:30.0828 3840 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/20 15:28:30.0906 3840 MBR (0x1B8) (bd6a320231ba789bc2720a3b359f727a) \Device\Harddisk0\DR0
2011/08/20 15:28:30.0921 3840 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/20 15:28:30.0937 3840 Boot (0x1200) (5fac75a48dca739ab4fdb417a5b5339b) \Device\Harddisk0\DR0\Partition0
2011/08/20 15:28:30.0968 3840 Boot (0x1200) (69a792666ac692dd16fad1e66aec0d86) \Device\Harddisk0\DR0\Partition1
2011/08/20 15:28:30.0984 3840 ================================================================================
2011/08/20 15:28:30.0984 3840 Scan finished
2011/08/20 15:28:30.0984 3840 ================================================================================
2011/08/20 15:28:31.0015 0276 Detected object count: 1
2011/08/20 15:28:31.0015 0276 Actual detected object count: 1
2011/08/20 15:28:49.0500 0276 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/20 15:28:49.0500 0276 \Device\Harddisk0\DR0 - ok
2011/08/20 15:28:49.0500 0276 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/20 15:29:03.0343 1172 Deinitialize success
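The "MBR (0x1B8)" and "Boot (0x1200)" lines near the end of the log are the scanner hashing raw boot sectors, and the detection on \Device\Harddisk0\DR0 is a hit on the master boot record itself, not on any file, which is why the file-level scanners earlier in the thread crashed or found nothing. The Python below is an added example, not TDSSKiller's code, showing what a responder can do with a dumped MBR sector: hash the bootstrap code area against a known-good baseline, parse the partition table for inconsistencies, and report the unallocated space after the last partition. It assumes the log's 0x1B8 is the length of the hashed region, i.e. the code before the machine-specific 4-byte disk signature at that offset; the MBR bytes, baseline hash and disk size are constructed for the example and the checks are general ones, not specific to the variant named in the log.

```python
"""Boot-sector sanity checks of the kind a rootkit scanner performs.
Added example for this thread, not TDSSKiller's own code; the MBR, the
baseline hash and the disk size below are constructed."""
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 0x1B8          # bootstrap code area, bytes 0..0x1B7 (assumed to be the region behind "MBR (0x1B8)")
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55AA marker closes the sector
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def mbr_code_md5(mbr: bytes) -> str:
    """MD5 of the bootstrap code only; the 4-byte NT disk signature at 0x1B8
    is unique per machine, so it is left out to keep hashes comparable."""
    return hashlib.md5(mbr[:CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the primary partition table, skipping empty slots."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and sectors == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def unallocated_tail_sectors(mbr: bytes, disk_sectors: int) -> int:
    """Sectors after the last partition; boot rootkits have used this area for
    hidden storage, so a large tail is worth imaging, though not proof by itself."""
    used_end = max((p["lba_start"] + p["sectors"] for p in parse_partitions(mbr)), default=0)
    return disk_sectors - used_end


def check_mbr(mbr: bytes, baseline_md5: str, disk_sectors: int) -> list:
    """Return findings as strings; an empty list means nothing looked wrong."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    digest = mbr_code_md5(mbr)
    if digest != baseline_md5:
        findings.append(f"bootstrap code md5 {digest} differs from baseline {baseline_md5}")
    parts = parse_partitions(mbr)
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"expected one active partition, found entries {active}")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    return findings


def build_mbr(code: bytes, disk_sig: bytes, entries: list) -> bytes:
    """Assemble a sector from its parts; used only to construct the samples."""
    if len(code) != CODE_LEN or len(disk_sig) != 4:
        raise ValueError("bad code or disk signature length")
    table = b"".join(struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
                     for status, ptype, start, count in entries).ljust(64, b"\0")
    return code + disk_sig + b"\0\0" + table + b"\x55\xAA"


# Constructed sample: placeholder bootstrap code plus an HP-style layout of an
# active NTFS system partition followed by a FAT32 recovery partition.
DISK_SECTORS = 78_165_360                                   # 40 GB of 512-byte sectors
CLEAN_CODE = (bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + bytes(range(256)) * 2)[:CODE_LEN]
CLEAN_MBR = build_mbr(CLEAN_CODE, b"\x12\x34\x56\x78",
                      [(0x80, 0x07, 63, 70_000_000), (0x00, 0x0C, 70_000_063, 8_000_000)])
BASELINE_MD5 = mbr_code_md5(CLEAN_MBR)                      # in practice: taken from a known-clean disk

# Same disk with the bootstrap code overwritten and the partition table left alone:
# only the code hash gives it away, which is why the scanner reports that hash.
TAMPERED_MBR = b"\xEB\x58\x90" + b"\0" * 5 + CLEAN_MBR[8:]

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, mbr_code_md5(mbr), check_mbr(mbr, BASELINE_MD5, DISK_SECTORS) or "no findings")
    print("unallocated tail:", unallocated_tail_sectors(CLEAN_MBR, DISK_SECTORS), "sectors")
```

A changed code hash with an untouched partition table is what a boot-path rootkit looks like from the disk. On a live Windows system the 512 bytes would be read from the physical drive opened read-only, but a kernel-mode rootkit that hooks disk I/O can hand back the original sector to such a read, so the comparison only means something when the sector is taken from boot media or from an image made outside the infected OS.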

#9 CatByte (Malware Response Team)

Posted 20 August 2011 - 07:00 PM

Looking better, let's have a look for any leftovers


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 hijohn77 (Topic Starter)

Posted 20 August 2011 - 11:40 PM

Redirect seems gone, now boots from idle where before it wouldn't, CPU usage seems under control, but ESET definitely found things.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7523

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/20/2011 7:28:57 PM
mbam-log-2011-08-20 (19-28-57).txt

Scan type: Quick scan
Objects scanned: 197264
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\32\51a3d7e0-5d960223 a variant of Win32/Kryptik.ROW trojan
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\62\62d4253e-78f2c91b Java/TrojanDownloader.OpenStream.NBZ trojan
C:\Program Files\Bonjour\mDNSResponder.exe Win32/Patched.HN trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite\comps\acslang.exe probably a variant of Win32/StartPage.HSZAKFT trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Current\US\acslang.exe probably a variant of Win32/StartPage.HSZAKFT trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Current\US\acssetup.exe probably a variant of Win32/StartPage.HSZAKFT trojan
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe Win32/Patched.HN trojan
C:\Program Files\Common Files\Motive\McciCMService.exe Win32/Patched.HN trojan
C:\Program Files\E-Chords Toolbar\e-chords.dll Win32/Adware.SideSearch application
C:\Program Files\iPod\bin\iPodService.exe Win32/Patched.HN trojan
C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan
C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe Win32/Patched.HN trojan
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe Win32/Patched.HN trojan
C:\Qoobox\Quarantine\[4]-Submit_2011-08-20_14.41.03.zip Win32/Sirefef.CR trojan
C:\Qoobox\Quarantine\C\WINDOWS\102893117.vir:3271155193.exe a variant of Win32/Sirefef.CR trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP694\A0090921.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP694\A0090922.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0090968.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0090969.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0091968.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0091969.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0092968.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0092969.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0092993.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0092998.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0092999.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0093056.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0093064.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0094060.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0094061.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0095060.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0095061.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP698\A0096060.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP698\A0096061.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP698\A0097060.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP698\A0097061.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP699\A0098060.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP699\A0098061.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP699\A0098070.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP699\A0098071.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP699\A0099070.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP699\A0099071.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP700\A0099136.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099185.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099186.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099268.rbf Win32/Patched.HN trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099331.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099332.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099520.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099573.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099580.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099587.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099597.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099598.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099610.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099611.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099819.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099820.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099859.exe Win32/Adware.SideSearch application
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099869.exe multiple threats
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099898.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0100152.exe Win32/Patched.HN trojan
C:\WINDOWS\system32\searchindexer.exe Win32/Patched.HN trojan
C:\WINDOWS\system32\searchprotocolhost.exe Win32/Patched.HN trojan
C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe Win32/Patched.HN trojan
Operating memory Win32/Patched.HN trojan

#11 CatByte (Malware Response Team)

Posted 21 August 2011 - 04:37 AM

Hi,

You have a few files infected with a difficult infection to remove, as the files need to be cleaned, not deleted.

Kaspersky Antivirus does a very good job of it; you can download and use a trial version of it. Please download, install and run it > select to cure the file, not delete it.

Once completed, you can uninstall the Kaspersky trial, then re-run the ESET on-line scan so I can see that those files have been dealt with:


http://www.kaspersky.com/anti-virus_trial

Edited by CatByte, 21 August 2011 - 09:13 AM.



#12 hijohn77 (Topic Starter)

Posted 21 August 2011 - 02:20 PM

Ok, Kaspersky disinfected a lot of stuff. There was one piece of malware in the file list that said "Detected but not processed"; the main screen in Kaspersky gave me an option to "fix". I clicked fix and the file appeared to be removed from the file list. Was this a mistake?

Anyway, ESET still found some things, log below.



C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\62\62d4253e-78f2c91b Java/TrojanDownloader.OpenStream.NBZ trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite\comps\acslang.exe probably a variant of Win32/StartPage.HSZAKFT trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Current\US\acslang.exe probably a variant of Win32/StartPage.HSZAKFT trojan
C:\Program Files\Common Files\AOL\Backup\ACS\Current\US\acssetup.exe probably a variant of Win32/StartPage.HSZAKFT trojan
C:\Program Files\E-Chords Toolbar\e-chords.dll Win32/Adware.SideSearch application
C:\Qoobox\Quarantine\[4]-Submit_2011-08-20_14.41.03.zip Win32/Sirefef.CR trojan
C:\Qoobox\Quarantine\C\WINDOWS\102893117.vir:3271155193.exe a variant of Win32/Sirefef.CR trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP694\A0090921.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0090968.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0091968.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP695\A0092968.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0092998.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP696\A0093056.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099859.exe Win32/Adware.SideSearch application
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP701\A0099869.exe multiple threats

#13 CatByte (Malware Response Team)

Posted 21 August 2011 - 03:55 PM

Hi,

That looks good. The AOL items are a false positive; the other items are in quarantine or old system restore points, which we will clean up shortly. We just need to update Java and clear the Java cache now, and there is one file you can delete as ESET has detected it as malware.
Navigate to the following file > right click and delete it: C:\Program Files\E-Chords Toolbar\e-chords.dll

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and save it to your desktop.
  • Scroll down to where it says JDK 7 (JDK or JRE)
  • Click the Download JDK button underneath
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Oracle Binary Code License Agreement for Java SE". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please post a fresh DDS Log and attach.txt and advise how the computer is running now and if there are any outstanding issues.

Edited by CatByte, 21 August 2011 - 03:56 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
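As an added check, not part of CatByte's instructions or of any tool named in this thread: a PowerShell audit that verifies the Java clean-up above actually took, by listing Java entries still registered in Add or Remove Programs, leftover install folders, and the deployment cache. It assumes a 32-bit Windows XP profile with PowerShell 2.0 and Oracle's default paths and version-string format; those paths and the helper name are assumptions, not from the thread.

```powershell
# Added example for this thread, not part of CatByte's instructions: after the
# Add or Remove Programs steps and the JRE 7 install above, confirm that no
# older Java runtime is still registered, no leftover install folder remains,
# and the deployment cache is empty.
# Assumptions: 32-bit Windows XP (so no Wow6432Node key), PowerShell 2.0,
# Oracle's default install paths and version-string conventions.

$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Map an Add or Remove Programs DisplayVersion such as "7.0.0", "6.0.200" or
# "1.4.2_03" to its Java major version (7, 6, 4). Returns $null if unparsable.
# (Hypothetical helper name; the version format is an assumption.)
function Get-JavaMajor {
    param([string]$DisplayVersion)
    if (-not $DisplayVersion) { return $null }
    try {
        $parts = $DisplayVersion -split '[._]'
        if ($parts[0] -eq '1' -and $parts.Count -gt 1) { return [int]$parts[1] }
        return [int]$parts[0]
    } catch {
        return $null
    }
}

# 1. Registered Java runtimes (the entries the thread removes by hand).
$javaEntries = Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -match '^(Java|J2SE|JRE)' -and
                   $_.DisplayName -notmatch 'Auto Updater' }

$stale = @()
foreach ($entry in $javaEntries) {
    $major = Get-JavaMajor $entry.DisplayVersion
    if ($major -eq $null)  { $status = 'UNKNOWN' }
    elseif ($major -lt 7)  { $status = 'STALE'; $stale += $entry }
    else                   { $status = 'ok' }
    '{0,-8} {1} (version {2})' -f $status, $entry.DisplayName, $entry.DisplayVersion
}

# 2. Leftover install folders: an uninstall can leave jre6 or j2re1.4.x behind
#    even though the program entry is gone (the DDS log posted later in this
#    thread still lists plugin DLLs under c:\program files\java\jre6).
$javaRoot = Join-Path $env:ProgramFiles 'Java'
if (Test-Path $javaRoot) {
    Get-ChildItem $javaRoot |
        Where-Object { $_.PSIsContainer -and $_.Name -notmatch '^jre7' } |
        ForEach-Object { "Leftover folder: $($_.FullName)" }
}

# 3. Deployment cache, which the Java Control Panel steps above should have
#    emptied. Both candidate locations are assumed defaults for an XP profile.
$cacheRoots = @(
    (Join-Path $env:APPDATA 'Sun\Java\Deployment\cache'),
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Sun\Java\Deployment\cache')
)
foreach ($root in $cacheRoots) {
    if (Test-Path $root) {
        $files = @(Get-ChildItem $root -Recurse | Where-Object { -not $_.PSIsContainer })
        "Cache $root : $($files.Count) file(s)"
    }
}

if ($stale.Count -eq 0) {
    'No Java runtime older than 7 is registered.'
} else {
    "$($stale.Count) older Java entry/entries still registered; remove them in Add or Remove Programs."
}
```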


#14 hijohn77

hijohn77
  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:09 PM

Posted 21 August 2011 - 04:47 PM

Ok, the computer seems to be doing fine. After installing and rebooting with Kaspersky, Malwarebytes was removed. I'm assuming this is something Kaspersky did and not a symptom of malware; can you please advise me on this?



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by HP_Owner at 16:35:57 on 2011-08-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.284 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.alot.com/?client_id=CD44135001CB3B0F0C46DE47&install_time=2010-08-13T17:48:56Z&src_id=20001&camp_id=30&tb_version=2.5.15000.521
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=CD44135001CB3B0F0C46DE47&src_id=20001&camp_id=30&tb_version=2.5.15000.521
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\icoset\adjust.bat seticon
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [TrojanScanner] c:\documents and settings\all users\desktop\trojan remover\Trjscan.exe /boot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: motive.com\patttbc.att
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251339340437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{BFD43A0E-A360-4034-B4D9-E1F763137108} : DhcpNameServer = 192.168.1.254 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\tn5vll5e.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-8 135664]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 278528]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-8 135664]
.
=============== Created Last 30 ================
.
2011-08-21 21:32:25 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\Sun
2011-08-21 21:30:36 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-21 00:41:52 -------- d-----w- c:\program files\ESET
2011-08-20 18:19:24 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-08-20 18:19:24 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-08-20 18:12:22 98816 ----a-w- c:\windows\sed.exe
2011-08-20 18:12:22 518144 ----a-w- c:\windows\SWREG.exe
2011-08-20 18:12:22 256000 ----a-w- c:\windows\PEV.exe
2011-08-20 18:12:22 208896 ----a-w- c:\windows\MBR.exe
2011-08-20 05:46:33 4179402 ------r- C:\hijohn.com.exe
2011-08-15 13:45:03 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2011-08-15 13:45:02 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-08-15 13:45:02 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-08-15 13:45:02 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-08-15 13:45:01 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2011-08-15 13:44:58 -------- d-----w- c:\documents and settings\hp_owner\application data\Simply Super Software
2011-08-15 13:44:58 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software
2011-08-15 10:11:27 -------- d--h--w- c:\windows\PIF
2011-08-09 20:48:53 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-09 20:48:11 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-08-21 21:29:42 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-21 15:06:26 439808 ----a-w- c:\windows\system32\searchindexer.exe
2011-08-21 14:58:04 184832 ----a-w- c:\windows\system32\searchprotocolhost.exe
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 08:21:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 16:37:17.73 ===============





.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/6/2009 12:43:00 AM
System Uptime: 8/21/2011 4:27:29 PM (0 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | Gamila/Giovani/Neon series
Processor: Intel® Celeron® CPU 2.80GHz | Socket 478 | 2799/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 68 GiB total, 26.182 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.836 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP617: 5/23/2011 3:39:09 PM - System Checkpoint
RP618: 5/24/2011 8:53:17 PM - System Checkpoint
RP619: 5/25/2011 9:34:44 PM - System Checkpoint
RP620: 5/26/2011 10:33:10 PM - System Checkpoint
RP621: 5/27/2011 11:33:17 PM - System Checkpoint
RP622: 5/29/2011 11:39:40 AM - System Checkpoint
RP623: 5/31/2011 12:05:56 AM - System Checkpoint
RP624: 6/1/2011 3:00:26 AM - Software Distribution Service 3.0
RP625: 6/2/2011 4:50:20 AM - System Checkpoint
RP626: 6/3/2011 5:09:45 AM - System Checkpoint
RP627: 6/4/2011 5:19:45 AM - System Checkpoint
RP628: 6/5/2011 5:50:52 AM - System Checkpoint
RP629: 6/6/2011 9:01:33 AM - System Checkpoint
RP630: 6/7/2011 9:14:38 AM - System Checkpoint
RP631: 6/8/2011 2:04:12 PM - System Checkpoint
RP632: 6/9/2011 3:19:48 PM - System Checkpoint
RP633: 6/10/2011 3:52:29 PM - System Checkpoint
RP634: 6/11/2011 9:17:17 PM - System Checkpoint
RP635: 6/12/2011 9:54:46 PM - System Checkpoint
RP636: 6/13/2011 10:02:44 PM - System Checkpoint
RP637: 6/14/2011 11:17:53 PM - System Checkpoint
RP638: 6/16/2011 12:14:00 AM - System Checkpoint
RP639: 6/16/2011 3:00:44 AM - Software Distribution Service 3.0
RP640: 6/17/2011 3:10:40 AM - System Checkpoint
RP641: 6/18/2011 4:08:00 AM - System Checkpoint
RP642: 6/19/2011 8:58:58 AM - System Checkpoint
RP643: 6/20/2011 9:46:41 AM - System Checkpoint
RP644: 6/21/2011 10:40:14 AM - System Checkpoint
RP645: 6/22/2011 11:02:49 AM - System Checkpoint
RP646: 6/23/2011 12:06:11 PM - System Checkpoint
RP647: 6/24/2011 12:51:08 PM - System Checkpoint
RP648: 6/25/2011 1:02:49 PM - System Checkpoint
RP649: 6/26/2011 2:02:49 PM - System Checkpoint
RP650: 6/27/2011 2:14:43 PM - System Checkpoint
RP651: 6/28/2011 3:14:42 PM - System Checkpoint
RP652: 6/29/2011 3:00:21 AM - Software Distribution Service 3.0
RP653: 6/30/2011 3:01:14 AM - Software Distribution Service 3.0
RP654: 7/1/2011 5:30:20 AM - System Checkpoint
RP655: 7/2/2011 6:01:53 AM - System Checkpoint
RP656: 7/3/2011 7:02:25 AM - System Checkpoint
RP657: 7/4/2011 8:17:36 AM - System Checkpoint
RP658: 7/5/2011 9:58:04 AM - System Checkpoint
RP659: 7/6/2011 10:57:11 AM - System Checkpoint
RP660: 7/7/2011 11:28:20 AM - System Checkpoint
RP661: 7/8/2011 12:29:26 PM - System Checkpoint
RP662: 7/9/2011 4:22:24 PM - System Checkpoint
RP663: 7/10/2011 4:34:52 PM - System Checkpoint
RP664: 7/11/2011 5:03:07 PM - System Checkpoint
RP665: 7/12/2011 8:52:50 PM - System Checkpoint
RP666: 7/13/2011 3:00:48 AM - Software Distribution Service 3.0
RP667: 7/14/2011 7:04:13 AM - System Checkpoint
RP668: 7/15/2011 8:10:09 AM - System Checkpoint
RP669: 7/16/2011 11:59:09 AM - System Checkpoint
RP670: 7/17/2011 12:32:35 PM - System Checkpoint
RP671: 7/18/2011 1:59:29 PM - System Checkpoint
RP672: 7/19/2011 4:46:18 PM - System Checkpoint
RP673: 7/20/2011 10:46:26 PM - System Checkpoint
RP674: 7/21/2011 11:12:11 PM - System Checkpoint
RP675: 7/22/2011 11:30:15 PM - System Checkpoint
RP676: 7/24/2011 12:30:16 AM - System Checkpoint
RP677: 7/25/2011 7:36:04 AM - System Checkpoint
RP678: 7/26/2011 8:52:15 AM - System Checkpoint
RP679: 7/27/2011 9:22:43 AM - System Checkpoint
RP680: 7/28/2011 9:52:35 AM - System Checkpoint
RP681: 7/29/2011 3:10:36 PM - System Checkpoint
RP682: 7/30/2011 3:41:56 PM - System Checkpoint
RP683: 7/31/2011 3:49:09 PM - System Checkpoint
RP684: 8/1/2011 4:04:09 PM - System Checkpoint
RP685: 8/3/2011 12:07:35 AM - System Checkpoint
RP686: 8/4/2011 3:22:44 AM - System Checkpoint
RP687: 8/5/2011 4:02:19 AM - System Checkpoint
RP688: 8/6/2011 4:31:30 AM - System Checkpoint
RP689: 8/7/2011 4:33:43 AM - System Checkpoint
RP690: 8/8/2011 7:45:57 AM - System Checkpoint
RP691: 8/9/2011 8:58:44 AM - System Checkpoint
RP692: 8/10/2011 3:00:51 AM - Software Distribution Service 3.0
RP693: 8/11/2011 5:13:32 AM - System Checkpoint
RP694: 8/12/2011 6:01:42 AM - System Checkpoint
RP695: 8/13/2011 11:14:37 AM - System Checkpoint
RP696: 8/14/2011 11:21:51 AM - System Checkpoint
RP697: 8/15/2011 12:16:31 PM - System Checkpoint
RP698: 8/16/2011 12:32:22 PM - System Checkpoint
RP699: 8/17/2011 2:25:36 PM - System Checkpoint
RP700: 8/18/2011 4:23:01 PM - System Checkpoint
RP701: 8/19/2011 4:41:58 PM - System Checkpoint
RP702: 8/20/2011 8:43:04 PM - System Checkpoint
RP703: 8/21/2011 9:40:43 AM - Installed Kaspersky Anti-Virus 2012.
RP704: 8/21/2011 12:00:26 PM - Removed Kaspersky Anti-Virus 2012.
RP705: 8/21/2011 4:10:05 PM - Removed Adobe Reader 9.4.4.
RP706: 8/21/2011 4:10:41 PM - Installed Adobe Reader X (10.1.0).
RP707: 8/21/2011 4:24:09 PM - Removed Java 2 Runtime Environment, SE v1.4.2_03
RP708: 8/21/2011 4:25:26 PM - Removed Java™ 6 Update 20
RP709: 8/21/2011 4:29:17 PM - Installed Java™ 7
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
Adobe Shockwave Player 11.5
Agere Systems PCI Soft Modem
AiO_Scan
aiofw
aioprnt
aioscnnr
AiOSoftware
ALOT Toolbar
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Self Support Tool
AT&T Toolbar
Betfair Poker JPC 1.0.0
Bonjour
BufferChm
CameraDrivers
center
Copy
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
ESET Online Scanner v3
Fax
Google Earth
Google Update Helper
Help and Support Additions
High Definition Audio Driver Package - KB835221
Holdem Manager
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet Preloaded Printer Drivers
HP Diagnostic Assistant
HP Image Zone 4.2.3
HP Image Zone Plus 4.2.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZ423
HpSdpAppCoreApp
InstantShare
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
iTunes
Java Auto Updater
Java™ 7
KBD
KODAK AiO Home Center
ksDIP
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MobileMe Control Panel
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
OpenOffice.org 3.2
PC-Doctor for Windows
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
PokerStars
PokerStove version 1.23
PostgreSQL 8.3
PreReq
PrintScreen
PS2
PSPrinters06
QFolder
QuickProjects
QuickTime
Readme
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
SA30xx Device Manager
SA30xx Media Converter
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
Skype Toolbars
Skype™ 5.3
Sonic Update Manager
SoulSeek 157 NS 13e
TheGreekPoker
TrayApp
Trojan Remover 6.8.2
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Updates from HP
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
WinZip 15.0
.
==== Event Viewer Messages From Past Week ========
.
8/21/2011 4:27:56 PM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
8/21/2011 4:25:00 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
8/21/2011 12:01:50 PM, error: Service Control Manager [7034] - The Kaspersky Anti-Virus Service service terminated unexpectedly. It has done this 1 time(s).
8/21/2011 10:07:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k SISAGP viaagp1
8/21/2011 10:06:46 AM, error: Service Control Manager [7001] - The Kodak AiO Network Discovery Service service depends on the Bonjour Service service which failed to start because of the following error: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
8/21/2011 10:06:46 AM, error: Service Control Manager [7000] - The McciCMService service failed to start due to the following error: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
8/21/2011 10:06:46 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
8/21/2011 10:06:46 AM, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
8/21/2011 10:06:34 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
8/20/2011 7:49:07 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
8/20/2011 6:01:14 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/20/2011 2:31:17 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/20/2011 2:30:30 PM, error: PSched [14103] - QoS [Adapter {BFD43A0E-A360-4034-B4D9-E1F763137108}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
8/20/2011 12:50:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/20/2011 12:36:44 PM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
8/20/2011 12:21:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/20/2011 12:20:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/20/2011 12:20:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SYMTDI
8/20/2011 12:19:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
8/20/2011 1:10:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
8/20/2011 1:03:43 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
8/20/2011 1:02:15 PM, error: Service Control Manager [7024] - The Workstation service terminated with service-specific error 2250 (0x8CA).
8/20/2011 1:02:15 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service has returned a service-specific error code.
8/20/2011 1:02:15 PM, error: Service Control Manager [7000] - The Machine Debug Manager service failed to start due to the following error: Access is denied.
8/20/2011 1:02:15 PM, error: Service Control Manager [7000] - The Kodak AiO Network Discovery Service service failed to start due to the following error: Access is denied.
8/20/2011 1:00:38 PM, error: Workstation [5727] - Could not load RDR device driver.
8/19/2011 10:21:44 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MDM with arguments "" in order to run the server: {943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}
.
==== End Of File ===========================
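A small triage script for the DDS-style event log quoted above, added here as an example and not part of the thread or of any tool mentioned in it: it parses each line into timestamp, source, event ID and message, and tags the events a responder looks at first (security products terminating unexpectedly, services refused with access denied or partial memory-access errors, drivers failing to load). The sample lines are copied from the log above; the list of security service names is an assumption.

```python
import re
from collections import Counter

# One DDS-style event line: "<M/D/YYYY h:mm:ss AM|PM>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)

# Security tooling whose unexpected termination (SCM event 7034) matters on a
# suspect host. Assumption: matched as a substring of the SCM message text.
SECURITY_SERVICES = ("MBAMService", "Kaspersky Anti-Virus", "McAfee SiteAdvisor")

# Constructed sample: lines copied from the log above, plus the DDS footer.
SAMPLE_LOG = [
    "8/21/2011 12:01:50 PM, error: Service Control Manager [7034] - The Kaspersky Anti-Virus Service service terminated unexpectedly. It has done this 1 time(s).",
    "8/21/2011 10:07:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fasttx2k SISAGP viaagp1",
    "8/21/2011 10:06:46 AM, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.",
    "8/20/2011 7:49:07 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).",
    "8/20/2011 1:02:15 PM, error: Service Control Manager [7000] - The Machine Debug Manager service failed to start due to the following error: Access is denied.",
    ".",
    "==== End Of File ===========================",
]

def parse_event(line):
    """Return the fields of one event line, or None for footer/non-event lines."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(ev):
    """Map a parsed event to a triage tag, or None for routine noise."""
    src, eid, msg = ev["source"], ev["eid"], ev["msg"]
    if (src == "Service Control Manager" and eid == "7034"
            and any(s in msg for s in SECURITY_SERVICES)):
        return "security-service-killed"
    if "Access is denied" in msg:
        return "service-start-access-denied"
    if "ReadProcessMemory or WriteProcessMemory" in msg:
        return "service-start-memory-error"
    if src == "Service Control Manager" and eid == "7026":
        return "driver-load-failure"
    return None

def triage(lines):
    """Count triage tags across a log; lines that are not events are skipped."""
    events = filter(None, (parse_event(line) for line in lines))
    return Counter(tag for tag in map(classify, events) if tag)
```

Two hits on "security-service-killed" in a short window (MBAMService and the Kaspersky service in the sample) is the pattern worth checking before trusting any scan result from that host.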

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:09 PM

Posted 21 August 2011 - 05:33 PM

It shouldn't have. I wonder if Malwarebytes knows that Kaspersky removes it?

Please download it and install it again and run a scan with it; make sure that it functions as it should.

The log looks clean, so it must have been Kaspersky.

Please download Malwarebytes' Anti-Malware
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
