SakuraChan
  1. Thanks for your reply. I scanned the files at http://www.virscan.org and https://www.virustotal.com and neither found any indication that they were malicious. As far as I can tell, there is also no indication that my computer is currently infected. Since I cannot detect any problems, I decided not to post in the Malware Removal Forum and to just delete those folders and files from my computer. Again, thanks for the help. Here's to hoping you don't see me in the Malware Removal Forum any time soon!
  2. Hello, I was poking around my user profile (in Windows 7, path C:\Users\UserName\AppData\Roaming) trying to fix my Firefox profile information when I came upon two folders with names I do not recognize. One is called Izkof and seems to be empty. The other is called Ojyqyt and has two files called lial.poy and lial.poy.0. Strange files always set me on edge, but I also know some of them contain important things that I shouldn't be messing with. Both folders indicate they were last changed several months ago, and scans with my antivirus as well as Malwarebytes show nothing (so I assume they are not viruses). Google has not been helpful in finding information, so I am turning to the knowledgeable people here on this forum for help. What do these files do? Can I/should I delete them? On a broader note, is there an easy-ish way for me to tell which of my "mysterious files" are important and which are not? I know this is a rather vague question, but anything would be helpful so I don't permanently ruin my computer: Can I assume files that have not been touched for a certain period of time are safe/important to have on the computer? Is there a folder I should never, under any circumstances, touch? Should I just not touch anything that I don't know exactly what it does without asking someone first? Thank you all for your help.
  3. Just wanted to thank you again, because it can't be done enough. Your instructions were great and easy to follow. Thanks for all your time and effort.

  4. Just did a check, I am not getting browser redirects anymore. YAY! Thank you so much! I have uninstalled Combofix and re-enabled CD Emulation drivers. Before I uninstall Norton, I plan to uninstall all the other clean-up tools first. I have:
     - Defogger
     - DDS
     - GMER
     - ATF Cleaner
     - TDSS Killer
     - RootKit Unhooker
     Do any of these have special uninstall procedures/anything I should keep/anything else I should be aware of?
  5. Combofix ran much faster this time. Combofix log:
  6. AV is Anti-Virus, right? The Norton subscription has been expired for over a year; I was going to buy the update, but never got around to it, and the computer never had any problems with viruses, so I got lazy and never did it. It's likely how I managed to get the virus in the first place. I assumed that since Norton was expired, it was the same as being disabled. If this is not so, please tell me so I can make sure to turn it off. The Avira I only downloaded after I got the virus, as per instructions in the sticky post. I will uninstall one of them when the computer is clean/if you need me to do so. I will run the combofix scan now and reply with the results.
  7. I followed your instructions and ran the Recovery Console. It told me the new MBR was successful and the computer was rebooted in normal mode. It started up normally and seems to be running normally, although it might be just slightly slower than usual.
  8. Here is the RKU log:
  9. I'm still having trouble running TDSSKiller. I downloaded the new version provided in your link and unzipped it to the desktop. When I click on it normally, it starts but fails at 80%. I get the message "TDSS rootkit removing tool has encountered a problem and needs to close. We are sorry for the inconvenience." I have tried 3 times to open it normally. If I open it with "Run as...", it opens; however, the program gives me a popup "Can't initialize log." The scan only takes 4 seconds and then reports that no infection was found. It does not generate a log/report. When I return to the main screen, the report button is grey and not selectable. When I look in C:\ I can only find logs for the failed start-ups, none for the scans. I have tried running it this way 2 times. This is the log generated when it fails to initialize:
  10. I tried to run using "Administrator," however the computer gives me "log on failure". Looking at the user info, it says this account is the "computer administrator" so I assume that this is the appropriate account. The computer restarted normally, and seems to be working; I don't immediately see anything that is not working. It took ComboFix a while (around 20 min.) to generate the log after restarting, but that might be normal. Here is the ComboFix log: ComboFix 11-04-26.03 - Daniel Chan 04/26/2011 22:20:38.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.444 [GMT -6:00] Running from: c:\documents and settings\Daniel Chan\Desktop\ComboFix.exe AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} AV: Norton 360 *Disabled/Outdated* {A5F1BC7C-EA33-4247-961C-0217208396C4} FW: Norton 360 *Disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\system32\_000005_.tmp.dll c:\windows\system32\_000006_.tmp.dll c:\windows\system32\_000008_.tmp.dll c:\windows\system32\Thumbs.db . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_usnjsvc . . ((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 ))))))))))))))))))))))))))))))) . . 2011-04-27 04:11 . 2011-04-27 04:12 -------- d-----r- C:\32788R22FWJFW 2011-04-24 16:06 . 2011-04-24 16:06 -------- d-----w- c:\documents and settings\Daniel Chan\Application Data\Avira 2011-04-24 16:02 . 2011-03-04 22:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-04-24 16:02 . 2011-03-04 20:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-04-24 16:02 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-04-24 16:02 . 
2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-04-24 16:02 . 2011-04-24 16:02 -------- d-----w- c:\program files\Avira 2011-04-24 16:02 . 2011-04-24 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-04-23 21:47 . 2009-02-13 19:02 11520 ----a-r- c:\windows\system32\drivers\wdcsam.sys 2011-04-22 22:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll 2011-04-22 22:43 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll 2011-04-22 22:43 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll 2011-04-22 22:43 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll 2011-04-22 22:43 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll 2011-04-22 22:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll 2011-04-22 22:43 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll 2011-04-22 22:43 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll 2011-04-22 22:07 . 2011-04-22 22:07 54016 ----a-w- c:\windows\system32\drivers\iihl.sys 2011-04-22 08:35 . 2011-04-23 17:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2011-04-22 08:34 . 2011-04-23 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro 2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll 2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2006-08-08 02:13 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2006-08-08 01:57 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 
2007-08-12 05:09 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2006-08-08 01:57 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06 . 2006-08-08 01:56 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 2006-08-08 01:56 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41 . 2006-08-08 01:56 385024 ----a-w- c:\windows\system32\html.iec 2011-02-17 13:18 . 2006-08-08 01:56 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-02-17 13:18 . 2006-08-08 01:57 357888 ----a-w- c:\windows\system32\drivers\srv.sys 2011-02-17 12:32 . 2009-04-16 22:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56 . 2006-08-08 01:56 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53 . 2006-08-08 01:57 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2006-08-08 01:56 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33 . 2006-08-08 01:56 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33 . 2006-08-08 01:56 974848 ----a-w- c:\windows\system32\mfc42u.dll 2011-02-03 03:40 . 2010-05-14 05:03 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-02-03 01:19 . 2007-10-11 17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-02-02 07:58 . 2006-08-08 02:12 2067456 ----a-w- c:\windows\system32\mstscax.dll 2011-01-27 11:57 . 2006-08-08 02:12 677888 ----a-w- c:\windows\system32\mstsc.exe 2011-03-18 17:53 . 2011-04-22 22:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll 2009-04-01 04:47 . 2009-01-22 03:30 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288] "Aim6"="c:\program files\AIM6\aim6.exe" [2006-11-07 50736] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784] "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784] "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-28 217088] "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768] "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216] "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128] "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632] "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672] "LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200] "BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512] "LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888] "NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 
319488] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960] "HostManager"="c:\program files\Common Files\AOL\1162857249\ee\AOLSoftware.exe" [2006-04-13 50792] "DISCover"="c:\program files\DISC\DISCover.exe" [2006-06-02 1077248] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-13 113664] Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-3 1753088] CU VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-4-27 6144] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="userinit.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon] 2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\DISC\\DISCover.exe"= "c:\\Program Files\\DISC\\DiscStreamHub.exe"= "c:\\Program Files\\DISC\\myFTP.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1162857249\\ee\\aolsoftware.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Sony\\VAIO Media 5.0\\Vc.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"= "c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"= "c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"= . R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/24/2011 10:02 AM 135336] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 1:37 PM 149352] R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?] 
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2009 11:48 PM 102448] R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [8/7/2006 7:57 PM 30080] R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/7/2006 7:57 PM 226304] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 8:32 PM 23888] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/27/2009 6:35 PM 38224] S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?] S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [4/23/2011 3:47 PM 11520] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - COMHOST *NewlyCreated* - WUAUSERV . Contents of the 'Scheduled Tasks' folder . 2011-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34] . 2011-04-27 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07] . . ------- Supplementary Scan ------- . IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000 Trusted Zone: trymedia.com TCP: {0EF1749B-D7EE-4B29-B02B-B10087DDA8C3} = 68.87.69.146,68.87.85.98 FF - ProfilePath - c:\documents and settings\Daniel Chan\Application Data\Mozilla\Firefox\Profiles\85m73iz6.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/ FF - prefs.js: network.proxy.type - 4 . - - - - ORPHANS REMOVED - - - - . AddRemove-Musette_is1 - c:\program files\Musette\unins000.exe AddRemove-Switch - c:\program files\NCH Swift Sound\Switch\uninst.exe . . . 
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-26 22:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2160BT_PL rev.0000004F -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x874DF57B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1800)
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll
.
- - - - - - - > 'lsass.exe'(1860)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(6388)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\rundll32.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Apoint\Apntex.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Microsoft Office\Office10\msoffice.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Logitech\QuickCam10\COCIManager.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
.
**************************************************************************
.
Completion time: 2011-04-26 22:56:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-27 04:56
.
Pre-Run: 120,385,732,608 bytes free
Post-Run: 120,687,607,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7B2FD2996495170112D2ADBD254DF1FA
11. Hello all,

Sorry, but this is yet another person with a redirect virus. On the 21st I managed to be infected with three(?) viruses: XP Security 2011-unofficial version, Antimalware doctor, and a browser redirect. Following some online tutorials, I think I have managed to remove the XP security and Antimalware Dr., but I have not had any success with the browser redirect.

Main problem: The browser redirect appears to affect both Firefox and Internet Explorer while performing searches in Google and Bing; however, it does not always redirect me. It tends to happen more often when I search for computer/antivirus related material. When I click on search result links, I am first redirected to a blank page with a random address bar, then am again redirected to a real computer/antivirus website, but the address has some strange additions. Scanning with MBAM usually finds some infections and removes them. It does not detect anything again, even after restart, until I go online and am redirected (so the redirect virus was not fixed). Random files get created in the Temp folder and (sometimes) in the System32 folder; inside is a .exe file. Scanning shows these to be trojans. I think they might be coming from the redirect pages. When the random folder is created, I get a popup that looks like a Command Prompt window with the new file extension. After looking around online, I thought the redirect might be a rootkit problem, so I got the Kaspersky TDSS Killer, but it initializes to 80% and quits. Redownloading and renaming the file did not work and I cannot boot in Safe Mode.

Other issues: I am unsure if these are related to the infection, but I will post in case they are helpful.
- I am getting a "Generic Host Process for Win32 Services" error that I did not get before.
- Sometimes the computer has trouble starting Firefox or IE. Task Manager shows the processes are running, but they otherwise never show up.
- I tried to follow the instructions in the pinned thread, but I cannot run GMER. It starts and scans for a long time, but eventually I check on it and I find that the computer restarted and tells me I had a blue-screen error. I have tried twice. I also cannot tell if defogger was successful. I run it and get the "Finished" message, but it does not tell me to restart the computer.
- On April 10th, I was infected with a blaster worm virus, but I think I deleted it successfully. I did not have any problems until the 21st. Prior, I cannot recall having any problems with this computer.
- Since I have been trying to get rid of the virus on my own, there is a chance that I may have deleted a file that the computer needs to run, thus causing some of these problems.

I'm afraid I'm not very good with computers (and maybe shouldn't have tried fixing it on my own, but I digress...). Thank you in advance for your help. Happy Easter

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6435

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2011 5:45:46 PM
mbam-log-2011-04-24 (17-45-46).txt

Scan type: Quick scan
Objects scanned: 169701
Time elapsed: 19 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Daniel Chan at 20:48:57.90 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.215 [GMT -6:00]
.
AV: Norton 360 *Disabled/Outdated* {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Common Files\AOL\1162857249\ee\AOLSoftware.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Daniel Chan\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [ssAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [iSBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [HostManager] c:\program files\common files\aol\1162857249\ee\AOLSoftware.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cuvpnc~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://0-site.ebrary.com.nell.boulder.lib.co.us/lib/boulder/support/plugins/ebraryRdr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {0EF1749B-D7EE-4B29-B02B-B10087DDA8C3} = 68.87.69.146,68.87.85.98
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\daniel~1\applic~1\mozilla\firefox\profiles\85m73iz6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-10 102448]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-8-7 30080]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-1-3 1245064]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-8-7 226304]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091230.035\NAVENG.SYS [2009-12-30 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091230.035\NAVEX15.SYS [2009-12-30 1323568]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-4-23 11520]
.
=============== Created Last 30 ================
.
2011-04-23 21:47:55 11520 ----a-r- c:\windows\system32\drivers\wdcsam.sys
2011-04-23 05:55:02 -------- d-----w- c:\windows\system32\drivers\etc
2011-04-22 22:43:20 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-22 22:43:19 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-22 22:43:19 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-22 22:43:19 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-22 22:43:19 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-22 22:43:19 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-22 22:43:19 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-22 22:43:19 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-22 22:07:16 54016 ----a-w- c:\windows\system32\drivers\iihl.sys
2011-04-22 08:35:17 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-22 08:34:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-18 01:17:05 -------- d-----w- c:\program files\common files\ODBC
2011-04-14 09:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 09:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-10 23:06:21 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 03:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 01:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2160BT_PL rev.0000004F -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85A72C18]<<
_asm { PUSH EBP; CALL 0x6; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87539968]
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [sI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x874E157B
user & kernel MBR OK
.
============= FINISH: 20:51:05.89 ===============

Attach.txt
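One way to triage a DDS log like the one posted above, as an added example that is not part of the original post and is not code from DDS, GMER, ComboFix or Malwarebytes: the Python below works on a subset of lines copied from the posted log (the "Created Last 30", "SERVICES / DRIVERS" and "ROOTKIT" sections). It lists kernel drivers created in the last week that have no matching path in the posted services list, newest first, and pulls the three indicators an analyst reads off the MBR detector output (the UNKNOWN module in the disk call chain, the read error between the user-mode and kernel-mode MBR reads, and any entry under "detected hooks:"). The reference time, the seven-day window and the "unlisted driver" heuristic are my assumptions; the output is a review order for an analyst, not a verdict on any file.

```python
"""Triage helper for DDS-style log excerpts (added example; not from the
forum post and not from the DDS/GMER/ComboFix tools)."""
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the posted DDS log, "Created Last 30" section.
CREATED_LAST_30 = """\
2011-04-23 21:47:55 11520 ----a-r- c:\\windows\\system32\\drivers\\wdcsam.sys
2011-04-23 05:55:02 -------- d-----w- c:\\windows\\system32\\drivers\\etc
2011-04-22 22:43:20 142296 ----a-w- c:\\program files\\mozilla firefox\\components\\browsercomps.dll
2011-04-22 22:07:16 54016 ----a-w- c:\\windows\\system32\\drivers\\iihl.sys
2011-04-22 08:35:17 16968 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro35.sys
2011-04-10 23:06:21 -------- d-----w- c:\\windows\\pss
"""

# Sample input: driver entries copied from the posted "SERVICES / DRIVERS" section.
SERVICES = """\
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\\windows\\system32\\drivers\\SonyImgF.sys [2006-8-7 30080]
R3 ti21sony;ti21sony;c:\\windows\\system32\\drivers\\ti21sony.sys [2006-8-7 226304]
S3 COH_Mon;COH_Mon;c:\\windows\\system32\\drivers\\COH_Mon.sys [2008-1-12 23888]
S3 vsdatant;vsdatant;c:\\windows\\system32\\vsdatant.sys [2005-1-26 280344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\\windows\\system32\\drivers\\wdcsam.sys [2011-4-23 11520]
"""

# Sample input: lines copied from the posted "ROOTKIT" section.
ROOTKIT = """\
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85A72C18]<<
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x874E157B
user & kernel MBR OK
"""

# Assumption: the DDS run time from the log header (20:48:57 on 04/23/2011,
# GMT -6) expressed in UTC, because the "Created" timestamps read as UTC
# (ComboFix lists wdcsam.sys at 3:47 PM local for the 21:47 entry above).
REFERENCE_UTC = datetime(2011, 4, 24, 2, 48, 57)

CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
                        r"(?P<size>\d+|-+)\s+(?P<attr>\S{8})\s+(?P<path>.+)$")
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]+;(?P<path>[^\[]+?)\s+\[")
HOOK_RE = re.compile(r"^\\Driver\\\S+ \S+ -> 0x[0-9A-Fa-f]+$")


def recent_unregistered_drivers(created, services, now=REFERENCE_UTC, days=7):
    """Kernel drivers (.sys under system32\\drivers) created within `days` of
    `now` whose path does not appear in the services list, newest first.
    Heuristic only: it orders what to look at, it does not decide malice."""
    known = {m.group("path").strip().lower()
             for m in map(SERVICE_RE.match, services.splitlines()) if m}
    hits = []
    for m in map(CREATED_RE.match, created.splitlines()):
        if not m:
            continue
        path = m.group("path").strip().lower()
        if not (path.endswith(".sys") and "\\system32\\drivers\\" in path):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if now - ts <= timedelta(days=days) and path not in known:
            hits.append((path, ts))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def mbr_scan_findings(text):
    """Indicators from the MBR detector output: an UNKNOWN module in the disk
    call chain, a read error sitting between the user-mode and kernel-mode
    MBR reads, and every entry listed under 'detected hooks:'."""
    lines = [l.strip() for l in text.splitlines()]
    findings, in_hooks = [], False
    for i, line in enumerate(lines):
        if line.startswith("called modules:") and "UNKNOWN" in line:
            findings.append("unknown module in disk I/O call chain: " + line)
        elif line.startswith("error:") \
                and any(l.startswith("user: MBR read") for l in lines[:i]) \
                and any(l.startswith("kernel: MBR read") for l in lines[i + 1:]):
            findings.append("read error between user and kernel MBR reads")
        elif line == "detected hooks:":
            in_hooks = True
        elif in_hooks and HOOK_RE.match(line):
            findings.append("hook: " + line)
        else:
            in_hooks = False  # a non-hook line ends the hooks block
    return findings


if __name__ == "__main__":
    for path, ts in recent_unregistered_drivers(CREATED_LAST_30, SERVICES):
        print(f"review driver: {path} (created {ts:%Y-%m-%d %H:%M} UTC)")
    for finding in mbr_scan_findings(ROOTKIT):
        print("review:", finding)
```

On the posted excerpt the driver check returns iihl.sys and hitmanpro35.sys, because neither path appears among the posted service entries; the analyst then resolves each against installer records (the log does show a Hitman Pro folder created a minute before hitmanpro35.sys) rather than treating the list as a detection. The MBR check reproduces what the detector itself printed, the UNKNOWN module, the read error and the \Driver\atapi DriverStartIo hook, while leaving the detector's own "user & kernel MBR OK" verdict to the reader.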