Infected with "Security Protection" rogue antivirus software and Defender.exe


  • This topic is locked
9 replies to this topic

#1 helixx77

Posted 27 August 2011 - 09:12 PM

Hello, my laptop is currently infected with malware of some sort called "Security Protection" which shows itself as a fake antivirus program. One of the files it uses is Defender.exe. Also, when I do a search on Google and click on any of the items, it redirects back to Google.com. I started my computer in safe mode and installed Malwarebytes Anti-Malware from a flash drive, and then ran a full system scan. I removed everything, and started the free trial of Malwarebytes to use the real-time protection and website blocking features. Even after running a full scan and removing everything, Malwarebytes still blocks many outgoing connections (which I believed were false positives). This is my work computer and I use a VPN to connect to access their network services, but with Malwarebytes active, my VPN client would shut down instantly after opening it. Since I thought I had removed the virus completely, I uninstalled Malwarebytes since it wasn't letting me use my VPN. However, the virus came back, and this is why I am on these forums looking for help.


.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Run by root at 21:36:41 on 2011-08-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3055.2765 [GMT -4:00]
.
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sun.com/
uInternet Settings,ProxyServer = bcpxy.nycnet:8080
uInternet Settings,ProxyOverride = localhost;<local>
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NVRotateSysTray] rundll32.exe c:\windows\system32\nvsysrot.dll,Enable
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TFncKy] TFncKy.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [TweakAutomaticUpdates] c:\windows\orclobi\gdswsuspatch_soon.exe /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [cleanhtm] %APPDATA%\cleanhtm.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\root\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: oracle.com
Trusted Zone: oraclevpn.com\adc-twvpn-1
Trusted Zone: sun.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://adc-twvpn-1.oraclevpn.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229610264553
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://hrawebmail.nyc.gov/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{F313BF2D-BBAA-4E11-B516-7B8FBC082219} : DhcpNameServer = 192.168.1.1 71.250.0.12
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 184.95.59.207 www.google.com
Hosts: 184.95.59.208 search.yahoo.com
Hosts: 184.95.59.208 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\root\application data\mozilla\firefox\profiles\2dl3j0bf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sun.com
FF - prefs.js: network.proxy.ftp - www-proxy.us.oracle.com
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - www-proxy.us.oracle.com
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - www-proxy.us.oracle.com
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - www-proxy.us.oracle.com
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - www-proxy.us.oracle.com
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2008-9-10 6528]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-8-25 22816]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-10-20 41216]
S0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-3 344712]
S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2009-6-4 5888]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-6-27 100944]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-6-27 41424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 console-3.0.2;console-3.0.2;c:\sun\webconsole\bin\swc.exe [2010-5-4 53248]
S2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2010-6-15 1498224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-6 136176]
S2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2010-10-20 35696]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-27 366640]
S2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-12-16 222528]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-5-19 120128]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-8-25 147984]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-8-25 66880]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-3-3 69192]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-24 91456]
S2 MyDesktopWindows;MyDesktopService;c:\windows\orclobi\mydesktop\MyDesktopService.exe [2011-2-18 1030144]
S2 QOSMyDesktop;QOS MyDesktop;c:\windows\orclobi\mydesktop\MyDesktopQOS.exe [2009-10-13 470016]
S2 srv1EE8;srv1EE8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S2 Sun_STK_FMS;Sun StorageTek™ Fault Management Service;c:\program files\sun\common array manager\component\fms\sbin\wrapper.exe [2010-3-19 167936]
S2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2009-6-4 126976]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2011-6-10 641464]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-6-17 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-6-17 3072]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2010-3-4 44680]
S3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2010-3-4 44680]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-6 136176]
S3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2010-3-4 107960]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2010-3-4 38680]
S3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2010-3-4 35552]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-27 22712]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-27 41272]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-8-21 91896]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-8-21 43192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-8-21 66536]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2009-6-4 435072]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-6-27 79888]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-5-29 87760]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-27 19:47:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-27 19:47:15 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-27 19:47:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-21 21:27:39 66536 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-21 21:27:39 43192 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-21 21:27:39 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2011-08-21 21:27:38 91896 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-21 21:27:16 -------- d-----w- c:\program files\common files\McAfee
2011-08-21 17:38:53 -------- d-----w- c:\documents and settings\root\application data\Malwarebytes
2011-08-21 17:38:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-03 02:41:42 -------- d-----w- c:\documents and settings\root\application data\McAfee
2011-08-01 19:16:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
==================== Find3M ====================
.
2011-08-05 05:56:14 136512 ----a-w- c:\windows\system32\KevlarSigs.dll
2011-08-01 19:16:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-03 02:27:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45:58 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45:57 17408 ----a-w- c:\windows\system32\corpol.dll
2011-06-21 11:47:20 389120 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-10 20:55:58 10680 ----a-w- c:\windows\system32\vpncategories.dll
2011-06-10 20:55:51 30648 ----a-w- c:\windows\system32\vpnevents.dll
2011-06-10 20:42:41 19192 ----a-w- c:\windows\system32\drivers\vpnva.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2009-06-13 00:23:52 0 ---ha-w- c:\program files\.exe
2008-04-18 16:35:50 0 ---h--r- c:\program files\107-1.exe
.
============= FINISH: 21:38:05.92 ===============
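The DDS report above carries the two indicators that explain the symptoms in the first post: three "Hosts:" lines pointing www.google.com, search.yahoo.com and www.bing.com at public addresses in 184.95.59.0/24 (the search redirect), and an autostart entry ("mRun: [cleanhtm] %APPDATA%\cleanhtm.exe") launching an executable from the user's profile. The script below is an added example, not code from the thread or from the DDS tool: it reads DDS-style lines and flags hosts-file entries that map well-known search domains to non-loopback addresses, and Run entries whose command line lives in a user-writable location. The watched-domain list and the user-writable path tokens are assumptions to extend; the sample input mixes lines taken from the log above with constructed benign and malicious lines.

```python
import ipaddress
import re

# Line shapes from the DDS "Pseudo HJT Report" section:
#   Hosts: <ip> <hostname>
#   uRun:/mRun: [<value name>] <command line>
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^[um]Run:\s+\[[^\]]*\]\s*(.*)$")

# Hostnames a search-redirect hosts hijack would target (assumption; extend freely).
WATCHED_DOMAINS = {
    "www.google.com", "google.com", "search.yahoo.com", "yahoo.com",
    "www.bing.com", "bing.com",
}

# User-writable locations where a legitimate machine-wide autostart rarely lives (assumption).
USER_WRITABLE = ("%appdata%", "\\application data\\", "%temp%", "\\local settings\\temp\\")


def triage(lines):
    """Return (category, detail) findings for suspicious lines in a DDS report."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2).lower()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(("hosts-malformed", line))
                continue
            if addr.is_loopback:
                continue  # 127.0.0.1 / ::1 entries are the normal blocklist shape
            if host in WATCHED_DOMAINS:
                findings.append(("hosts-hijack", f"{host} -> {ip}"))
            elif addr.is_global:
                # Anything else steered to a public IP is worth a look, but lower priority
                findings.append(("hosts-external", f"{host} -> {ip}"))
            continue
        m = RUN_RE.match(line)
        if m and any(tok in m.group(1).lower() for tok in USER_WRITABLE):
            findings.append(("autorun-user-writable", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for cat, _ in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Sample input: the first four lines are from the DDS log in this thread, the rest are
# constructed to show what the triage leaves alone (loopback and RFC1918 hosts entries,
# a vendor autostart) and a second constructed user-profile autostart.
SAMPLE_LINES = [
    "Hosts: 184.95.59.207 www.google.com",
    "Hosts: 184.95.59.208 search.yahoo.com",
    "Hosts: 184.95.59.208 www.bing.com",
    r"mRun: [cleanhtm] %APPDATA%\cleanhtm.exe",
    "Hosts: 127.0.0.1 ad.doubleclick.net",
    "Hosts: 10.1.2.3 intranet.corp",
    r'mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"',
    r"uRun: [Updater] c:\documents and settings\user\local settings\temp\svchost.exe",
]

if __name__ == "__main__":
    for cat, detail in triage(SAMPLE_LINES):
        print(f"{cat:24} {detail}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run against a real DDS log with `triage(open("dds.txt").read().splitlines())`. The loopback exemption matters: hosts files full of `127.0.0.1 ad.server` entries are a common, benign ad-blocking pattern and would otherwise drown the three hijack lines that actually explain the redirect.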


#2 m0le (Malware Response Team)

Posted 01 September 2011 - 08:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 helixx77 (Topic Starter)

Posted 02 September 2011 - 08:39 AM

Thanks for the help.

#4 m0le (Malware Response Team)

Posted 02 September 2011 - 06:12 PM

The Gmer log says there might be a rootkit here too, which we would have to make sure won't stop us from cleaning up

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 helixx77 (Topic Starter)

Posted 03 September 2011 - 08:46 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-03 21:09:51
-----------------------------
21:09:51.796 OS Version: Windows 5.1.2600 Service Pack 3
21:09:51.796 Number of processors: 2 586 0xF0B
21:09:51.796 ComputerName: US-PZ141977-01 UserName: root
21:09:52.640 Initialize success
21:11:01.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
21:11:01.125 Disk 0 Vendor: Hitachi_ BB2O Size: 114473MB BusType: 3
21:11:01.125 Disk 0 MBR read successfully
21:11:01.140 Disk 0 MBR scan
21:11:01.140 Disk 0 unknown MBR code
21:11:01.140 Disk 0 MBR hidden
21:11:01.140 Disk 0 scanning sectors +234420480
21:11:01.218 Disk 0 scanning C:\WINDOWS\system32\drivers
21:11:14.375 Service scanning
21:11:16.015 Modules scanning
21:11:26.421 Disk 0 trace - called modules:
21:11:26.437 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x8a34432b]<<
21:11:26.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad0dab8]
21:11:26.437 3 CLASSPNP.SYS[f76d7fd7] -> nt!IofCallDriver -> \Device\THPDRV[0x8ad715e0]
21:11:26.437 5 thpdrv.sys[f77817a1] -> nt!IofCallDriver -> \Device\000000d9[0x8ad26910]
21:11:26.437 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8ad24028]
21:11:26.437 \Driver\iastor[0x8adf3d88] -> IRP_MJ_CREATE -> 0x8a34432b
21:11:26.437 Scan finished successfully
21:11:54.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\root\Desktop\MBR.dat"
21:11:54.921 The log file has been saved successfully to "C:\Documents and Settings\root\Desktop\aswMBR.txt"

#6 m0le (Malware Response Team)

Posted 03 September 2011 - 08:49 PM

It says unknown so we need to get an ID on it.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#7 helixx77 (Topic Starter)

Posted 03 September 2011 - 09:32 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 201):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0x8A1B7000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7607000 ohci1394.sys
0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789F000 compbatt.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7989000 aliide.sys
0xF798B000 intelide.sys
0xF798D000 toside.sys
0xF798F000 viaide.sys
0xF7991000 cmdide.sys
0xF74D9000 pcmcia.sys
0xF7627000 MountMgr.sys
0xF74BA000 ftdisk.sys
0xF7993000 dmload.sys
0xF7494000 dmio.sys
0xF770F000 PartMgr.sys
0xF7637000 VolSnap.sys
0xF78A7000 cpqarray.sys
0xF747C000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7B0F000 iaStor.sys
0xF7464000 atapi.sys
0xF78AB000 aha154x.sys
0xF7717000 sparrow.sys
0xF78AF000 symc810.sys
0xF7647000 aic78xx.sys
0xF78B3000 dac960nt.sys
0xF7657000 ql10wnt.sys
0xF78B7000 amsint.sys
0xF771F000 asc.sys
0xF78BB000 asc3550.sys
0xF7727000 mraid35x.sys
0xF772F000 i2omp.sys
0xF78BF000 ini910u.sys
0xF7667000 ql1240.sys
0xF7677000 aic78u2.sys
0xF7737000 symc8xx.sys
0xF773F000 sym_hi.sys
0xF7747000 sym_u3.sys
0xF774F000 ABP480N5.SYS
0xF7757000 asc3350p.sys
0xF7995000 cd20xrnt.sys
0xF7687000 ultra.sys
0xBA747000 adpu160m.sys
0xF775F000 dpti2o.sys
0xF7697000 ql1080.sys
0xF76A7000 ql1280.sys
0xF76B7000 ql12160.sys
0xF7767000 perc2.sys
0xF7997000 perc2hib.sys
0xF776F000 hpn.sys
0xF78C3000 cbidf2k.sys
0xBA71B000 dac2w2k.sys
0xF76C7000 disk.sys
0xF76D7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xBA6FB000 fltMgr.sys
0xBA6E9000 sr.sys
0xF76E7000 PxHelp20.sys
0xBA6D2000 KSecDD.sys
0xBA6BF000 WudfPf.sys
0xBA69F000 FirePM.sys
0xBA612000 Ntfs.sys
0xBA5E5000 NDIS.sys
0xF76F7000 viaagp.sys
0xF7777000 TVALZ.SYS
0xF7999000 Thpevm.SYS
0xF7587000 sisagp.sys
0xF777F000 thpdrv.sys
0xBA52B000 Mup.sys
0xBA4D8000 mfehidk.sys
0xF7577000 agp440.sys
0xF7567000 alim1541.sys
0xF7557000 amdagp.sys
0xF7547000 agpCPQ.sys
0xB9D23000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB9D0F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA595000 \SystemRoot\system32\DRIVERS\HECI.sys
0xB9CD1000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF778F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9CAD000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77CF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9C85000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB990D000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0xBA585000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB98F9000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xBA575000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB98CC000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA565000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB97B1000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA478000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA555000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
0xBA545000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA3DA000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7517000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7507000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF74F7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB978E000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3C6000 \SystemRoot\system32\DRIVERS\tosrfec.sys
0xBA3BE000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA7F0000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9761000 \SystemRoot\system32\DRIVERS\agnfilt.sys
0xBA7E0000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xF7A95000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA7D0000 \SystemRoot\system32\DRIVERS\firehk.sys
0xBA7C0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA34A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9722000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA7B0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA7A0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9671000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA790000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF780F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF781F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB960F000 \SystemRoot\system32\DRIVERS\VBoxNetAdp.sys
0xB95DF000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA780000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB95C2000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xB95AE000 \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys
0xF79BB000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9550000 \SystemRoot\system32\DRIVERS\update.sys
0xBA410000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA770000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xBA760000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA5B5000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79C5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB804C000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB8028000 \SystemRoot\system32\drivers\portcls.sys
0xB98BC000 \SystemRoot\system32\drivers\drmk.sys
0xB7FBD000 \SystemRoot\system32\DRIVERS\TEchoCan.sys
0xB7EA1000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xB9651000 \SystemRoot\System32\Drivers\Modem.SYS
0xB9745000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79D5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7AA2000 \SystemRoot\System32\Drivers\Null.SYS
0xF79D9000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA4A0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA490000 \SystemRoot\System32\drivers\vga.sys
0xF79DD000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79E1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA480000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA468000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA34E000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB7D6A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB7D11000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB7CC7000 \??\C:\WINDOWS\system32\Drivers\FireTDI.sys
0xB7CA1000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB985C000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB984C000 \SystemRoot\system32\drivers\mfetdik.sys
0xB983C000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB7C79000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB7E85000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB982C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB7C57000 \SystemRoot\System32\drivers\afd.sys
0xB9712000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB9702000 \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys
0xB7C3F000 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
0xF79E9000 \SystemRoot\System32\Drivers\TMEI3E.SYS
0xB7C14000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB7BA4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB96F2000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7817000 \SystemRoot\System32\Drivers\tcusb.sys
0xB7CF9000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB7B58000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB7E11000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB7A88000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB7E5D000 \SystemRoot\System32\drivers\Dxapi.sys
0xB9659000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AB3000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF549000 \SystemRoot\System32\ATMFD.DLL
0xB7B84000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xF7807000 \SystemRoot\system32\DRIVERS\iPassP.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\agnwifi.sys
0xB54EE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB5341000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF77BF000 \SystemRoot\system32\drivers\HIPPSK.sys
0xB5206000 \SystemRoot\system32\drivers\HIPK.sys
0xB567E000 \SystemRoot\system32\drivers\HIPQK.sys
0xB50BE000 \SystemRoot\system32\DRIVERS\srv.sys
0xF77F7000 \??\C:\WINDOWS\system32\drivers\firelm01.sys
0xB4621000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB45E4000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB4401000 \SystemRoot\system32\drivers\wdmaud.sys
0xB46DA000 \SystemRoot\system32\drivers\sysaudio.sys
0xB3F68000 \SystemRoot\System32\Drivers\HTTP.sys
0xB49E2000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xB2EF8000 \??\C:\Temp\aswMBR.sys
0xB27BF000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 84):
0 System Idle Process
4 System
992 C:\WINDOWS\system32\smss.exe
1056 csrss.exe
1088 C:\WINDOWS\system32\winlogon.exe
1200 C:\WINDOWS\system32\services.exe
1224 C:\WINDOWS\system32\lsass.exe
1408 C:\WINDOWS\system32\svchost.exe
1516 svchost.exe
1840 C:\WINDOWS\system32\svchost.exe
1904 C:\WINDOWS\system32\svchost.exe
696 svchost.exe
836 svchost.exe
868 C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
1984 C:\WINDOWS\system32\spoolsv.exe
328 svchost.exe
564 C:\WINDOWS\system32\agrsmsvc.exe
1040 C:\Sun\WebConsole\bin\swc.exe
1064 C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
768 C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
1348 C:\Program Files\Java\jre6\bin\jqs.exe
860 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
600 C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
1660 C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
2948 C:\Program Files\McAfee\Common Framework\FrameworkService.exe
2440 C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
2508 C:\WINDOWS\system32\mfevtps.exe
2524 C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
2908 C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
1820 naPrdMgr.exe
3184 C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
2644 C:\WINDOWS\system32\nvsvc32.exe
3764 C:\WINDOWS\system32\svchost.exe
3804 C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
420 C:\WINDOWS\system32\svchost.exe
472 C:\Program Files\Sun\Common Array Manager\Component\fms\sbin\wrapper.exe
1356 C:\WINDOWS\system32\ThpSrv.exe
2128 C:\Program Files\Java\jdk1.6.0_12\bin\java.exe
2792 C:\Program Files\Toshiba\TME3\TMESRV31.exe
2932 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
1808 C:\WINDOWS\system32\searchindexer.exe
2060 C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
1880 mfeann.exe
1596 C:\Program Files\Canon\CAL\CALMAIN.exe
3584 alg.exe
524 C:\WINDOWS\explorer.exe
3316 C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
3796 C:\WINDOWS\system32\ctfmon.exe
3328 C:\WINDOWS\system32\wuauclt.exe
3504 C:\WINDOWS\system32\TPSODDCtl.exe
2592 C:\WINDOWS\system32\00THotkey.exe
3608 C:\Program Files\Apoint2K\Apoint.exe
2192 C:\WINDOWS\system32\rundll32.exe
3496 C:\WINDOWS\system32\rundll32.exe
2452 C:\WINDOWS\system32\TPSBattM.exe
2752 C:\WINDOWS\RTHDCPL.EXE
2772 C:\Program Files\Apoint2K\ApntEx.exe
3360 C:\Program Files\Apoint2K\hidfind.exe
2184 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
3416 C:\Program Files\Toshiba\TME3\TMERzCtl.exe
1648 C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe
3240 C:\Program Files\Toshiba\TME3\TMEEJME.exe
3232 C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
3236 C:\WINDOWS\system32\ThpSrv.exe
852 C:\WINDOWS\system32\TFNF5.exe
4216 C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
4444 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
4536 C:\Program Files\Java\jre6\bin\jusched.exe
4560 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
4904 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
5184 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
5472 C:\Program Files\Palm\Hotsync.exe
5692 C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
4236 C:\Program Files\McAfee\Common Framework\McTray.exe
3152 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
4512 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
5344 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
5220 C:\Program Files\Mozilla Thunderbird\thunderbird.exe
2368 C:\Program Files\Internet Explorer\iexplore.exe
4676 C:\Program Files\Mozilla Firefox\firefox.exe
5708 C:\Program Files\Mozilla Firefox\plugin-container.exe
2284 C:\WINDOWS\system32\searchprotocolhost.exe
1636 searchfilterhost.exe
4584 C:\Documents and Settings\root\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000017`aca81200 (FAT32)

PhysicalDrive0 Model Number: HitachiHTS542512K9SA00, Rev: BB2OC33P

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 79676F4E51A16ADA956A4B4690E542CA21B921B8


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#8 m0le (Malware Response Team)

Posted 04 September 2011 - 05:44 AM

That also fails to find it. More suspicious now...

Please do the following:

Run MBRCheck again

When prompted, Enter 'Y' and hit ENTER for more options
When you see: "Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit):"

Enter 0 to dump the MBR to the physical disk.

Name the dumped file as helixx.dat

Enter -1 to exit.

Please then locate the files and visit this site and follow the instructions for uploading the file.
m0le is a proud member of UNITE
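What the dump step in the post above produces is one raw 512-byte sector, and both aswMBR ("unknown MBR code", "MBR hidden") and MBRCheck ("Unknown MBR code", with a SHA1) are saying the same thing: the bootstrap bytes do not match any entry in their known-good lists. The parser below is an added example, not code from MBRCheck, aswMBR or anyone in the thread. It validates the 0x55AA signature, decodes the four partition entries, hashes the bootstrap area so the hash can be compared with a known-good list you maintain, and cross-checks the volume offsets MBRCheck printed (C: at 0x7e00, E: at 0x17aca81200) against the table, reporting how many sectors lie past the last partition. The sample sector is constructed to mirror that layout: bootstrap zeroed, a disk signature, two entries starting at those offsets. Partition sizes, the 114473 MB disk size read as MiB, and the idea that nothing legitimate lives past the last partition are assumptions, and this hash is over bytes 0..439, which need not match how MBRCheck computes its own.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440  # 0-439 bootstrap code, 440-443 disk signature, 446-509 table, 510-511 0x55AA

PTYPES = {0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
          0x0F: "extended LBA", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> dict:
    """Decode one raw MBR sector: signature check, bootstrap hash, partition table."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("0x55AA boot signature missing: not an MBR")
    code = sector[:BOOTCODE_LEN]
    parts = []
    for i in range(4):
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PTYPES.get(ptype, f"0x{ptype:02x}"),
            "start_lba": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,  # the "at offset" value MBRCheck prints
        })
    return {
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "bootcode_sha1": hashlib.sha1(code).hexdigest(),  # compare with your known-good list
        "bootcode_is_zero": not any(code),
        "partitions": parts,
    }


def cross_check(parsed: dict, disk_sectors: int, volumes: dict) -> dict:
    """Match volume byte offsets (as MBRCheck lists them) to table entries and size the
    gap after the last partition, where a bootkit can keep its payload and a copy of the
    original MBR (assumption: nothing legitimate lives past the last partition)."""
    by_offset = {p["byte_offset"]: p["index"] for p in parsed["partitions"]}
    matched = {v: by_offset[off] for v, off in volumes.items() if off in by_offset}
    unmatched = [v for v, off in volumes.items() if off not in by_offset]
    last_end = max((p["start_lba"] + p["sectors"] for p in parsed["partitions"]), default=0)
    return {
        "matched": matched,
        "unmatched_volumes": unmatched,
        "trailing_unallocated_sectors": max(disk_sectors - last_end, 0),
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed bootstrap, a disk signature, and the two-partition
    layout implied by the volume offsets in the thread (partition sizes are assumed)."""
    sector = bytearray(SECTOR)
    struct.pack_into("<I", sector, 440, 0x1234ABCD)  # arbitrary disk signature
    entries = [
        (0x80, 0x07, 63, 198595593 - 63),                # C: NTFS, bootable, 63*512 = 0x7e00
        (0x00, 0x0B, 198595593, 234420480 - 198595593),  # E: FAT32, 198595593*512 = 0x17aca81200
    ]
    for i, (boot, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * i,
                         boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(info["bootcode_sha1"], info["partitions"])
    # 114473 MB as reported by aswMBR, taken as MiB (assumption): 114473 * 2048 sectors
    print(cross_check(info, 114473 * 2048, {"C": 0x7E00, "E": 0x17ACA81200}))
```

For a real dump, `parse_mbr(open("helixx.dat", "rb").read()[:SECTOR])` is the whole call. A clean table whose volumes all match, paired with bootstrap code that no tool recognises, is exactly the picture this thread ended on: the partition layout is intact and the bootable partition is still where the OS expects it, so only the first 440 bytes need replacing, not the table, which is what m0le's closing post means by replacing the MBR rather than repartitioning.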

#9 helixx77 (Topic Starter)

Posted 04 September 2011 - 02:35 PM

The virus was rendering my whole computer unusable, and I was unable to access the things I needed for work. I went to the last resort option of restoring my hard drive back to the old company ISO. I appreciate the help you've given me, and I will surely come back to these forums when I am in need of any assistance.

Thanks,
Helixx77

#10 m0le (Malware Response Team)

Posted 04 September 2011 - 05:28 PM

Thanks for letting me know. Sometimes time beats us :angry: we were about to go down the route of replacing what appears to be a malicious MBR rewrite.

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
