
Live Search Virus



I use MalwareBytes every week or so to scan my computer and have TrendMicro OfficeScan loaded. I have some type of virus (from searching, it seems to be a pretty common problem that is being addressed here) that redirects me when Google searching through Firefox. TrendMicro typically stops any page from loading when it redirects me, but it is still frustrating and I'm sure could be causing other issues.

Logs are attached.

mbam-log-2012-12-09 (18-26-59).txt

attach.txt

dds.txt


Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

---------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.


----------


Hi Jeff,

Thank you for your attention and I apologize for the delay in my reply. I guess I did not correctly mark the email notification for this thread.

I am having trouble uploading the log (presumably because I am at work, but I have not encountered this before so I am not positive).

Is it fine if I post the log?

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2012-12-10 12:13:08

-----------------------------

12:13:08.749 OS Version: Windows 5.1.2600 Service Pack 3

12:13:08.749 Number of processors: 4 586 0x2A07

12:13:08.749 ComputerName: W72C-4CZ13306Z3 UserName: shipp00j

12:13:09.921 Initialize success

12:14:50.860 AVAST engine defs: 12121000

12:16:18.580 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

12:16:18.580 Disk 0 Vendor: Hitachi_ ECBO Size: 238475MB BusType: 3

12:16:18.580 Disk 0 MBR read successfully

12:16:18.580 Disk 0 MBR scan

12:16:18.673 Disk 0 Windows XP default MBR code found via API

12:16:18.673 Disk 0 unknown MBR code

12:16:18.673 Disk 0 MBR hidden

12:16:18.673 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS 238472 MB offset 63

12:16:18.673 Disk 0 scanning sectors +488392065

12:16:18.720 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**

12:16:18.720 Disk 0 trace - called modules:

12:16:18.720 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys

12:16:18.720 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b2e29f0]

12:16:19.220 3 CLASSPNP.SYS[b98f8fd7] -> nt!IofCallDriver -> [0x8b2e2020]

12:16:19.220 5 hpdskflt.sys[b9b415ae] -> nt!IofCallDriver -> \Device\00000086[0x8b2fd880]

12:16:19.220 7 ACPI.sys[b977f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8b2f9028]

12:16:20.048 AVAST engine scan C:\WINNT

12:16:20.127 AVAST engine scan C:\WINNT\system32

12:16:20.189 AVAST engine scan C:\WINNT\system32\drivers

12:16:20.220 AVAST engine scan C:\Documents and Settings\shipp00j

12:16:20.267 AVAST engine scan C:\Documents and Settings\All Users

12:16:20.267 Scan finished successfully

12:18:17.690 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\shipp00j\Desktop\VirusRemoval\MBR.dat"

12:18:17.690 The log file has been saved successfully to "C:\Documents and Settings\shipp00j\Desktop\VirusRemoval\aswMBR.txt"


Hi,

Of course...it's just fine that you post the logs to the replies. :)

-------

After seeing that aswMBR log I would like to run one more tool before we begin cleaning...

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------


Here is the report from TDSSKiller; it did not point out any malicious objects.

13:38:54.0157 6000 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

13:38:56.0157 6000 ============================================================

13:38:56.0157 6000 Current date / time: 2012/12/10 13:38:56.0157

13:38:56.0157 6000 SystemInfo:

13:38:56.0157 6000

13:38:56.0157 6000 OS Version: 5.1.2600 ServicePack: 3.0

13:38:56.0157 6000 Product type: Workstation

13:38:56.0157 6000 ComputerName: W72C-4CZ13306Z3

13:38:56.0157 6000 UserName: shipp00j

13:38:56.0157 6000 Windows directory: C:\WINNT

13:38:56.0157 6000 System windows directory: C:\WINNT

13:38:56.0157 6000 Processor architecture: Intel x86

13:38:56.0157 6000 Number of processors: 4

13:38:56.0157 6000 Page size: 0x1000

13:38:56.0157 6000 Boot type: Normal boot

13:38:56.0157 6000 ============================================================

13:38:56.0751 6000 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

13:38:56.0751 6000 ============================================================

13:38:56.0751 6000 \Device\Harddisk0\DR0:

13:38:56.0751 6000 MBR partitions:

13:38:56.0751 6000 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C4542

13:38:56.0751 6000 ============================================================

13:38:56.0766 6000 Initialize success

13:38:56.0766 6000 ============================================================

13:41:13.0827 5564 ============================================================

13:41:13.0827 5564 Scan started

13:41:13.0827 5564 Mode: Manual;

13:41:13.0827 5564 ============================================================

13:41:13.0843 5564 ================ Scan system memory ========================

13:41:15.0780 5564 System memory - ok

13:41:15.0780 5564 ================ Scan services =============================

13:41:16.0405 5564 ================ Scan global ===============================

13:41:16.0405 5564 [Global] - ok

13:41:16.0405 5564 ================ Scan MBR ==================================

13:41:16.0421 5564 [ 3AFCA8BE50730706CFA4D432ADEFF53F ] \Device\Harddisk0\DR0

13:41:16.0421 5564 Suspicious mbr (Forged): \Device\Harddisk0\DR0

13:41:17.0249 5564 \Device\Harddisk0\DR0 - ok

13:41:17.0249 5564 ================ Scan VBR ==================================

13:41:17.0264 5564 [ 3AD22F40730C4C741339605C4E352E71 ] \Device\Harddisk0\DR0\Partition1

13:41:17.0264 5564 \Device\Harddisk0\DR0\Partition1 - ok

13:41:17.0264 5564 ============================================================

13:41:17.0264 5564 Scan finished

13:41:17.0264 5564 ============================================================

13:41:17.0280 4636 Detected object count: 0

13:41:17.0280 4636 Actual detected object count: 0

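The two logs above disagree on the surface: aswMBR shouts **ROOTKIT** while TDSSKiller ends with "Detected object count: 0", even though it also printed "Suspicious mbr (Forged)". The triage script below is an added example (not part of the thread and not code from either tool) that pulls the verdict lines out of both logs and refuses to treat the zero counter as a clean bill; the sample log excerpts are constructed to mirror the lines posted above, and the explanations attached to each indicator are this example's reading of those verdicts.

```python
"""Triage aswMBR and TDSSKiller output for MBR/bootkit indicators."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of an aswMBR log (only the lines that carry a verdict).
ASWMBR_SAMPLE = r"""
12:16:18.580 Disk 0 MBR read successfully
12:16:18.673 Disk 0 Windows XP default MBR code found via API
12:16:18.673 Disk 0 unknown MBR code
12:16:18.673 Disk 0 MBR hidden
12:16:18.720 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**
12:16:20.267 Scan finished successfully
"""

# Constructed excerpt of a TDSSKiller log: the MBR verdict plus the object counter.
TDSS_SAMPLE = r"""
13:41:16.0421 5564 Suspicious mbr (Forged): \Device\Harddisk0\DR0
13:41:17.0249 5564 \Device\Harddisk0\DR0 - ok
13:41:17.0280 4636 Detected object count: 0
13:41:17.0280 4636 Actual detected object count: 0
"""

# (tool, pattern, why it matters). "MBR code found via API" on its own is
# informational; the patterns below are the ones that point at tampering.
INDICATORS = [
    ("aswMBR", re.compile(r"\bMBR hidden\b"),
     "MBR seen through the driver stack differs from the on-disk MBR: disk reads are being filtered"),
    ("aswMBR", re.compile(r"\bunknown MBR code\b"),
     "boot code does not match any known-good OS loader"),
    ("aswMBR", re.compile(r"\*\*ROOTKIT\*\*"),
     "aswMBR's own rootkit verdict"),
    ("TDSSKiller", re.compile(r"Suspicious mbr \((\w+)\)", re.IGNORECASE),
     "TDSSKiller reports the MBR as forged/unrecognised"),
]
COUNT_RE = re.compile(r"\d+ Detected object count: (\d+)")


@dataclass
class Triage:
    findings: List[Tuple[str, str, str]] = field(default_factory=list)
    detected_objects: Optional[int] = None

    @property
    def infected(self) -> bool:
        return bool(self.findings)


def triage(aswmbr_log: str, tdss_log: str) -> Triage:
    """Scan both logs line by line and collect every indicator that fires."""
    result = Triage()
    for tool, text in (("aswMBR", aswmbr_log), ("TDSSKiller", tdss_log)):
        for line in text.splitlines():
            for ind_tool, pattern, why in INDICATORS:
                if ind_tool == tool and pattern.search(line):
                    result.findings.append((tool, line.strip(), why))
            m = COUNT_RE.search(line)
            if m:
                result.detected_objects = int(m.group(1))
    return result


def verdict(result: Triage) -> str:
    """Human-readable conclusion; the object counter is never trusted on its own."""
    if not result.infected:
        return "no MBR/bootkit indicators"
    msg = "MBR/bootkit indicators present; preserve the saved MBR.dat and escalate before any fix"
    if result.detected_objects == 0:
        # In the thread's log the counter stayed at 0 while the MBR was flagged
        # as forged, so a zero count must not be read as "clean".
        msg += " (TDSSKiller's object count is 0 but does not cover the MBR verdict)"
    return msg


if __name__ == "__main__":
    t = triage(ASWMBR_SAMPLE, TDSS_SAMPLE)
    for tool, line, why in t.findings:
        print(f"[{tool}] {line}\n    -> {why}")
    print(verdict(t))
```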

Hi Jeff,

Here are the results for the scan. There was a checkbox that said "List BCD"; I left this unchecked since that is how it opened by default.

ListParts by Farbar Version: 30-10-2012

Ran by shipp00j (administrator) on 10-12-2012 at 16:31:34

Windows XP (X86)

Running From: C:\Documents and Settings\shipp00j\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 48%

Total physical RAM: 3014.29 MB

Available physical RAM: 1542.13 MB

Total Pagefile: 4899.5 MB

Available Pagefile: 2882.54 MB

Total Virtual: 2047.88 MB

Available Virtual: 1997.14 MB

======================= Partitions =========================

1 Drive c: (W72C-4CZ13306Z3) (Fixed) (Total:232.88 GB) (Free:110.07 GB) NTFS ==>[Drive with boot components (Windows XP)]

2 Drive h: (USORL00P211-G) (Network) (Total:1800 GB) (Free:944.27 GB) NTFS

3 Drive l: (SORL00061) (Network) (Total:3426.24 GB) (Free:488.16 GB) NTFS

4 Drive n: (SORL00062) (Network) (Total:15.89 GB) (Free:12.53 GB) NTFS

5 Drive s: (USORL00P002-D) (Network) (Total:112.11 GB) (Free:7.46 GB) NTFS

6 Drive u: (W72C-4CZ13306Z3) (Fixed) (Total:232.88 GB) (Free:110.07 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 233 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 233 GB 32 KB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C W72C-4CZ133 NTFS Partition 233 GB Healthy System (partition with boot components)

======================================================================================================

****** End Of Log ******


Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

4. If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

----------


I have TrendMicro OfficeScan. When I go to unload it, it forces me to enter a password. Unfortunately this must have happened within the past few months with an update, as I previously did not need to do this :( I will need to check with my support to see what the password is, since it is not any of my normal system passwords.


Hi Jeff,

No problem on your delay. Sorry for the one on my part.

I did initially recognize those websites, but upon looking I do. I sometimes am required to do web-based compliance training for work through Skillsoft; it appears that is where the smartforce.com comes from. I sometimes contract for a German company, so I am not surprised to see a .de website, but I am not familiar with sbs.de.


Please go to: VirusTotal

On the page you'll find a "Choose File" button.

Click on the Choose File button.

In the Choose File to Upload window which opens, copy and paste this into the File Name box.

c:\winnt\Installer\{EC2A42EE-CC1D-4A37-AF1E-D339751D23A8}\Icon_BugShooting.exe

Next, click the Open button.

Then click the "Scan It!" button just below.

This will scan the file. Please be patient.

If you get a message saying File has already been analyzed: click Reanalyze file now

Once scanned, copy and paste the link to the results page in your next reply.

----------


Out of curiosity...did you just install something with Siemens? There are all kinds of Trusted Sites now?

---------

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::
    DDS::
    Trusted Zone: sbs.de
    Trusted Zone: smartforce.com
    Trusted Zone: sbs.de
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

----------

Let me know about the question I asked and also how your system is running.

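The CFScript above removes three "Trusted Zone:" lines that DDS reported, after the helper asked the user whether the domains were expected. The script below is an added example (not part of the thread and not code from DDS or ComboFix) that does that review systematically: it parses the Trusted Zone entries from a DDS log, splits them against an allowlist of domains someone can account for, and writes the ClearJavaCache::/DDS:: CFScript text in the same form used in the thread for the rest. The DDS excerpt is constructed from the hostnames named in the thread, and ALLOWLIST with corp.example.test is an assumed placeholder.

```python
"""Review DDS 'Trusted Zone:' entries and build the DDS:: section of a CFScript."""
import re
from typing import Dict, Iterable, List

# Constructed DDS excerpt modelled on the Trusted Zone lines quoted in the thread.
DDS_SAMPLE = """\
Trusted Zone: sbs.de
Trusted Zone: smartforce.com
Trusted Zone: sbs.de
Trusted Zone: corp.example.test
"""

# Assumed: domains the machine's owner or IT has a documented reason to trust.
ALLOWLIST = {"corp.example.test"}

TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.IGNORECASE)


def parse_trusted_zones(dds_log: str) -> List[str]:
    """Hosts in log order. Repeats are kept: the fix script lists them exactly
    as DDS reported them, as the helper's script in the thread does."""
    hosts = []
    for line in dds_log.splitlines():
        m = TRUSTED_RE.match(line.strip())
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def _allowed(host: str, allowlist: Iterable[str]) -> bool:
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def review(hosts: List[str], allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Split hosts into the ones the allowlist explains and the ones it does not.
    Trusted-zone entries relax Internet Explorer's security settings for that
    host, so even a familiar business domain is worth confirming, not assuming."""
    out: Dict[str, List[str]] = {"expected": [], "unexpected": []}
    for h in hosts:
        out["expected" if _allowed(h, allowlist) else "unexpected"].append(h)
    return out


def build_cfscript(unexpected: List[str], clear_java_cache: bool = True) -> str:
    """CFScript text in the form used in the thread: ClearJavaCache:: followed
    by a DDS:: section whose lines are the DDS entries to remove."""
    lines = ["ClearJavaCache::"] if clear_java_cache else []
    if unexpected:
        lines.append("DDS::")
        lines.extend(f"Trusted Zone: {h}" for h in unexpected)
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    r = review(parse_trusted_zones(DDS_SAMPLE), ALLOWLIST)
    print("explained by allowlist:", r["expected"])
    print("needs a human decision:", r["unexpected"])
    print(build_cfscript(r["unexpected"]), end="")
```

With the sample input the generated script is exactly the one the helper posted above, plus nothing for corp.example.test because the allowlist accounts for it.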

I see that your Java software is out of date. Please go to Start >> Control Panel >> Programs and Features >> uninstall all versions of Java.

Now download and install the newest version from here >> http://java.com/en/download/index.jsp

-------------

Clear Java Cache

See this page for instructions on how to clear Java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on the Delete Temporary Files window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Java Control Panel.

----------

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------


This topic is now closed to further replies.