Search Engine Redirect Trojan/s... Need Help.


  • This topic is locked
12 replies to this topic

#1 TeeGee123

TeeGee123

  • Members
  • 11 posts
  • OFFLINE
  • Local time: 01:03 AM

Posted 05 June 2012 - 02:14 PM

Experiencing redirects when clicking links returned by Google. Here are my two DDS reports:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by Tony Grausso at 14:40:40 on 2012-06-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.452 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\CLink\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8073\Belkinwcui.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: SecureBrowsing bho: {7632abca-b104-4fbc-9c70-419c4147061b} - c:\program files\m86security secure browsing\SecureBrowsing.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: M86 Security Secure Browsing: {b99f805c-f0b1-48ea-8c8b-753bfcbed913} - c:\program files\m86security secure browsing\SecureBrowsing.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [CLink_McciTrayApp] "c:\program files\clink\McciTrayApp.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\tonygr~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241711260890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{6209BADF-7B7E-45E9-95EB-189B679EE4E2} : DhcpNameServer = 10.0.0.1
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2007-7-28 537216]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-26 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-26 40552]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]
.
=============== Created Last 30 ================
.
2012-06-04 23:43:50 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f27a5d87-1402-4179-82d2-c0c1f2b8074c}\mpengine.dll
2012-06-04 16:40:15 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-31 20:52:34 -------- d-----w- c:\program files\CLink
2012-05-31 20:48:33 -------- d-----w- c:\program files\Sprint_Activation
2012-05-31 20:48:03 -------- d-----w- c:\program files\common files\Motive
2012-05-31 16:47:21 -------- d-----w- c:\program files\Linksys
2012-05-31 16:45:30 -------- d-----w- c:\program files\WebEx
2012-05-31 16:45:19 8892928 ----a-w- c:\documents and settings\all users\application data\atscie.msi
2012-05-31 16:44:58 23984 ----a-w- c:\windows\system32\drivers\pnarp.sys
2012-05-31 16:44:51 25264 ----a-w- c:\windows\system32\drivers\purendis.sys
2012-05-31 16:44:29 -------- d-----w- c:\program files\common files\Pure Networks Shared
2012-05-31 16:43:23 -------- d-----w- c:\documents and settings\all users\application data\Pure Networks
2012-05-28 16:09:05 -------- d-----w- c:\documents and settings\tony grausso\application data\Finjan
2012-05-28 16:09:04 -------- d-----w- c:\program files\M86Security Secure Browsing
2012-05-28 16:07:02 -------- d-s---w- C:\ComboFix
2012-05-28 03:47:05 -------- d-----w- c:\documents and settings\tony grausso\local settings\application data\Sun
2012-05-28 03:00:53 -------- d-----w- c:\program files\Oracle
2012-05-28 03:00:32 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-28 02:45:32 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-28 01:25:16 -------- d-sha-r- C:\cmdcons
2012-05-24 15:57:01 -------- d-----w- c:\documents and settings\tony grausso\application data\Malwarebytes
2012-05-24 15:56:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-24 15:56:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-24 15:56:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-24 13:13:53 -------- d-----w- c:\documents and settings\tony grausso\local settings\application data\PCHealth
2012-05-23 14:08:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-05-23 14:08:08 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-16 20:00:41 -------- dc----w- c:\windows\ie8
2012-05-16 19:41:23 -------- d-----w- c:\windows\system32\Adobe
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 19:42:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 19:42:37 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-06 12:24:51 5486 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-04-06 12:24:41 88 --sh--r- c:\windows\system32\37AE522F6C.sys
2012-04-04 22:47:36 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 22:47:02 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 14:48:14.35 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/22/2007 7:35:49 PM
System Uptime: 6/5/2012 2:31:38 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0XD720
Processor: Genuine Intel® CPU T2080 @ 1.73GHz | Microprocessor | 1729/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 123.958 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\21E4F961434FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\21E4F961434FC000
Service: NIC1394
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.6
Belkin F5D8073 N Wireless ExpressCard Adapter
Broadcom Management Programs
Canon Easy-PhotoPrint EX
Canon MP Navigator EX 4.0
Canon MP280 series MP Drivers
Canon MP280 series User Registration
Canon My Printer
Canon Solution Menu EX
CenturyLink Help
Color LaserJet 2600n
Conexant HDA D110 MDC V.92 Modem
Corel Paint Shop Pro Photo XI
Corel Snapfire Plus
Dell Support 3.2.1
Dell System Restore
Dell Wireless WLAN Card
Digital Line Detect
ERUNT 1.1j
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterVideo XPack (DVD Only)
Java Auto Updater
Java™ 6 Update 26
Java™ 7 Update 4
JavaFX 2.1.0
M86Security Secure Browsing
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Security Client
Microsoft Security Essentials
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft WinUsb 1.0
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Move Media Player
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
Network Magic
NVIDIA Drivers
Pure Networks Platform
QFolder
QuickSet
SearchAssist
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
swMSM
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
Veetle TV 0.9.18
vShare Plugin
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Works Upgrade
.
==== Event Viewer Messages From Past Week ========
.
6/5/2012 2:29:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/5/2012 2:29:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/5/2012 2:29:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
6/5/2012 2:29:16 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2012 2:29:16 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2012 2:29:16 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/5/2012 2:29:16 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
6/1/2012 8:41:48 AM, error: Dhcp [1002] - The IP address lease 10.0.0.21 for the Network Card with network address 0019B971369A has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
5/31/2012 9:27:29 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.966.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
5/30/2012 7:33:35 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.966.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
5/29/2012 2:48:01 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
5/29/2012 2:34:14 PM, error: Service Control Manager [7000] - The Zune Bus Enumerator Driver service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================
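Added example, not part of the thread, of DDS or of any tool named in it: a small Python triage pass over the "Pseudo HJT Report" section of a DDS log like the one above. It parses the BHO/TB/Run/TCP lines, flags toolbar CLSIDs left registered with "No File" behind them (the two TB entries in the log) and checks that every DhcpNameServer is an address on the LAN, since a swapped resolver is one cause of the search-result redirects described. The first sample is copied from the posted log; the second, with the resolver 203.0.113.5, is constructed. It covers this one text section only and is no substitute for the rootkit and MBR scans the helper asks for.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS report posted above (trimmed).
SAMPLE_LINES = [
    "============== Pseudo HJT Report ===============",
    ".",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"BHO: SecureBrowsing bho: {7632abca-b104-4fbc-9c70-419c4147061b} - c:\program files\m86security secure browsing\SecureBrowsing.dll",
    r"TB: M86 Security Secure Browsing: {b99f805c-f0b1-48ea-8c8b-753bfcbed913} - c:\program files\m86security secure browsing\SecureBrowsing.dll",
    "TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File",
    "TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey',
    "TCP: DhcpNameServer = 10.0.0.1",
    r"TCP: Interfaces\{6209BADF-7B7E-45E9-95EB-189B679EE4E2} : DhcpNameServer = 10.0.0.1",
    "============= SERVICES / DRIVERS ===============",
]
# Constructed variant (NOT from the posted log): same section, two TCP lines replaced by one
# naming a resolver outside the LAN.
ROGUE_DNS_LINES = SAMPLE_LINES[:-3] + ["TCP: DhcpNameServer = 203.0.113.5 10.0.0.1"] + SAMPLE_LINES[-1:]

SECTION_RE = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")            # "=== Title ==="
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<body>.*)$")    # "BHO: ...", "TB: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUNKEY_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")  # "[Value] command"
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(?P<ips>.+)$")
# A home router normally hands out itself (here 10.0.0.1); a resolver outside
# RFC 1918 / loopback is not proof of anything, but it is where to look first.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class HjtEntry:
    kind: str    # BHO, TB, uRun, mRun, dRun, DPF, TCP, IE, ...
    name: str    # display name or [Run] value name, "" if absent
    clsid: str   # {GUID} if present, "" otherwise
    target: str  # path / URL / command line, "" if absent
    raw: str     # the line body as DDS wrote it


def parse_entry(kind: str, body: str) -> HjtEntry:
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else ""
    run_m = RUNKEY_RE.match(body)
    if run_m:    # uRun/mRun/dRun: "[ValueName] command line"
        return HjtEntry(kind, run_m["name"], clsid, run_m["target"].strip(), body)
    if clsid_m:  # "Name: {CLSID} - target" or just "{CLSID} - target"
        name = body[:clsid_m.start()].strip(" :")
        target = body[clsid_m.end():].strip(" -:")
    else:        # "Name - target", or a bare "Key = value" line
        head, sep, tail = body.rpartition(" - ")
        name, target = (head.strip(" :"), tail.strip()) if sep else (body.strip(), "")
    return HjtEntry(kind, name, clsid, target, body)


def parse_pseudo_hjt(lines):
    """Entries of the 'Pseudo HJT Report' section, in log order; other sections are skipped."""
    entries, in_section = [], False
    for line in lines:
        line = line.rstrip("\r\n")
        sec = SECTION_RE.match(line)
        if sec:
            in_section = "pseudo hjt report" in sec["title"].lower()
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            entries.append(parse_entry(m["kind"], m["body"]))
    return entries


def orphaned_entries(entries):
    """Registered BHO/toolbar CLSIDs whose backing file is gone ('No File')."""
    return [e for e in entries if e.target.lower() == "no file"]


def dns_servers(entries):
    """Every DhcpNameServer address, in the order DDS listed them."""
    hits = (DNS_RE.search(e.raw) for e in entries if e.kind == "TCP")
    return [ip for m in hits if m for ip in m["ips"].split()]


def non_lan_dns(entries):
    """Resolvers outside LAN_NETS (or unparseable); a swapped resolver is one
    way clicks on search results end up somewhere else."""
    def on_lan(ip):
        try:
            return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)
        except ValueError:
            return False
    return sorted({ip for ip in dns_servers(entries) if not on_lan(ip)})


def triage(lines):
    """One dict a helper can eyeball: entry counts, orphaned CLSIDs, resolvers."""
    entries = parse_pseudo_hjt(lines)
    return {
        "counts": {k: sum(e.kind == k for e in entries) for k in sorted({e.kind for e in entries})},
        "orphaned_clsids": [e.clsid for e in orphaned_entries(entries)],
        "dns_servers": dns_servers(entries),
        "non_lan_dns": non_lan_dns(entries),
    }
```

Call `triage(SAMPLE_LINES)`, or pass the lines of any DDS.txt, to get the summary dict; for the posted log it reports the two orphaned toolbar CLSIDs and no off-LAN resolver.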


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender: Male
  • Location: Greenup, Ill USA
  • Local time: 01:03 AM

Posted 05 June 2012 - 04:00 PM

Hello TeeGee123,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

We need to get a little more information before we begin cleaning your machine.

1. Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror: this version will download a randomly named file (Recommended)
  • Zipped Mirror: this version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

2.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


3.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 TeeGee123

TeeGee123
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 05 June 2012 - 05:39 PM

Thanks for your assistance.

GMER would not run, even in Safemode.

ASWMBR would not run.

RKiller ran. Report below.

RogueKiller V7.5.3 [06/05/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Tony Grausso [Admin rights]
Mode: Scan -- Date: 06/05/2012 18:32:30

Bad processes: 0

Registry Entries: 3
[SUSP PATH] HKLM\[...]\Run : CLink_UninstallTracking (C:\DOCUME~1\TONYGR~1\LOCALS~1\Temp\IHU70.tmp.exe /uninstalltrackingvendor=CLink) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]

Infection : Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9160821AS +++++
--- User ---
[MBR] d4cb7efc21a8b522139a443bba612a9e
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 590bcd9574b978393149017ac1f78ad5
[BSP] 0c589c288d476e3efce03ae95c571caa : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt
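The MBR check in the RogueKiller report above reads sector 0 through two paths (the ordinary "User" path and a lower-level "LL2" path) and compares hashes: the partition tables agree, the boot-code hashes do not, and that disagreement is what "User != LL2 ... KO!" flags. The block below is an added example to illustrate that comparison; it is not RogueKiller's code and was not posted in this thread. It parses a 512-byte MBR's partition table, hashes the boot-code area and the whole sector, and reports whether two reads agree. The two sample MBRs, their boot-code bytes and the partition layout are constructed inline (loosely modelled on the offsets in the log), and treating "[MBR]" as a hash of the full sector and "[BSP]" as a hash of the boot-code area is an assumption, not documented RogueKiller behaviour.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold boot code, before the 4-byte disk signature
PT_OFFSET = 446            # four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR

# Partition type bytes seen in the log above, used only for readable output
TYPE_NAMES = {0x07: "NTFS", 0x0f: "EXTEN-LBA", 0xde: "DELL-UTIL"}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, sectors) tuples.
    Constructed test data only; a real tool would read sector 0 of the physical drive."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, sectors) in enumerate(partitions):
        # CHS fields are left zero; the LBA fields are what modern tools read
        off = PT_OFFSET + 16 * i
        buf[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)
    buf[510:512] = SIGNATURE
    return bytes(buf)


def parse_partitions(mbr: bytes):
    """Decode the four partition slots; empty slots (type 0) are skipped."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte sector with a 55AA signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "UNKNOWN"),
            "lba": lba,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return parts


def mbr_hashes(mbr: bytes):
    """MD5 of the whole sector and of the boot-code area (assumed meaning of [MBR] / [BSP])."""
    return {
        "mbr": hashlib.md5(mbr).hexdigest(),
        "boot_code": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
    }


def compare_reads(user_read: bytes, low_level_read: bytes):
    """Compare two reads of sector 0. An identical partition table with different boot
    code means something between the two read paths is filtering what the OS sees."""
    pt_same = parse_partitions(user_read) == parse_partitions(low_level_read)
    code_same = mbr_hashes(user_read)["boot_code"] == mbr_hashes(low_level_read)["boot_code"]
    if pt_same and code_same:
        status, reason = "OK", "both read paths return the same sector"
    elif pt_same:
        status, reason = "KO", "boot code differs between read paths (MBR hooking suspected)"
    else:
        status, reason = "KO", "partition tables differ (read path returns a different sector)"
    return {"status": status, "reason": reason,
            "partition_table_match": pt_same, "boot_code_match": code_same}


# Constructed layout, loosely modelled on the log (size in MB times 2048 sectors of 512 bytes)
LAYOUT = [
    (0x00, 0xde, 63, 54 * 2048),            # DELL-UTIL
    (0x80, 0x07, 112455, 147448 * 2048),    # NTFS, active (bootable)
    (0x00, 0x0f, 302086260, 2047 * 2048),   # extended container
    (0x00, 0xdb, 306279225, 3074 * 2048),   # shows as UNKNOWN, as in the log
]
# Constructed boot-code bytes: neither is real boot code, they only need to differ
CLEAN_BOOT_CODE = b"\xeb\x3c\x90" + b"\x90" * 40 + b"\xcd\x19"
TAMPERED_BOOT_CODE = b"\xeb\x3c\x90" + b"\xcc" * 40 + b"\xcd\x19"

USER_MBR = build_mbr(CLEAN_BOOT_CODE, LAYOUT)          # what the filtered, user-level read returns
LOW_LEVEL_MBR = build_mbr(TAMPERED_BOOT_CODE, LAYOUT)  # what the sector actually holds

if __name__ == "__main__":
    for p in parse_partitions(LOW_LEVEL_MBR):
        flag = "[ACTIVE]" if p["active"] else "[      ]"
        print(f"{p['index']} - {flag} {p['name']} (0x{p['type']:02x}) "
              f"Offset (sectors): {p['lba']} | Size: {p['size_mb']} MB")
    for label, mbr in (("User", USER_MBR), ("LL2", LOW_LEVEL_MBR)):
        h = mbr_hashes(mbr)
        print(f"--- {label} --- [MBR] {h['mbr']} [BSP] {h['boot_code']}")
    result = compare_reads(USER_MBR, LOW_LEVEL_MBR)
    print(f"User vs LL2 ... {result['status']}: {result['reason']}")
```

The detection value lies in the disagreement, not in either hash on its own: a read that goes through the normal disk stack can be answered by whatever driver is hooked in, so a defender compares it with a read that bypasses as much of that stack as possible and treats a boot-code mismatch with a matching partition table as the signature of an MBR-level rootkit, which is exactly the pattern the log shows.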

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:03 AM

Posted 05 June 2012 - 05:49 PM

Hello,

Please do the following.


1.
  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
RogueKiller log
TdssKiller log
Combofix.txt
How is your machine running now?



#5 TeeGee123

TeeGee123
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 05 June 2012 - 08:02 PM

TDSSKiller would not run.

Logs for others as follows. . . .

RogueKiller V7.5.3 [06/05/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Tony Grausso [Admin rights]
Mode: Remove -- Date: 06/05/2012 19:42:46

Bad processes: 0

Registry Entries: 0

Particular Files / Folders:

Driver: [LOADED]

Infection : Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9160821AS +++++
--- User ---
[MBR] d4cb7efc21a8b522139a443bba612a9e
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 590bcd9574b978393149017ac1f78ad5
[BSP] 0c589c288d476e3efce03ae95c571caa : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt



ComboFix 12-06-05.03 - Tony Grausso 06/05/2012 20:07:14.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.636 [GMT -4:00]
Running from: c:\documents and settings\Tony Grausso\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-06 to 2012-06-06 )))))))))))))))))))))))))))))))
.
.
2012-06-05 23:55 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D40ED4B4-6C59-4898-A17E-73B2774030F1}\mpengine.dll
2012-06-04 16:40 . 2012-05-08 13:40 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-31 20:53 . 2012-05-31 20:53 -------- d-----w- c:\documents and settings\Tony Grausso\Application Data\Motive
2012-05-31 20:48 . 2012-05-31 20:48 -------- d-----w- c:\program files\Sprint_Activation
2012-05-31 20:48 . 2012-06-03 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2012-05-31 20:48 . 2012-06-05 20:56 -------- d-----w- c:\program files\Common Files\Motive
2012-05-31 16:47 . 2012-05-31 16:47 -------- d-----w- c:\program files\Linksys
2012-05-31 16:45 . 2012-05-31 16:45 -------- d-----w- c:\program files\WebEx
2012-05-31 16:45 . 2012-05-31 16:45 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2012-05-31 16:44 . 2009-04-07 19:33 23984 ----a-w- c:\windows\system32\drivers\pnarp.sys
2012-05-31 16:44 . 2012-05-31 16:44 -------- dc----w- c:\windows\system32\DRVSTORE
2012-05-31 16:44 . 2009-04-07 19:33 25264 ----a-w- c:\windows\system32\drivers\purendis.sys
2012-05-31 16:44 . 2012-05-31 16:44 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2012-05-31 16:43 . 2012-05-31 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2012-05-28 16:09 . 2012-05-28 16:09 -------- d-----w- c:\documents and settings\Tony Grausso\Application Data\Finjan
2012-05-28 16:09 . 2012-05-28 16:09 -------- d-----w- c:\program files\M86Security Secure Browsing
2012-05-28 03:47 . 2012-05-28 03:47 -------- d-----w- c:\documents and settings\Tony Grausso\Local Settings\Application Data\Sun
2012-05-28 03:01 . 2012-05-28 03:01 -------- d-----w- c:\program files\Common Files\Java
2012-05-28 03:00 . 2012-05-28 03:00 -------- d-----w- c:\program files\Oracle
2012-05-28 03:00 . 2012-05-28 03:00 -------- d-----w- c:\documents and settings\Tony Grausso\Application Data\Oracle
2012-05-28 03:00 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-28 02:45 . 2012-05-28 02:45 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-24 15:57 . 2012-05-24 15:57 -------- d-----w- c:\documents and settings\Tony Grausso\Application Data\Malwarebytes
2012-05-24 15:56 . 2012-05-24 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-24 15:56 . 2012-05-24 18:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-24 15:56 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-24 13:13 . 2012-05-24 13:13 -------- d-----w- c:\documents and settings\Tony Grausso\Local Settings\Application Data\PCHealth
2012-05-23 14:08 . 2012-05-23 14:08 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-16 20:00 . 2012-05-16 20:04 -------- dc----w- c:\windows\ie8
2012-05-16 19:41 . 2012-05-16 19:41 -------- d-----w- c:\windows\system32\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2004-08-10 17:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 19:42 . 2012-04-03 22:16 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-16 19:42 . 2011-05-19 13:39 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2004-08-10 17:51 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-10 17:51 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-04 03:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:47 . 2007-06-22 18:58 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-04 22:47 . 2010-04-21 14:24 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin F5D8073 N Wireless ExpressCard Adapter Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin F5D8073 N Wireless ExpressCard Adapter Utility.lnk
backup=c:\windows\pss\Belkin F5D8073 N Wireless ExpressCard Adapter Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2010-03-25 02:50 2516296 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2010-04-02 15:18 1185112 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 21:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-21 11:03 7557120 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 21:30 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MsMpSvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"NVSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [7/28/2007 3:48 PM 537216]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/16/2012 10:38 AM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/16/2012 10:38 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-16 14:38]
.
2012-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-16 14:38]
.
2012-06-06 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-05 20:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
.
Completion time: 2012-06-05 20:52:44
ComboFix-quarantined-files.txt 2012-06-06 00:52
ComboFix2.txt 2012-05-28 14:57
.
Pre-Run: 133,058,052,096 bytes free
Post-Run: 133,184,532,480 bytes free
.
- - End Of File - - 2ACA8E44041EBAA817A690B3D5504DC6


PC seems ok. What's next? Thanks. . . .

#6 TeeGee123

TeeGee123
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 05 June 2012 - 08:05 PM

Sorry. Forgot to mention I had to run RK a few times to clear it. Here are the other reports.

RogueKiller V7.5.3 [06/05/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Tony Grausso [Admin rights]
Mode: Remove -- Date: 06/05/2012 19:42:05

Bad processes: 0

Registry Entries: 3
[SUSP PATH] HKLM\[...]\Run : CLink_UninstallTracking (C:\DOCUME~1\TONYGR~1\LOCALS~1\Temp\IHU70.tmp.exe /uninstalltrackingvendor=CLink) -> DELETED
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver: [LOADED]

Infection : Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9160821AS +++++
--- User ---
[MBR] d4cb7efc21a8b522139a443bba612a9e
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 590bcd9574b978393149017ac1f78ad5
[BSP] 0c589c288d476e3efce03ae95c571caa : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


RogueKiller V7.5.3 [06/05/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Tony Grausso [Admin rights]
Mode: Scan -- Date: 06/05/2012 19:41:27

Bad processes: 0

Registry Entries: 3
[SUSP PATH] HKLM\[...]\Run : CLink_UninstallTracking (C:\DOCUME~1\TONYGR~1\LOCALS~1\Temp\IHU70.tmp.exe /uninstalltrackingvendor=CLink) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]

Infection : Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: ST9160821AS +++++
--- User ---
[MBR] d4cb7efc21a8b522139a443bba612a9e
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 590bcd9574b978393149017ac1f78ad5
[BSP] 0c589c288d476e3efce03ae95c571caa : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 147448 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 302086260 | Size: 2047 Mo
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 306279225 | Size: 3074 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:03 AM

Posted 05 June 2012 - 08:09 PM

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.


Download the yorkyt.exe disinfection tool (1,31 MB).

Save the file to your hard disk; to the Windows Desktop, for example.
Double click the yorkyt.exe file.
A reboot will be requested to install a driver.
Another reboot will be requested to complete the disinfection.
When the disinfection is completed, accept the message that will be displayed.
In order to ensure a full cleanup, run a scan of your PC with the antivirus installed.



#8 TeeGee123

TeeGee123
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 05 June 2012 - 08:13 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7A91000 \WINDOWS\system32\KDCOM.DLL
0xF79A1000 \WINDOWS\system32\BOOTVID.dll
0xF7462000 ACPI.sys
0xF7A93000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7451000 pci.sys
0xF7591000 isapnp.sys
0xF79A5000 compbatt.sys
0xF79A9000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B59000 pciide.sys
0xF7811000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75A1000 MountMgr.sys
0xF7432000 ftdisk.sys
0xF7819000 PartMgr.sys
0xF75B1000 VolSnap.sys
0xF741A000 atapi.sys
0xF75C1000 disk.sys
0xF75D1000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73FA000 fltmgr.sys
0xF73D2000 MpFilter.sys
0xF73BD000 drvmcdb.sys
0xF7821000 PxHelp20.sys
0xF73A6000 KSecDD.sys
0xF7319000 Ntfs.sys
0xF72EC000 NDIS.sys
0xF75E1000 ohci1394.sys
0xF75F1000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF72D2000 Mup.sys
0xF7791000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7A71000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7A75000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6AD4000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6AC0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6A98000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6A04000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF78D1000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF69E0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78D9000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77A1000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF69CC000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF78E1000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF77B1000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF6980000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF77C1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF6951000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7ABD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78E9000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF78F1000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77D1000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7ABF000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF77E1000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF77F1000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF692E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7C95000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7801000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF72AA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6917000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7611000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7621000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78F9000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF68DE000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7631000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7901000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7909000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7641000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AC1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6880000 \SystemRoot\system32\DRIVERS\update.sys
0xF729A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7911000 \SystemRoot\system32\DRIVERS\omci.sys
0xF7651000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF46A1000 \SystemRoot\system32\drivers\sthda.sys
0xF467D000 \SystemRoot\system32\drivers\portcls.sys
0xF7661000 \SystemRoot\system32\drivers\drmk.sys
0xF464B000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xF454E000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF449E000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7919000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7671000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A4D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7AD1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B93000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AD3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7929000 \SystemRoot\system32\drivers\ssrtln.sys
0xF7931000 \SystemRoot\System32\drivers\vga.sys
0xF7AD5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AD7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7939000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7941000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A55000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF441B000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF43C2000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF439A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7A59000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF4378000 \SystemRoot\System32\drivers\afd.sys
0xF7681000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF434D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF42DD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76A1000 \SystemRoot\System32\Drivers\Fips.SYS
0xF428F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF76B1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF6907000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF76D1000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF4277000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7ADF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF4496000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7951000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CCF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF3DB000 \SystemRoot\System32\ATMFD.DLL
0xF6830000 \SystemRoot\system32\drivers\drvnddm.sys
0xF7C8A000 \SystemRoot\system32\dla\tfsndres.sys
0xBA4AA000 \SystemRoot\system32\dla\tfsnifs.sys
0xBA544000 \SystemRoot\system32\dla\tfsnopio.sys
0xF7AE9000 \SystemRoot\system32\dla\tfsnpool.sys
0xF7961000 \SystemRoot\system32\dla\tfsnboio.sys
0xF6820000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7C90000 \SystemRoot\system32\dla\tfsndrct.sys
0xBA491000 \SystemRoot\system32\dla\tfsnudf.sys
0xBA478000 \SystemRoot\system32\dla\tfsnudfa.sys
0xF7869000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xBA4C4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF7871000 \SystemRoot\system32\DRIVERS\pnarp.sys
0xF7879000 \SystemRoot\system32\DRIVERS\purendis.sys
0xB9222000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB90DA000 \SystemRoot\system32\DRIVERS\srv.sys
0xB909D000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9A87000 \SystemRoot\system32\drivers\sysaudio.sys
0xB91FA000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB8295000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7B27000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF7979000 \??\C:\DOCUME~1\TONYGR~1\LOCALS~1\Temp\catchme.sys
0xB6727000 \SystemRoot\system32\DRIVERS\RT2860.sys
0xB5383000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 31):
0 System Idle Process
4 System
764 C:\WINDOWS\system32\smss.exe
820 csrss.exe
844 C:\WINDOWS\system32\winlogon.exe
888 C:\WINDOWS\system32\services.exe
900 C:\WINDOWS\system32\lsass.exe
1080 C:\WINDOWS\system32\svchost.exe
1148 svchost.exe
1188 C:\Program Files\Microsoft Security Client\MsMpEng.exe
1224 C:\WINDOWS\system32\svchost.exe
1472 svchost.exe
1528 svchost.exe
1808 C:\WINDOWS\system32\spoolsv.exe
1884 svchost.exe
1940 C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
1960 C:\Program Files\Common Files\Motive\McciCMService.exe
484 C:\WINDOWS\system32\svchost.exe
620 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
1704 alg.exe
640 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1336 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
2068 C:\WINDOWS\system32\ctfmon.exe
2780 C:\Program Files\Microsoft Security Client\msseces.exe
3220 C:\Program Files\Belkin\F5D8073\Belkinwcui.exe
648 C:\WINDOWS\explorer.exe
1272 C:\WINDOWS\system32\notepad.exe
3824 C:\Program Files\Internet Explorer\iexplore.exe
1376 wmiprvse.exe
4048 MpCmdRun.exe
3148 C:\Documents and Settings\Tony Grausso\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: ST9160821AS, Rev: 3.CDD

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 8D0070E3B97C3ACBF87614B5388B532E61EE9757


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
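
The MBRCheck output above reports the boot sector's code as faked and prints a SHA1 for it. As an added example (not part of this thread, and not MBRCheck's own code), the following Python script performs the same style of check on a 512-byte sector read from a disk or a raw image: it verifies the 55AA boot signature, hashes the boot-code region and compares it against a known-good baseline, and sanity-checks the partition table (bootable flags, zero-length entries, overlaps). It assumes that hashing only the first 446 bytes is the right baseline, so that machine-specific partition tables do not change the hash; that is this script's design choice, not necessarily what MBRCheck does. The sample sectors, the partition geometry and the "known good" hash are constructed inside the script and are not taken from the poster's machine.

```python
"""Offline MBR check in the spirit of MBRCheck: boot signature, boot-code hash
against a known-good baseline, and partition-table sanity.

Added example; the sample sectors below are constructed, not real disk data.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def build_mbr(code, partitions, signature=BOOT_SIG):
    """Assemble a 512-byte MBR from a boot-code blob and up to four
    (status, type, lba_start, sectors) tuples. Used only to construct test data."""
    code = code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + signature


def parse_partitions(mbr):
    """Return the non-empty partition-table entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_code_sha1(mbr):
    """SHA1 of the boot-code region only (bytes 0..445). Hashing only the code
    keeps the baseline stable across machines with different partition tables."""
    return hashlib.sha1(mbr[:PART_TABLE_OFF]).hexdigest().upper()


def check_mbr(mbr, known_good_hashes):
    """Run the checks; return a dict with sha1, partitions, findings and status."""
    findings = []
    if len(mbr) != SECTOR:
        findings.append("unexpected sector length %d" % len(mbr))
    if mbr[SECTOR - 2:SECTOR] != BOOT_SIG:
        findings.append("boot signature 55AA missing")
    code_hash = mbr_code_sha1(mbr)
    if code_hash not in known_good_hashes:
        findings.append("MBR code hash not in known-good set")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has zero start or length" % p["index"])
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partition table entries overlap")
            break
    return {"sha1": code_hash, "partitions": parts, "findings": findings,
            "status": "OK" if not findings else "SUSPICIOUS"}


# --- constructed sample data (not a real Windows boot sector) -----------------
GOOD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64  # stand-in "trusted" loader
FAKE_CODE = b"\xeb\xfe" + b"\x00" * 64                      # stand-in replaced loader
NTFS_PART = [(0x80, 0x07, 63, 312576642)]                    # one bootable NTFS partition

GOOD_MBR = build_mbr(GOOD_CODE, NTFS_PART)
TAMPERED_MBR = build_mbr(FAKE_CODE, NTFS_PART)               # code swapped, table intact
NOSIG_MBR = build_mbr(GOOD_CODE, NTFS_PART, signature=b"\x00\x00")
OVERLAP_MBR = build_mbr(GOOD_CODE, [(0x80, 0x07, 63, 1000), (0x00, 0x07, 500, 1000)])

# Baseline: hash of a sector captured from a machine known to be clean (constructed here).
KNOWN_GOOD = {mbr_code_sha1(GOOD_MBR)}


def read_sector0(path):
    """Read the first sector from a raw device (\\\\.\\PhysicalDrive0 on Windows,
    which needs administrator rights) or from a dd-style image file."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    for name, sector in [("good", GOOD_MBR), ("tampered", TAMPERED_MBR),
                         ("no-signature", NOSIG_MBR), ("overlap", OVERLAP_MBR)]:
        r = check_mbr(sector, KNOWN_GOOD)
        print("%-12s %s  SHA1: %s  %s" % (name, r["status"], r["sha1"],
                                          "; ".join(r["findings"])))
```

The "tampered" sample mirrors what a bootkit typically does: the boot code is replaced while the partition table is left intact so the machine still boots, which is exactly why a signature-only check passes and a code hash against a trusted baseline is needed. To use it on a real machine, replace the constructed baseline with the hash of a sector captured from a clean installation of the same Windows version, and feed `read_sector0()` the device path or image.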

#9 TeeGee123

TeeGee123
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 06 June 2012 - 05:54 AM

I ran Anti-Malware and MSE.

MBAM report shows no detections:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.05.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Tony Grausso :: TONY [administrator]

6/5/2012 9:26:43 PM
mbam-log-2012-06-05 (21-26-43).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 246021
Time elapsed: 1 hour(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


I ran MSE and it did not detect anything. But it showed that a file was quarantined 6/5/2012 at 9:32 pm. I "removed" it.

File: Trojan: ODS/Alureon.F

File detected in DocumentsandSettings/Desktop/RK_Quarantined/PhysicalDrive0_LL2.dat

What's next? Thanks much. . . .

#10 TeeGee123

TeeGee123
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 06 June 2012 - 06:02 AM

Just did a Google search on "candles." I clicked on a results link for a site and it was trying to redirect me to this site: http://letmehelpu.com/

So looks like the redirect problem persists. ???

#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:03 AM

Posted 06 June 2012 - 08:17 PM

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)


When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

Next type FIXMBR

If it asks whether you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

With that done, please post back and let me know how things are now.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 TeeGee123

TeeGee123
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:03 AM

Posted 07 June 2012 - 11:40 AM

Fireman,

I was able to successfully run TDSSKiller by copying the exe and pasting it into the Malware Chameleon folder and then running in there. Here is the portion of the TDSSKiller report showing what was identified and removed:

21:28:26.0750 0200 Detected object count: 1
21:28:26.0750 0200 Actual detected object count: 1
21:30:51.0203 0200 \Device\Harddisk0\DR0\# - copied to quarantine
21:30:51.0375 0200 \Device\Harddisk0\DR0 - copied to quarantine
21:30:51.0843 0200 \Device\Harddisk0\DR0 - processing error
21:31:25.0171 0200 \Device\Harddisk0\DR0 - will be restored on reboot
21:31:25.0171 0200 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - User select action: Cure Restore
21:31:29.0953 4084 Deinitialize success

I did a few test searches via Google, and none of the links redirected. So it appears I am rid of the trojan. Thanks for your willingness to help. Should anything re-emerge, I will check in. Hopefully, that won't happen.

Thanks again. . . . .

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:03 AM

Posted 07 June 2012 - 07:30 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
