
browser redirects



Hi! As of today I am using Malwarebytes' 1.43, db version 3504.

I also run NOD32 3.0.667.0, db 4749.

Both should be current.

I first discovered a virus problem after my girlfriend had done online shopping ( :D ) and realized this PC was ill-equipped for virus detection. This is a school laptop, and their antivirus software (probably noticeable in the logs) had not updated in some time.

Malwarebytes' has found a host of trojans and other malware. After deleting these I'm still getting browser redirects; the easiest method of determining that this is true is typing anything with "malwarebytes" into Google.

*****These are portions of the Malwarebytes' detection and removal logs*****

Files Infected:

C:\Program Files\Malware Defense\mdext.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\Documents and Settings\physics\Local Settings\Temp\richtx64.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\physics\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\malware Defense\help.ico (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Program Files\malware Defense\md.db (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Program Files\malware Defense\mdefense.exe (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Program Files\malware Defense\uninstall.exe (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Documents and Settings\physics\Start Menu\Programs\malware Defense\Malware Defense Support.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Documents and Settings\physics\Start Menu\Programs\malware Defense\Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Documents and Settings\physics\Start Menu\Programs\malware Defense\Uninstall Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Documents and Settings\physics\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

C:\Documents and Settings\physics\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\H8SRTcrrqowyxpk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTtvxextkber.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTvgoedetkyi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\H8SRTejiysardop.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\physics\Local Settings\Temp\H8SRTe7e4.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTcdxayyeblg.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

***** These are my DDS and GMER rootkit logs *****

DDS (Ver_09-12-01.01) - NTFSx86

Run by physics at 13:06:49.60 on Wed 01/06/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.409 [GMT -8:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {DE172FA8-73EF-4F75-8C3C-DF914FBD5E0C}

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch

svchost.exe

C:\windows\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

svchost.exe

C:\windows\SYSTEM32\WISPTIS.EXE

C:\windows\system32\spoolsv.exe

C:\windows\System32\tabbtnu.exe

C:\windows\Explorer.EXE

C:\windows\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\Program Files\Altiris\AClient\AClntUsr.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Launchy\Launchy.exe

svchost.exe

C:\Program Files\Altiris\AClient\AClient.exe

C:\WINDOWS\system32\agrsmsvc.exe

svchost.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\rpcnet.exe

C:\windows\system32\svchost.exe -k imgsvc

c:\Program Files\Verdiem\SurveyorSD\Bin\SurveyorSD.exe

C:\windows\system32\SearchIndexer.exe

c:\Program Files\Verdiem\SurveyorSD\bin\SurveyorSession.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\windows\system32\SearchProtocolHost.exe

C:\Documents and Settings\physics\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://std.csusm.edu:4343/officescan/console/html/ClientInstall/WinNTChk.cab

DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://std.csusm.edu:4343/officescan/console/html/ClientInstall/setup.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242163540734

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242163525406

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

Notify: igfxcui - igfxdev.dll

Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll

Notify: TabBtnWL - TabBtnWL.dll

Notify: tpgwlnotify - tpgwlnot.dll

AppInit_DLLs: KATRACK.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\physics\applic~1\mozilla\firefox\profiles\9bwsb5ls.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Live Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-6-10 34312]

R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]

R2 SurveyorSD;Verdiem Surveyor Client;c:\program files\verdiem\surveyorsd\bin\SurveyorSD.exe [2008-8-1 2200832]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-9-2 50192]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-8-16 225296]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-8-16 36368]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-2-28 87808]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-8-15 35968]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-26 38224]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-8-11 338960]

R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2007-1-22 34736]

S0 gpjmgwi;gpjmgwi;c:\windows\system32\drivers\uhqmi.sys --> c:\windows\system32\drivers\uhqmi.sys [?]

