
My system was infected by a Trojan Virus. Malwarebytes found several problems from this virus and supposedly "cleaned" it from my system. But the system still does not work correctly. MWAM keeps popping up a message that reads, "Successfully Blocked Access to a Malicious Website 146.185.250.210". Several other IP addresses will frequently pop up as well. There is something attached to my system that keeps trying to contact outside IP addresses. How can I fix this???!!!

attach.txt

dds.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512

Run by Tornillo at 20:01:27 on 2011-11-27

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3054.2464 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

svchost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://dts.search-results.com/sidebar.html?src=ssb&appid=102&systemid=406&sr=0

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}

mSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {494c5f59-3fb6-7e07-6841-33e82d34229b} - c:\windows\system32\d3dpmeshh.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [tsnp2uvc] c:\windows\tsnp2uvc.exe

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

TCP: DhcpNameServer = 68.87.64.150 68.87.75.198

TCP: Interfaces\{18B96D85-ED0C-452A-BB2E-3720FD4BEABB} : DhcpNameServer = 68.87.64.150 68.87.75.198

TCP: Interfaces\{EE09753D-64A3-43BC-9F89-AF985A5EB37E} : DhcpNameServer = 10.177.2.111 10.177.2.121 10.177.0.19

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\tornillo\application data\mozilla\firefox\profiles\g7kib51l.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-7-1 24304]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-7-1 13480]

R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-7-1 132456]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-27 366152]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-7-1 53248]

R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-7-1 63928]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-27 22216]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-7-1 45496]

S3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2010-7-1 81280]

S3 SG320 Video Capture;SG320 Video Capture;c:\windows\system32\drivers\SGCam3UVC.sys [2011-10-21 2503832]

S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2007-4-10 72576]

S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2007-1-12 102144]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

.

=============== Created Last 30 ================

.

2011-11-28 00:44:34 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys

2011-11-28 00:43:58 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll

2011-11-28 00:42:59 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll

2011-11-28 00:41:58 28032 -c--a-w- c:\windows\system32\dllcache\perm3.sys

2011-11-28 00:40:59 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys

2011-11-28 00:39:58 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys

2011-11-28 00:38:58 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys

2011-11-28 00:37:55 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll

2011-11-28 00:36:59 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll

2011-11-28 00:35:59 324608 -c--a-w- c:\windows\system32\dllcache\hpojwia.dll

2011-11-28 00:34:58 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys

2011-11-28 00:33:59 19996 -c--a-w- c:\windows\system32\dllcache\em556n4.sys

2011-11-28 00:32:59 256512 -c--a-w- c:\windows\system32\dllcache\devcon32.dll

2011-11-28 00:31:50 37888 -c--a-w- c:\windows\system32\dllcache\bthmodem.sys

2011-11-28 00:30:59 42368 -c--a-w- c:\windows\system32\dllcache\agp440.sys

2011-11-27 23:58:42 -------- d-----w- c:\documents and settings\tornillo\application data\ElevatedDiagnostics

2011-11-27 23:02:12 -------- d-----w- c:\windows\system32\2003

2011-11-27 22:15:14 -------- d-----w- c:\program files\common files\Bitdefender

2011-11-27 22:14:28 -------- d-----w- c:\documents and settings\tornillo\application data\QuickScan

2011-11-27 20:52:28 -------- d-----w- c:\documents and settings\tornillo\application data\Malwarebytes

2011-11-27 20:52:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-27 20:52:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-27 20:52:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-27 18:30:22 -------- d-----w- c:\program files\PC Tools Security

2011-11-27 18:29:17 -------- d-----w- c:\documents and settings\all users\application data\PC Tools

2011-11-27 17:16:39 111616 ----a-w- c:\documents and settings\all users\application data\L3r2j7JN.exe

2011-11-21 02:26:09 -------- d-----w- c:\documents and settings\tornillo\application data\searchquband

2011-11-21 02:26:09 -------- d-----w- c:\documents and settings\tornillo\AppData

2011-11-21 02:24:47 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess

2011-11-20 21:08:20 -------- d-----w- c:\program files\iLivid

2011-11-15 01:49:26 -------- d-----w- c:\documents and settings\tornillo\application data\OfficeRecovery

2011-11-11 18:16:47 -------- d-----w- c:\program files\oDesk

2011-11-11 18:16:40 -------- d-----w- c:\documents and settings\tornillo\local settings\application data\oDesk

2011-11-05 13:38:20 -------- d-----w- c:\documents and settings\tornillo\local settings\application data\Help

.

==================== Find3M ====================

.

2011-11-24 14:53:18 60 ----a-w- c:\windows\wpd99.drv

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-22 17:29:58 51716 ----a-w- c:\windows\system32\pdf995mon.dll

2011-09-22 17:29:58 249856 ----a-w- c:\windows\system32\pdfmona.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-09-05 13:56:22 667136 ----a-w- c:\windows\system32\wininet.dll

2011-09-05 13:56:22 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-09-05 13:56:21 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-09-05 12:35:09 369664 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 20:02:10.23 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 9/13/2011 7:48:42 PM

System Uptime: 11/27/2011 7:47:03 PM (1 hours ago)

.

Motherboard: LENOVO | | 7663B15

Processor: Intel® Core2 Duo CPU T7300 @ 2.00GHz | None | 1995/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 90 GiB total, 54.686 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 9/13/2011 7:48:44 PM - System Checkpoint

RP2: 9/13/2011 5:25:49 PM - Installed Microsoft Office XP Professional

RP3: 9/13/2011 5:31:22 PM - Installed Microsoft Publisher 2002

RP4: 9/13/2011 5:51:17 PM - Software Distribution Service 3.0

RP5: 9/13/2011 5:56:35 PM - Software Distribution Service 3.0

RP6: 9/14/2011 6:00:12 AM - Software Distribution Service 3.0

RP7: 9/14/2011 10:03:42 AM - Installed iTunes

RP8: 9/14/2011 11:34:04 AM - Removed Productivity Center

RP9: 9/14/2011 11:34:30 AM - Removed ThinkVantage Active Protection System.

RP10: 9/14/2011 11:35:07 AM - Removed ThinkVantage Access Connections

RP11: 9/14/2011 3:31:44 PM - Installed PowerDVD

RP12: 9/14/2011 3:36:49 PM - Configured PowerDVD

RP13: 9/16/2011 2:00:41 PM - Installed Adobe Reader X (10.1.1).

RP14: 9/17/2011 3:00:15 AM - Software Distribution Service 3.0

RP15: 9/18/2011 9:22:50 AM - Software Distribution Service 3.0

RP16: 9/19/2011 8:03:29 AM - Software Distribution Service 3.0

RP17: 9/20/2011 11:27:10 AM - System Checkpoint

RP18: 9/21/2011 7:33:04 AM - Software Distribution Service 3.0

RP19: 9/21/2011 10:48:18 AM - Software Distribution Service 3.0

RP20: 9/22/2011 9:45:09 AM - Software Distribution Service 3.0

RP21: 9/22/2011 11:08:38 AM - Printer Driver Microsoft XPS Document Writer Installed

RP22: 9/22/2011 1:27:49 PM - Printer Driver PDF995 Printer Driver Installed

RP23: 9/22/2011 1:29:32 PM - Printer Driver PDF995 Printer Driver Installed

RP24: 9/22/2011 1:30:02 PM - Printer Driver PDF995 Printer Driver Installed

RP25: 9/23/2011 8:16:28 AM - Software Distribution Service 3.0

RP26: 9/29/2011 12:50:49 PM - Software Distribution Service 3.0

RP27: 10/2/2011 3:55:04 PM - System Checkpoint

RP28: 10/13/2011 8:08:51 AM - Software Distribution Service 3.0

RP29: 10/13/2011 8:38:51 AM - Software Distribution Service 3.0

RP30: 10/13/2011 8:49:00 AM - Installed Java 6 Update 26

RP31: 10/17/2011 4:41:11 PM - Installed 1300

RP32: 10/17/2011 4:41:18 PM - Installed 1300Tour

RP33: 10/17/2011 4:41:24 PM - Installed 1300_Help

RP34: 10/17/2011 4:41:27 PM - Installed 1300Trb

RP35: 10/19/2011 7:16:26 AM - Software Distribution Service 3.0

RP36: 10/20/2011 5:36:08 AM - Software Distribution Service 3.0

RP37: 10/20/2011 8:44:00 AM - Software Distribution Service 3.0

RP38: 10/21/2011 7:51:19 PM - Installed Sigmachip USB Camera Driver

RP39: 10/22/2011 12:22:09 PM - Removed Skype Click to Call

RP40: 10/22/2011 12:22:37 PM - Removed Skype™ 5.5

RP41: 10/27/2011 8:03:44 PM - System Checkpoint

RP42: 11/2/2011 8:00:45 PM - System Checkpoint

RP43: 11/10/2011 5:34:21 AM - Software Distribution Service 3.0

RP44: 11/12/2011 7:23:34 AM - Software Distribution Service 3.0

RP45: 11/14/2011 8:49:20 PM - Installed FreeUndelete 2.1.36867.1

RP46: 11/16/2011 7:24:46 AM - System Checkpoint

RP47: 11/20/2011 9:26:14 PM - Removed Softonic Toolbar.

RP48: 11/22/2011 8:50:29 AM - System Checkpoint

RP49: 11/23/2011 3:49:48 PM - System Checkpoint

RP50: 11/25/2011 3:42:00 AM - System Checkpoint

RP51: 11/26/2011 1:12:06 PM - System Checkpoint

RP52: 11/27/2011 2:07:44 PM - Removed FreeUndelete 2.1.36867.1

RP53: 11/27/2011 7:26:09 PM - Installed Java 6 Update 29

.

==== Installed Programs ======================

.

ACDSee Classic

Adobe Reader X (10.1.1)

AiO_Scan

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

Copy

CreativeProjects

Director

DocProc

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

HP Image Zone 4.2

HP PSC & OfficeJet 4.2

HP Software Update

hpmdtab

HPSystemDiagnostics

HyperCam 2

InstantShare

Integrated Camera

Intel PROSet Wireless

Intel® Graphics Media Accelerator Driver

Intel® PROSet/Wireless WiFi Software

InterVideo WinDVD

iTunes

Lenovo System Interface Driver

Malwarebytes' Anti-Malware version 1.51.2.1300

Memories Disc Creator 2.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2572067)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

Microsoft Office XP Professional

Microsoft Publisher 2002

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox 8.0.1 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NVIDIA Drivers

oDesk Team

On Screen Display

Pdf995

PhotoGallery

PIXresizer

Presentation Director

Productivity Center Supplement for ThinkPad

QFolder

QuickProjects

QuickTime

RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544521)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2559049)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2586448)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

Sierra Wireless MC57xx Package for Access Connections

Sigmachip USB Camera Driver

SkinsHP1

SkinsHP2

Skype™ 5.5

Sonic Express Labeler

Sonic RecordNow!

Sonic Update Manager

Sothink FLV Player

Sothink SWF Decompiler

Sothink SWF Editor version 1.0

SoundMAX

Spybot - Search & Destroy

ThinkPad EasyEject Utility

ThinkPad FullScreen Magnifier

ThinkPad Hotkey Features Integration Setup

ThinkPad Keyboard Customizer Utility

ThinkPad Modem

ThinkPad Power Management Driver

ThinkPad Power Manager

ThinkPad UltraNav Driver

ThinkPad UltraNav Utility

TrayApp

UMPlayer 0.98 [P4]

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

WebReg

Windows Genuine Advantage Validation Tool (KB892130)

Windows Media Format Runtime

Windows PowerShell 1.0

WinRAR 4.01 (32-bit)

XML Paper Specification Shared Components Pack 1.0

.

==== Event Viewer Messages From Past Week ========

.

11/27/2011 7:45:35 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

11/27/2011 7:02:33 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

11/27/2011 5:18:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TFSysMon

11/27/2011 4:19:45 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

11/27/2011 12:42:11 PM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 12:37:44 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 12:34:36 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

11/27/2011 12:05:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm lenovo.smi TPHKDRV TPPWRIF TSMAPIP

11/27/2011 12:04:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/27/2011 12:04:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

11/27/2011 11:32:40 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).

11/27/2011 11:31:39 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

11/27/2011 11:30:28 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

11/27/2011 11:26:03 AM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless WiFi Service service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 11:25:07 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

11/27/2011 11:24:34 AM, error: Service Control Manager [7034] - The Updater Service for StartNow Toolbar service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 1:08:09 PM, error: Service Control Manager [7034] - The On Screen Display service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 1:07:55 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 1:07:18 PM, error: Service Control Manager [7034] - The Lenovo Doze Mode Service service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 1:03:39 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 1:03:23 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

11/27/2011 1:02:41 PM, error: Service Control Manager [7034] - The Power Manager DBC Service service terminated unexpectedly. It has done this 1 time(s).

11/25/2011 3:12:01 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 00215C01079F has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

.

==== End Of File ===========================


Welcome to Malwarebytes mtornillo,

The logs show some hijacked search settings, but the error logs suggest more malware may still exist there. Let's make some changes, then check in more detail.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

---------

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"=-
"SearchAssistant"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"SearchAssistant"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
@=""

Open Notepad (Start - Run, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

---------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.

  • Double click the aswMBR.exe icon to run it
  • Decline a download of avast itself if offered
  • If avast! antivirus is already installed, go to the dropdown next to AV engine: and select (none)
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

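The reply above reads the Pseudo HJT Report for a handful of things: search settings redirected to a third-party domain, registrations that point at files which no longer exist, a BHO loaded from the Windows directory, and a hosts-file entry that sinkholes a security site. The script below is an added example, not code from this thread, from DDS or from Malwarebytes, that applies those same first-pass checks to that section of a DDS log. The five rules and the allowlist of expected search hosts are the editor's own assumptions: they mark entries for review, not verdicts. The sample input is excerpted from the log posted above.

```python
import re
from urllib.parse import urlparse

# Heuristic first-pass triage of the "Pseudo HJT Report" section of a DDS log.
# These rules are the editor's own (not part of DDS); each one marks an entry
# for review rather than declaring it malicious.

# Hosts an IE start page or search provider would normally be expected to use.
# Assumed allowlist for this example; extend it for your own environment.
EXPECTED_SEARCH_HOSTS = {"google.com", "bing.com", "msn.com", "live.com", "microsoft.com"}

# DDS keys that carry a start-page or search URL ("u" = HKCU, "m" = HKLM).
SEARCH_KEYS = ("uStart Page", "mStart Page", "uDefault_Page_URL", "mDefault_Page_URL",
               "uSearch Bar", "mSearch Bar", "uSearchAssistant", "mSearchAssistant")

# Lines excerpted from the DDS log posted above, used here as sample input.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {494c5f59-3fb6-7e07-6841-33e82d34229b} - c:\windows\system32\d3dpmeshh.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [tsnp2uvc] c:\windows\tsnp2uvc.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
"""


def refang(url):
    """DDS writes URLs as hxxp:// so they are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


def host_is_expected(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_SEARCH_HOSTS)


def triage_line(line):
    """Return (category, reason) for one pseudo-HJT line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None

    # 1. Dangling registration: the registry entry survived but its file is gone.
    if line.endswith("No File"):
        return ("orphaned_entry", "registry entry points at a file that no longer exists")

    # 2. Start page / search provider pointing somewhere other than an expected engine.
    for key in SEARCH_KEYS:
        if line.startswith(key + " ="):
            host = urlparse(refang(line.split("=", 1)[1])).hostname or ""
            if not host_is_expected(host):
                return ("search_hijack", "search/start-page setting points at " + host)
            return None

    # 3. Browser helper objects are normally installed under Program Files; one
    #    registered from the Windows directory deserves a look whatever its name says.
    if line.startswith("BHO:"):
        path = line.rsplit(" - ", 1)[-1].lower()
        if path.startswith(("c:\\windows\\", "%windir%")):
            return ("bho_in_windows_dir", "BHO loaded from " + path)
        return None

    # 4. Autorun whose binary sits directly in the Windows root rather than in a
    #    subdirectory or Program Files. Vendor tools do sometimes land there, so
    #    this is a review flag, not a verdict.
    m = re.match(r'[um]Run(?:Once)?: \[[^\]]*\] (?:"([^"]+)"|(\S+))', line)
    if m:
        exe = (m.group(1) or m.group(2)).lower()
        if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", exe):
            return ("run_in_windows_root", "autorun binary " + exe)
        return None

    # 5. Hosts-file entry that sinkholes a real domain, a common way malware blocks
    #    security vendors' sites.
    if line.startswith("Hosts:"):
        parts = line.split()
        if len(parts) >= 3 and parts[1] in ("127.0.0.1", "0.0.0.0") and parts[2].lower() != "localhost":
            return ("hosts_redirect", parts[2] + " sinkholed to " + parts[1])
    return None


def triage(log_text):
    """Run triage_line over a whole section and collect the hits in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append({"category": hit[0], "reason": hit[1], "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['category']:20} {f['reason']}")
```

Run it as a script to print the findings, or import `triage` and feed it the whole Pseudo HJT section. Anything it flags still needs the file itself examined (vendor, signature, hash); that is what the GMER and aswMBR steps in the reply are for, since a registry line alone cannot tell a renamed vendor binary from a dropper.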

  • 2 weeks later...

Hi Jintan,

I've got the same problem as mtornillo. I've followed your steps, here's my log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-09 23:39:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST9320423AS rev.0002SDM1
Running: mvcf49dn.exe; Driver: C:\DOCUME~1\MATTPE~1\LOCALS~1\Temp\kfeoqkod.sys

---- System - GMER 1.0.15 ----

SSDT spcl.sys ZwCreateKey [0xB9EAB0E0]
SSDT spcl.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spcl.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT spcl.sys ZwOpenKey [0xB9EAB0C0]
SSDT spcl.sys ZwQueryKey [0xB9EC9108]
SSDT spcl.sys ZwQueryValueKey [0xB9EC8F88]
SSDT spcl.sys ZwSetValueKey [0xB9EC919A]

INT 0x62 ? 8A6D0BF8
INT 0x63 ? 8A6D0BF8
INT 0x63 ? 8A6D0BF8
INT 0x63 ? 8A6D0BF8
INT 0x84 ? 8A660BF8
INT 0xA4 ? 8A660BF8
INT 0xA4 ? 8A660BF8
INT 0xA4 ? 8A660BF8
INT 0xB4 ? 8A660BF8
INT 0xB4 ? 8A660BF8
INT 0xB4 ? 8A660BF8
INT 0xB4 ? 8A660BF8

---- Kernel code sections - GMER 1.0.15 ----

? spcl.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8E9A380, 0x2F18C7, 0xE8000020]
.text USBPORT.SYS!DllUnload B8E7A8AC 5 Bytes JMP 8A6601D8
? C:\WINDOWS\System32\Drivers\SCDEmu.SYS suspicious PE modification
? c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7F91E286-C3CF-4C12-926A-6DD2D84A0237}\MpKsl0c4f1a86.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB2887400, 0x7A186, 0xE8000020]
.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlock" section [0xB2925A20]
.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB2925800, 0x5041, 0xE0000020]
? C:\WINDOWS\system32\drivers\mbamswissarmy.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[628] USER32.dll!DialogBoxIndirectParamAorW 7E4249D0 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
.text C:\program files\real\realplayer\update\realsched.exe[1756] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\system32\SearchIndexer.exe[2896] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spcl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spcl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spcl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spcl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spcl.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EBBD92] spcl.sys

---- Devices - GMER 1.0.15 ----

Device 8A65F1F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 8A260500
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device Sftfsxp.sys (Microsoft Application Virtualization File System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 8A5921F8
Device \Driver\usbuhci \Device\USBPDO-1 8A5921F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6611F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6611F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6611F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6611F8
Device \Driver\usbehci \Device\USBPDO-2 8A4951F8
Device \Driver\usbuhci \Device\USBPDO-3 8A5921F8
Device \Driver\usbuhci \Device\USBPDO-4 8A5921F8
Device \Driver\usbuhci \Device\USBPDO-5 8A5921F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1A960EF2-E639-4D67-B7F0-8A44CCE5DCDF} 8A2D41F8
Device \Driver\usbehci \Device\USBPDO-6 8A4951F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6D11F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6D11F8
Device \Driver\Cdrom \Device\CdRom0 8A3AA1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DFFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9DFFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DFFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9DFFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9DFFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [B9DFFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A6D11F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A2D41F8
Device \Driver\NetBT \Device\NetbiosSmb 8A2D41F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F1FAF71A-A36E-4A3F-9297-1653B56FA2D3} 8A2D41F8
Device \Driver\usbuhci \Device\USBFDO-0 8A5921F8
Device \Driver\usbuhci \Device\USBFDO-1 8A5921F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A356500
Device \Driver\usbehci \Device\USBFDO-2 8A4951F8
Device 8A356500
Device \Driver\usbuhci \Device\USBFDO-3 8A5921F8
Device \Driver\usbuhci \Device\USBFDO-4 8A5921F8
Device \Driver\Ftdisk \Device\FtControl 8A6D11F8
Device \Driver\usbuhci \Device\USBFDO-5 8A5921F8
Device \Driver\usbehci \Device\USBFDO-6 8A4951F8
Device \FileSystem\Cdfs \Cdfs 8A2DD500
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B5421000-B5438000 (94208 bytes)
Module (noname) (*** hidden *** ) BA228000-BA235000 (53248 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:892] B5425E90
Thread System [4:896] B5425E90
Thread System [4:900] BA22EBB0
Thread System [4:904] BA22EBB0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4C 0x8B 0xDF 0xEF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4C 0x8B 0xDF 0xEF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C0B96239-B8E0-C01A-1F0A-AF1D5CEE8E0E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C0B96239-B8E0-C01A-1F0A-AF1D5CEE8E0E}@pamifegmegcbokmonlflnegbbpljfcgg 0x69 0x61 0x61 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C0B96239-B8E0-C01A-1F0A-AF1D5CEE8E0E}@abcillhpadblojbpngnckmpadocpmiffll 0x69 0x61 0x61 0x65 ...

---- EOF - GMER 1.0.15 ----

Any help is appreciated

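The helper's note above asks for the GMER log to be copied and posted as-is, and the log Mattio posted is the kind of thing a responder then reads by hand: SSDT and IAT hooks owned by one driver, two hidden kernel modules, and four System threads whose start addresses sit inside those modules. The script below is an added example, not part of this thread and not GMER's or Malwarebytes' code. It parses the plain-text sections GMER prints and does that correlation mechanically. The regular expressions are my reading of the line formats visible in the log above; the embedded sample is constructed from a handful of those lines (with one extra thread that is not inside a hidden module), not the full log.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's own code).

Reads the plain-text sections GMER prints (System, Kernel code sections,
Kernel IAT/EAT, Modules, Threads) and reports what a responder looks at
first: which driver owns each SSDT/IAT hook, which kernel modules are
hidden, which System threads run inside a hidden module, and which files
GMER could not open or considered modified.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line formats, as seen in logs posted on the forum (assumed, not from GMER docs):
#   SSDT <owner> <ZwXxx> [0xADDR]
#   IAT <importer>[<module!import>] [ADDR] <owner>
# Forum software tends to lowercase a leading "[B" to "[b" in IAT lines;
# "b" is still a hex digit, so the address parses unchanged.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[([^\]]+)\]\s+\[(?:0x)?([0-9A-Fa-f]+)\]\s+(\S+)")
#   Module (noname) (*** hidden *** ) START-END (N bytes)
HIDDEN_MOD_RE = re.compile(r"^Module\s+.*\(\*\*\* hidden \*\*\* \)\s+([0-9A-Fa-f]+)-([0-9A-Fa-f]+)")
#   Thread <process> [pid:tid] START
THREAD_RE = re.compile(r"^Thread\s+(\S+)\s+\[(\d+):(\d+)\]\s+([0-9A-Fa-f]+)")
#   ? <path> <reason> !   (paths may contain spaces, so the path ends at its extension)
PROBLEM_RE = re.compile(r"^\?\s+(.+?\.(?:sys|dll|exe))\s+(.*?)\s*!?$", re.IGNORECASE)

# Constructed sample in the format of the log above (not the complete log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT spcl.sys ZwCreateKey [0xB9EAB0E0]
SSDT spcl.sys ZwOpenKey [0xB9EAB0C0]
---- Kernel code sections - GMER 1.0.15 ----
? spcl.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\Drivers\SCDEmu.SYS suspicious PE modification
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EAC040] spcl.sys
---- Modules - GMER 1.0.15 ----
Module (noname) (*** hidden *** ) B5421000-B5438000 (94208 bytes)
Module (noname) (*** hidden *** ) BA228000-BA235000 (53248 bytes)
---- Threads - GMER 1.0.15 ----
Thread System [4:892] B5425E90
Thread System [4:900] BA22EBB0
Thread System [4:123] 80500000
---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Report:
    hooks_by_owner: dict = field(default_factory=lambda: defaultdict(list))
    hidden_modules: list = field(default_factory=list)     # [(start, end)]
    threads_in_hidden: list = field(default_factory=list)  # [(proc, pid, tid, addr, (start, end))]
    problem_files: list = field(default_factory=list)      # [(path, reason)]


def triage(log_text: str) -> Report:
    """Parse one GMER log and group its findings for triage."""
    rep = Report()
    threads = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            owner, func, addr = m.groups()
            rep.hooks_by_owner[owner].append(("SSDT", func, int(addr, 16)))
        elif m := IAT_RE.match(line):
            importer, entry, addr, owner = m.groups()
            rep.hooks_by_owner[owner].append(("IAT", f"{importer}[{entry}]", int(addr, 16)))
        elif m := HIDDEN_MOD_RE.match(line):
            start, end = (int(x, 16) for x in m.groups())
            rep.hidden_modules.append((start, end))
        elif m := THREAD_RE.match(line):
            proc, pid, tid, addr = m.groups()
            threads.append((proc, int(pid), int(tid), int(addr, 16)))
        elif m := PROBLEM_RE.match(line):
            rep.problem_files.append((m.group(1), m.group(2)))
    # Correlate only after the whole log is read: GMER prints Modules before
    # Threads, but nothing here depends on that ordering.
    for proc, pid, tid, addr in threads:
        for start, end in rep.hidden_modules:
            if start <= addr < end:
                rep.threads_in_hidden.append((proc, pid, tid, addr, (start, end)))
    return rep


def summarize(rep: Report) -> list:
    """Human-readable lines, most significant finding first."""
    out = []
    for proc, pid, tid, addr, (s, e) in rep.threads_in_hidden:
        out.append(f"thread {proc}[{pid}:{tid}] at {addr:08X} runs inside hidden module {s:08X}-{e:08X}")
    for owner, hooks in sorted(rep.hooks_by_owner.items(), key=lambda kv: -len(kv[1])):
        kinds = sorted({kind for kind, _, _ in hooks})
        out.append(f"{owner}: {len(hooks)} hook(s) ({', '.join(kinds)})")
    for path, reason in rep.problem_files:
        out.append(f"check file: {path} ({reason})")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Two caveats a responder would keep in mind when reading the output. A System thread whose start address lies inside a module that no loaded-module list knows about is the finding to chase first, because nothing legitimate hides its own image that way. A driver that owns many SSDT or IAT hooks is not automatically malicious: the log above also lists `sptd` service keys, and a commercial disc-emulation driver installed on that machine would be the first thing to rule in or out for `spcl.sys` before treating its registry and port-I/O hooks as part of the infection.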

Other than a welcome to Malwarebytes Mattio, I need to direct your attention to here, so you can begin the procedures to set up for posting a new request here (Start New Topic). Someone will then reply to your new request, as time permits. We don't want your issues to distract from mtornillo's, when he replies in this thread.


  • 2 weeks later...
  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
