HijackThis Log: Please help Diagnose


This topic is locked
18 replies to this topic

#1 NWOSwamp

NWOSwamp

  • Members
  • 9 posts

Posted 28 November 2011 - 07:23 PM

My dad's computer got infected with something. MSSE caught some of it. But some fake antivirus program snuck in. Ran just about every utility I could think of: MS Security Essentials, Spybot Search & Destroy, SUPERAntiSpyware, ComboFix, Malwarebytes' Anti-Malware, Blacklight, and probably some I forgot at this point. Long story short, something is still spawning an IE process out of svchost that generates a ton of traffic. It will also generate traffic if launched from the UI and will not exit when closed. Aside from generating a lot of traffic to random addresses (confirmed with Process Explorer), IE redirects to random websites when clicking links from Bing and Google. Those are the only two remaining issues (I think). ANY help appreciated! Thanks.

==========================================================================================================================================================================
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:11:27 PM, on 11/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\procexp.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Checking 2.lnk = ?
O4 - Startup: To Do List.doc.lnk = C:\Documents and Settings\Dad\Desktop\To Do List.doc
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1294553474671
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8551 bytes
==========================================================================================================================================================================


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 December 2011 - 06:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 NWOSwamp

NWOSwamp
  • Topic Starter

  • Members
  • 9 posts

Posted 05 December 2011 - 02:36 PM

No problem in the delay, the help is much appreciated.

My dad's computer got some virus a couple weeks ago. He said it was one of those anti-virus looking programs that came up. I tried using my usual Swiss army knife programs for removing spy/malware... MS Security Essentials (which was already installed and detected some of the malware, history is "msse_history.jpg"), Spybot Search & Destroy (with TeaTimer and IE immunization), SUPERAntiSpyware, ComboFix, Malwarebytes' Anti-Malware, Ad-Aware, Blacklight. I scanned the system with these apps multiple times. Each removed crap and eventually deemed the system clean. I did not keep any of the logs from these programs.

When I posted originally, I was still seeing in Process Explorer an "iexplore.exe" process spawned out of svchost. It was not visible on screen and generated a lot of traffic on the internet. The TCP/IP tab in Process Explorer showed a number of IP addresses and hostnames not being accessed on the system, and they were always changing.

After your reply, I monitored the system and no longer observed the behavior of iexplore.exe. But I ran the programs as requested below. Upon running GMER, Security Essentials popped up and said it found "Trojan:DOS/Alureon.E." It cannot remove this threat either. It says it has to be rebooted to remove and once rebooted, it still notifies that it's an active threat. Searching online, I also found the 15 MB partition.

Anyway, logs as requested:

=== dds.txt ===
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dad at 17:15:14 on 2011-12-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2438 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\procexp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\checki~1.lnk - c:\documents and settings\dad\my documents\checking\checking2.xlsx
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\todoli~1.lnk - c:\documents and settings\dad\desktop\To Do List.doc
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1294553474671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKsl7319036c;MpKsl7319036c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90d4292c-fc9b-4823-a168-ab3b916f1496}\MpKsl7319036c.sys [2011-12-4 29904]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-1-8 13592]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2011-1-8 35840]
.
=============== Created Last 30 ================
.
2011-12-04 18:57:58 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90d4292c-fc9b-4823-a168-ab3b916f1496}\MpKsl7319036c.sys
2011-12-04 18:57:55 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90d4292c-fc9b-4823-a168-ab3b916f1496}\offreg.dll
2011-12-04 00:41:25 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{90d4292c-fc9b-4823-a168-ab3b916f1496}\mpengine.dll
2011-12-04 00:27:50 -------- d-----w- C:\Intel
2011-11-26 17:37:13 -------- d-----w- c:\windows\SxsCaPendDel
2011-11-26 06:31:38 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-25 19:56:57 -------- d-----w- C:\ComboFix
2011-11-25 06:57:20 -------- d-sha-r- C:\cmdcons
2011-11-25 04:20:31 98816 ----a-w- c:\windows\sed.exe
2011-11-25 04:20:31 518144 ----a-w- c:\windows\SWREG.exe
2011-11-25 04:20:31 256000 ----a-w- c:\windows\PEV.exe
2011-11-25 04:20:31 208896 ----a-w- c:\windows\MBR.exe
2011-11-25 01:52:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-25 01:49:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-25 01:49:02 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-11-25 00:02:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-17 19:45:06 462104 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:21:23.09 ===============




=== gmer.log ===
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-05 00:47:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0.
Running: 7vsgkgky.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\uwtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text KDCOM.DLL!KdSendPacket BA5A8345 45 Bytes [F6, C1, 01, 74, 0A, D1, E9, ...]
.text KDCOM.DLL!KdSendPacket BA5A8373 8 Bytes [55, 8B, EC, 51, 51, 83, 65, ...]
.text KDCOM.DLL!KdSendPacket BA5A837C 9 Bytes [83, 7D, 0C, 00, 8A, 81, 00, ...]
.text KDCOM.DLL!KdD0Transition BA5A8386 26 Bytes [8A, 91, 01, 01, 00, 00, 0F, ...]
.text KDCOM.DLL!KdD0Transition + 1C BA5A83A2 27 Bytes [80, 79, 07, 48, 0D, 00, FF, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 18 BA5A83BE 111 Bytes [00, 80, 79, 08, 4A, 81, CA, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 88 BA5A842E 22 Bytes [56, 57, 85, DB, 75, 07, B8, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 9F BA5A8445 10 Bytes [A0, 00, C0, EB, 34, FF, 73, ...]
.text KDCOM.DLL!KdDebuggerInitialize1 + 5 BA5A8451 84 Bytes [00, 8B, F3, 8D, BD, 00, FE, ...]
.text KDCOM.DLL!KdRestore + 46 BA5A84A6 135 Bytes [03, 45, FC, 6A, 10, 50, FF, ...]
.text KDCOM.DLL!KdRestore + CE BA5A852E 37 Bytes [BF, 00, 00, 00, C0, 8B, C8, ...]
.text KDCOM.DLL!KdRestore + F4 BA5A8554 32 Bytes [2A, FF, FF, FF, 8B, C8, 23, ...]
.text KDCOM.DLL!KdRestore + 115 BA5A8575 6 Bytes [46, 10, 50, 68, E8, 82]
.text KDCOM.DLL!KdRestore + 11D BA5A857D 122 Bytes CALL BA5A8482 \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 3D BA5A8F89 55 Bytes [F8, 89, 5F, 78, C6, 47, 7C, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 75 BA5A8FC1 96 Bytes [00, 00, 53, FF, 15, AC, 82, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D6 BA5A9022 40 Bytes [E4, 33, C0, EB, 05, 1B, C0, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + FF BA5A904B 4 Bytes [EB, 0B, 0F, B7]
PAGEKD KDCOM.DLL!KdReceivePacket + 104 BA5A9050 1 Byte [FC]
PAGEKD ...
PAGEKD KDCOM.DLL!KdSendPacket + 39 BA5A91EB 34 Bytes [8A, 08, 40, 84, C9, 75, F9, ...]
PAGEKD KDCOM.DLL!KdSendPacket + 5C BA5A920E 57 Bytes [00, 6A, 64, 8D, 45, 98, 6A, ...]
PAGEKD KDCOM.DLL!KdSendPacket + 97 BA5A9249 134 Bytes [59, 8B, D0, 66, 8B, 08, 83, ...]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB86EF000, 0x1C5D38, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA8533A00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSendPacket] [BA5A85F8] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD0Transition] [BA5A85A6] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD3Transition] [BA5A85B0] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdReceivePacket] [BA5A85D4] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize0] [BA5A85BA] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSave] [BA5A85EC] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize1] [BA5A85C6] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdRestore] [BA5A85E0] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [BA5A85E0] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 00000032
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 736F746E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6C6E726B
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 6578652E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 00000000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:180] 88AC8309
Thread System [4:188] 88AC8A21
Thread System [4:192] 88AC9901

---- EOF - GMER 1.0.15 ----




#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 December 2011 - 07:58 PM

Gmer is flagging a rootkit and the iexplore.exe problem points to TDL4, a variant of the TDSS rootkit family.

Please run aswMBR next

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Then MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
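As an added example (not part of this thread, nor code from GMER or MBRCheck), here is a small Python triage script for the "Kernel IAT/EAT" section of the GMER log above: it parses each IAT line, checks whether the slot value lies inside the module it is supposed to point into (using the kernel module bases MBRCheck listed), and decodes the values that fall outside every loaded module as little-endian ASCII. It assumes each module extends up to the next listed base, since MBRCheck prints no image sizes; the sample lines are a constructed subset copied from the log.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# GMER "Kernel IAT/EAT" lines copied from the log in this thread (constructed subset).
SAMPLE_GMER_IAT = r"""
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSendPacket] [BA5A85F8] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [BA5A85E0] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 00000032
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 736F746E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6C6E726B
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 6578652E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 00000000
"""

# Kernel module bases from MBRCheck's "Kernel Drivers" list in this thread (subset).
# MBRCheck prints no image sizes, so each module is ASSUMED to extend up to the
# next higher base; that is an approximation, not the real PE image size.
MODULE_BASES = {
    "ntkrnlpa.exe": 0x804D7000,
    "hal.dll": 0x806E5000,
    "KDCOM.DLL": 0xBA5A8000,
    "WMILIB.SYS": 0xBA5AA000,
}

# GMER writes either "[BA5A85F8]" (resolved into a module) or a bare "00000032".
IAT_RE = re.compile(
    r"^IAT\s+(?P<importer>\S+?)\[(?P<exporter>[^!\]]+)!(?P<symbol>[^\]]+)\]"
    r"\s+\[?(?P<value>[0-9A-Fa-f]{8})\]?"
)


@dataclass
class IatSlot:
    importer: str   # module whose import table holds the slot
    exporter: str   # module the slot is supposed to point into
    symbol: str     # imported function name
    value: int      # 32-bit value GMER found in the slot

    def decoded_ascii(self) -> str:
        """The slot value as little-endian bytes, if they are printable ASCII."""
        raw = struct.pack("<I", self.value).rstrip(b"\x00")
        if raw and all(0x20 <= b < 0x7F for b in raw):
            return raw.decode("ascii")
        return ""


def parse_iat_line(line: str) -> Optional[IatSlot]:
    m = IAT_RE.match(line.strip())
    if not m:
        return None
    return IatSlot(
        importer=m["importer"].rsplit("\\", 1)[-1],
        exporter=m["exporter"],
        symbol=m["symbol"],
        value=int(m["value"], 16),
    )


def module_for(addr: int, bases: dict) -> Optional[str]:
    """Name of the module whose assumed span [base, next_base) contains addr."""
    ordered = sorted(bases.items(), key=lambda kv: kv[1])
    for (name, base), (_, next_base) in zip(ordered, ordered[1:] + [(None, 1 << 32)]):
        if base <= addr < next_base:
            return name
    return None


def classify(slot: IatSlot, bases: dict) -> str:
    owner = module_for(slot.value, bases)
    if owner is None:
        return "suspicious"   # not inside any loaded kernel module at all
    if owner.lower() == slot.exporter.lower():
        return "ok"           # points into the exporting module, as expected
    return "redirected"       # points into some other module: a hook


def triage(log_text: str, bases: dict) -> list:
    """(slot, verdict, decoded text) for every IAT line in the GMER section."""
    results = []
    for line in log_text.splitlines():
        slot = parse_iat_line(line)
        if slot:
            results.append((slot, classify(slot, bases), slot.decoded_ascii()))
    return results


def recovered_text(results) -> str:
    """Concatenate the ASCII hidden in suspicious slots, in log order."""
    return "".join(text for _, verdict, text in results if verdict == "suspicious")


if __name__ == "__main__":
    findings = triage(SAMPLE_GMER_IAT, MODULE_BASES)
    for slot, verdict, text in findings:
        print(f"{verdict:10} {slot.importer}[{slot.exporter}!{slot.symbol}] "
              f"{slot.value:08X} {text!r}")
    print("text recovered from suspicious slots:", recovered_text(findings))
```

Run against the lines above, the two slots that resolve into KDCOM.DLL come back "ok", while the five HAL.dll imports inside KDCOM.DLL hold values below every kernel module base and decode, in order, to the string "ntoskrnl.exe": data in a slot that should hold a hal.dll code address, which is why those lines are the ones to look at.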

#5 NWOSwamp

NWOSwamp
  • Topic Starter

  • Members
  • 9 posts

Posted 05 December 2011 - 09:45 PM

=== aswMBR.txt ===
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-05 20:05:50
-----------------------------
20:05:50.890 OS Version: Windows 5.1.2600 Service Pack 3
20:05:50.890 Number of processors: 2 586 0xF02
20:05:50.890 ComputerName: DAD-PC UserName: Dad
20:05:51.375 Initialize success
20:07:55.781 AVAST engine defs: 11120501
20:08:06.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
20:08:06.531 Disk 0 Vendor: Intel___ 1.0. Size: 238472MB BusType: 8
20:08:06.546 Disk 0 MBR read successfully
20:08:06.546 Disk 0 MBR scan
20:08:06.562 Disk 0 Windows XP default MBR code
20:08:06.562 Disk 0 scanning sectors +488390640
20:08:06.593 Disk 0 scanning C:\WINDOWS\system32\drivers
20:08:18.625 Service scanning
20:08:19.109 Service MpKslda5807a8 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{950324BE-DAFD-4C85-88C1-8BF974D9C4BB}\MpKslda5807a8.sys **LOCKED** 32
20:08:19.734 Modules scanning
20:08:22.828 Disk 0 trace - called modules:
20:08:22.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a8effa9]<<
20:08:22.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8feab8]
20:08:22.859 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x89aa8028]
20:08:22.859 \Driver\iaStor[0x8a999c28] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a8effa9
20:08:23.375 AVAST engine scan C:\WINDOWS
20:08:37.437 AVAST engine scan C:\WINDOWS\system32
20:11:09.984 AVAST engine scan C:\WINDOWS\system32\drivers
20:11:25.421 AVAST engine scan C:\Documents and Settings\Dad
20:40:28.671 AVAST engine scan C:\Documents and Settings\All Users
20:43:35.468 Scan finished successfully
21:02:34.265 Disk 0 MBR has been saved successfully to "F:\Bleeping Computer\4\MBR.dat"
21:02:34.453 The log file has been saved successfully to "F:\Bleeping Computer\4\aswMBR.txt"

=== MBRCheck_12.05.11_21.03.09.txt ===
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9C58000 iaStor.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9C38000 fltMgr.sys
0xB9C26000 sr.sys
0xB9C0F000 KSecDD.sys
0xB9B82000 Ntfs.sys
0xB9B55000 NDIS.sys
0xB9B3B000 Mup.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8785000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB8771000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA398000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB874D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3A0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8725000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA218000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA228000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8702000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA238000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA248000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA3A8000 \SystemRoot\System32\Drivers\Modem.SYS
0xB92B2000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA3B0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA5E4000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB86EE000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA258000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA3B8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA776000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB92AE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB86D7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA278000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA288000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB86C6000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA298000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8696000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5E6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8638000 \SystemRoot\system32\DRIVERS\update.sys
0xBA588000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8B4B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB93DD000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5F6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA7EB0000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xA7E8C000 \SystemRoot\system32\drivers\portcls.sys
0xAB8D7000 \SystemRoot\system32\drivers\drmk.sys
0xA7E74000 \SystemRoot\system32\drivers\AEAudio.sys
0xA7E14000 \SystemRoot\system32\drivers\Senfilt.sys
0xBA358000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xA055A000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xBA5B0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6BE000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5B2000 \SystemRoot\System32\Drivers\Beep.SYS
0xA160B000 \SystemRoot\System32\drivers\vga.sys
0xBA5B4000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5B6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA1603000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA15FB000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAB92F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA0527000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA04CE000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA04A6000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA1084000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA0480000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA045E000 \SystemRoot\System32\drivers\afd.sys
0xA08DF000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA0433000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA08CF000 \SystemRoot\System32\Drivers\Fips.SYS
0xA8F98000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xA089F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA0180000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA7F28000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA390000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA70F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF065000 \SystemRoot\System32\ati2cqag.dll
0xBF0FE000 \SystemRoot\System32\atikvmag.dll
0xBF182000 \SystemRoot\System32\atiok3x2.dll
0xBF1CD000 \SystemRoot\System32\ati3duag.dll
0xBF572000 \SystemRoot\System32\ativvaxx.dll
0xBF9C6000 \SystemRoot\System32\ATMFD.DLL
0xB92C2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9DE3B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA5DA000 \SystemRoot\System32\Drivers\ParVdm.SYS
0x9DD43000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA368000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9D8AF000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x9D89A000 \SystemRoot\system32\drivers\wdmaud.sys
0x9DA03000 \SystemRoot\system32\drivers\sysaudio.sys
0x9D6B7000 \SystemRoot\System32\Drivers\HTTP.sys
0x9B3E2000 \??\C:\DOCUME~1\Dad\LOCALS~1\Temp\aswMBR.sys
0xBA490000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC00DEFD-40EB-4FA4-8D5A-053C02322611}\MpKsl9e4ecafd.sys
0x9ABA9000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 39):
0 System Idle Process
4 System
496 C:\WINDOWS\system32\smss.exe
544 csrss.exe
576 C:\WINDOWS\system32\winlogon.exe
620 C:\WINDOWS\system32\services.exe
632 C:\WINDOWS\system32\lsass.exe
788 C:\WINDOWS\system32\ati2evxx.exe
808 C:\WINDOWS\system32\svchost.exe
884 svchost.exe
972 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1008 C:\WINDOWS\system32\svchost.exe
1084 C:\WINDOWS\system32\ati2evxx.exe
1144 svchost.exe
1188 svchost.exe
1292 C:\WINDOWS\system32\spoolsv.exe
1372 svchost.exe
1536 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
1588 C:\Program Files\Java\jre6\bin\jqs.exe
1652 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
1724 C:\WINDOWS\system32\svchost.exe
1788 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
340 alg.exe
2584 C:\WINDOWS\explorer.exe
2696 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
2764 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2836 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2900 C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
2908 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
2988 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
3072 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
3084 C:\Program Files\Microsoft Security Client\msseces.exe
3132 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3168 C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
3200 C:\WINDOWS\system32\ctfmon.exe
3376 WPFFontCache_v0400.exe
3384 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
2896 F:\Bleeping Computer\4\aswMBR.exe
3108 F:\Bleeping Computer\5\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT)

PhysicalDrive0 Model Number: WDCWD2500AAKS-00F0A0, Rev: 12.01B02
PhysicalDrive1 Model Number: LEXARJUMPDRIVE SECURE, Rev: 1000

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
0 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#6 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 06 December 2011 - 05:44 PM

I need a Master Boot Record log, but done offline.

Try this please. You will also need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on the HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back into your working computer.
  • Locate the mbr.zip file on your USB drive and attach it when you reply.

m0le is a proud member of UNITE

#7 NWOSwamp (Topic Starter, Members, 9 posts)

Posted 06 December 2011 - 09:08 PM

Here is mbr.zip...

Attached file: mbr.zip (2.74KB)


#8 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 08 December 2011 - 08:56 PM

  • Boot the sick computer with the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following:

        parted /dev/sda set 1 boot on

  • Press Enter
  • Now type:

        parted /dev/sda rm 2

Now reboot without xPUD and rerun MBRCheck and post the log.

Edited by m0le, 08 December 2011 - 08:57 PM.

m0le is a proud member of UNITE
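A worked example, added here and not part of the thread or of any of the tools used in it (aswMBR, MBRCheck, dumpit, parted): a small Python audit of a dumped 512-byte MBR image, showing what the partition report in the MBRCheck log above and m0le's two parted commands (set 1 boot on, rm 2) actually operate on. It parses the four partition-table entries, hashes the boot-code region (that this matches what MBRCheck hashes for its SHA1 line is an assumption), flags the layout the thread is fixing, where the active flag has moved to a small partition appended in the unpartitioned tail of the disk, and applies the equivalent of the two parted commands to the image offline, never to a live disk. The disk size (488,397,168 sectors), the partition type 0x1B, the sector counts and the all-zero boot code are constructed fixtures, not values from the logs; only the start at LBA 63 (offset 0x7E00) matches what MBRCheck reported for C:.

```python
"""Offline audit of a dumped 512-byte MBR image (added example, not thread code).

Run with the path to an mbr.dat / MBR.dat as dumped by aswMBR or dumpit, or with
no arguments to audit the constructed fixtures defined below.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import List

SECTOR = 512
PT_OFFSET = 446            # partition table follows 440 bytes of boot code + 6 bytes of signature/reserved
BOOT_SIG = b"\x55\xaa"     # last two bytes of any valid MBR
DISK_SECTORS = 488397168   # constructed: a 250 GB disk, not a value taken from the logs


@dataclass
class PartitionEntry:
    index: int        # 1-based, the numbering parted uses
    active: bool      # status byte 0x80 means bootable/active
    type_id: int
    lba_start: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.sectors == 0


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte partition entries; refuse anything that is not an MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        entries.append(PartitionEntry(i + 1, status == 0x80, ptype, lba, count))
    return entries


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the 440-byte boot code region (assumed comparable to MBRCheck's SHA1 line)."""
    return hashlib.sha1(mbr[:440]).hexdigest().upper()


def audit_mbr(mbr: bytes, disk_sectors: int, tail_limit: int = 131072) -> List[str]:
    """Return human-readable findings; an empty list means the table looks ordinary."""
    findings = []
    entries = [e for e in parse_mbr(mbr) if not e.empty]
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    elif active[0].index != 1:
        findings.append(f"active flag is on partition {active[0].index}, not partition 1")
    for e in entries:
        if e.lba_start + e.sectors > disk_sectors:
            findings.append(f"partition {e.index} extends past the end of the disk")
    # A small partition sitting alone in the unpartitioned tail of the disk, after every
    # other partition, is the layout the parted commands in this thread remove.
    if len(entries) > 1:
        last = max(entries, key=lambda e: e.lba_start)
        others_end = max(e.lba_start + e.sectors for e in entries if e is not last)
        if last.lba_start >= others_end and last.sectors <= tail_limit:
            findings.append(
                f"small partition {last.index} (type 0x{last.type_id:02X}, "
                f"{last.sectors} sectors) appended at the end of the disk"
            )
    return findings


def repair_table(mbr: bytes, boot_index: int = 1, remove_index: int = 2) -> bytes:
    """Offline equivalent of 'parted /dev/sda set 1 boot on' and 'parted /dev/sda rm 2'
    applied to a dumped image: returns a new image and never writes to a live disk."""
    out = bytearray(mbr)
    for i in range(4):
        off = PT_OFFSET + 16 * i
        if i + 1 == remove_index:
            out[off:off + 16] = b"\x00" * 16                     # rm 2: clear the whole entry
        else:
            out[off] = 0x80 if i + 1 == boot_index else 0x00   # set 1 boot on, clear the rest
    return bytes(out)


def make_mbr(parts, boot_code: bytes = b"\x00" * 440) -> bytes:
    """Build a constructed MBR fixture (placeholder boot code, not real Windows XP code)."""
    table = bytearray(64)
    for i, (active, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", table, 16 * i, 0x80 if active else 0, ptype, lba, count)
    return boot_code + b"\x00" * 6 + bytes(table) + BOOT_SIG   # 440 + 6 + 64 + 2 = 512


# Constructed fixtures. LBA 63 is byte offset 0x7E00, the C: offset in the MBRCheck log.
CLEAN_MBR = make_mbr([(True, 0x07, 63, 488390577)])
INFECTED_MBR = make_mbr([
    (False, 0x07, 63, 488390577),     # OS partition with its active flag taken away
    (True, 0x1B, 488390640, 6528),    # small active partition in the tail of the disk
])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else INFECTED_MBR
    print("boot code SHA1:", boot_code_sha1(image))
    for e in parse_mbr(image):
        if not e.empty:
            print(f"  partition {e.index}: active={e.active} type=0x{e.type_id:02X} "
                  f"start={e.lba_start} sectors={e.sectors}")
    for finding in audit_mbr(image, DISK_SECTORS):
        print("  !!", finding)
```

Run against the constructed infected fixture, the audit reports both that the active flag sits on partition 2 and that a small partition has been appended at the end of the disk; after repair_table() the table is identical to the clean fixture while the boot-code hash is unchanged, which is why MBRCheck kept reporting "Windows XP MBR code detected" throughout this thread: the boot code was never what changed, the partition table was. The tail-partition heuristic and its 131072-sector threshold are this example's own choices, not a rule from any of the tools.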

#9 NWOSwamp (Topic Starter, Members, 9 posts)

Posted 10 December 2011 - 03:54 PM

New mbr.zip

Attached file: mbr.zip (2.69KB)


#10 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 10 December 2011 - 06:54 PM

That's gone. Please rerun aswMBR and post the log.
m0le is a proud member of UNITE

#11 NWOSwamp (Topic Starter, Members, 9 posts)

Posted 10 December 2011 - 07:59 PM

=== aswMBR.txt ===
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-10 19:18:02
-----------------------------
19:18:02.125 OS Version: Windows 5.1.2600 Service Pack 3
19:18:02.125 Number of processors: 2 586 0xF02
19:18:02.125 ComputerName: DAD-PC UserName: Dad
19:18:02.875 Initialize success
19:18:14.171 AVAST engine defs: 11121001
19:18:25.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:18:25.968 Disk 0 Vendor: Intel___ 1.0. Size: 238472MB BusType: 8
19:18:25.984 Disk 0 MBR read successfully
19:18:25.984 Disk 0 MBR scan
19:18:26.062 Disk 0 Windows XP default MBR code
19:18:26.078 Disk 0 scanning sectors +488390640
19:18:26.125 Disk 0 scanning C:\WINDOWS\system32\drivers
19:18:37.734 Service scanning
19:18:38.187 Service MpKsl1cba108e c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9CF42CDF-0DA1-47DF-9BD1-AEAC74A2EB2E}\MpKsl1cba108e.sys **LOCKED** 32
19:18:38.828 Modules scanning
19:18:42.453 Disk 0 trace - called modules:
19:18:42.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88ab5fa9]<<
19:18:42.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8aaab8]
19:18:42.468 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a916028]
19:18:42.484 \Driver\iaStor[0x8a963140] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x88ab5fa9
19:18:43.156 AVAST engine scan C:\WINDOWS
19:18:58.078 AVAST engine scan C:\WINDOWS\system32
19:21:40.218 AVAST engine scan C:\WINDOWS\system32\drivers
19:21:59.250 AVAST engine scan C:\Documents and Settings\Dad
19:50:23.046 AVAST engine scan C:\Documents and Settings\All Users
19:53:31.046 Scan finished successfully
19:55:42.484 Disk 0 MBR has been saved successfully to "F:\Bleeping Computer\8\MBR.dat"
19:55:42.640 The log file has been saved successfully to "F:\Bleeping Computer\8\aswMBR.txt"

#12 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 10 December 2011 - 08:28 PM

How is the machine running now?
m0le is a proud member of UNITE

#13 NWOSwamp (Topic Starter, Members, 9 posts)

Posted 11 December 2011 - 02:27 PM

At the moment it seems to be running well. I haven't seen any pop-ups and the anti-virus is OK with everything. I'll have him keep an eye out for search engine redirects.

Much appreciated. How do you guys do it??

#14 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 11 December 2011 - 07:39 PM

"How do you guys do it??"

It's all down to teamwork; the malware removal community is a massive network of really good people.


Can you get an ESET online scan, just to make sure there are no leftovers hanging around?
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply.
If no log is generated that means nothing was found. Please let me know if this happens.

Edited by m0le, 11 December 2011 - 07:40 PM.

m0le is a proud member of UNITE

#15 NWOSwamp (Topic Starter, Members, 9 posts)

Posted 12 December 2011 - 01:12 AM

It did, but the file was already on the computer and the other is probably the copy:

===
C:\Documents and Settings\Dad\Desktop\Notebook Docs Bkup\My Documents Kim\downloads\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined
C:\System Volume Information\_restore{D80773E1-46E2-42D2-8C09-238F54795E25}\RP367\A0041689.exe Win32/Adware.WBug.A application deleted - quarantined

===
