Google redirects, background ads/audio from invisible iexplore.exe, and hidden processes


  • This topic is locked
19 replies to this topic

#1 Charles Tholen

Charles Tholen

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:48 AM

Posted 15 November 2011 - 09:15 PM

On a Windows XP box I am seeing the symptoms I have been reading about here and elsewhere. tdsskiller will not run, aswMBR will not run. GMER does not run properly. RKunhookerLE shows one or two hidden drivers. I did see hidden processes reported by GMER that could not be killed.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:48 PM

Posted 15 November 2011 - 11:22 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Charles Tholen

Posted 16 November 2011 - 12:59 AM

There was a problem running GMER. On launch it said LoadDriver("c:\docume~1\cognos~1\locals~1\temp\uxyapob.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key. I press OK and it will run, except the only selectable options that are not greyed out are Services, Registry, Files, and ADS. So I ran with those options. It said nothing found and the ark.log contained nothing.

Here are the logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by cognoscape at 23:38:24 on 2011-11-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1393 [GMT -6:00]
.
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe
C:\PROGRA~1\SAAZOD\zRealTime\SAAZapsc.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\zRealTime\rtHlpDk.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\zRealTime\rtdrHlpDk.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TSSchBkpService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\First Backup\BackupClientSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6081115
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NovaNet-WEB Tray Control] c:\program files\first backup\TrayControl.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ToolboxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SBAMTray] "c:\program files\sunbelt software\sbeagent\SBAMTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firstb~1.lnk - c:\program files\first backup\TrayControl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firstb~2.lnk - c:\program files\firstbackup pro\rbclient.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tlr.webex.com/client/T27L/training/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 216.201.128.10 66.196.212.10
TCP: Interfaces\{94CCC009-8441-4495-AFEC-5C5C239DA133} : DhcpNameServer = 216.201.128.10 66.196.212.10
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 FAMv4;FAMv4;c:\windows\system32\drivers\FAMv4.sys [2008-11-19 92184]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-8-24 21592]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-8-24 212568]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-10-25 145920]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-9-9 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-2 366152]
R2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\saazod\zrealtime\SAAZappr.exe [2011-7-13 82760]
R2 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\saazod\zrealtime\SAAZapsc.exe [2011-7-13 82760]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2010-9-21 86856]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2010-9-21 78664]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2010-9-8 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2010-9-21 86856]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-8-24 74200]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\sbeagent\SBPIMSvc.exe [2011-6-23 181584]
R2 TSScheduleBackup;TimeslipsBackup;c:\windows\system32\TSSchBkpService.exe [2008-11-19 705024]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2011-7-11 20504]
R3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [2011-7-11 21528]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-2 22216]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2007-8-3 13408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-10 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-10 136176]
S3 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2011-6-23 2804280]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-4-29 101720]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 ZEvtSVC;ZEvtSVC;c:\progra~1\saazod\zscc\zEvtSVC.exe [2011-8-26 230216]
.
=============== Created Last 30 ================
.
2011-11-16 03:50:09 -------- d-sha-r- C:\cmdcons
2011-11-16 03:00:49 98816 ----a-w- c:\windows\sed.exe
2011-11-16 03:00:49 518144 ----a-w- c:\windows\SWREG.exe
2011-11-16 03:00:49 256000 ----a-w- c:\windows\PEV.exe
2011-11-16 03:00:49 208896 ----a-w- c:\windows\MBR.exe
2011-11-16 02:59:20 -------- d-----w- C:\ComboFix
2011-11-15 22:46:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-15 21:07:04 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-11-15 21:07:00 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-11-15 21:07:00 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-11-15 21:05:56 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2011-11-15 21:03:17 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2011-11-15 21:03:14 19016 -c--a-w- c:\windows\system32\dllcache\w926nd.sys
2011-11-15 21:03:10 5632 -c--a-w- c:\windows\system32\dllcache\w3svapi.dll
2011-11-15 21:03:10 364032 -c--a-w- c:\windows\system32\dllcache\w3svc.dll
2011-11-15 21:03:10 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2011-11-15 21:03:09 73728 -c--a-w- c:\windows\system32\dllcache\w3ext.dll
2011-11-15 21:03:09 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2011-11-15 21:03:09 4608 -c--a-w- c:\windows\system32\dllcache\w3ctrs51.dll
2011-11-15 21:03:05 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2011-11-15 21:03:01 397502 -c--a-w- c:\windows\system32\dllcache\vpctcom.sys
2011-11-15 21:03:00 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2011-11-15 21:03:00 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2011-11-15 21:01:59 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2011-11-15 21:00:57 34375 -c--a-w- c:\windows\system32\dllcache\tpro4.sys
2011-11-15 20:59:57 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2011-11-15 20:58:56 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2011-11-15 20:57:59 73832 -c--a-w- c:\windows\system32\dllcache\slcoinst.dll
2011-11-15 20:56:59 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-11-15 20:55:58 65664 -c--a-w- c:\windows\system32\dllcache\s3legacy.sys
2011-11-15 20:54:59 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2011-11-15 20:53:58 259328 -c--a-w- c:\windows\system32\dllcache\perm3dd.dll
2011-11-15 20:52:59 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2011-11-15 20:51:59 15872 -c--a-w- c:\windows\system32\dllcache\ne2000.sys
2011-11-15 20:50:57 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2011-11-15 20:49:58 58368 -c--a-w- c:\windows\system32\dllcache\m3091dc.dll
2011-11-15 20:48:57 6144 -c--a-w- c:\windows\system32\dllcache\kbdax2.dll
2011-11-15 20:47:58 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2011-11-15 20:46:58 199711 -c--a-w- c:\windows\system32\dllcache\hsf_faxx.sys
2011-11-15 20:45:59 82304 -c--a-w- c:\windows\system32\dllcache\grclass.sys
2011-11-15 20:44:58 14336 -c--a-w- c:\windows\system32\dllcache\exstrace.dll
2011-11-15 20:43:59 77386 -c--a-w- c:\windows\system32\dllcache\el656nd5.sys
2011-11-15 20:42:59 419357 -c--a-w- c:\windows\system32\dllcache\dgconfig.dll
2011-11-15 20:41:52 980034 -c--a-w- c:\windows\system32\dllcache\cicap.sys
2011-11-15 20:40:59 66557 -c--a-w- c:\windows\system32\dllcache\bcm42u.sys
2011-11-15 20:39:59 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll
2011-11-03 04:37:11 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-03 04:36:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-03 02:30:46 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-11-02 21:50:32 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-02 19:55:30 -------- d-sh--w- c:\documents and settings\cognoscape\PrivacIE
2011-11-02 19:55:20 -------- d-----w- c:\documents and settings\cognoscape\local settings\application data\AskToolbar
2011-11-02 19:55:05 -------- d-----w- c:\documents and settings\cognoscape\application data\FCTB000061107
.
==================== Find3M ====================
.
2011-11-15 20:55:30 1682 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys
2011-10-07 16:40:18 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 16:40:18 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 16:40:17 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 16:40:16 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-03 08:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
.
============= FINISH: 23:45:55.54 ===============


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:48 PM

Posted 20 November 2011 - 09:19 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 Charles Tholen

Posted 22 November 2011 - 02:59 PM

There was no extras.txt minimized after running OTL.

I have had to attach the OTL.log file as the forum told me the post was too long after pasting in the content.

Attached Files

  • Attached File  OTL.Txt   327.79KB   4 downloads


#6 myrti

Posted 22 November 2011 - 03:29 PM

Hi,

could you post the logs you did get from RkU and gmer? I see you tried to run ComboFix, how did that work out?

regards myrti



#7 Charles Tholen

Posted 22 November 2011 - 04:53 PM

GMER does not run properly. I get a message "loaddriver("c:\docume~1\cognos~1\locals~1\temp\uxlyapob.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key."

Report.txt is from RKU and log.txt was from when I ran ComboFix.

Regards,
Charles

Also, on trying to run GMER, only Services, Registry, and Files are clickable. The other items are greyed out.


#8 myrti

Posted 22 November 2011 - 04:55 PM

Hi,

those logs don't show much. I think our best shot is to try a live-cd to see what is on your PC.

Do you happen to have a linux live-cd around?

If not please follow these instructions:
Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • It will install a little bootable OS on your USB
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Press Tool at the top
  • Choose Open Terminal
  • Type in: dd if=/dev/sda of=MBRbackup.zip bs=512 count=1 and hit Enter.

MBRbackup.zip should be created on your flash drive, please attach it to your next reply.



#9 Charles Tholen

Posted 22 November 2011 - 06:09 PM

Here is the MBRbackup file.


#10 myrti

Posted 22 November 2011 - 07:28 PM

Hi,

the infection has modified your partitions. We will attempt to rectify that. As a first step I would like you to check that the command we are using is recognizing your hard drive correctly.

Please boot from the flash drive once more. Go to File then mnt and select the flash drive (most likely sdb1). Then press Tool and select the command line again. Type in: parted -l and let me know if it shows any warnings.

regards myrti



#11 Charles Tholen

Posted 22 November 2011 - 07:46 PM

Model: ATA ST3160815AS (scsi)
Disk /dev/sda: 160GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End    Size    Type     File system  Flags
 1      32.3kB  123MB  123MB   primary  fat16
 2      123MB   160GB  160GB   primary  ntfs
 3      160GB   160GB  1845kB  primary  ntfs         boot, hidden


Model: Generic Flash Disk (scsi)
Disk /dev/sdc: 1032MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      65.5kB  1032MB  1032MB  primary  fat32        boot

#12 Charles Tholen

Posted 22 November 2011 - 07:47 PM

Partition 2 is what shows the system's data. 1 is a Dell partition and 3 shows empty.

#13 myrti

Posted 22 November 2011 - 07:52 PM

Hi

3 is the partition the malware created and installed itself to. Since parted can read your drive just fine, please run the following command to disable the malicious partition and re-enable your Windows partition as the booting partition: parted /dev/sda set 2 boot on

reboot and let me know if the redirects stop.

If they do and boot is successful, we will reboot onto the cd drive and delete the partition in question.

regards myrti



#14 Charles Tholen

Posted 22 November 2011 - 08:00 PM

Yes, the redirects appear to be gone. It does look like I can delete the partition from inside Windows Disk Manager.

#15 myrti

Posted 22 November 2011 - 08:07 PM

Hi,

that sounds good too. :) You can do it, the way you prefer. The command from the linux live-cd would be: parted /dev/sda rm 3 . Happy to hear that the PC is back to normal!

Please run a scan with Eset to check for leftovers:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

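The thread above collects the first sector of the disk with dd (post #8), reads the partition table with parted -l (post #11), then moves the boot flag back to the Windows partition with "parted /dev/sda set 2 boot on" (post #13) and removes the malicious entry with "parted /dev/sda rm 3" (post #15). The following Python is an added example, not code from the thread or from BleepingComputer, showing what those steps do to the 512-byte MBR: it parses the four partition entries from an MBRbackup-style image, flags an active partition that is hidden or tiny (the pattern seen here: a 1845 kB hidden NTFS partition at the end of the disk carrying the boot flag), and applies the same two fixes to the in-memory table. The sample MBR is constructed to approximate the parted output in post #11; the sector counts, the CHS placeholder bytes, the choice of type 0x17 for "hidden ntfs", and the 16 MB "tiny partition" threshold are assumptions for illustration.

```python
"""Parse a 512-byte MBR image (as captured with dd bs=512 count=1) and flag a
small or hidden partition that carries the active/boot flag."""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446

# Partition type IDs used below (not exhaustive). 0x17 = hidden NTFS/HPFS.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
TYPE_NAMES = {0x06: "fat16", 0x07: "ntfs", 0x0B: "fat32", 0x0C: "fat32 (lba)", 0x17: "hidden ntfs"}


def parse_mbr(data: bytes) -> list:
    """Return the non-empty entries of the primary partition table as dicts."""
    if len(data) < SECTOR:
        raise ValueError("need at least 512 bytes")
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(ENTRY_FMT, data, off)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        parts.append({
            "number": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "0x%02x" % ptype),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR,
        })
    return parts


def suspicious_active_partitions(parts: list, max_size_bytes: int = 16 * 1024 * 1024) -> list:
    """Entries that hold the boot flag but are hidden and/or far too small to be
    an OS partition. The threshold is an assumption, not a parted rule."""
    return [p for p in parts if p["active"] and (p["hidden"] or p["size_bytes"] <= max_size_bytes)]


def set_active(data: bytes, number: int) -> bytes:
    """Mirror 'parted /dev/sda set N boot on' on an msdos label: exactly one
    entry keeps status 0x80, every other entry is cleared to 0x00."""
    buf = bytearray(data)
    for i in range(4):
        buf[TABLE_OFFSET + 16 * i] = 0x80 if i + 1 == number else 0x00
    return bytes(buf)


def remove_partition(data: bytes, number: int) -> bytes:
    """Mirror 'parted /dev/sda rm N': zero the 16-byte table entry."""
    buf = bytearray(data)
    off = TABLE_OFFSET + 16 * (number - 1)
    buf[off:off + 16] = b"\x00" * 16
    return bytes(buf)


def build_sample_mbr() -> bytes:
    """Constructed MBR approximating the parted -l output from the thread:
    Dell fat16 utility partition, the Windows ntfs partition with its boot flag
    stripped, and a 1845 kB hidden ntfs partition at the end marked boot."""
    entries = [
        (0x00, 0x06, 63, 240_000),           # 1: fat16, ~123 MB
        (0x00, 0x07, 240_063, 312_330_000),  # 2: ntfs, ~160 GB, no boot flag
        (0x80, 0x17, 312_570_063, 3_603),    # 3: hidden ntfs, 3603 * 512 = 1845 kB, boot
    ]
    buf = bytearray(SECTOR)
    chs_placeholder = b"\xfe\xff\xff"  # assumption: LBA-only entries, CHS maxed out
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, TABLE_OFFSET + 16 * i,
                         status, chs_placeholder, ptype, chs_placeholder, start, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_mbr(mbr):
        print(p)
    print("suspicious:", [p["number"] for p in suspicious_active_partitions(parse_mbr(mbr))])
    fixed = remove_partition(set_active(mbr, 2), 3)
    print("after fix:", [(p["number"], p["active"]) for p in parse_mbr(fixed)])
```

To run it against a real capture, replace build_sample_mbr() with open("MBRbackup.zip", "rb").read() (the file the thread collects is a raw sector despite the .zip name). The check is deliberately narrow: it only reports an entry that is active and either hidden or tiny, which is the shape of this infection, so a normal layout with one active system partition produces an empty list.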





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users