
unknown malware


  • This topic is locked
1 reply to this topic

#1 Ribo3 (Members, 12 posts)

Posted 03 May 2012 - 09:17 AM

So I am working on a buddy's computer. He gave it to me because his kids' game wouldn't load. I determined that he needed DirectX installed. I tried to install it but I got a message about a corrupt cab file.

He was running an expired version of Kaspersky AV. I removed it and installed Malwarebytes and SAS. They found a ton of stuff. Silly me didn't write anything down to make note of what he was infected with.

Long story short, all the scans are now coming back clean but I know there is still something wrong. The main thing that I don't like is that every time you reboot and then open IE it asks if you want to make it the default browser. That seems to be a red flag to me.

I still can't install DirectX; I'm still getting the corrupt cabinet file message. To me I would think that might indicate a rootkit.

Weird thing is that it isn't running slow, I'm not seeing any pop ups or search redirects or anything like that. In fact, it seems to be running very well. I'm just afraid there is still something on there.

I also included a GMER log below as ark.txt.


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Garrett at 15:49:09 on 2012-04-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.509 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\mapquest toolbar\mapquesttbServer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\42IEF6G1\Defogger[1].exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://oc-startpage.aol.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com
uURLSearchHooks: MapQuest Toolbar Search Class: {2558d83c-097c-4cf1-9163-ce5ecc36ace2} - c:\program files\mapquest toolbar\mapquesttb.dll
mURLSearchHooks: MapQuest Toolbar Search Class: {2558d83c-097c-4cf1-9163-ce5ecc36ace2} - c:\program files\mapquest toolbar\mapquesttb.dll
BHO: MRI_DISABLED - No File
BHO: IEVkbdBHO - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MapQuest Toolbar Loader: {bd3fd433-147a-482e-a192-614f26e2310c} - c:\program files\mapquest toolbar\mapquesttb.dll
TB: MapQuest Toolbar: {9302e698-7e00-43ab-b867-c6e759bc2ada} - c:\program files\mapquest toolbar\mapquesttb.dll
EB: MRI_DISABLED - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_30.dll
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{69CC3030-A4CD-4940-ADAD-F7D9A39D3B16} : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{85E5CBD6-1030-4023-B925-3DC49E577D9A} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{D48A1920-F295-4748-876D-81B66FD30EDC} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{DFDA6BEA-2A4F-4F68-A022-391AB6B062F8} : DhcpNameServer = 10.0.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-20 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-20 654408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-20 253088]
S3 APR;APR;\??\c:\program files\gamersfirst\knight online\apr.sys --> c:\program files\gamersfirst\knight online\APR.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-20 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-20 22344]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17d.tmp --> c:\windows\system32\17D.tmp [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\garrett\locals~1\temp\mfe_rr.sys --> c:\docume~1\garrett\locals~1\temp\mfe_rr.sys [?]
S3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);c:\windows\system32\drivers\ZD1211BU.sys [2010-4-22 722432]
.
=============== Created Last 30 ================
.
2012-04-28 20:36:19 -------- d-----w- c:\documents and settings\garrett\local settings\application data\MapQuest Toolbar
2012-04-28 03:49:21 -------- d-----w- c:\program files\MapQuest Toolbar
2012-04-28 03:49:21 -------- d-----w- c:\documents and settings\all users\application data\MapQuest Toolbar
2012-04-28 03:49:09 -------- d-----w- c:\program files\common files\Software Update Utility
2012-04-28 03:38:55 -------- d-----w- c:\program files\IZArc
2012-04-28 03:38:55 -------- d-----w- c:\documents and settings\garrett\application data\OpenCandy
2012-04-25 05:47:07 2682 ----a-w- C:\cc_20120425_004705.reg
2012-04-25 05:10:53 94480 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-04-25 04:25:50 10854 ----a-w- C:\cc_20120424_232548.reg
2012-04-22 05:07:46 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2012-04-22 04:58:56 73728 ----a-r- c:\documents and settings\garrett\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-04-22 04:58:56 73728 ----a-r- c:\documents and settings\garrett\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-04-22 04:58:56 73728 ----a-r- c:\documents and settings\garrett\application data\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2012-04-22 04:57:54 -------- d-----w- c:\program files\Sophos
2012-04-22 03:07:43 -------- d-sha-r- C:\cmdcons
2012-04-22 02:29:11 98816 ----a-w- c:\windows\sed.exe
2012-04-22 02:29:11 518144 ----a-w- c:\windows\SWREG.exe
2012-04-22 02:29:11 256000 ----a-w- c:\windows\PEV.exe
2012-04-22 02:29:11 208896 ----a-w- c:\windows\MBR.exe
2012-04-21 05:40:46 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-04-21 05:40:43 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-04-21 05:40:41 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-04-21 05:40:38 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-04-21 05:40:34 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-04-21 05:40:28 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-04-21 05:40:24 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-04-21 05:40:21 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-04-21 05:40:15 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-04-21 05:40:13 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2012-04-21 05:38:55 11775 -c--a-w- c:\windows\system32\dllcache\wadv05nt.sys
2012-04-21 05:37:57 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2012-04-21 05:36:57 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2012-04-21 05:35:58 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2012-04-21 05:34:57 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2012-04-21 05:33:49 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2012-04-21 05:32:57 12288 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2012-04-21 05:31:57 50432 -c--a-w- c:\windows\system32\dllcache\sisv.sys
2012-04-21 05:30:59 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2012-04-21 05:29:57 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2012-04-21 05:28:42 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2012-04-21 05:27:58 112574 -c--a-w- c:\windows\system32\dllcache\ptserlp.sys
2012-04-21 05:26:59 27904 -c--a-w- c:\windows\system32\dllcache\perm2.sys
2012-04-21 05:25:59 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2012-04-21 05:24:55 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2012-04-21 05:23:58 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2012-04-21 05:23:55 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2012-04-21 05:23:52 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2012-04-21 05:23:50 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2012-04-21 05:23:47 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2012-04-21 05:23:44 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2012-04-21 05:23:41 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2012-04-21 05:23:37 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2012-04-21 05:23:25 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2012-04-21 05:23:19 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2012-04-21 05:23:10 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2012-04-21 05:23:07 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2012-04-21 05:21:58 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2012-04-21 05:20:59 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2012-04-21 05:19:34 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2012-04-21 05:18:59 702845 -c--a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2012-04-21 05:17:59 324608 -c--a-w- c:\windows\system32\dllcache\hpojwia.dll
2012-04-21 05:16:58 320384 -c--a-w- c:\windows\system32\dllcache\g200m.sys
2012-04-21 05:15:59 595647 -c--a-w- c:\windows\system32\dllcache\es56cvmp.sys
2012-04-21 05:14:59 26698 -c--a-w- c:\windows\system32\dllcache\dlh5xnd5.sys
2012-04-21 05:13:59 3712 -c--a-w- c:\windows\system32\dllcache\ctljystk.sys
2012-04-21 05:12:59 32256 -c--a-w- c:\windows\system32\dllcache\brmfrsmg.exe
2012-04-21 05:11:50 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-04-21 04:55:15 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-21 04:46:56 -------- d-----w- c:\windows\msdownld.tmp
2012-04-21 04:20:50 -------- d-----w- c:\program files\CrossLoop
2012-04-21 04:12:09 -------- d-----w- c:\documents and settings\garrett\application data\Auslogics
2012-04-21 04:12:05 -------- d-----w- c:\program files\Auslogics
2012-04-21 04:05:31 3614 ----a-w- C:\cc_20120420_230530.reg
2012-04-21 04:04:38 657434 ----a-w- C:\cc_20120420_230431.reg
2012-04-21 03:14:01 -------- d-----w- c:\documents and settings\garrett\local settings\application data\Temp
2012-04-21 02:24:36 -------- d-----w- c:\documents and settings\garrett\application data\Malwarebytes
2012-04-21 02:08:42 -------- d-----w- c:\program files\AVAST Software
2012-04-21 02:08:42 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-04-21 02:06:08 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-21 02:06:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 02:06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-21 02:05:34 -------- d-----w- c:\program files\CCleaner
2012-04-21 02:04:02 -------- d-----w- c:\documents and settings\garrett\application data\SUPERAntiSpyware.com
2012-04-21 02:03:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-21 02:03:17 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-04-21 04:55:15 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:49:28.96 ===============


Yes, this is a repost of my earlier post here. I waited 5 days with no response and I didn't want to bump the other post per forum instructions.
http://www.bleepingcomputer.com/forums/topic451811.html/page__p__2681805#entry2681805

Attached Files
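The DDS log in the post above is read by eye on this forum, but the first pass an analyst does is mechanical: look for services or drivers whose image sits in a temp directory or is a .tmp file, entries DDS could not stat, BHO/toolbar entries that point at "No File", and processes running out of Temporary Internet Files. The script below applies exactly those checks. It is an added example written for this page, not part of the original post, of DDS, or of BleepingComputer's procedures; the sample input is a handful of lines copied from the log above, and the reading of "[?]" as DDS's marker for a file whose date and size it could not read is my assumption about the format. Hits are leads, not verdicts: entries such as MEMSWEEP2 (a .tmp in system32) and MFE_RR (a .sys in the user's temp folder) are also what on-demand removal tools leave behind, and the same log shows Sophos, Malwarebytes, SUPERAntiSpyware and other cleanup tools being installed in the preceding week, so each hit should be checked against its vendor, hash and creation date before anything is deleted.

```python
import re
from typing import Dict, List

# DDS SERVICES / DRIVERS line, e.g.
#   R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
#   S3 MFE_RR;MFE_RR;\??\c:\docume~1\...\temp\mfe_rr.sys --> c:\docume~1\...\temp\mfe_rr.sys [?]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Pseudo-HJT entries that DDS marks as orphaned, e.g. "BHO: IEVkbdBHO - No File"
NOFILE_RE = re.compile(r"^(?P<kind>BHO|EB|TB):\s*(?P<name>.+?)\s+-\s+No File$")

# Running Processes line: a full path to an .exe, optionally followed by arguments
PROCESS_RE = re.compile(r"^(?P<path>[a-zA-Z]:\\.*?\.exe)(?:\s.*)?$", re.IGNORECASE)

# Directory fragments where a service image or running process has no business living.
TEMP_DIR_HINTS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


def _image_path(rest: str) -> str:
    """Resolved image path from the text after the second ';' of a service line."""
    # DDS prints 'raw --> resolved' when the registry value uses the \??\ prefix.
    if "-->" in rest:
        rest = rest.split("-->", 1)[1]
    # Drop the trailing '[date size]' or '[?]' bracket.
    return re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).strip()


def _temp_reasons(path: str) -> List[str]:
    """Reasons a path is suspicious purely by where it lives / what it is named."""
    low = path.lower()
    reasons = []
    if low.endswith(".tmp"):
        reasons.append("image is a .tmp file")
    if any(h in low for h in TEMP_DIR_HINTS):
        reasons.append("image lives in a temp directory")
    return reasons


def triage_dds(log_text: str) -> List[Dict[str, str]]:
    """Return the entries in a DDS log that deserve a second look, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            path = _image_path(rest)
            reasons = []
            # Assumption: DDS prints '[?]' where it could not read the file's date and size.
            if rest.rstrip().endswith("[?]"):
                reasons.append("file date/size unreadable ([?])")
            reasons += _temp_reasons(path)
            if reasons:
                findings.append({"kind": "service", "name": m.group("name"),
                                 "path": path, "reason": "; ".join(reasons)})
            continue

        m = NOFILE_RE.match(line)
        if m:
            findings.append({"kind": m.group("kind"), "name": m.group("name"),
                             "path": "", "reason": "registered but file missing (No File)"})
            continue

        m = PROCESS_RE.match(line)
        if m:
            path = m.group("path")
            reasons = _temp_reasons(path)
            if reasons:
                findings.append({"kind": "process", "name": path.rsplit("\\", 1)[-1],
                                 "path": path, "reason": "; ".join(reasons)})
    return findings


# Constructed sample: a handful of lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\42IEF6G1\Defogger[1].exe
BHO: MRI_DISABLED - No File
BHO: IEVkbdBHO - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
EB: MRI_DISABLED - No File
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S3 APR;APR;\??\c:\program files\gamersfirst\knight online\apr.sys --> c:\program files\gamersfirst\knight online\APR.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17d.tmp --> c:\windows\system32\17D.tmp [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\garrett\locals~1\temp\mfe_rr.sys --> c:\docume~1\garrett\locals~1\temp\mfe_rr.sys [?]
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['name']:20} {f['reason']}")
```

Run against the sample it flags the Defogger process (expected, since the poster ran Defogger from a download), the three "No File" browser entries, and the three services DDS could not stat; SASDIFSV, which has a real file with a date and size, is left alone. Feeding it the full log is just a matter of pasting the whole DDS output in place of SAMPLE_LOG.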





#2 Ribo3 (Topic Starter, Members, 12 posts)

Posted 03 May 2012 - 10:26 AM

nasdaq has replied to my original post and is helping me with the problem. You can disregard this post. Thank you.



