cmz, posted January 4, 2012 (ID:513378)

Hoping I followed directions right.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_26
Run by Student at 10:38:11 on 2012-01-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.421 [GMT -10:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe 4
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\6810774a-f6e8-4cf4-9950-da5ccb500942.com
svchost.exe 4
C:\Documents and Settings\Student\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Documents and Settings\Student\Local Settings\Application Data\RockMelt\Update\1.2.189.1\RockMeltCrashHandler.exe
svchost.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\dwwin.exe
C:\PWPro\pwpro.EXE
C:\Documents and Settings\Student\Local Settings\Application Data\RockMelt\Application\rockmelt.exe
C:\Documents and Settings\Student\Local Settings\Application Data\RockMelt\Application\rockmelt.exe
C:\Documents and Settings\Student\Local Settings\Application Data\RockMelt\Application\rockmelt.exe
C:\Documents and Settings\Student\Local Settings\Application Data\RockMelt\Application\rockmelt.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [Google Update] "c:\documents and settings\student\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\6810774a-f6e8-4cf4-9950-da5ccb500942.com
uRun: [RockMelt Update] "c:\documents and settings\student\local settings\application data\rockmelt\update\RockMeltUpdate.exe" /c
mRun: [igfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\corelc~1.lnk - c:\windows\installer\{f73e7b59-f951-11d4-884d-00902761a46d}\I_26dadCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.30.0.10 10.30.0.9 10.30.0.35
TCP: Interfaces\{CDBE40A3-163C-4BC7-B4B0-7BDE6CD26320} : DhcpNameServer = 10.30.0.10 10.30.0.9 10.30.0.35
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\student\application data\mozilla\firefox\profiles\ww384ug0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\student\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\student\local settings\application data\rockmelt\update\1.2.189.1\npRockMeltOneClick8.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-6-8 31848]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-5-23 58464]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-1-16 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-6-8 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-6-8 54608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-27 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-1-29 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-1-29 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-1-29 177864]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\student\my documents\downloads\sabkutil.sys --> c:\documents and settings\student\my documents\downloads\SABKUTIL.sys [?]
S3 c611C;c611C;c:\windows\system32\c611C.sys [2010-2-8 54624]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-24 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-5-23 108256]
.
=============== Created Last 30 ================
.
2012-01-04 20:08:04  --------  d-----w-  c:\documents and settings\all users\application data\Malwarebytes
2012-01-04 20:08:03  20464     ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-01-04 20:08:03  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-11-23 13:25:32  1859584  ----a-w-  c:\windows\system32\win32k.sys
2011-11-04 19:20:51  916992   ----a-w-  c:\windows\system32\wininet.dll
2011-11-04 19:20:51  43520    ----a-w-  c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51  1469440  ------w-  c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59  385024   ----a-w-  c:\windows\system32\html.iec
2011-11-01 16:07:10  1288704  ----a-w-  c:\windows\system32\ole32.dll
2011-10-28 05:31:48  33280    ----a-w-  c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08  2148864  ----a-w-  c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02  2027008  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22  186880   ----a-w-  c:\windows\system32\encdec.dll
2011-10-10 14:22:41  692736   ----a-w-  c:\windows\system32\inetcomm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86EF1EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86518872; SUB DWORD [EBP-0x4], 0x8651812e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F5EAB8]
3 CLASSPNP[0xF768DFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86E9C838]
[0x86E8C460] -> IRP_MJ_CREATE -> 0x86EF1EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x61e; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EF1AEA
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 10:39:57.38 ===============
Maurice Naggar, posted February 21, 2012 (ID:529040)

Hi,

Next, please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the options Remove found threats and the option Scan unwanted applications is checked.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

Next, download my Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.
Maurice Naggar, posted February 24, 2012 (ID:530173)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!