

Infected with Rootkit and google redirect



#1 Yngwie

Posted 19 August 2011 - 11:24 AM

I know this is a rootkit because I tried using the posts of other threads here to fix my problem. As well, another technician unsuccessfully attempted to help me with it.
I have hogged out CPU use on svchost.exe, Google redirecting (except in Firefox, where I can click on the cached link and it will work), and now I'm getting a BSOD on atapi.sys.
GMER shows a suspicious MBR!
The oddest thing that is happening is that if I put my computer to sleep without logging out, when I come back I can't log in. Or if I let the computer hibernate without logging out, I have to power-slam the system in order to log in again.
I have followed the preparation guide here: http://www.bleepingcomputer.com/forums/topic34773.html
Here are my logs. I really hope you guys can help me out here.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 9:39:19 on 2011-08-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1167 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\TestOut\Orbis\OrbisClient.Services.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\process explorer\procexp.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: {04885671-4308-4cdc-b4da-a4a336f26b45} - c:\windows\system32\atmpvcno32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [compmgm] %APPDATA%\compmgm.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\procex~1.lnk - c:\process explorer\procexp.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\2010pro\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~2\2010pro\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\2010pro\office14\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\2010pro\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: kent.edu
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {00656501-C044-45E8-8D99-87215B79CC88} - hxxps://moac.microsoftlabsonline.com/Content/vvmcax.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176822709375
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/AutoCAD%202000i/AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://all2d01.eom/tsweb/msrdp.cab
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202000i/InstFred.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202000i/AcPreview.ocx
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{74D11D2F-A186-4DC1-B55A-AD6FC43632A5} : DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{78E689A0-E0CA-451C-AB86-88494564C3E1} : DhcpNameServer = 192.168.1.2
TCP: Interfaces\{B2CB0884-4D80-4C5E-A290-2AB7E25BEAA1} : DhcpNameServer = 192.168.0.3
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 80.79.117.219 www.google.com
Hosts: 80.79.117.220 search.yahoo.com
Hosts: 80.79.117.220 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\g1h81x2e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\g1h81x2e.default\extensions\firesheep@codebutler.com\platform\winnt_x86-msvc\components\mozpopen.dll
FF - plugin: c:\progra~1\micros~2\2010pro\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\2010pro\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-9-7 21592]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-9-7 212568]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2010-9-25 8576]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\testout\orbis\OrbisClient.Services.exe [2011-3-11 52736]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-9-7 74968]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2011-5-11 181584]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-4-29 98392]
S2 CiSvc32;Indexing Service ;c:\windows\system32\cryptui32.exe --> c:\windows\system32\cryptui32.exe [?]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2011-5-11 2804280]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SQLAgent$RBAT;SQLAgent$RBAT;c:\program files\microsoft sql server\mssql$rbat\binn\sqlagent.exe -i rbat --> c:\program files\microsoft sql server\mssql$rbat\binn\sqlagent.EXE -i RBAT [?]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\drivers\TEUSBMU.sys [2011-5-13 20992]
S3 TVAUSBMU;Panasonic Voice Processing System USB Main Unit driver;c:\windows\system32\drivers\TVAUSBMU.sys [2005-1-14 20992]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\microsoft sql server\mssql$inventorcontent\binn\sqlservr.exe -sinventorcontent --> c:\program files\microsoft sql server\mssql$inventorcontent\binn\sqlservr.exe -sINVENTORCONTENT [?]
S4 MSSQL$RBAT;MSSQL$RBAT;c:\program files\microsoft sql server\mssql$rbat\binn\sqlservr.exe -srbat --> c:\program files\microsoft sql server\mssql$rbat\binn\sqlservr.exe -sRBAT [?]
S4 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
.
=============== Created Last 30 ================
.
2011-08-19 12:54:30 -------- d-----w- C:\Symbols
2011-08-19 12:39:57 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2011-08-19 12:39:25 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-08-19 12:38:11 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2011-08-19 12:37:31 -------- d-----w- c:\program files\Application Verifier
2011-08-19 12:33:29 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-08-19 12:19:50 -------- d-----w- C:\849fb8564df4b3e9f660124428
2011-08-18 16:47:44 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ebde60b5-712b-4073-85ca-487e4d3e8e78}\mpengine.dll
2011-08-17 21:10:25 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-17 16:22:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-17 16:22:47 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-17 16:22:47 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-17 16:22:47 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-17 16:22:47 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-17 16:22:47 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-17 16:22:46 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-17 16:22:46 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-16 22:26:03 270336 ----a-w- c:\windows\system32\kbdsw32.dll
2011-08-16 22:25:59 464896 ----a-w- c:\windows\system32\atmpvcno32.dll
2011-08-16 15:08:18 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-08-13 05:32:43 10256384 ---ha-w- c:\documents and settings\administrator\ntuser.tmp
2011-08-10 13:16:54 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 13:15:49 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 17:39:48 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-08-03 16:54:35 -------- d-----w- c:\program files\Microsoft Network Monitor 3
.
==================== Find3M ====================
.
2011-08-16 14:50:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-11 12:45:03 16 ----a-w- c:\windows\kvahu.dll
2011-06-11 12:45:03 16 ----a-w- c:\windows\kvahi.dll
2011-06-11 12:45:03 16 ----a-w- c:\windows\kvah.dll
2011-06-06 01:49:24 186918 ----a-w- c:\windows\system32\termsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-31 18:54:56 0 ---ha-w- c:\documents and settings\administrator\gddgjeqpif.tmp
2011-05-27 04:02:37 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8034GSX rev.AH301D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A1BF4C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x8a1c68a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x8a1c6730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A892AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000087[0x8A927F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A8FC940]
\Driver\atapi[0x8A7F0138] -> IRP_MJ_CREATE -> 0x8A1BF4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A1BF2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:41:02.90 ===============
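The lines a responder pulls out of the DDS report above first are the three Hosts entries pointing www.google.com, search.yahoo.com and www.bing.com at 80.79.117.x (the "google redirect" the poster describes), the BHO with no friendly name loading atmpvcno32.dll, the mRun entry launching compmgm.exe from %APPDATA%, and the CiSvc32 "Indexing Service" whose binary DDS could not stat ("[?]"). Added example, not part of the original post and not DDS code: a small Python triage script that flags exactly those four line shapes. The rule names and severities are my own heuristics, and SAMPLE_DDS is a constructed excerpt copied from the log above.

```python
"""Triage the DDS 'Pseudo HJT Report' lines seen in this thread.

Added example; not part of the original post and not DDS code. The scoring
rules and rule names are my own heuristics. SAMPLE_DDS is a constructed
excerpt copied from the DDS log above.
"""
import ipaddress
import re

# Constructed sample: representative lines lifted from the DDS log above.
SAMPLE_DDS = r"""
uStart Page = about:blank
BHO: {04885671-4308-4cdc-b4da-a4a336f26b45} - c:\windows\system32\atmpvcno32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [compmgm] %APPDATA%\compmgm.exe
Hosts: 80.79.117.219 www.google.com
Hosts: 80.79.117.220 search.yahoo.com
Hosts: 127.0.0.1 localhost
S2 CiSvc32;Indexing Service ;c:\windows\system32\cryptui32.exe --> c:\windows\system32\cryptui32.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
"""

# DDS line shapes this script understands
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.I)
# A BHO with no friendly name: "BHO: {GUID} - path"
BHO_UNNAMED_RE = re.compile(r"^BHO:\s*\{[0-9a-f-]{36}\}\s*-\s*(.+)$", re.I)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*(.+)$", re.I)
# DDS prints "[?]" when it cannot stat the service binary (missing or hidden)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s*\[\?\]\s*$", re.I)

# Locations a legitimate XP autorun entry rarely points into
USER_WRITABLE = ("%appdata%", "%temp%", "\\application data\\", "\\local settings\\temp\\")


def _is_local(ip_text):
    """True for loopback/private/unspecified addresses, which are normal in a hosts file."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def triage(report_text):
    """Return (severity, rule, detail) tuples for suspicious lines, in report order."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if not _is_local(ip):
                findings.append(("high", "hosts-hijack", f"{host} -> {ip}"))
            continue
        m = BHO_UNNAMED_RE.match(line)
        if m:
            findings.append(("medium", "unnamed-bho", m.group(1).strip()))
            continue
        m = RUN_RE.match(line)
        if m:
            target = m.group(1).strip()
            if any(marker in target.lower() for marker in USER_WRITABLE):
                findings.append(("high", "autorun-from-profile", target))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, _display, path = m.groups()
            findings.append(("medium", "service-binary-unreadable", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_DDS):
        print(f"[{severity:6}] {rule:26} {detail}")
```

The hosts rule is the one worth keeping even outside this thread: a hosts entry that maps a search engine to a routable address is never legitimate, and it explains why the redirect survived every browser and why the cached-link trick worked (the cache link goes to a different hostname). The other three rules are weaker signals that need a human to confirm, which is what the helpers in this thread do before running a cleaner.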


#2 teacup61

  • Malware Response Team

Posted 20 August 2011 - 09:17 AM

Hello Yngwie,


Yngwie......as in Malmsteen? I'm a fan of his music. :)

Let's give the easy one a try first:

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea

#3 Yngwie

Posted 20 August 2011 - 12:31 PM

Hello Tea.
Yep! It sure is Malmsteen! I'm not a real fan of the newest stuff, but up to the Trilogy album it was awesome! I have some video we took of him doing a show in Cleveland, Ohio. Maybe I can capture it and turn you on to it.

Yes. TDSSKiller found a rootkit. I made sure that Cure was selected, then continued. It requested a reboot. Now I have Microsoft Security Essentials popping up. AND I cannot log in to "Safe mode". When I try to go to safe mode, it will let me log on but then logs me back off and shuts down the computer. The hard drive runs the entire time too, for like 5 or 10 minutes before it actually shuts down.

Here's the log you requested.

Thanks for your help!
Yngwie


#4 teacup61

  • Malware Response Team

Posted 20 August 2011 - 12:41 PM

Hello,

I'm in Ohio too. :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to yngwie.exe and try again.

Thanks,
tea

#5 Yngwie

Posted 21 August 2011 - 09:51 AM

Ok Tea,
Here we go. After running ComboFix, I notice that there is FAR less disk activity now and the network connection has gone quiet. Finally!
But I see Microsoft Security Essentials still in the task bar, and I'm not able to stop it from running. I know that I did not configure it to run, as I have a different antivirus (which has apparently let me down). I read somewhere online about Security Essentials being an attack point when the user hasn't enabled it purposefully.

here's the latest Combofix log.

ComboFix 11-08-21.01 - Administrator 08/21/2011 10:13:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1270 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\install.rdf
c:\documents and settings\Administrator\gddgjeqpif.tmp
c:\documents and settings\Administrator\ntuser.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\AMMYY
c:\documents and settings\All Users\Application Data\AMMYY\hr
c:\documents and settings\All Users\Application Data\AMMYY\settings.bin
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\default\WINDOWS
c:\documents and settings\LocalService\Application Data\02000000cf9ec18c1270C.manifest
c:\documents and settings\LocalService\Application Data\02000000cf9ec18c1270O.manifest
c:\documents and settings\LocalService\Application Data\02000000cf9ec18c1270P.manifest
c:\documents and settings\LocalService\Application Data\02000000cf9ec18c1270S.manifest
c:\documents and settings\LocalService\Application Data\02000000cf9ec18c1406C.manifest
c:\documents and settings\LocalService\Application Data\02000000cf9ec18c1406P.manifest
c:\documents and settings\mjmiller\g2mdlhlpx.exe
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome.manifest
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome\xulcache.jar
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\defaults\preferences\xulcache.js
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\install.rdf
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome.manifest
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome\xulcache.jar
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\defaults\preferences\xulcache.js
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\ccyedf3y.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\install.rdf
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome.manifest
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome\xulcache.jar
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\defaults\preferences\xulcache.js
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\install.rdf
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome.manifest
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome\xulcache.jar
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\defaults\preferences\xulcache.js
c:\documents and settings\terminal\Application Data\Mozilla\Firefox\Profiles\imwh9g8h.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\install.rdf
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome.manifest
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\chrome\xulcache.jar
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\defaults\preferences\xulcache.js
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{32a47f14-4210-40c1-9573-2938b0e06388}\install.rdf
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome.manifest
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\chrome\xulcache.jar
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\defaults\preferences\xulcache.js
c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\yr6l3rq7.default\extensions\{cfe265f7-1404-46ef-b78f-abdf52c199d7}\install.rdf
C:\Thumbs.db
c:\windows\kvah.dll
c:\windows\kvahi.dll
c:\windows\kvahu.dll
c:\windows\system32\Cache
c:\windows\system32\termsrv.dllhold
.
Infected copy of c:\windows\system32\termsrv.dll was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-21 to 2011-08-21 )))))))))))))))))))))))))))))))
.
.
2011-08-19 19:46 . 2011-08-11 23:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C89CFD09-A3F0-443A-BE5A-4394A479DFFC}\mpengine.dll
2011-08-19 12:54 . 2011-08-19 12:54 -------- d-----w- C:\Symbols
2011-08-19 12:39 . 2011-08-19 12:39 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2011-08-19 12:39 . 2011-08-19 12:39 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-08-19 12:38 . 2011-08-19 12:38 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2011-08-19 12:37 . 2011-08-19 12:37 -------- d-----w- c:\program files\Application Verifier
2011-08-19 12:33 . 2011-08-19 12:33 -------- d-----w- c:\windows\symbols
2011-08-19 12:33 . 2011-08-19 12:33 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-08-19 12:21 . 2011-08-19 12:21 -------- d-----w- c:\program files\Microsoft SDKs
2011-08-17 16:22 . 2011-08-12 05:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-17 16:22 . 2011-08-12 05:57 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-17 16:22 . 2011-08-12 05:57 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-17 16:22 . 2011-08-12 05:57 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-17 16:22 . 2011-08-12 05:57 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-17 16:22 . 2011-08-12 05:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-17 16:22 . 2011-08-12 03:16 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-17 16:22 . 2011-08-12 03:16 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-16 16:27 . 2011-08-16 16:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-16 15:08 . 2011-05-09 17:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-08-15 05:35 . 2011-08-15 05:35 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-08-10 13:16 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 13:15 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 17:39 . 2000-01-04 10:39 212992 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2011-08-03 16:54 . 2011-08-03 16:54 -------- d-----w- c:\program files\Microsoft Network Monitor 3
2011-07-22 17:48 . 2011-07-22 17:48 -------- d-----w- c:\program files\Apple Software Update
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 14:50 . 2011-05-17 16:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 23:44 . 2010-02-10 02:48 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-15 13:29 . 2004-08-11 22:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-11 22:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-01 14:04 . 2011-07-01 14:04 1984 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.tmp
2011-06-24 14:10 . 2004-08-11 22:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-11 22:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-27 04:02 . 2004-08-11 22:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-08-12 05:57 . 2011-08-17 16:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
procexp.exe.lnk - c:\process explorer\procexp.exe [2011-5-26 3412856]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to assignment for tuesday Nov 23.txt.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to assignment for tuesday Nov 23.txt.lnk
backup=c:\windows\pss\Shortcut to assignment for tuesday Nov 23.txt.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 18:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-22 22:35 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 21:10 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-01-26 14:08 18944 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
2010-10-17 19:38 1259008 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 17:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 03:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 19:16 997920 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
2011-05-11 21:08 1353040 ----a-w- c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdate1c9aef3ea8428"=2 (0x2)
"Bonjour Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"vpnagent"=2 (0x2)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"osppsvc"=3 (0x3)
"ose"=3 (0x3)
"MsMpSvc"=2 (0x2)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gupdatem"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FileZilla Server"=3 (0x3)
"CCALib8"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"Adobe LM Service"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\NetMeeting\conf.exe"= c:\program files\NetMeeting\conf.exe:192.168.0.0/255.255.255.255,192.168.1.0/255.255.255.0:Enabled:conf
"c:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Office\\2010Pro\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\2010Pro\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\TestOut\\Orbis\\Legacy\\LegacyXEng.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1731:TCP"= 1731:TCP:192.168.0.0/255.255.255.255,192.168.1.0/255.255.255.0:Enabled:Netmeeting
"1720:TCP"= 1720:TCP:192.168.0.0/255.255.255.255,192.168.1.0/255.255.255.0:Enabled:netmeeting
"1503:TCP"= 1503:TCP:192.168.0.0/255.255.255.255,192.168.1.0/255.255.255.0:Enabled:Netmeeting
"521:TCP"= 521:TCP:192.168.0.0/255.255.255.255,192.168.1.0/255.255.255.0:Enabled:Netmeetin
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Server
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [9/7/2010 10:45 PM 21592]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [9/7/2010 10:35 PM 212568]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [9/25/2010 6:56 PM 8576]
R2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TESTOUT\Orbis\OrbisClient.Services.exe [3/11/2011 12:22 PM 52736]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [9/7/2010 10:45 PM 74968]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [5/11/2011 4:54 PM 181584]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/29/2011 2:15 PM 98392]
S2 CiSvc32;Indexing Service ;c:\windows\system32\cryptui32.exe --> c:\windows\system32\cryptui32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [5/11/2011 4:54 PM 2804280]
S3 BlackBox;BlackBox SR2; [x]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 1:07 PM 35088]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SQLAgent$RBAT;SQLAgent$RBAT;c:\program files\Microsoft SQL Server\MSSQL$RBAT\Binn\sqlagent.EXE -i RBAT --> c:\program files\Microsoft SQL Server\MSSQL$RBAT\Binn\sqlagent.EXE -i RBAT [?]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\drivers\TEUSBMU.sys [5/13/2011 9:00 PM 20992]
S3 TVAUSBMU;Panasonic Voice Processing System USB Main Unit driver;c:\windows\system32\drivers\TVAUSBMU.sys [1/14/2005 6:36 PM 20992]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT [?]
S4 MSSQL$RBAT;MSSQL$RBAT;c:\program files\Microsoft SQL Server\MSSQL$RBAT\Binn\sqlservr.exe -sRBAT --> c:\program files\Microsoft SQL Server\MSSQL$RBAT\Binn\sqlservr.exe -sRBAT [?]
S4 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 3:32 PM 497856]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-08-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\2010Pro\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\2010Pro\Office14\ONBttnIE.dll/105
Trusted Zone: kent.edu
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g1h81x2e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-compmgm - c:\documents and settings\Administrator\Application Data\compmgm.exe
SafeBoot-13277474.sys
MSConfigStartUp-GoToMeeting - c:\program files\Citrix\GoToMeeting\457\g2mstart.exe
MSConfigStartUp-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-21 10:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-346539130-214902180-3957087311-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,1d,67,d2,2a,8a,05,4a,a9,6a,ff,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,1d,67,d2,2a,8a,05,4a,a9,6a,ff,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
.
**************************************************************************
.
Completion time: 2011-08-21 10:33:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-21 14:33
.
Pre-Run: 16,128,561,152 bytes free
Post-Run: 28,086,837,248 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 93DFF2AD4761B00D2AB586BEEFE8E03F
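
The service/driver section of the ComboFix log above (the `R1 ... / S2 ... / S3 ...` lines) is where an analyst looks first for a service that does not belong, and the entry `S2 CiSvc32;Indexing Service ;c:\windows\system32\cryptui32.exe --> ... [?]` is the kind of line that stands out: the display name of a built-in XP service under a different key name, pointing at a binary the tool could not verify. As an added example, not part of this thread and not ComboFix's own code, the Python below parses such lines and flags the ones worth a second look. It assumes the layout visible in the log (R = running, S = stopped, the digit is the Start value, `key;display;image`, and a trailing `[date size]`, `[x]` for a missing file, or `[?]` with the raw path echoed after `-->`); the `KNOWN_XP_SERVICES` table is a deliberately short reference list of my own, and the flagging heuristics are mine, not a detection rule from any product.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: service/driver lines in the layout ComboFix uses for that
# section (copied from the log in this post). Assumed format: R = running,
# S = stopped; the digit is the registry Start value (0 boot ... 4 disabled);
# fields are key;display;image; the trailing bracket is "[date size]" when the
# file could be stat'ed, "[x]" when it is missing, and "[?]" when the path was
# not resolvable as a plain file and is echoed raw after " --> ".
SAMPLE_LOG = r"""
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [9/7/2010 10:45 PM 21592]
S2 CiSvc32;Indexing Service ;c:\windows\system32\cryptui32.exe --> c:\windows\system32\cryptui32.exe [?]
S3 BlackBox;BlackBox SR2; [x]
S3 SQLAgent$RBAT;SQLAgent$RBAT;c:\program files\Microsoft SQL Server\MSSQL$RBAT\Binn\sqlagent.EXE -i RBAT --> c:\program files\Microsoft SQL Server\MSSQL$RBAT\Binn\sqlagent.EXE -i RBAT [?]
S4 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 3:32 PM 497856]
"""

# Minimal reference of built-in Windows XP services keyed by display name:
# (service key name, image binary). Deliberately short for this example; a real
# triage list would cover every default service of the build being examined.
KNOWN_XP_SERVICES = {
    "Indexing Service": ("CiSvc", "cisvc.exe"),
    "Task Scheduler": ("Schedule", "svchost.exe"),
    "Windows Management Instrumentation": ("winmgmt", "svchost.exe"),
}

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<key>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
TAIL_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<tag>[^\]]*)\]$")
BINARY_RE = re.compile(r"([^\\]+?\.(?:exe|sys|dll))", re.IGNORECASE)


@dataclass
class ServiceEntry:
    key: str
    display: str
    running: bool
    start: int
    image: str  # image path as listed, arguments included
    tag: str    # "x", "?" or the "date size" stamp

    @property
    def binary(self) -> str:
        """Lower-cased file name of the image, or "" when there is none."""
        m = BINARY_RE.search(self.image)
        return m.group(1).lower() if m else ""


def parse_services(text: str) -> list[ServiceEntry]:
    """Parse every R?/S? service line of a ComboFix-style log section."""
    entries: list[ServiceEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tail = TAIL_RE.match(m["rest"].strip())
        if not tail:
            continue
        # "[?]" entries repeat the raw ImagePath after " --> "; keep the first copy.
        image = tail["image"].split(" --> ")[0].strip()
        entries.append(ServiceEntry(
            key=m["key"],
            display=m["display"].strip(),
            running=m["state"] == "R",
            start=int(m["start"]),
            image=image,
            tag=tail["tag"].strip(),
        ))
    return entries


def flag_services(entries: list[ServiceEntry]) -> dict[str, list[str]]:
    """Return {service key: [reasons]} for entries an analyst should inspect."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if e.tag == "x":
            reasons.append("image file missing")
        elif e.tag == "?":
            reasons.append("image not verified by the tool")
        # Arguments after the binary are normal for some products (SQL Agent
        # here) but are listed anyway, since hiding behind them is common.
        if e.binary and not e.image.lower().endswith(e.binary):
            reasons.append("image path carries arguments")
        known = KNOWN_XP_SERVICES.get(e.display)
        if known and (e.key.lower() != known[0].lower() or e.binary != known[1]):
            reasons.append(
                f"display name belongs to built-in {known[0]} ({known[1]}), "
                f"not {e.key} ({e.binary or 'no image'})"
            )
        if e.start == 2 and not e.running and e.tag in ("x", "?"):
            reasons.append("auto-start service is stopped and its image cannot be checked")
        if reasons:
            findings[e.key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in flag_services(parse_services(SAMPLE_LOG)).items():
        print(f"{key}: {'; '.join(reasons)}")
```

Run against the sample, the script lists `CiSvc32` (unverified image, display name of the built-in `CiSvc`/`cisvc.exe` under another key, auto-start but stopped), `BlackBox` (missing driver file) and `SQLAgent$RBAT` (arguments in the path, which is expected for SQL Agent). The point of the reference table is that a display name is what the Services panel shows, so a masquerading service only has to copy that string; the key name and binary are what an analyst should compare.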

#6 teacup61
Bleepin' Texan! - Malware Response Team - 17,075 posts - Wills Point, Texas

Posted 23 August 2011 - 11:52 AM

Hello,

Sorry for my delay. :(

Glad to know it's better. :) I'm not sure about the MSE... have you tried to stop it from running?

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Error reading poptart in Drive A: Delete kids y/n?

#7 Yngwie (Topic Starter)
Members - 5 posts

Posted 24 August 2011 - 08:43 AM

Hey Tea.
No problem on the delay. My computer has been "usable" since I ran the last tools. Google redirect is gone now, so I'm able to use that again, which is nice.
I ran Malwarebytes, per your request. It did find a few things. The log is included here.
I was able to get rid of Microsoft Security Essentials too. It seems that it was not rogue at all; it just didn't show up in Add/Remove.


I think I tracked down where my virus problems started: it's a tutorial on creating multiple remote desktop sessions in XP. It's not an infected webpage, but the file downloaded to follow the instructions IS infected.
http://www.golod.com/enabling-multiple-remote-desktop-sessions-in-windows-xp-professional-and-media-center-edition-2005/

Here's my Malwarebytes log.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7552

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/24/2011 9:17:10 AM
mbam-log-2011-08-24 (09-17-10).txt

Scan type: Quick scan
Objects scanned: 249313
Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\local settings\temp\74.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temp\75.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000cf9ec18c1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

#8 teacup61
Bleepin' Texan! - Malware Response Team - 17,075 posts - Wills Point, Texas

Posted 24 August 2011 - 03:48 PM

Hello,

Oh dear....well, I never got the idea that you thought MSE was rogue, only that you never configured it to run. Anyway, glad you were able to do what you wanted to with it. Are any of the problems remaining now? Also, what AntiVirus are you going to put on this system? You need one, for sure.

Uninstall ComboFix by doing the following:

Click Start > Run > type in, or copy and paste, ComboFix /Uninstall > click OK

Thanks,
tea

#9 Yngwie (Topic Starter)
Members - 5 posts

Posted 24 August 2011 - 05:48 PM

Hello again Tea,
The only problem that remains is that I am unable to put my computer to sleep without first logging out. If I do not log out before closing the lid or hibernating the system or sleeping it, when I bring it up or out of sleep I can't log in. There are 2 users and an admin account configured, all of which work fine after a fresh boot, or if the previous session was logged out before the computer was hibernated or put to sleep. But if the logout did not happen, I have to power slam the system to get a working login.
The remaining problem may not even be malware related, but it started at the same time as the Google redirect. That's why I put the two together.
I have not researched the problem at Microsoft yet.

My antivirus is VIPRE Antivirus from http://www.sunbelt-software.com. Can we post links? If not, I'm sorry, admin: please remove the link.

Thanks for your help!



