former browser hijack via trojan win32.reveton.a


  • This topic is locked
3 replies to this topic

#1 doon1968

Posted 25 December 2011 - 11:44 AM

hi all

had an IE8 browser hijack from Trojan Win32.Reveton.A and ran Malwarebytes in safe mode to remove it. still had a process of ping.exe trying to run constantly in the background, trying to contact outgoing IP 83.133.124.196. used TDSSKiller to stop that.

have now run DeFogger to kill CD emulation, and DDS, with the following logs:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by michael at 10:46:09 on 2011-12-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.354 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUman000&fl=0&ptb=xRT6VLxMu8Tb9xOjvjx4CQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uSearch Bar = hxxp://www.orange.co.uk/iesearch/
uStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyServer = http=hxxp://www-cache.orangehome.co.uk:8080;ftp=http://www-cache.orangehome.co.uk:8080
mSearchAssistant = hxxp://search.alot.com/sidebar?pr=asst&client_id=F6F53FB001C8DB55002628FB&install_time=01-07-2008:09:39&src_id=11031&tb_version=1.2.1.200&q=To&url=http%3A%2F%2Fhome%2Ealot%2Ecom%3Fclient%5Fid%3DF6F53FB001C8DB55002628FB%26install%5Ftime%3D01%2D07%2D2008%3A09%3A39%26src%5Fid%3D11031%26tb%5Fversion%3D1%2E2%2E1%2E200
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Radio TV 2.1 Toolbar: {4adc4b13-b4c2-4946-835e-c5f61fa9d8bf} - c:\program files\radio_tv_2.1\prxtbRad0.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Radio TV 2.1 Toolbar: {4adc4b13-b4c2-4946-835e-c5f61fa9d8bf} - c:\program files\radio_tv_2.1\prxtbRad0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{827F33F4-CBE4-42E9-928D-C44ACD573C86} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: fdewuqe - c:\documents and settings\networkservice\local settings\application data\fdewuqe.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsldc02b742;MpKsldc02b742;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3067fa-4dde-4636-9677-d5c43b7d1b34}\MpKsldc02b742.sys [2011-12-25 29904]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-22 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-22 366152]
R2 MioNet;MioNet Service;c:\program files\mionet\MioNetManager.exe [2005-7-15 139264]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-22 22216]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-7 21520]
S1 MpKsl3caa6d65;MpKsl3caa6d65;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdb56520-368e-4e47-a000-6d1cf8e3f90a}\mpksl3caa6d65.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdb56520-368e-4e47-a000-6d1cf8e3f90a}\MpKsl3caa6d65.sys [?]
S1 MpKsl4fc6cec2;MpKsl4fc6cec2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ecae09e-bc91-4ca4-85e1-a881dbea24ff}\mpksl4fc6cec2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ecae09e-bc91-4ca4-85e1-a881dbea24ff}\MpKsl4fc6cec2.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]
.
=============== Created Last 30 ================
.
2011-12-25 08:10:58 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3067fa-4dde-4636-9677-d5c43b7d1b34}\MpKsldc02b742.sys
2011-12-25 08:10:34 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3067fa-4dde-4636-9677-d5c43b7d1b34}\offreg.dll
2011-12-25 08:10:30 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5b3067fa-4dde-4636-9677-d5c43b7d1b34}\mpengine.dll
2011-12-23 11:50:56 -------- d-----w- c:\windows\system32\NtmsData
2011-12-23 10:13:42 -------- d-----w- c:\program files\CCleaner
2011-12-22 15:54:29 -------- d-----w- c:\program files\FreshDevices
2011-12-22 15:34:02 8211200 ----a-w- c:\documents and settings\michael\application data\ts3client_win32.exe
2011-12-22 15:33:59 -------- d-----w- c:\program files\Xenocode
2011-12-22 15:33:59 -------- d-----w- c:\documents and settings\michael\local settings\application data\Xenocode
2011-12-22 15:16:58 -------- d-----w- c:\documents and settings\michael\application data\SUPERAntiSpyware.com
2011-12-22 14:46:35 388096 ----a-r- c:\documents and settings\michael\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-22 14:46:31 -------- d-----w- c:\program files\Trend Micro
2011-12-22 14:39:15 -------- d-----w- c:\program files\NKProds
2011-12-22 14:31:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-22 14:31:23 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-22 14:31:09 -------- d-----w- c:\documents and settings\all users\application data\SUPERSetup
2011-12-22 14:26:27 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-22 13:34:58 -------- d-----w- c:\documents and settings\michael\local settings\application data\PCHealth
2011-12-22 13:25:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-22 13:25:47 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-22 13:13:17 -------- d-----w- c:\program files\Mozilla Firefox(2)
2011-12-22 13:10:28 -------- d--h--w- c:\windows\ie8
2011-12-21 14:48:12 -------- d-----w- c:\documents and settings\michael\application data\MSNInstaller
2011-12-21 14:37:21 -------- d-----w- c:\documents and settings\michael\application data\Malwarebytes
2011-12-21 14:37:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-21 14:37:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 11:08:44 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-12-11 10:57:58 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-12-11 10:57:58 215920 ----a-w- c:\windows\system32\muweb.dll
2011-12-11 10:57:58 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-12-10 09:45:38 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-10 09:39:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-07 10:57:20 -------- d-----w- c:\documents and settings\michael\local settings\application data\LogMeIn Rescue Applet
2011-12-05 20:27:04 -------- d-----w- c:\documents and settings\michael\application data\Umunyl
2011-12-05 20:27:04 -------- d-----w- c:\documents and settings\michael\application data\Syecinu
2011-12-04 12:14:13 -------- d-----w- c:\program files\New Folder
.
==================== Find3M ====================
.
2011-12-23 11:49:58 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-07 21:28:38 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-04 19:20:51 916992 ------w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-20 11:49:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-17 14:48:28 69948784 ----a-w- c:\program files\iTunesSetup.exe
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
.
============= FINISH: 10:47:35.10 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 29/01/2008 16:09:55
System Uptime: 25/12/2011 07:58:34 (3 hours ago)
.
Motherboard: Dell Computer Corp. | | 0X1105
Processor: Intel® Pentium® 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 105.222 GiB free.
D: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP423: 31/10/2011 14:16:28 - System Checkpoint
RP424: 01/11/2011 14:43:34 - System Checkpoint
RP425: 03/11/2011 11:25:05 - System Checkpoint
RP426: 03/11/2011 21:26:26 - Installed Rapport
RP427: 07/11/2011 17:35:09 - Installed Rapport
RP428: 09/11/2011 13:53:21 - Software Distribution Service 3.0
RP429: 09/11/2011 17:15:44 - Installed Rapport
RP430: 10/11/2011 18:47:29 - System Checkpoint
RP431: 11/11/2011 11:47:33 - Software Distribution Service 3.0
RP432: 14/11/2011 16:47:29 - Restore Operation
RP433: 17/05/2004 01:03:11 - Restore Operation
RP434: 17/05/2004 00:03:19 - Restore Operation
RP435: 18/05/2004 00:08:22 - System Checkpoint
RP436: 19/05/2004 00:14:14 - System Checkpoint
RP437: 21/05/2004 22:16:26 - System Checkpoint
RP438: 22/05/2004 22:42:34 - System Checkpoint
RP439: 23/05/2004 15:14:32 - Restore Operation
RP440: 23/05/2004 17:13:16 - Restore Operation
RP441: 23/05/2004 21:28:11 - Restore Operation
RP442: 22/11/2011 20:17:24 - System Checkpoint
RP443: 24/11/2011 11:31:05 - System Checkpoint
RP444: 28/11/2011 14:13:16 - System Checkpoint
RP445: 29/11/2011 15:10:46 - System Checkpoint
RP446: 30/11/2011 15:59:21 - System Checkpoint
RP447: 17/05/2004 06:04:52 - System Checkpoint
RP448: 18/05/2004 08:37:44 - System Checkpoint
RP449: 03/12/2011 12:05:54 - Restore Operation
RP450: 04/12/2011 10:24:58 - Restore Operation
RP451: 04/12/2011 11:55:10 - Restore Operation
RP452: 04/12/2011 16:39:04 - Installed Rapport
RP453: 04/12/2011 17:25:38 - Removed Ask Toolbar.
RP454: 04/12/2011 17:27:59 - Removed Bonjour
RP455: 04/12/2011 17:38:10 - Software Distribution Service 3.0
RP456: 05/12/2011 20:52:19 - System Checkpoint
RP457: 06/12/2011 17:19:37 - Removed Ask Toolbar.
RP458: 10/12/2011 09:45:37 - Software Distribution Service 3.0
RP459: 11/12/2011 11:07:46 - Software Distribution Service 3.0
RP460: 12/12/2011 14:31:16 - Software Distribution Service 3.0
RP461: 13/12/2011 15:00:30 - System Checkpoint
RP462: 13/12/2011 18:01:26 - Software Distribution Service 3.0
RP463: 13/12/2011 20:39:05 - Software Distribution Service 3.0
RP464: 14/12/2011 21:49:50 - Software Distribution Service 3.0
RP465: 15/12/2011 09:45:44 - Software Distribution Service 3.0
RP466: 16/12/2011 10:21:38 - Software Distribution Service 3.0
RP467: 17/12/2011 15:50:28 - Software Distribution Service 3.0
RP468: 19/12/2011 06:29:59 - Software Distribution Service 3.0
RP469: 20/12/2011 14:30:30 - Software Distribution Service 3.0
RP470: 21/12/2011 16:57:54 - Software Distribution Service 3.0
RP471: 22/12/2011 13:10:03 - Restore Operation
RP472: 22/12/2011 13:32:57 - Software Distribution Service 3.0
RP473: 22/12/2011 14:22:49 - Software Distribution Service 3.0
RP474: 22/12/2011 14:46:29 - Installed HiJackThis
RP475: 22/12/2011 15:21:04 - Installed Microsoft Fix it 50157
RP476: 23/12/2011 10:16:41 - Installed Microsoft Fix it 50157
RP477: 23/12/2011 12:05:51 - Removed SPAMfighter
RP478: 23/12/2011 20:42:25 - Software Distribution Service 3.0
RP479: 24/12/2011 20:50:24 - System Checkpoint
RP480: 25/12/2011 08:10:20 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
BT Broadband Desktop Help
BT Wireless Connection Manager
BT Yahoo! Applications
BTHomeHub
Canon MP Navigator 3.0
Canon MP460
Canon MP460 User Registration
Canon Utilities Easy-PhotoPrint
CCleaner
Conduit Engine
Critical Update for Windows Media Player 11 (KB959772)
Dell Resource CD
Easy-WebPrint
FinePixViewer Ver.3.2
FUJIFILM USB Driver
getPlus® for Adobe
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImageMixer VCD for FinePix
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
InterVideo WinDVD
iTunes
Java Auto Updater
Java™ 6 Update 23
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Magentic
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MicroStaff WINASPI
MioNet
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero OEM
Nero Suite
Norton Ghost
Philips SPC210NC Webcam
Photo Notifier and Animation Creator
Picture Package Music Transfer
QuickTime
Radio TV 2.1 Toolbar
Rapport
screensaverV2
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype Toolbars
Skype™ 4.2
Skype™ 5.5
Sonic UDF Reader
Sony Picture Utility
Sony USB Driver
SoundMAX
SpeedTouch USB Software
SUPERAntiSpyware
TomTom HOME 2.7.5.2014
TomTom HOME Visual Studio Merge Modules
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
24/12/2011 20:51:44, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'app-config_var_0.cfg.data' on the volume 'Hardd .. lume1'. It has stopped monitoring the volume.
24/12/2011 20:51:26, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
24/12/2011 20:47:01, error: Schedule [7901] - The At90.job command failed to start due to the following error: %%2147942402
24/12/2011 19:47:02, error: Schedule [7901] - The At88.job command failed to start due to the following error: %%2147942402
24/12/2011 18:47:03, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402
24/12/2011 17:47:00, error: Schedule [7901] - The At84.job command failed to start due to the following error: %%2147942402
24/12/2011 16:47:00, error: Schedule [7901] - The At82.job command failed to start due to the following error: %%2147942402
24/12/2011 12:36:17, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
22/12/2011 16:11:15, error: Internet Explorer 8 [4376] - Internet Explorer 8 ie8 uninstall failed, leaving Internet Explorer 8 partially updated.
Internet Explorer 8 Uninstall canceled.
22/12/2011 15:47:00, error: Schedule [7901] - The At80.job command failed to start due to the following error: %%2147942402
22/12/2011 14:55:05, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.
22/12/2011 14:01:50, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1438.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
22/12/2011 14:01:50, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
22/12/2011 14:01:43, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
22/12/2011 13:59:22, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
22/12/2011 13:52:06, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter
22/12/2011 13:51:32, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
22/12/2011 13:47:00, error: Schedule [7901] - The At76.job command failed to start due to the following error: %%2147942402
22/12/2011 13:39:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1438.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
22/12/2011 13:39:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1438.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
22/12/2011 13:39:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1438.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
22/12/2011 13:27:32, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: Access is denied.
22/12/2011 13:26:49, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0
22/12/2011 12:47:00, error: Schedule [7901] - The At74.job command failed to start due to the following error: %%2147942402
22/12/2011 12:37:21, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
21/12/2011 16:47:14, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'i8042prt.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
21/12/2011 15:33:21, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
21/12/2011 14:47:00, error: Schedule [7901] - The At78.job command failed to start due to the following error: %%2147942402
19/12/2011 06:47:00, error: Schedule [7901] - The At62.job command failed to start due to the following error: %%2147942402
18/12/2011 11:47:00, error: Schedule [7901] - The At72.job command failed to start due to the following error: %%2147942402
.
==== End Of File ===========================

tried to run gmer.exe, first time crashed with stop dump error. tried to run in safe mode but due to the screen resolution in xp pro could not access the save and copy button on the user interface. tried again to run today in normal boot but after scan system shut down and rebooted with chkdsk and into normal boot.

think the browser hijack has been sorted but now left with the problem of no toolbar in ie8 and no right click function. also one of the users has been deleted from the xp login screen but their details are still available in windows explorer.

any help would be greatly appreciated as really don't want to have to do a fresh install of xp. have already tried to uninstall ie8 but get errors on uninstall, and errors doing a reinstall as well.

Happy holidays!!!!!!!!

rgds doon
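A small parser for the DDS "Event Viewer Messages" section above, as an added example that is not part of the original post or of the DDS tool: it groups the recurring errors by source and event ID and pulls out the At*.job names from the Schedule [7901] entries, running on a constructed sample in the same line format (including a continuation line like the IE8 uninstall error):

```python
import re
from collections import Counter

# One DDS event line: "DD/MM/YYYY HH:MM:SS, level: SOURCE [ID] - message"
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Constructed sample shaped like the DDS "Event Viewer Messages" section;
# the second entry carries a continuation line without a timestamp.
SAMPLE_LOG = """\
24/12/2011 20:47:01, error: Schedule [7901] - The At90.job command failed to start due to the following error: %%2147942402
22/12/2011 16:11:15, error: Internet Explorer 8 [4376] - Internet Explorer 8 ie8 uninstall failed, leaving Internet Explorer 8 partially updated.
Internet Explorer 8 Uninstall canceled.
22/12/2011 15:47:00, error: Schedule [7901] - The At80.job command failed to start due to the following error: %%2147942402
22/12/2011 14:55:05, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.
"""

def parse_dds_events(text):
    """Parse DDS event lines into dicts. A line that does not start with a
    timestamp is a continuation of the previous event's message."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif events and line.strip():
            events[-1]["message"] += " " + line.strip()
    return events

def recurring_errors(events, min_count=2):
    """Count (source, event_id) pairs among error-level events and keep those
    seen at least min_count times, so repeated failures stand out for review."""
    counts = Counter((e["source"], e["event_id"])
                     for e in events if e["level"] == "error")
    return {k: v for k, v in counts.items() if v >= min_count}

def scheduled_task_jobs(events):
    """Return the At*.job names from Schedule [7901] failures; these are the
    scheduled tasks a responder would want to review after an infection."""
    jobs = []
    for e in events:
        if e["source"] == "Schedule" and e["event_id"] == "7901":
            m = re.search(r"The (\S+\.job) command", e["message"])
            if m:
                jobs.append(m.group(1))
    return jobs

if __name__ == "__main__":
    evs = parse_dds_events(SAMPLE_LOG)
    print(recurring_errors(evs))
    print(scheduled_task_jobs(evs))
```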

#2 doon1968

doon1968
  • Topic Starter

  • Members
  • 4 posts

Posted 26 December 2011 - 11:56 PM

bump

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 30 December 2011 - 08:47 PM

Hi

Please run the following:

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 January 2012 - 06:01 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