S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2002-10-1 3584]

S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [2005-3-31 15744]

S3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-8-11 488768]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-8-11 652552]

S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2007-7-18 14208]

=============== Created Last 30 ================

2009-12-26 08:26:35 0 d-----w- c:\docume~1\physics\applic~1\Malwarebytes

2009-12-26 08:21:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-26 08:21:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-26 08:21:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-26 08:21:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-26 07:00:50 0 d--h--w- C:\BJPrinter

2009-12-26 06:56:13 1435 ----a-w- C:\AClient.cfg

2009-12-26 06:51:41 5702 ---ha-w- c:\windows\nod32restoretemdono.reg

2009-12-26 06:51:41 568 ---ha-w- c:\windows\nod32fixtemdono.reg

2009-12-26 06:49:47 0 d-----w- c:\program files\ESET

2009-12-26 06:46:03 0 d-----w- c:\program files\uTorrent

2009-12-26 06:45:51 0 d-----w- c:\docume~1\physics\applic~1\uTorrent

2009-12-26 06:44:32 0 d-----w- c:\program files\Panda Security

2009-12-26 05:51:23 202 ----a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2010-01-06 20:16:56 17408 ----a-w- c:\windows\system32\rpcnetp.exe

2010-01-06 20:16:45 56680 ----a-w- c:\windows\system32\rpcnet.dll

2010-01-06 20:16:45 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2009-11-10 01:13:44 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 16:45:04 33792 ----a-w- c:\windows\system32\identprv.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2008-01-17 17:33:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 13:08:56.78 ===============

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-01-06 13:15:09

Windows 5.1.2600 Service Pack 3

Running: zhgj8jhb.exe; Driver: C:\DOCUME~1\physics\LOCALS~1\Temp\ugloipoc.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 86A1C841

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

I am usually able to troubleshoot my own PC problems, but this one has me baffled. Hopefully one of you experts can spot the problem.

Thanks,

Trevor

Attach.txt


Did more digging and found a similar thread which suggested ComboFix.

Here is the log:

ComboFix 10-01-04.01 - physics 01/06/2010 15:36:15.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.570 [GMT -8:00]

Running from: c:\documents and settings\physics\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {DE172FA8-73EF-4F75-8C3C-DF914FBD5E0C}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk

c:\recycler\S-1-5-21-1342524632-2659382203-1970817268-500

c:\recycler\S-1-5-21-1664357980-355681926-3472957995-1006

c:\recycler\S-1-5-21-1664357980-355681926-3472957995-500

c:\recycler\S-1-5-21-220523388-2052111302-839522115-1003

c:\recycler\S-1-5-21-220523388-2052111302-839522115-1006

c:\recycler\S-1-5-21-3972142576-3104759742-4194102698-1003

c:\recycler\S-1-5-21-3972142576-3104759742-4194102698-500

c:\recycler\S-1-5-21-42470263-1556972909-348306644-1006

c:\recycler\S-1-5-21-42470263-1556972909-348306644-500

c:\recycler\S-1-5-21-525277714-1061202959-4100838827-1003

c:\recycler\S-1-5-21-525277714-1061202959-4100838827-500

c:\windows\system32\srcr.dat

.

((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))

.

2010-01-03 06:18 . 2010-01-03 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2009-12-26 08:26 . 2009-12-26 08:26 -------- d-----w- c:\documents and settings\physics\Application Data\Malwarebytes

2009-12-26 08:21 . 2009-12-30 22:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-26 08:21 . 2010-01-06 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-26 08:21 . 2009-12-30 22:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-26 08:21 . 2009-12-26 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-26 08:02 . 2009-12-26 08:02 -------- d-----w- c:\documents and settings\physics\Local Settings\Application Data\ESET

2009-12-26 07:09 . 2009-12-26 07:09 -------- d-----w- c:\documents and settings\Administrator

2009-12-26 07:00 . 2009-12-26 07:00 -------- d-----w- C:\BJPrinter

2009-12-26 06:51 . 2008-03-04 02:21 568 ---ha-w- c:\windows\nod32fixtemdono.reg

2009-12-26 06:51 . 2008-03-03 22:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg

