Ads in bottom right and left corners (IE), redirect virus -- redux


This topic is locked
26 replies to this topic

#1 gandydancer


Posted 21 September 2012 - 09:46 AM

It appears I have the same virus successfully addressed, using TDSSKiller apparently, at http://www.bleepingcomputer.com/forums/topic468898.html/page__hl__browser+hijack, but I want to memorialize a more complete description of the hijacker's behavior. I haven't yet attempted the TDSSKiller fix.

I believe the virus was contracted at a site which resisted my closing the window with an "Are you really sure you want to leave?" box which wouldn't take "yes" for an answer and started hijacking other open windows. I disremember the details but I hit the power switch... not soon enough, though I at first thought otherwise.

Using IE8 on XPSP3 I some time afterward noted a floating ad box obscuring the lower right content of some page. Perhaps it was the "Garett Jones Bad Futures September Bet" message I later collected an image of. It had a feedback button labelled "Dislike this? Write Feedback." and, not noticing the shaky English ("Write" rather than "Provide") I did in fact write a complaint into the resultant scripted window to, I thought, the content provider, then hit the x-button to kill it.

Then a larger box started popping up lower left, blank except for the x-button.

Other versions of this box (which contains links to ad.yieldmanager.com urls, as opposed to the lower right boxes that only seem to generate scripted windows) seen since have included the message "Your system doesn't support this video file"/"click here[blue link] to get the plugin" (two versions, an "Android" head and a "video player") and "(arrow) Click Here [underlined,link] to download iLivid". The other kind of lower right floater I've seen is a small box (no x-button) with the text "Recommended for You".

Not every window I open has a problem, but I happen to have the browser set to open new urls in a new window and have IE7Pro installed (I disremember why -- IE7Pro seems very eager to give me a Page Can Not Be Found! error so that it can display its ad) and if I use the Search Box set for Google or write a google.com url directly into the address the IE7Pro Page Can Not Be Found! pops up with the hijacker's left box with absolute regularity.

Switching to Yahoo for the Search Box brought up a Yahoo page where the cache links worked but the direct link was hijacked to... Well, it just changed, the second time through. Earlier it took me to a site offering Trojan removal services; this time a system message popped up purportedly from Adobe saying something about failure due to "memory corruption", then at http//onlinefinanses2f.info/links/google-go.php the "Are you sure you want to navigate away from this page?" system message showed. I pulled the plug again...

I had Malwarebytes on this computer so, when I realized there was an infection, I ran it. The log reads:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.20.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Asus :: JOHN-VALLERO [administrator]

9/20/2012 3:08:34 AM
mbam-log-2012-09-20 (03-08-34).txt

Scan type: Full scan (C:\|E:\|F:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 485251
Time elapsed: 8 hour(s), 43 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\5613 (Rootkit.RLoader.Gen) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Asus\Local Settings\Temp\5613.sys (Rootkit.RLoader.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Asus\Local Settings\Temp\Sys_Drive.exe (Trojan.FakeAlert.FSA20) -> Quarantined and deleted successfully.

(end)

On restart Windows said something about having to restore the registry from an earlier version.

The problem wasn't fixed, so I updated MWB's definitions and ran another full scan. Nothing found, still no fix.

So I disabled Microsoft Security Essentials' Real-time protection and ran ComboFix, which seemingly found nothing and in any case didn't fix the problem.

And that's where it stands.
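The Malwarebytes log in this post is the first hard evidence in the thread, and its one interesting feature is the pairing of a numerically named service key (Services\5613) with a kernel driver of the same name (5613.sys) dropped into the user's Temp folder. The script below is an added example, not part of the original post and not Malwarebytes code: it parses the 1.x text-log layout into structured detections, cross-checks each section's declared count against the entries actually present, and matches the quarantined service key to the driver file it loaded. The regex layout is assumed from the single log posted above, and SAMPLE_LOG is a constructed excerpt reproducing that posting's entries.

```python
"""Structured triage of a Malwarebytes Anti-Malware 1.x text log.

Added example for this thread; not part of the original post and not
Malwarebytes code. The regexes follow the layout of the log posted above:
"<Section> Detected: N" headers followed by "<target> (<threat>) -> <action>."
entries. SAMPLE_LOG is a constructed excerpt reproducing that posting.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed excerpt, modelled on the 1.65 report in post #1 above.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.20.04

Scan type: Full scan (C:\|E:\|F:\|Q:\|)
Objects scanned: 485251

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\5613 (Rootkit.RLoader.Gen) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Asus\Local Settings\Temp\5613.sys (Rootkit.RLoader.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Asus\Local Settings\Temp\Sys_Drive.exe (Trojan.FakeAlert.FSA20) -> Quarantined and deleted successfully.

(end)
"""


@dataclass(frozen=True)
class Detection:
    section: str  # log section, e.g. "Registry Keys" or "Files"
    target: str   # registry path or file path the scanner acted on
    threat: str   # detection name, e.g. "Rootkit.RLoader.Gen"
    action: str   # what the scanner did, without the trailing period


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection entry, tagged with the section it was listed under."""
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        entry = ENTRY_RE.match(line)
        if section and entry:
            detections.append(Detection(section, entry.group("target"),
                                        entry.group("threat"), entry.group("action")))
    return detections


def count_mismatches(text: str) -> List[Tuple[str, int, int]]:
    """(section, declared, parsed) for every section whose declared count differs
    from the entries found; a non-empty result usually means the pasted log was
    truncated or edited before posting."""
    declared: Dict[str, int] = {}
    for raw in text.splitlines():
        header = SECTION_RE.match(raw.strip())
        if header:
            declared[header.group("section")] = int(header.group("count"))
    parsed = Counter(d.section for d in parse_mbam_log(text))
    return [(s, n, parsed.get(s, 0)) for s, n in declared.items() if parsed.get(s, 0) != n]


def threats_by_name(detections: List[Detection]) -> Dict[str, List[str]]:
    """Group acted-on targets under their detection name."""
    grouped: Dict[str, List[str]] = {}
    for d in detections:
        grouped.setdefault(d.threat, []).append(d.target)
    return grouped


def temp_drivers(detections: List[Detection]) -> List[Detection]:
    """Kernel drivers (.sys) that lived under a Temp directory. Legitimate drivers
    are installed under the Windows drivers directory, so a driver in a user's
    Temp folder is the tell that sets the RLoader file apart."""
    return [d for d in detections
            if d.section == "Files"
            and d.target.lower().endswith(".sys")
            and "\\temp\\" in d.target.lower()]


def pair_services_with_drivers(detections: List[Detection]) -> List[Tuple[str, str]]:
    """Match a quarantined service key (last path component <name>) with the
    driver file <name>.sys it loaded, so both halves of the persistence are
    confirmed removed together."""
    services = {d.target.rsplit("\\", 1)[-1].lower(): d.target
                for d in detections
                if d.section == "Registry Keys" and "\\services\\" in d.target.lower()}
    pairs: List[Tuple[str, str]] = []
    for d in detections:
        if d.section == "Files" and d.target.lower().endswith(".sys"):
            stem = d.target.rsplit("\\", 1)[-1][:-4].lower()
            if stem in services:
                pairs.append((services[stem], d.target))
    return pairs


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for threat, targets in threats_by_name(found).items():
        print(threat)
        for t in targets:
            print("   ", t)
    for svc, drv in pair_services_with_drivers(found):
        print("service", svc, "loaded driver", drv)
    print("count mismatches:", count_mismatches(SAMPLE_LOG))
```

Run against a pasted log, the service/driver pairing and the Temp-path check give a helper a quick read on whether a detection is a loader-style rootkit component rather than an isolated PUP, and the count check catches logs that were trimmed before posting.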

#2 gringo_pr

Malware Response Team

Posted 23 September 2012 - 07:22 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gandydancer

Topic Starter

Posted 24 September 2012 - 08:03 PM

PM from gandydancer to Gringo (test of Reply button):
Today, 11:22 AM
Hi, Gringo - Thanks for your response to http://www.bleepingcomputer.com/forums/topic469401.html/page__p__2847008__hl__%22recommended+for+you%22__fromsearch__1#entry2847008, but my attempts to reply failed with the message: "[#103130] You do not have permission to reply to this topic." Another oddity: When I search the forums for "gandydancer" I only find my thread from March '09....

#4 gandydancer

Topic Starter

Posted 24 September 2012 - 08:21 PM

Gringo, thanks again for your help.

OK, the Add Reply button at http://www.bleepingcomputer.com/forums/topic469401.html/page__gopid__2850524 works. I think now it was the "Post" button that failed at the other url. Oh, well, I've got my own problem.

I ran defogger and when it said "finished" (I don't believe there was an "ok" button) I killed that message using corner x.

I ran security check and while the command emu showed "Preparing" a system message labelled Autolt Error (or AutoIt Error) appeared with message "[white X on red button] Line -1: [linefeed] [linefeed] Error: Variable must be of type "Object". [OK Button]"

nb: Belarc reports

"Virus Protection
Microsoft Security Essentials Version 4.0.1526.0
Scan Engine Version 1.1.8800.0
Virus Definitions Version 1.137.293.0
Realtime File Scanning On
...
All required security hotfixes (using the 09/21/2012 Microsoft Security Bulletin Summary) have been installed."

I don't notice anything else protection-relevant listed except the free (i.e., inactive) Malwarebytes, but I could of course be wrong.

I went ahead and ran dds.scr. The resultant files were uploaded to http://www.2shared.com/document/U68gwBo1/dds_and_attach.html

#5 gandydancer

Topic Starter

Posted 24 September 2012 - 08:23 PM

On rereading my post I see that the free Malwarebytes ISN'T just on-demand...

#6 gringo_pr

Malware Response Team

Posted 24 September 2012 - 08:51 PM

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo

#7 gandydancer

Topic Starter

Posted 24 September 2012 - 11:50 PM

OK, AdwCleaner[S1].txt is brief, so I'll just post it:

# AdwCleaner v2.003 - Logfile created 09/24/2012 at 21:10:39
# Updated 23/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Asus - JOHN-VALLERO
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Asus\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

*************************

AdwCleaner[S1].txt - [947 octets] - [24/09/2012 21:10:39]

########## EOF - C:\AdwCleaner[S1].txt - [1006 octets] ##########

I had an mp3 player connected that I didn't remove until after the prescan. RK produced and opened RKreport[2].txt, but also left a RKreport[1].txt on the desktop.

http://www.2shared.com/document/tdyXC9Ow/RKreport2.html

http://www.2shared.com/document/VlmkFkFN/RKreport1.html

#8 gringo_pr

Malware Response Team

Posted 25 September 2012 - 01:41 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#9 gandydancer

Topic Starter

Posted 25 September 2012 - 04:45 AM

OK, looks like TDSSKiller might be the bomb, again. It found a rootkit (Virus.Win32.Rloader.a) in ACPI.sys. It restarted on reboot and I got a second, minimal, log, but here is the first one: http://www.2shared.com/document/vSXZZMzS/TDSSKiller28100_25092012_01391.html

The second opinion(?) from aswMBR didn't seem to find anything:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-25 01:51:51
-----------------------------
01:51:51.937 OS Version: Windows 5.1.2600 Service Pack 3
01:51:51.937 Number of processors: 1 586 0x207
01:51:51.937 ComputerName: JOHN-VALLERO UserName: Asus
01:51:52.843 Initialize success
01:55:56.203 AVAST engine defs: 12092500
01:57:59.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
01:57:59.406 Disk 0 Vendor: ST380011A 8.01 Size: 76319MB BusType: 3
01:57:59.406 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
01:57:59.406 Disk 1 Vendor: Maxtor_4D040H2 DAH017K0 Size: 39083MB BusType: 3
01:57:59.406 Disk 0 MBR read successfully
01:57:59.406 Disk 0 MBR scan
01:57:59.515 Disk 0 Windows XP default MBR code
01:57:59.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
01:57:59.546 Disk 0 scanning sectors +156280320
01:57:59.671 Disk 0 scanning C:\WINDOWS\system32\drivers
01:58:24.859 Service scanning
01:59:03.625 Modules scanning
01:59:14.312 Disk 0 trace - called modules:
01:59:14.671 ntoskrnl.exe CLASSPNP.SYS disk.sys tsk127.tmp hal.dll atapi.sys siside.sys PCIIDEX.SYS
01:59:14.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b7aab8]
01:59:14.687 3 CLASSPNP.SYS[f78c3fd7] -> nt!IofCallDriver -> \Device\00000062[0x86b6d218]
01:59:14.687 5 tsk127.tmp[f780c620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86b84940]
01:59:14.921 AVAST engine scan C:\WINDOWS
01:59:51.562 AVAST engine scan C:\WINDOWS\system32
02:05:47.578 AVAST engine scan C:\WINDOWS\system32\drivers
02:06:12.359 AVAST engine scan C:\Documents and Settings\Asus
02:13:14.906 AVAST engine scan C:\Documents and Settings\All Users
02:14:52.734 Scan finished successfully
02:16:28.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Asus\My Documents\Dropbox\Dropbox\MBR.dat"
02:16:29.031 The log file has been saved successfully to "C:\Documents and Settings\Asus\My Documents\Dropbox\Dropbox\aswMBR.txt"

I'll see if the virus seems gone and report back. Or do you have more in mind? Need to undo Defogger? Anything else?

#10 gringo_pr

Malware Response Team

Posted 25 September 2012 - 12:50 PM

Hello gandydancer

Only upload the files to 2shared if you cannot paste them here

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:

  • In your next post I need the following:
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?

Gringo

#11 gringo_pr

Malware Response Team

Posted 28 September 2012 - 07:02 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#12 gandydancer

Topic Starter

Posted 01 October 2012 - 08:27 PM

I'll be back to you shortly. Thanks again.

#13 gandydancer

Topic Starter

Posted 01 October 2012 - 09:20 PM

The virus' effects stopped after TDSSKiller ran.

There aren't any files that -had- to be posted to 2shared, so I'm not sure what to make of that instruction. Seems to me that the thread is easier to read if they're not inline, and there's a security advantage in being able to disable access to them after our communication is done, but I'm not that concerned (just sayin'), so here is the combofix log:

ComboFix 12-09-30.03 - Asus 10/01/2012 18:38:58.2.1 - x86
Running from: c:\documents and settings\Asus\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\WindowsUpdate.log . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-09-02 to 2012-10-02 )))))))))))))))))))))))))))))))
.
.
2012-09-25 08:41 . 2012-09-25 08:41 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-20 10:05 . 2012-09-08 00:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-18 07:25 . 2011-05-30 13:42 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2012-09-18 07:25 . 2011-05-23 09:52 153088 ----a-w- c:\windows\system32\xvid.ax
2012-09-18 07:25 . 2011-05-23 07:46 645632 ----a-w- c:\windows\system32\xvidcore.dll
2012-09-18 07:25 . 2012-09-18 07:26 -------- d-----w- c:\program files\Xvid
2012-09-15 13:59 . 2012-09-15 13:59 -------- d-----w- c:\program files\iPod
2012-09-15 13:58 . 2012-09-15 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-09-15 13:58 . 2012-09-15 14:01 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-25 08:43 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-08-30 08:17 . 2012-10-02 01:16 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B29C4FC0-00A8-4524-BE28-3EE6698A2760}\mpengine.dll
2012-08-30 08:17 . 2012-09-30 18:05 6980552 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-29 03:41 . 2012-08-29 03:41 0 ----a-w- c:\windows\system32\sho85E.tmp
2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2012-08-26 00:27 . 2012-08-26 00:27 230840 ----a-r- c:\windows\system32\cpnprt2.cid
2012-08-23 10:51 . 2012-04-01 00:05 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-23 10:51 . 2011-10-14 21:05 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 20:01 . 2009-08-24 15:09 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 20:01 . 2009-08-24 15:09 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-11 10:14 . 2012-07-31 18:19 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2012-07-06 13:58 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2005-02-14 17:11 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Asus\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Asus\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Asus\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Asus\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InstallerTracingAgent"="c:\program files\Full Uninstall\FullUninstallAgent.exe" [2012-06-08 1224448]
"Folder Scout"="c:\program files\Folder Scout Labs\Folder Scout 1\FolderScout.exe" [2012-06-13 5020160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"Hard Disk Sentinel"="c:\program files\Hard Disk Sentinel\HDSentinel.exe" [2012-02-01 4043416]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\documents and settings\Asus\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Asus\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MLB.TV NexDef Plug-in.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MLB.TV NexDef Plug-in.lnk
backup=c:\windows\pss\MLB.TV NexDef Plug-in.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=c:\windows\pss\Utility Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\anvshell]
2004-06-24 13:28 393216 ----a-r- c:\windows\anvshell.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-11 05:26 368706 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2002-03-20 01:30 45632 ----a-w- c:\windows\system32\TaskSwitch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 06:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-08-24 15:51 442455 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 03:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
2004-02-27 11:06 241664 ----a-w- c:\windows\system32\Keyhook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
2002-07-12 10:15 106496 ----a-w- c:\windows\SiSUSBrg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-05-05 16:57 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Autobahn\\mlb-nexdef-autobahn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Asus\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
.
R0 ulgvqrx;ulgvqrx;c:\windows\System32\drivers\eigy.sys [x]
R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\DRIVERS\anvioctl.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfsxp.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplayxp.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirxp.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvolxp.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - NDISRD
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 10:51]
.
2012-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 01:57]
.
2012-10-02 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-27 00:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-07029614.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-01 18:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{76F363F2-7E9F-4ED7-A6A7-EE30351B6628}\Tool*oxBitmap32]
@="c:\\WINDOWS\\system32\\Dxtmsft.dll,235"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2604)
c:\windows\system32\WININET.dll
c:\documents and settings\Asus\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\asuskbservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\pctspk.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-10-01 18:57:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-02 01:57
ComboFix2.txt 2012-09-21 08:09
.
Pre-Run: 57,190,813,696 bytes free
Post-Run: 57,355,272,192 bytes free
.
- - End Of File - - B2892276981715C31085C2CF5CAD7845
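The two parts of the ComboFix log above that a responder reads first are the service/driver list (the `R0 ... [x]` lines) and the Gmer MBR section. The Python below is an added triage example for this thread; it is not ComboFix, Gmer or BleepingComputer code, and the log conventions it relies on (the `R`/`S` plus start-type prefix, the `name;display;path [info]` layout, the wording of the MBR mismatch line) are assumptions stated in its docstring. It scores each service entry with a loose randomness heuristic plus corroborating signs rather than a malware verdict, and it treats the MBR mismatch as inconclusive when the user-mode read had already failed, which is what this log shows.

```python
"""Triage helpers for a ComboFix log, run over lines from the log above.

Added example for this thread; not ComboFix, Gmer or BleepingComputer code.
Assumed log conventions: a service line reads "R0 name;display;path [info]"
(R running / S stopped, digit = start type: 0 boot, 1 system, 2 auto,
3 demand; the bracket holds "x" or a date and size and is recorded, not
scored), and the Gmer MBR detector prints "user != kernel MBR !!!" when
the sector read from user mode differs from the one read via the kernel.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SERVICE_RE = re.compile(
    r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)(?:\s+\[([^\]]*)\])?\s*$")
VOWELS = "aeiou"

@dataclass
class Service:
    state: str            # "R" running or "S" stopped
    start: int            # 0 boot, 1 system, 2 auto, 3 demand
    name: str
    display: str
    path: str
    info: Optional[str]   # bracket tail, e.g. "x" or "2012-04-01 250056"

def parse_services(lines: List[str]) -> List[Service]:
    """Return a Service for every line in ComboFix's service/driver format."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            state, start, name, display, path, info = m.groups()
            out.append(Service(state, int(start), name, display, path, info))
    return out

def looks_random(name: str) -> bool:
    """Loose randomness heuristic (the DGA-label idea): few vowels or a long
    consonant run. It only opens the door; corroboration decides."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(len(run) for run in re.split(f"[{VOWELS}]", letters))
    return vowel_ratio < 0.25 or longest_run >= 5

def filename_related(svc: Service) -> bool:
    """Sftfs -> Sftfsxp.sys is related; ulgvqrx -> eigy.sys is not."""
    stem = re.sub(r"\.[^.]*$", "", svc.path.rsplit("\\", 1)[-1]).lower()
    name = svc.name.lower()
    return name in stem or stem in name

def suspicious(svc: Service) -> bool:
    """Flag for analyst review: random-looking name plus at least two
    corroborating signs. Triage, not a malware verdict."""
    if not looks_random(svc.name):
        return False
    signs = [
        svc.display == svc.name,    # no vendor-style display name
        svc.start <= 1,             # boot/system start: loads before AV
        not filename_related(svc),  # service and file names unrelated
    ]
    return sum(signs) >= 2

def triage_services(lines: List[str]) -> List[Service]:
    return [s for s in parse_services(lines) if suspicious(s)]

def mbr_verdict(lines: List[str]) -> str:
    """A mismatch only means something if the user-mode read succeeded;
    after a failed read the user buffer never held a real sector to compare."""
    text = "\n".join(lines)
    mismatch = "user != kernel MBR" in text
    user_failed = "user: error reading MBR" in text
    if mismatch and user_failed:
        return "inconclusive"
    return "mismatch" if mismatch else "consistent"

# Constructed subset of the log above.
SAMPLE_SERVICES = r"""
R0 ulgvqrx;ulgvqrx;c:\windows\System32\drivers\eigy.sys [x]
R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\DRIVERS\anvioctl.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfsxp.sys [x]
""".splitlines()

SAMPLE_MBR = r"""
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
""".splitlines()

if __name__ == "__main__":
    for svc in triage_services(SAMPLE_SERVICES):
        print(f"review: {svc.state}{svc.start} {svc.name} -> {svc.path}")
    print("MBR check:", mbr_verdict(SAMPLE_MBR))
```

Run as a script it prints the entries to review and the MBR verdict. On the lines above, the only entry it singles out is the boot-start driver whose service name and file name are two unrelated random strings; the App-V drivers (Sftfs and friends) also have vowel-poor names but their file names share the service stem and they are demand-start, so they stay below the bar. The MBR check comes back inconclusive because PhysicalDrive0 was held open by another process when the user-mode read ran, so that section should be repeated with the drive free before the mismatch line is read as a rootkit indicator.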

#14 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 October 2012 - 10:56 PM

Hello

They are a lot easier to have here if I need to research them at a later date.

I would like to see a report that combofix makes.

extra combofix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 gandydancer (Topic Starter)

  • Members
  • 29 posts

Posted 01 October 2012 - 11:45 PM

Just pasting didn't work (posting caused an error), don't know if this post will go through either...

http://www.2shared.com/document/Qmf_O0Rj/Add-Remove_Programs.html



