Possible Rootkit Infection


This topic is locked
70 replies to this topic

#1 craigar52

craigar52

  • Members
  • 49 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 04 June 2012 - 06:55 PM

I am helping a friend who picked up some malware. I have run SAS, Malwarebytes Anti-Malware, Spybot S&D, CCleaner and Combofix and eliminated most of the problems.
The main issue remaining is that www.google.com is being blocked, and searches performed using the IE 8 search box (Google default) return the following page error:

404 Not Found
----------------
nginx

The same results happen in Firefox.

Combofix warns that AVG Anti-Virus scanner is still active even though AVG has been removed using the AVGremover tool. Combofix also warns about rootkit activity being detected.

Attached are DDS.txt, Attach.txt and Gmer.txt.

Thank you in advance for taking the time to check this out for me.

Regards,

Craig



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 AM

Posted 09 June 2012 - 06:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please run ComboFix and post a fresh log. You may be prompted to update the tool, please do.

Please post the logs for my review.

#3 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 09 June 2012 - 10:32 AM

Nasdaq,

Thank you for the reply. I am just getting on an airplane and will post the requested logs in about 12 hours after I arrive back east.

Craig

#4 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 10 June 2012 - 06:26 PM

Nasdaq,

I'm sorry I didn't get back to you sooner; the flight knocked me out. Here are the requested logs and the MBR.dat zip.

TDSSkiller did not find anything:

01:23:34.0421 0580 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
01:23:34.0781 0580 ============================================================
01:23:34.0781 0580 Current date / time: 2012/06/10 01:23:34.0781
01:23:34.0781 0580 SystemInfo:
01:23:34.0781 0580
01:23:34.0781 0580 OS Version: 5.1.2600 ServicePack: 3.0
01:23:34.0781 0580 Product type: Workstation
01:23:34.0781 0580 ComputerName: DAVE-XP
01:23:34.0781 0580 UserName: Craig_Temp
01:23:34.0781 0580 Windows directory: C:\WINDOWS
01:23:34.0781 0580 System windows directory: C:\WINDOWS
01:23:34.0781 0580 Processor architecture: Intel x86
01:23:34.0781 0580 Number of processors: 1
01:23:34.0781 0580 Page size: 0x1000
01:23:34.0781 0580 Boot type: Normal boot
01:23:34.0781 0580 ============================================================
01:23:35.0937 0580 Drive \Device\Harddisk0\DR0 - Size: 0x5D27216000 (372.61 Gb), SectorSize: 0x200, Cylinders: 0xBE01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
01:23:35.0953 0580 Drive \Device\Harddisk1\DR2 - Size: 0xEC580000 (3.69 Gb), SectorSize: 0x200, Cylinders: 0x1E2, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
01:23:35.0953 0580 ============================================================
01:23:35.0953 0580 \Device\Harddisk0\DR0:
01:23:35.0953 0580 MBR partitions:
01:23:35.0953 0580 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2E937C82
01:23:35.0953 0580 \Device\Harddisk1\DR2:
01:23:35.0953 0580 MBR partitions:
01:23:35.0953 0580 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x2000, BlocksNum 0x760C00
01:23:35.0953 0580 ============================================================
01:23:35.0953 0580 Initialize success
01:23:35.0953 0580 ============================================================
01:23:41.0031 6504 ============================================================
01:23:41.0031 6504 Scan started
01:23:41.0031 6504 Mode: Manual;
01:23:41.0031 6504 ============================================================
01:23:41.0031 6504 !SASCORE - ok
01:23:41.0062 6504 Abiosdsk - ok
01:23:41.0078 6504 abp480n5 - ok
01:23:41.0078 6504 ACPI - ok
01:23:41.0093 6504 ACPIEC - ok
01:23:41.0093 6504 adpu160m - ok
01:23:41.0109 6504 aec - ok
01:23:41.0109 6504 AFD - ok
01:23:41.0125 6504 Aha154x - ok
01:23:41.0140 6504 aic78u2 - ok
01:23:41.0140 6504 aic78xx - ok
01:23:41.0140 6504 ALCXWDM - ok
01:23:41.0156 6504 Alerter - ok
01:23:41.0156 6504 ALG - ok
01:23:41.0171 6504 AliIde - ok
01:23:41.0187 6504 AmdK8 - ok
01:23:41.0187 6504 amsint - ok
01:23:41.0203 6504 APLMp50 - ok
01:23:41.0218 6504 appliand - ok
01:23:41.0234 6504 appliandMP - ok
01:23:41.0250 6504 AppMgmt - ok
01:23:41.0265 6504 asc - ok
01:23:41.0281 6504 asc3350p - ok
01:23:41.0281 6504 asc3550 - ok
01:23:41.0296 6504 aspnet_state - ok
01:23:41.0312 6504 AsyncMac - ok
01:23:41.0312 6504 atapi - ok
01:23:41.0328 6504 Atdisk - ok
01:23:41.0328 6504 Atmarpc - ok
01:23:41.0343 6504 AudioSrv - ok
01:23:41.0343 6504 audstub - ok
01:23:41.0359 6504 Beep - ok
01:23:41.0375 6504 BITS - ok
01:23:41.0375 6504 Browser - ok
01:23:41.0390 6504 catchme - ok
01:23:41.0406 6504 cbidf2k - ok
01:23:41.0406 6504 cd20xrnt - ok
01:23:41.0421 6504 Cdaudio - ok
01:23:41.0421 6504 Cdfs - ok
01:23:41.0437 6504 Cdrom - ok
01:23:41.0437 6504 CiSvc - ok
01:23:41.0453 6504 ClipSrv - ok
01:23:41.0453 6504 clr_optimization_v2.0.50727_32 - ok
01:23:41.0468 6504 CmdIde - ok
01:23:41.0484 6504 cmuda3 - ok
01:23:41.0484 6504 COMSysApp - ok
01:23:41.0484 6504 Scan interrupted by user!
01:23:41.0484 6504 Scan interrupted by user!
01:23:41.0484 6504 Scan interrupted by user!
01:23:41.0484 6504 ============================================================
01:23:41.0484 6504 Scan finished
01:23:41.0484 6504 ============================================================
01:23:41.0484 9484 Detected object count: 0
01:23:41.0484 9484 Actual detected object count: 0
01:23:43.0796 3064 ============================================================
01:23:43.0796 3064 Scan started
01:23:43.0796 3064 Mode: Manual;
01:23:43.0796 3064 ============================================================
01:23:43.0796 3064 !SASCORE - ok
01:23:43.0843 3064 Abiosdsk - ok
01:23:43.0843 3064 abp480n5 - ok
01:23:43.0859 3064 ACPI - ok
01:23:43.0875 3064 ACPIEC - ok
01:23:43.0890 3064 adpu160m - ok
01:23:43.0890 3064 aec - ok
01:23:43.0906 3064 AFD - ok
01:23:43.0906 3064 Aha154x - ok
01:23:43.0921 3064 aic78u2 - ok
01:23:43.0937 3064 aic78xx - ok
01:23:43.0937 3064 ALCXWDM - ok
01:23:43.0953 3064 Alerter - ok
01:23:43.0968 3064 ALG - ok
01:23:43.0984 3064 AliIde - ok
01:23:43.0984 3064 AmdK8 - ok
01:23:44.0000 3064 amsint - ok
01:23:44.0015 3064 APLMp50 - ok
01:23:44.0015 3064 appliand - ok
01:23:44.0031 3064 appliandMP - ok
01:23:44.0031 3064 AppMgmt - ok
01:23:44.0046 3064 asc - ok
01:23:44.0062 3064 asc3350p - ok
01:23:44.0078 3064 asc3550 - ok
01:23:44.0093 3064 aspnet_state - ok
01:23:44.0109 3064 AsyncMac - ok
01:23:44.0109 3064 atapi - ok
01:23:44.0125 3064 Atdisk - ok
01:23:44.0140 3064 Atmarpc - ok
01:23:44.0156 3064 AudioSrv - ok
01:23:44.0171 3064 audstub - ok
01:23:44.0187 3064 Beep - ok
01:23:44.0187 3064 BITS - ok
01:23:44.0203 3064 Browser - ok
01:23:44.0203 3064 catchme - ok
01:23:44.0218 3064 cbidf2k - ok
01:23:44.0234 3064 cd20xrnt - ok
01:23:44.0234 3064 Cdaudio - ok
01:23:44.0250 3064 Cdfs - ok
01:23:44.0265 3064 Cdrom - ok
01:23:44.0265 3064 CiSvc - ok
01:23:44.0281 3064 ClipSrv - ok
01:23:44.0296 3064 clr_optimization_v2.0.50727_32 - ok
01:23:44.0312 3064 CmdIde - ok
01:23:44.0312 3064 cmuda3 - ok
01:23:44.0328 3064 COMSysApp - ok
01:23:44.0343 3064 Cpqarray - ok
01:23:44.0359 3064 Creative Service for CDROM Access - ok
01:23:44.0375 3064 CryptSvc - ok
01:23:44.0375 3064 ctljystk - ok
01:23:44.0390 3064 ctsfm2k - ok
01:23:44.0406 3064 CTUSFSYN - ok
01:23:44.0421 3064 dac2w2k - ok
01:23:44.0421 3064 dac960nt - ok
01:23:44.0437 3064 DcomLaunch - ok
01:23:44.0453 3064 Dhcp - ok
01:23:44.0468 3064 Disk - ok
01:23:44.0468 3064 dmadmin - ok
01:23:44.0484 3064 dmboot - ok
01:23:44.0500 3064 dmio - ok
01:23:44.0500 3064 dmload - ok
01:23:44.0531 3064 dmserver - ok
01:23:44.0531 3064 DMusic - ok
01:23:44.0546 3064 Dnscache - ok
01:23:44.0546 3064 Dot3svc - ok
01:23:44.0562 3064 Dot4 - ok
01:23:44.0578 3064 Dot4Print - ok
01:23:44.0578 3064 dpti2o - ok
01:23:44.0593 3064 drmkaud - ok
01:23:44.0609 3064 EapHost - ok
01:23:44.0625 3064 emu10k - ok
01:23:44.0640 3064 ERSvc - ok
01:23:44.0656 3064 Eventlog - ok
01:23:44.0671 3064 EventSystem - ok
01:23:44.0687 3064 Fastfat - ok
01:23:44.0687 3064 FastUserSwitchingCompatibility - ok
01:23:44.0703 3064 Fdc - ok
01:23:44.0718 3064 Fips - ok
01:23:44.0734 3064 Flpydisk - ok
01:23:44.0750 3064 FltMgr - ok
01:23:44.0765 3064 FontCache3.0.0.0 - ok
01:23:44.0781 3064 Fs_Rec - ok
01:23:44.0796 3064 Ftdisk - ok
01:23:44.0812 3064 gagp30kx - ok
01:23:44.0812 3064 gameenum - ok
01:23:44.0843 3064 GMSIPCI - ok
01:23:44.0859 3064 Gpc - ok
01:23:44.0875 3064 helpsvc - ok
01:23:44.0890 3064 HidServ - ok
01:23:44.0906 3064 HidUsb - ok
01:23:44.0921 3064 hkmsvc - ok
01:23:44.0921 3064 hpn - ok
01:23:44.0937 3064 HSFHWBS2 - ok
01:23:44.0953 3064 HSF_DP - ok
01:23:44.0968 3064 HTTP - ok
01:23:44.0984 3064 HTTPFilter - ok
01:23:45.0000 3064 i2omgmt - ok
01:23:45.0015 3064 i2omp - ok
01:23:45.0031 3064 i8042prt - ok
01:23:45.0046 3064 idsvc - ok
01:23:45.0062 3064 Imapi - ok
01:23:45.0062 3064 ImapiService - ok
01:23:45.0093 3064 ini910u - ok
01:23:45.0109 3064 IntelIde - ok
01:23:45.0125 3064 Ip6Fw - ok
01:23:45.0125 3064 IpFilterDriver - ok
01:23:45.0140 3064 IpInIp - ok
01:23:45.0156 3064 IpNat - ok
01:23:45.0171 3064 IPSec - ok
01:23:45.0187 3064 IRENUM - ok
01:23:45.0203 3064 isapnp - ok
01:23:45.0218 3064 JavaQuickStarterService - ok
01:23:45.0234 3064 Kbdclass - ok
01:23:45.0250 3064 kmixer - ok
01:23:45.0265 3064 KSecDD - ok
01:23:45.0281 3064 lanmanserver - ok
01:23:45.0296 3064 lanmanworkstation - ok
01:23:45.0312 3064 lbrtfdc - ok
01:23:45.0328 3064 LmHosts - ok
01:23:45.0343 3064 LMIGuardianSvc - ok
01:23:45.0359 3064 LMIInfo - ok
01:23:45.0375 3064 LMIMaint - ok
01:23:45.0390 3064 lmimirr - ok
01:23:45.0406 3064 LMIRfsClientNP - ok
01:23:45.0421 3064 LMIRfsDriver - ok
01:23:45.0437 3064 LogMeIn - ok
01:23:45.0453 3064 mbr - ok
01:23:45.0468 3064 mdmxsdk - ok
01:23:45.0468 3064 Messenger - ok
01:23:45.0484 3064 mnmdd - ok
01:23:45.0500 3064 mnmsrvc - ok
01:23:45.0515 3064 Modem - ok
01:23:45.0531 3064 Mouclass - ok
01:23:45.0531 3064 mouhid - ok
01:23:45.0546 3064 MountMgr - ok
01:23:45.0562 3064 MozillaMaintenance - ok
01:23:45.0578 3064 mraid35x - ok
01:23:45.0593 3064 MRxDAV - ok
01:23:45.0593 3064 MRxSmb - ok
01:23:45.0609 3064 MSDTC - ok
01:23:45.0625 3064 Msfs - ok
01:23:45.0640 3064 MSIServer - ok
01:23:45.0656 3064 MSKSSRV - ok
01:23:45.0656 3064 MSPCLOCK - ok
01:23:45.0671 3064 MSPQM - ok
01:23:45.0687 3064 mssmbios - ok
01:23:45.0703 3064 Mup - ok
01:23:45.0718 3064 MySQL - ok
01:23:45.0734 3064 napagent - ok
01:23:45.0734 3064 NDIS - ok
01:23:45.0750 3064 NdisTapi - ok
01:23:45.0765 3064 Ndisuio - ok
01:23:45.0781 3064 NdisWan - ok
01:23:45.0781 3064 NDProxy - ok
01:23:45.0796 3064 NetBIOS - ok
01:23:45.0812 3064 NetBT - ok
01:23:45.0828 3064 NetDDE - ok
01:23:45.0828 3064 NetDDEdsdm - ok
01:23:45.0828 3064 Netlogon - ok
01:23:45.0843 3064 Netman - ok
01:23:45.0859 3064 NetTcpPortSharing - ok
01:23:45.0875 3064 Nla - ok
01:23:45.0890 3064 nm - ok
01:23:45.0906 3064 NPF - ok
01:23:45.0921 3064 Npfs - ok
01:23:45.0937 3064 Ntfs - ok
01:23:45.0937 3064 NtLmSsp - ok
01:23:45.0953 3064 NtmsSvc - ok
01:23:45.0968 3064 Null - ok
01:23:45.0968 3064 NwlnkFlt - ok
01:23:45.0984 3064 NwlnkFwd - ok
01:23:46.0000 3064 ose - ok
01:23:46.0015 3064 ossrv - ok
01:23:46.0031 3064 P17xfi - ok
01:23:46.0031 3064 p17xfilt - ok
01:23:46.0062 3064 Parport - ok
01:23:46.0078 3064 PartMgr - ok
01:23:46.0078 3064 ParVdm - ok
01:23:46.0093 3064 PCI - ok
01:23:46.0093 3064 PCIDump - ok
01:23:46.0109 3064 PCIIde - ok
01:23:46.0125 3064 Pcmcia - ok
01:23:46.0140 3064 pcouffin - ok
01:23:46.0156 3064 PDCOMP - ok
01:23:46.0171 3064 PDFRAME - ok
01:23:46.0187 3064 PDRELI - ok
01:23:46.0187 3064 PDRFRAME - ok
01:23:46.0203 3064 perc2 - ok
01:23:46.0218 3064 perc2hib - ok
01:23:46.0265 3064 PlugPlay - ok
01:23:46.0265 3064 PolicyAgent - ok
01:23:46.0281 3064 PptpMiniport - ok
01:23:46.0296 3064 Processor - ok
01:23:46.0312 3064 ProtectedStorage - ok
01:23:46.0312 3064 PSched - ok
01:23:46.0328 3064 Ptilink - ok
01:23:46.0343 3064 PxHelp20 - ok
01:23:46.0343 3064 ql1080 - ok
01:23:46.0359 3064 Ql10wnt - ok
01:23:46.0375 3064 ql12160 - ok
01:23:46.0390 3064 ql1240 - ok
01:23:46.0406 3064 ql1280 - ok
01:23:46.0406 3064 RasAcd - ok
01:23:46.0421 3064 RasAuto - ok
01:23:46.0437 3064 Rasl2tp - ok
01:23:46.0453 3064 RasMan - ok
01:23:46.0468 3064 RasPppoe - ok
01:23:46.0468 3064 Raspti - ok
01:23:46.0484 3064 Rdbss - ok
01:23:46.0500 3064 RDPCDD - ok
01:23:46.0515 3064 RDPWD - ok
01:23:46.0531 3064 RDSessMgr - ok
01:23:46.0546 3064 redbook - ok
01:23:46.0562 3064 RemoteAccess - ok
01:23:46.0562 3064 rpcapd - ok
01:23:46.0578 3064 RpcLocator - ok
01:23:46.0593 3064 RpcSs - ok
01:23:46.0609 3064 RSVP - ok
01:23:46.0625 3064 rtl8139 - ok
01:23:46.0640 3064 S3GIGP - ok
01:23:46.0656 3064 SamSs - ok
01:23:46.0656 3064 SASDIFSV - ok
01:23:46.0671 3064 SASKUTIL - ok
01:23:46.0687 3064 SCardSvr - ok
01:23:46.0687 3064 Schedule - ok
01:23:46.0718 3064 Secdrv - ok
01:23:46.0734 3064 seclogon - ok
01:23:46.0750 3064 SENS - ok
01:23:46.0765 3064 serenum - ok
01:23:46.0781 3064 Serial - ok
01:23:46.0812 3064 Sfloppy - ok
01:23:46.0828 3064 SharedAccess - ok
01:23:46.0843 3064 ShellHWDetection - ok
01:23:46.0843 3064 Simbad - ok
01:23:46.0859 3064 Sparrow - ok
01:23:46.0875 3064 splitter - ok
01:23:46.0890 3064 Spooler - ok
01:23:46.0906 3064 sr - ok
01:23:46.0906 3064 srservice - ok
01:23:46.0921 3064 Srv - ok
01:23:46.0937 3064 SSDPSRV - ok
01:23:46.0953 3064 StillCam - ok
01:23:46.0968 3064 stisvc - ok
01:23:46.0968 3064 swenum - ok
01:23:46.0984 3064 swmidi - ok
01:23:46.0984 3064 SwPrv - ok
01:23:47.0000 3064 symc810 - ok
01:23:47.0000 3064 symc8xx - ok
01:23:47.0015 3064 sym_hi - ok
01:23:47.0015 3064 sym_u3 - ok
01:23:47.0015 3064 sysaudio - ok
01:23:47.0031 3064 SysmonLog - ok
01:23:47.0031 3064 TapiSrv - ok
01:23:47.0046 3064 Tcpip - ok
01:23:47.0046 3064 TDPIPE - ok
01:23:47.0062 3064 TDTCP - ok
01:23:47.0062 3064 TermDD - ok
01:23:47.0062 3064 TermService - ok
01:23:47.0078 3064 Themes - ok
01:23:47.0093 3064 TosIde - ok
01:23:47.0093 3064 TrkWks - ok
01:23:47.0109 3064 Udfs - ok
01:23:47.0109 3064 ultra - ok
01:23:47.0109 3064 Update - ok
01:23:47.0109 3064 upnphost - ok
01:23:47.0125 3064 UPS - ok
01:23:47.0140 3064 usbehci - ok
01:23:47.0140 3064 usbhub - ok
01:23:47.0156 3064 usbscan - ok
01:23:47.0171 3064 USBSTOR - ok
01:23:47.0171 3064 usbuhci - ok
01:23:47.0171 3064 VgaSave - ok
01:23:47.0187 3064 ViaIde - ok
01:23:47.0187 3064 VolSnap - ok
01:23:47.0203 3064 VSS - ok
01:23:47.0203 3064 W32Time - ok
01:23:47.0218 3064 Wanarp - ok
01:23:47.0218 3064 WDICA - ok
01:23:47.0218 3064 wdmaud - ok
01:23:47.0234 3064 WebClient - ok
01:23:47.0234 3064 winachsf - ok
01:23:47.0250 3064 winmgmt - ok
01:23:47.0265 3064 WMDM PMSP Service - ok
01:23:47.0265 3064 WmdmPmSN - ok
01:23:47.0281 3064 WmiApSrv - ok
01:23:47.0296 3064 WMPNetworkSvc - ok
01:23:47.0296 3064 WS2IFSL - ok
01:23:47.0312 3064 wscsvc - ok
01:23:47.0312 3064 wuauserv - ok
01:23:47.0328 3064 WudfPf - ok
01:23:47.0328 3064 WudfRd - ok
01:23:47.0343 3064 WudfSvc - ok
01:23:47.0343 3064 WZCSVC - ok
01:23:47.0343 3064 xmlprov - ok
01:23:47.0390 3064 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
01:23:47.0734 3064 \Device\Harddisk0\DR0 - ok
01:23:47.0750 3064 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
01:23:47.0765 3064 \Device\Harddisk1\DR2 - ok
01:23:47.0765 3064 Boot (0x1200) (07f7c8cbd5532a629024df61a1c70517) \Device\Harddisk0\DR0\Partition0
01:23:47.0765 3064 \Device\Harddisk0\DR0\Partition0 - ok
01:23:47.0781 3064 Boot (0x1200) (6a9a6bd1c64471406070576b953ad054) \Device\Harddisk1\DR2\Partition0
01:23:47.0781 3064 \Device\Harddisk1\DR2\Partition0 - ok
01:23:47.0781 3064 ============================================================
01:23:47.0781 3064 Scan finished
01:23:47.0781 3064 ============================================================
01:23:47.0812 4032 Detected object count: 0
01:23:47.0812 4032 Actual detected object count: 0
01:24:19.0593 2096 Deinitialize success


Here is aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-10 01:29:10
-----------------------------
01:29:10.312 OS Version: Windows 5.1.2600 Service Pack 3
01:29:10.312 Number of processors: 1 586 0x3702
01:29:10.312 ComputerName: DAVE-XP UserName:
01:29:11.421 Initialize success
01:34:00.234 AVAST engine defs: 12060901
01:34:36.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b
01:34:36.828 Disk 0 Vendor: ST3400620A 3.AAF Size: 381554MB BusType: 3
01:34:36.859 Disk 0 MBR read successfully
01:34:36.890 Disk 0 MBR scan
01:34:36.937 Disk 0 Windows XP default MBR code
01:34:36.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 381551 MB offset 63
01:34:37.000 Disk 0 scanning sectors +781417665
01:34:37.125 Disk 0 scanning C:\WINDOWS\system32\drivers
01:34:50.781 Service scanning
01:34:51.500 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
01:35:11.203 Modules scanning
01:35:19.046 Disk 0 trace - called modules:
01:35:19.156 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86394b39]<<
01:35:19.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86361ab8]
01:35:19.265 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\00000069[0x8631b9e8]
01:35:19.328 5 ACPI.sys[f7447620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-1b[0x862fd940]
01:35:20.250 AVAST engine scan C:\WINDOWS
01:35:30.328 AVAST engine scan C:\WINDOWS\system32
01:38:33.562 AVAST engine scan C:\WINDOWS\system32\drivers
01:39:01.343 AVAST engine scan C:\Documents and Settings\Craig_Temp
01:39:59.781 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
01:40:21.828 Scan finished successfully
01:43:45.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Craig_Temp\Desktop\MBR.dat"
01:43:45.390 The log file has been saved successfully to "C:\Documents and Settings\Craig_Temp\Desktop\aswMBR.txt"


Here is Combofix log:

ComboFix 12-06-10.01 - Craig_Temp 06/10/2012 16:51:52.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.672 [GMT -4:00]
Running from: c:\documents and settings\Craig_Temp\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-10 to 2012-06-10 )))))))))))))))))))))))))))))))
.
.
2012-06-07 17:20 . 2012-06-07 17:20 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-07 17:20 . 2012-06-07 17:20 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-03 21:21 . 2012-06-03 21:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-03 21:21 . 2012-06-03 21:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2012-06-03 21:13 . 2012-06-04 04:44 -------- d-----w- c:\documents and settings\Craig_Temp
2012-05-28 03:33 . 2012-05-28 03:34 -------- dc-h--w- c:\windows\ie8
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-21 17:05 . 2007-08-29 03:18 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-05-21 17:05 . 2007-08-29 03:18 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-21 17:05 . 2007-08-29 03:18 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-05-21 17:05 . 2007-08-29 03:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2008-10-03 23:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-20 18:49 . 2012-03-20 18:49 1409 ----a-w- c:\windows\QTFont.for
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2012-06-07 17:20 . 2011-05-07 04:27 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-21 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"VTTimer"="VTTimer.exe" [2006-08-03 53248]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-26 296056]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-7-1 114688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-05-21 17:05 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/3/2010 3:29 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/5/2007 12:41 PM 12856]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [1/25/2012 3:29 PM 28256]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [1/25/2012 3:29 PM 28256]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/1/2012 12:46 PM 113120]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/15/2010 1:20 AM 47360]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1202660629-746137067-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
2012-06-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1202660629-746137067-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Craig_Temp\Application Data\Mozilla\Firefox\Profiles\6gwmxr37.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HijackThis - c:\documents and settings\Craig_Temp\Desktop\Anti-Spyware and Anti-Virus Tools\HijackThis.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-06-10 16:59:58
ComboFix-quarantined-files.txt 2012-06-10 20:59
.
Pre-Run: 342,183,751,680 bytes free
Post-Run: 342,251,360,256 bytes free
.
- - End Of File - - 12BB44FC7653222DA6A7ED8696ABE313


Attached is the aswMBR boot record.

Looking forward to your earliest reply.

Regards,

Craig

Attached Files

  • Attached File  MBR.zip   499bytes   1 downloads
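The TDSSKiller log above is long but carries only a few facts a reviewer needs: whether each scan ran to completion (the first run here was interrupted three times, so the second run is the one to read), which objects were reported as anything other than "ok", the detected-object count, and the MBR and boot-sector hashes, which are what you compare between a run before and a run after a fix. As an added example (not part of this thread and not TDSSKiller's own code), the Python below pulls those fields out of a log in this layout. The sample lines are constructed, modelled on the log above, with one made-up "exampledrv - suspicious" line included so the flagging path is exercised; it is not a detection from the thread.

```python
import re

# Constructed sample in the layout TDSSKiller writes: "time  pid  message". The lines
# are modelled on the log posted in this thread; the "exampledrv - suspicious" line is
# made up to exercise the flagging path and is not a detection from the thread.
SAMPLE_LOG = r"""
01:23:41.0031 6504 ============================================================
01:23:41.0031 6504 Scan started
01:23:41.0031 6504 Mode: Manual;
01:23:41.0031 6504 !SASCORE - ok
01:23:41.0062 6504 Abiosdsk - ok
01:23:41.0484 6504 Scan interrupted by user!
01:23:41.0484 6504 Scan finished
01:23:41.0484 9484 Detected object count: 0
01:23:43.0796 3064 Scan started
01:23:43.0796 3064 atapi - ok
01:23:43.0800 3064 exampledrv - suspicious
01:23:47.0390 3064 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
01:23:47.0734 3064 \Device\Harddisk0\DR0 - ok
01:23:47.0765 3064 Boot (0x1200) (07f7c8cbd5532a629024df61a1c70517) \Device\Harddisk0\DR0\Partition0
01:23:47.0781 3064 Scan finished
01:23:47.0812 4032 Detected object count: 1
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(.*)$")
SECTOR_RE = re.compile(r"^(MBR|Boot) \((0x[0-9A-Fa-f]+)\) \(([0-9a-f]{32})\) (.+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


def summarize_tdss_log(text):
    """Group a TDSSKiller-style log into scans; collect MBR/boot-sector hashes."""
    scans, sectors, current = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines
        _ts, pid, msg = m.groups()
        if msg == "Scan started":
            current = {"pid": pid, "ok": 0, "flagged": [], "interrupted": False, "detected": None}
            scans.append(current)
            continue
        if current is None:
            continue  # header lines before the first scan
        count = COUNT_RE.match(msg)
        sector = SECTOR_RE.match(msg)
        if msg == "Scan interrupted by user!":
            current["interrupted"] = True
        elif count:
            current["detected"] = int(count.group(1))
        elif sector:
            kind, size, digest, path = sector.groups()
            # size is the hex size field printed beside the hash (0x1B8 for the MBR entry)
            sectors[path] = {"kind": kind, "size": int(size, 16), "md5": digest}
        elif msg.endswith(" - ok"):
            current["ok"] += 1
        elif " - " in msg:
            name, status = msg.rsplit(" - ", 1)
            current["flagged"].append((name, status))
    return {"scans": scans, "sectors": sectors}


def needs_attention(summary):
    """Reasons a reviewer should look closer; an empty list means a clean, complete run."""
    reasons = []
    for i, scan in enumerate(summary["scans"], 1):
        if scan["interrupted"]:
            reasons.append(f"scan {i} (pid {scan['pid']}) was interrupted; its results are partial")
        for name, status in scan["flagged"]:
            reasons.append(f"scan {i}: {name} reported as {status}")
        if scan["detected"]:
            reasons.append(f"scan {i}: tool reports {scan['detected']} detected object(s)")
    return reasons


if __name__ == "__main__":
    summary = summarize_tdss_log(SAMPLE_LOG)
    for path, info in summary["sectors"].items():
        print(f"{info['kind']:4} {path}  md5={info['md5']}  (size field {info['size']})")
    for reason in needs_attention(summary):
        print("!", reason)
```

Run it on a saved log with `summarize_tdss_log(open(path).read())`; keeping the sector hashes from a run before a fix lets you confirm afterwards that the MBR actually changed, rather than relying on the tool's "ok" alone.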


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,159 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 AM

Posted 11 June 2012 - 09:25 AM

Now run the aswMBR.exe tool. Select the Fix button.

Important > you need to wait for the tool to report "Infection fixed successfully" or "MBR fixed successfully".
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Run aswMBR.exe normally this time and post the log.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know what problem persists.

#6 craigar52

craigar52
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 11 June 2012 - 05:10 PM

Nasdaq,

Unfortunately, aswMBR.exe does not fix the MBR when I press the fixMBR button. It displays the warning about changing the boot sector and after I acknowledge by clicking "yes" it disables/freezes the mouse and keyboard. I have tried it twice, the first time I waited over 2 hours and nothing happened. The second time I only waited for 1/2 hour. I don't believe changing the MBR should take over two hours.

The original problem of google.com and google search being locked out still exists.

I ran the security check scan and here are the results:
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-11 17:13:30
-----------------------------
17:13:30.131 OS Version: Windows 5.1.2600 Service Pack 3
17:13:30.131 Number of processors: 1 586 0x3702
17:13:30.131 ComputerName: DAVE-XP UserName:
17:13:30.975 Initialize success
17:13:44.991 AVAST engine defs: 12061100
17:13:56.898 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b
17:13:56.913 Disk 0 Vendor: ST3400620A 3.AAF Size: 381554MB BusType: 3
17:13:56.945 Disk 0 MBR read successfully
17:13:56.976 Disk 0 MBR scan
17:13:57.038 Disk 0 Windows XP default MBR code
17:13:57.054 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 381551 MB offset 63
17:13:57.101 Disk 0 scanning sectors +781417665
17:13:57.195 Disk 0 scanning C:\WINDOWS\system32\drivers
17:14:10.492 Service scanning
17:14:11.086 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
17:14:25.930 Modules scanning
17:14:31.618 Disk 0 trace - called modules:
17:14:31.618 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86381819]<<
17:14:31.618 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86301ab8]
17:14:31.618 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\00000068[0x863d19e8]
17:14:31.618 5 ACPI.sys[f7447620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-1b[0x8631dd98]
17:14:32.602 AVAST engine scan C:\WINDOWS
17:14:44.134 AVAST engine scan C:\WINDOWS\system32
17:17:42.141 AVAST engine scan C:\WINDOWS\system32\drivers
17:18:10.689 AVAST engine scan C:\Documents and Settings\Craig_Temp
17:18:36.080 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
17:18:57.112 Scan finished successfully
17:20:29.647 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Craig_Temp\Desktop\MBR.dat"
17:20:29.757 The log file has been saved successfully to "C:\Documents and Settings\Craig_Temp\Desktop\aswMBR.txt"


I am also curious as to why combofix says the AVG scanner is still active as AVG has been removed/uninstalled. There are no AVG entries in the service list and there are no running processes in the task manager.

Regards,

Craig

#7 craigar52

Posted 11 June 2012 - 05:16 PM

Sorry, I posted the wrong scan results for the security check. I posted the re-run of aswMBR even though the MBR fix did not work. Here are the correct security scan results:

Results of screen317's Security Check version 0.99.41
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SpywareBlaster v3.5.1
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
JavaFX 2.0.3
Java™ 7 Update 3
Java version out of date!
Adobe Flash Player 10 Flash Player out of date!
Adobe Flash Player 11.1.102.62
Adobe Reader X (10.1.3)
Mozilla Firefox (13.0)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````


While waiting for your response I will update the out of date Flash Player and Java. I plan on re-installing AVG Free when this problem is all cleared up.

Regards,

Craig

#8 nasdaq

Posted 12 June 2012 - 09:28 AM

The ComboFix AVG message is being triggered by this remnant item in the registry. Nothing to worry about.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed, or until this computer is clean.

HOW TO: Enable the CD Emulators... < restore only when we are finished.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
===

Please run the GMER tool again and post the log for my review.

===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    atapi.sys
    ACPI.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 craigar52

Posted 12 June 2012 - 02:08 PM

Nasdaq,

As requested, here is the defogger log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:44 on 12/06/2012 (Craig_Temp)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Here is the gmer log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-12 15:01:27
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b ST3400620A rev.3.AAF
Running: gmer.exe; Driver: C:\DOCUME~1\CRAIG_~1\LOCALS~1\Temp\kxddapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEC8B8640]

---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys F73FF852 1 Byte [CC] {INT 3 }
init C:\WINDOWS\system32\drivers\p17xfilt.sys entry point in "init" section [0xF6633EB0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[604] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:296] 8626C0F4

---- EOF - GMER 1.0.15 ----

And finally here is the system-look log:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:03 on 12/06/2012 by Craig_Temp
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 95360 bytes [04:42 07/05/2008] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [02:45 04/06/2012] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "ACPI.sys"
C:\WINDOWS\$NtServicePackUninstall$\acpi.sys -----c- 187776 bytes [04:42 07/05/2008] [12:00 04/08/2004] A10C7534F7223F4A73A948967D00E69B
C:\WINDOWS\ServicePackFiles\i386\acpi.sys ------- 187776 bytes [18:36 13/04/2008] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\system32\drivers\acpi.sys --a---- 187776 bytes [12:00 04/08/2004] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17

-= EOF =-
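
The two log lines that drive the next step in this thread are aswMBR's `>>UNKNOWN<<` entry in the disk call chain and GMER's one-byte patch in atapi.sys. As an added example (not code from the thread, aswMBR or GMER), this Python triage pulls both out of the posted log excerpts so they can be listed as review items; `triage`, `gmer_section` and the regexes are assumptions of this example.

```python
import re

# Constructed sample: the relevant lines from the aswMBR and GMER logs posted in this thread.
ASWMBR_LOG = r"""
17:14:31.618 Disk 0 trace - called modules:
17:14:31.618 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86381819]<<
17:14:31.618 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86301ab8]
"""
GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys F73FF852 1 Byte [CC] {INT 3 }
init C:\WINDOWS\system32\drivers\p17xfilt.sys entry point in "init" section [0xF6633EB0]
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# GMER patch line: .text <module> <address> <n> Byte(s) [<bytes>] {<disassembly>}
PATCH_RE = re.compile(
    r"^\.text\s+(?P<module>\S+)\s+(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes?\s+"
    r"\[(?P<bytes>[0-9A-F ]+)\](?:\s*\{(?P<disasm>[^}]*)\})?"
)

def aswmbr_unknown_modules(log: str) -> list:
    """Addresses aswMBR could not attribute to any loaded driver in the disk I/O chain.
    An unattributed module sitting in that chain is the classic disk-level rootkit
    indicator; it is a lead to confirm against the files on disk, not a verdict."""
    return UNKNOWN_RE.findall(log)

def gmer_section(log: str, name: str) -> list:
    """Non-empty lines of one GMER section (GMER delimits sections with '---- <name> ...')."""
    lines, inside = [], False
    for line in log.splitlines():
        if line.startswith("---- "):
            inside = name in line
        elif inside and line.strip():
            lines.append(line)
    return lines

def gmer_kernel_patches(log: str) -> list:
    """Byte patches GMER reports inside kernel driver code sections (user-mode hooks are skipped)."""
    patches = []
    for line in gmer_section(log, "Kernel code sections"):
        m = PATCH_RE.match(line)
        if m:
            p = m.groupdict()
            p["size"] = int(p["size"])
            p["disasm"] = (p["disasm"] or "").strip()
            patches.append(p)
    return patches

def triage(aswmbr_log: str, gmer_log: str) -> list:
    """Human-readable review items, disk-level findings first."""
    items = [f"aswMBR: unattributed module at {a} in the disk call chain (verify driver files on disk)"
             for a in aswmbr_unknown_modules(aswmbr_log)]
    items += [f"GMER: {p['size']}-byte patch in {p['module']} at {p['addr']}: [{p['bytes']}] {p['disasm']}"
              for p in gmer_kernel_patches(gmer_log)]
    return items
```

An in-memory patch like the INT 3 in atapi.sys does not by itself mean the driver file was altered, which is why the follow-up is a hash comparison of the files on disk.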

#10 nasdaq

Posted 13 June 2012 - 07:21 AM

Your files are good.

Let's try these fixes.

Go to Start > Run box, type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed) press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key
==

If still having a connection problem continue.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional, if the following programs are on your computer.
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled and Spybot's Immunize feature must be used again; you also have to re-install IE-SpyAd if installed.

===

Continue if still no joy.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

Please let me know if the problem persists.
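
The "Your files are good" verdict above comes from comparing the MD5 of the driver Windows actually loads (system32\drivers) with the pristine service-pack copy in ServicePackFiles\i386. As an added example (not code from the thread or from SystemLook), this Python parses the posted filefind output and makes that comparison explicit; `parse_filefind`, `check_live_drivers` and the directory constants are assumptions of this example.

```python
import re

# Constructed sample: the SystemLook "filefind" output posted in this thread, verbatim.
SYSTEMLOOK = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 95360 bytes [04:42 07/05/2008] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [02:45 04/06/2012] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "ACPI.sys"
C:\WINDOWS\$NtServicePackUninstall$\acpi.sys -----c- 187776 bytes [04:42 07/05/2008] [12:00 04/08/2004] A10C7534F7223F4A73A948967D00E69B
C:\WINDOWS\ServicePackFiles\i386\acpi.sys ------- 187776 bytes [18:36 13/04/2008] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
C:\WINDOWS\system32\drivers\acpi.sys --a---- 187776 bytes [12:00 04/08/2004] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
"""

# One result line: <path> <7 attribute flags> <size> bytes [modified] [created] <MD5>
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
                      r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$")

LIVE_DIR = r"C:\WINDOWS\system32\drivers"        # the copy Windows actually loads
REF_DIR = r"C:\WINDOWS\ServicePackFiles\i386"    # pristine SP3 copy used as the reference
# $NtServicePackUninstall$ holds the pre-SP3 versions, so its hashes legitimately differ.

def parse_filefind(text: str) -> dict:
    """Group result lines under the name SystemLook searched for."""
    results, current = {}, None
    for line in text.splitlines():
        header = re.match(r'^Searching for "(.+)"$', line)
        if header:
            current = header.group(1)
            results[current] = []
        elif current is not None and (m := ENTRY_RE.match(line)):
            entry = m.groupdict()
            entry["size"], entry["md5"] = int(entry["size"]), entry["md5"].upper()
            results[current].append(entry)
    return results

def _in_dir(entry: dict, directory: str) -> bool:
    return entry["path"].lower().startswith(directory.lower() + "\\")

def check_live_drivers(results: dict) -> dict:
    """'match' when the loaded driver equals the service-pack reference in both size and MD5."""
    verdicts = {}
    for name, entries in results.items():
        live = next((e for e in entries if _in_dir(e, LIVE_DIR)), None)
        ref = next((e for e in entries if _in_dir(e, REF_DIR)), None)
        if live is None or ref is None:
            verdicts[name] = "no reference copy to compare against"
        elif (live["md5"], live["size"]) == (ref["md5"], ref["size"]):
            verdicts[name] = "match"
        else:
            verdicts[name] = f"MISMATCH: live {live['md5']} vs reference {ref['md5']}"
    return verdicts
```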

#11 craigar52

Posted 13 June 2012 - 11:42 PM

Nasdaq,

It appeared that clearing the zone map domains was going to work. After running the registry fix I was able to search and go directly to google.com in both IE8 and Firefox; however, after the first try in each it reverted back to where I was. Here is what I am still getting:

[screenshot]

When I do searches through something like AOL or Yahoo the results are weird and not at all the typical results I was expecting. In some cases I can actually see other search engine URLs in the address bar.

Something is still hijacking my browsers.

Thank you for sticking with me on this problem.

Craig

#12 nasdaq

Posted 14 June 2012 - 09:33 AM

Reset your router as suggested on my previous post.

#13 craigar52

Posted 14 June 2012 - 12:19 PM

Nasdaq,

I reset the router and that seems to have solved the problem. I'm not sure I understand why though. The problem with the search and Google.com did not present itself on any of the other computers that were connected to the router. Can you explain why it only affected this computer?

I am going to uninstall combofix. Are there any other things I should uninstall that we have used?

Thank you,

Craig

#14 nasdaq
  • Local time:07:48 AM

Posted 14 June 2012 - 01:06 PM

The only thing I can see is your IP to your router.
But yes, it's strange.

Adobe Flash Player 10 Flash Player out of date!
Remove this old version of Flash using the Add/Remove Programs applet.
===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#15 craigar52

Posted 14 June 2012 - 02:51 PM

Thanks for your help. Where do you accept donations? I see others have a link to PayPal, but I don't see one for you. Do you accept donations?

Craig
