
Various trojans and a rootkit



Hello,

I have recently been having problems with my computer. It appears I have a rootkit infection and my anti-virus/malware has been picking up various trojans. I seem to have gotten rid of all visible symptoms of the infection on my computer (my browser was being redirected but that is resolved now, and I am getting no new detections from the AV software), but I want to be sure that it is actually clean. I would very much appreciate any help I can get.

I have attached the DDS logs as requested.

Thank you.

Here are the logs pasted for your convenience:

Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 2/27/2008 12:32:14 PM

System Uptime: 3/30/2012 10:10:45 AM (0 hours ago)

.

Motherboard: Dell Inc. | | 0TY565

Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 74 GiB total, 52.814 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Symbol USB ActiveSync RNDIS

Device ID: USB\VID_05E0&PID_200D\01A9760F-4634-2181-6800-0050BF7A60E2

Manufacturer:

Name: Symbol USB ActiveSync RNDIS

PNP Device ID: USB\VID_05E0&PID_200D\01A9760F-4634-2181-6800-0050BF7A60E2

Service:

.

==== System Restore Points ===================

.

RP1: 2/16/2012 11:21:13 AM - System Checkpoint

RP2: 2/17/2012 12:06:29 PM - System Checkpoint

RP3: 2/18/2012 1:05:24 PM - System Checkpoint

RP4: 2/19/2012 2:05:24 PM - System Checkpoint

RP5: 2/20/2012 3:47:55 PM - System Checkpoint

RP6: 2/21/2012 5:44:48 PM - System Checkpoint

RP7: 2/22/2012 6:10:19 PM - System Checkpoint

RP8: 2/23/2012 7:05:24 PM - System Checkpoint

RP9: 2/24/2012 8:05:24 PM - System Checkpoint

RP10: 2/25/2012 9:01:10 PM - System Checkpoint

RP11: 2/26/2012 9:52:41 PM - System Checkpoint

RP12: 2/27/2012 10:45:22 PM - System Checkpoint

RP13: 2/28/2012 11:38:05 PM - System Checkpoint

RP14: 3/1/2012 12:30:46 AM - System Checkpoint

RP15: 3/2/2012 1:22:13 AM - System Checkpoint

RP16: 3/3/2012 2:14:56 AM - System Checkpoint

RP17: 3/4/2012 3:06:19 AM - System Checkpoint

RP18: 3/5/2012 3:59:01 AM - System Checkpoint

RP19: 3/6/2012 4:56:34 AM - System Checkpoint

RP20: 3/7/2012 5:56:34 AM - System Checkpoint

RP21: 3/8/2012 6:56:35 AM - System Checkpoint

RP22: 3/9/2012 7:56:35 AM - System Checkpoint

RP23: 3/10/2012 8:53:36 AM - System Checkpoint

RP24: 3/11/2012 11:03:42 AM - System Checkpoint

RP25: 3/12/2012 11:51:41 AM - System Checkpoint

RP26: 3/13/2012 12:33:54 PM - System Checkpoint

RP27: 3/14/2012 12:51:42 PM - System Checkpoint

RP28: 3/15/2012 1:51:42 PM - System Checkpoint

RP29: 3/16/2012 2:51:42 PM - System Checkpoint

RP30: 3/17/2012 2:53:32 PM - System Checkpoint

RP31: 3/18/2012 3:53:15 PM - System Checkpoint

RP32: 3/19/2012 4:53:15 PM - System Checkpoint

RP33: 3/20/2012 4:59:51 PM - System Checkpoint

RP34: 3/21/2012 5:58:43 PM - System Checkpoint

RP35: 3/22/2012 6:58:43 PM - System Checkpoint

RP36: 3/23/2012 5:27:32 PM - Installed HiJackThis

RP37: 3/24/2012 5:58:43 PM - System Checkpoint

RP38: 3/25/2012 6:58:43 PM - System Checkpoint

RP39: 3/26/2012 6:59:06 PM - System Checkpoint

RP40: 3/27/2012 12:05:39 PM - Restore Operation

RP41: 3/27/2012 12:16:28 PM - Restore Operation

RP42: 3/28/2012 12:29:55 PM - System Checkpoint

RP43: 3/29/2012 1:29:55 PM - System Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader 8.3.1

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

Broadcom Gigabit Integrated Controller

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center Localization All

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help English

CCC Help French

CCC Help German

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Portuguese

CCC Help Spanish

CCC Help Turkish

Dell ETS Factory Installation

Google Chrome

High Definition Audio Driver Package - KB835221

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Intel® Graphics Media Accelerator Driver

Intel® Matrix Storage Manager

Intel® PRO Alerting Agent

Intel® PRO Network Connections 12.1.12.4

Intel® Active Management Technology

J2SE Runtime Environment 5.0 Update 6

Java™ 6 Update 11

LiveUpdate 3.3 (Symantec Corporation)

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Small Business 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB954459)

Pervasive System Analyzer

Pervasive.SQL 9 SP2 Workgroup for Windows (9.5)

PowerDVD

PrintServer Utilities

Roxio Creator Audio

Roxio Creator BDAV Plugin

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Drag-to-Disc

Roxio Express Labeler

Roxio Update Manager

SearchAssist

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2553089)

Security Update for 2007 Microsoft Office System (KB2553090)

Security Update for 2007 Microsoft Office System (KB2584063)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Microsoft Windows (KB2564958)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

Skins

Sonic Activation Module

Spybot - Search & Destroy

Symantec Endpoint Protection

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2597998) 32-Bit Edition

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition

Update for Microsoft Office Outlook 2007 (KB2583910)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 8 (KB975364)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2641690)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

URL Assistant

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows XP Service Pack 3

Windward System Five

Windward Wireless Server

.

==== Event Viewer Messages From Past Week ========

.

3/30/2012 10:11:21 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

3/27/2012 12:26:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor

3/27/2012 12:26:19 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

3/23/2012 5:33:50 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service helpsvc with arguments "" in order to run the server: {833E4010-AFF7-4AC3-AAC2-9F24C1457BCE}

.

==== End Of File ===========================

DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Rob at 10:26:03 on 2012-03-30

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1421 [GMT -7:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PVSW\bin\w3dbsmgr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.ca/

uSearch Page = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca

uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca

uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=3080104

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=3080104

mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row-rel/en/side.html?channel=ca

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\rob\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Obesewymx] "c:\documents and settings\rob\application data\elogs\ygiw.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starta~1.lnk - c:\wireless\UNWISE.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

TCP: DhcpNameServer = 64.59.144.18 64.59.144.19

TCP: Interfaces\{5717351F-E4AC-480D-84AC-C424383BAC36} : DhcpNameServer = 64.59.144.18 64.59.144.19

TCP: Interfaces\{805148BD-DDAB-49FB-92D2-1CDEC86A02B5} : DhcpNameServer = 192.168.1.1

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-1-4 2521880]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-15 106104]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120327.025\NAVENG.SYS [2012-3-27 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120327.025\NAVEX15.SYS [2012-3-27 1576312]

S3 b6yzwxa.sys;b6yzwxa.sys;\??\c:\windows\system32\drivers\b6yzwxa.sys --> c:\windows\system32\drivers\b6yzwxa.sys [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 EraserUtilDrv11120;EraserUtilDrv11120;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11120.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11120.sys [?]

S3 EraserUtilDrv11122;EraserUtilDrv11122;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11122.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11122.sys [?]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-27 24064]

S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

.

=============== Created Last 30 ================

.

2012-03-27 19:18:40 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-03-27 18:24:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-27 18:16:44 -------- d-----w- C:\TDSSKiller_Quarantine

2012-03-24 00:31:12 388096 ----a-r- c:\documents and settings\rob\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-03-24 00:27:35 -------- d-----w- c:\program files\Trend Micro

2012-03-23 21:18:28 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-03-23 21:18:28 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2012-03-21 17:20:32 -------- d-----w- c:\documents and settings\rob\local settings\application data\Identities

2012-03-21 17:20:26 -------- d-----w- c:\documents and settings\rob\application data\Ukom

2012-03-21 17:20:26 -------- d-----w- c:\documents and settings\rob\application data\Ikmelu

2012-03-21 17:20:26 -------- d-----w- c:\documents and settings\rob\application data\Elogs

2012-03-20 19:30:03 -------- d--h--w- c:\windows\PIF

.

==================== Find3M ====================

.

2012-02-16 19:10:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys

2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll

.

============= FINISH: 10:26:43.00 ===============


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


I don't notice any strange behavior with my computer. It appears to behave normally. I was having trouble with my browser redirecting. In particular, I was unable to visit this site, and every time I tried to go here I would be redirected to Google home page. This was resolved after I used TDSSkiller and Mbam, which removed a rootkit and various trojans.

Here is the scan result:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.04.06.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Rob :: ROBDESKTOP [administrator]

4/6/2012 8:55:56 AM

mbam-log-2012-04-06 (08-55-56).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 280710

Time elapsed: 20 minute(s), 8 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Thanks!


I think that's just a leftover

Download aswMBR.exe ( 511KB ) to your desktop.

•Double click aswMBR.exe to run it.

•Click Yes to the prompt to download Avast! virus definitions.

(Please be patient whilst the virus definitions download)

•With the AVscan set to Quick Scan, click the Scan button.

(Please be patient whilst your computer is scanned.)

•When the scan reports "Scan finished successfully", click Save log & save the log to your desktop.

•Click OK

•Two files will be created, aswMBR.txt & a file named MBR.dat

•Save MBR.dat to a form of removable media. (CD, DVD, USB flash drive etc) - This is a backup of your MBR. Do not delete this file.

•NOTE: Do not click to fix anything at this stage!

•Click EXIT.

•Copy & Paste the contents of aswMBR.txt into your next reply.


Here's the log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-04-06 14:09:14

-----------------------------

14:09:14.729    OS Version: Windows 5.1.2600 Service Pack 3

14:09:14.729    Number of processors: 2 586 0xF02

14:09:14.729    ComputerName: ROBDESKTOP  UserName: Rob

14:09:15.135    Initialize success

14:09:20.010    AVAST engine defs: 12040601

14:09:22.682    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

14:09:22.682    Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3

14:09:22.729    Disk 0 MBR read successfully

14:09:22.729    Disk 0 MBR scan

14:09:22.760    Disk 0 Windows XP default MBR code

14:09:22.760    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       54 MB offset 63

14:09:22.791    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        76230 MB offset 112455

14:09:22.807    Disk 0 scanning sectors +156232125

14:09:22.870    Disk 0 malicious Win32:MBRoot code @ sector 156232128 !

14:09:22.979    Disk 0 scanning C:\WINDOWS\system32\drivers

14:10:08.354    Service scanning

14:10:26.885    Modules scanning

14:11:03.431    Disk 0 trace - called modules:

14:11:03.463    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

14:11:03.463    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a697ab8]

14:11:03.463    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a643d98]

14:11:03.791    AVAST engine scan C:\WINDOWS

14:11:32.884    AVAST engine scan C:\WINDOWS\system32

14:19:27.694    AVAST engine scan C:\WINDOWS\system32\drivers

14:20:29.022    AVAST engine scan C:\Documents and Settings\Rob

14:24:33.473    File: C:\Documents and Settings\Rob\Local Settings\Temp\09fd45ae.tmp  **INFECTED** Win32:Crypt-MCM [Trj]

14:28:02.519    AVAST engine scan C:\Documents and Settings\All Users

14:32:51.548    Scan finished successfully

15:14:13.941    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Rob\Desktop\MBR.dat"

15:14:13.957    The log file has been saved successfully to "C:\Documents and Settings\Rob\Desktop\aswMBR.txt"

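A defender-side triage script for the two kinds of log posted in this thread (the DDS "Pseudo HJT Report" / "SERVICES / DRIVERS" sections and the aswMBR output), written here as an added example; it is not a tool from this thread, from the helper, or from Malwarebytes. It flags three things an analyst looks for first when reading such logs: autorun entries whose target lives in a per-user, user-writable profile directory and is not on an analyst allowlist, registered drivers whose file DDS could not find on disk (DDS prints "[?]" in place of the date and size), and aswMBR lines reporting malicious sector code or an **INFECTED** file. The sample lines are constructed in the shape of the logs above, and the allowlist KNOWN_GOOD_USER_AUTORUNS and all function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections (same line format as the log posted above).
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\rob\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Obesewymx] "c:\documents and settings\rob\application data\elogs\ygiw.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
S3 b6yzwxa.sys;b6yzwxa.sys;\??\c:\windows\system32\drivers\b6yzwxa.sys --> c:\windows\system32\drivers\b6yzwxa.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-27 24064]
"""

# Constructed sample in the shape of aswMBR output.
ASWMBR_SAMPLE = r"""
14:09:22.760    Disk 0 Windows XP default MBR code
14:09:22.870    Disk 0 malicious Win32:MBRoot code @ sector 156232128 !
14:24:33.473    File: C:\Documents and Settings\Rob\Local Settings\Temp\09fd45ae.tmp  **INFECTED** Win32:Crypt-MCM [Trj]
14:32:51.548    Scan finished successfully
"""

# Assumed analyst allowlist: per-user autorun paths known to belong to legitimate updaters.
KNOWN_GOOD_USER_AUTORUNS = ("\\google\\update\\",)

AUTORUN_RE = re.compile(r"^(uRun|mRun): \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
MALICIOUS_RE = re.compile(r"^\S+\s+(Disk \d+ malicious .*)$")
INFECTED_RE = re.compile(r"^\S+\s+File: (.+?)\s+\*\*INFECTED\*\*\s+(.+)$")


def _target_path(rest: str) -> str:
    """Pull the executable path out of an autorun value: the quoted part if present, else the first token."""
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    return rest.split()[0]


def _in_user_profile(path: str) -> bool:
    """True when the path sits under a per-user profile directory a non-admin user can write to."""
    p = path.lower()
    return "\\documents and settings\\" in p and (
        "\\application data\\" in p or "\\local settings\\" in p
    )


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Flag user-profile autoruns not on the allowlist and drivers whose file DDS marked as missing."""
    findings = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            _hive, name, rest = m.groups()
            path = _target_path(rest)
            allowed = any(k in path.lower() for k in KNOWN_GOOD_USER_AUTORUNS)
            if _in_user_profile(path) and not allowed:
                findings.append({"kind": "user-profile autorun", "name": name, "detail": path})
            continue
        m = SERVICE_RE.match(line)
        # DDS prints "[?]" when it cannot read the driver file: a registered driver with no file on disk.
        if m and line.rstrip().endswith("[?]"):
            findings.append({"kind": "missing-file driver", "name": m.group(2), "detail": m.group(4)})
    return findings


def triage_aswmbr(text: str) -> List[Dict[str, str]]:
    """Collect aswMBR hits: malicious MBR/sector code and files tagged **INFECTED**."""
    findings = []
    for line in text.splitlines():
        m = MALICIOUS_RE.match(line)
        if m:
            findings.append({"kind": "mbr/sector hit", "name": "disk", "detail": m.group(1)})
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append({"kind": "infected file", "name": m.group(2), "detail": m.group(1)})
    return findings


def triage(dds_text: str, aswmbr_text: str) -> List[Dict[str, str]]:
    """Combined finding list for one machine's DDS and aswMBR logs."""
    return triage_dds(dds_text) + triage_aswmbr(aswmbr_text)


if __name__ == "__main__":
    for f in triage(DDS_SAMPLE, ASWMBR_SAMPLE):
        print(f"{f['kind']:22} {f['name']:22} {f['detail']}")
```

On the constructed sample this reports the Obesewymx autorun (random name, executable under the user's Application Data), the b6yzwxa.sys driver whose file is absent, the malicious sector reported by aswMBR, and the infected temp file; ctfmon.exe, ccApp and the allowlisted Google updater are not reported. The allowlist is deliberately a plain substring list so that an analyst can extend it as known-good per-user updaters turn up.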

C:\Documents and Settings\Rob\Local Settings\Temp\09fd45ae.tmp <--Delete this temp file

Matter of fact go to: C:\Documents and Settings\Rob\Local Settings\Temp <--Delete all tmp files in this folder.

Next:

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean


You should be good to go:

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Securing Your Web Browser
    This paper will help you configure your web browser for safer internet surfing.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    •Free browser plug-in for Internet Explorer and Firefox
    •Real-time safety ratings
    •Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


This topic is now closed to further replies.