2009-12-26 06:49 . 2009-12-26 06:49 -------- d-----w- c:\program files\ESET

2009-12-26 06:49 . 2009-12-26 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2009-12-26 06:46 . 2009-12-26 06:46 -------- d-----w- c:\program files\uTorrent

2009-12-26 06:45 . 2009-12-26 07:07 -------- d-----w- c:\documents and settings\physics\Application Data\uTorrent

2009-12-26 06:44 . 2009-12-26 07:04 -------- d-----w- c:\program files\Panda Security

2009-12-26 06:36 . 2009-12-26 06:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-06 23:21 . 2009-03-25 18:33 17408 ----a-w- c:\windows\system32\rpcnetp.exe

2010-01-06 23:21 . 2009-03-16 22:58 56680 ----a-w- c:\windows\system32\rpcnet.dll

2010-01-06 21:46 . 2007-07-19 00:56 874240 ----a-w- c:\windows\system32\drivers\iaStor.sys

2010-01-06 20:16 . 2009-03-25 18:34 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2009-12-18 18:57 . 2007-07-19 06:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-18 18:32 . 2008-01-17 00:07 -------- d-----w- c:\program files\Bonjour

2009-12-18 18:30 . 2009-09-29 23:56 -------- d-----w- c:\program files\Google

2009-12-18 18:25 . 2009-09-27 06:35 -------- d-----w- c:\program files\VideoLAN

2009-12-12 01:27 . 2009-09-17 11:14 -------- d-----w- c:\documents and settings\physics\Application Data\Launchy

2009-12-09 14:03 . 2007-07-19 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-11-10 01:13 . 2007-08-17 00:07 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys

2009-11-08 06:58 . 2008-01-18 20:03 79728 ----a-w- c:\documents and settings\physics\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-06 01:38 . 2007-07-19 06:15 79728 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-04 11:16 . 2009-11-04 11:16 401984 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-10-29 07:45 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 16:45 . 2008-10-10 14:57 33792 ----a-w- c:\windows\system32\identprv.dll

2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-08-04 07:56 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-04 07:56 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-04 07:56 79872 ----a-w- c:\windows\system32\raschap.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2009-11-06 184320]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-11 1447168]

c:\documents and settings\iits\Start Menu\Programs\Startup\

Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2007-7-19 908248]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Launchy.lnk - c:\program files\Launchy\Launchy.exe [2009-9-17 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk

backup=c:\windows\pss\PASPortal.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^physics^Start Menu^Programs^Startup^Mozilla Firefox.lnk]

path=c:\documents and settings\physics\Start Menu\Programs\Startup\Mozilla Firefox.lnk

backup=c:\windows\pss\Mozilla Firefox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^physics^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\physics\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AClntUsr]

2009-11-06 01:39 184320 ----a-w- c:\program files\Altiris\AClient\AClntUsr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-01-12 02:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-06-12 09:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2005-12-12 22:00 88203 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2008-02-16 03:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2008-02-16 03:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-10-29 04:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]

2009-06-30 18:37 2893064 ----a-w- c:\program files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess]

2007-06-08 20:00 749568 ----a-w- c:\windows\keyacc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]

2009-04-16 11:11 746792 ----a-w- c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-02-16 03:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

2006-03-07 21:38 131072 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

2005-05-06 21:06 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2007-01-06 05:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2009-09-17 01:21 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurveyorSession]

2008-08-01 19:10 210176 ----a-w- c:\program files\Verdiem\SurveyorSD\Bin\SurveyorSession.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2007-09-15 09:27 1015808 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]

2007-09-15 09:29 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletTip]

2008-04-14 00:12 271872 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\tabtip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]

2008-04-14 00:12 16384 ----a-w- c:\windows\Help\splshwrp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2009-12-26 06:46 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TMBMServer"=3 (0x3)

"iPod Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"Adobe Version Cue CS3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\keyacc32.exe"=

"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\Maple 12\\jre\\bin\\maple.exe"=

"c:\\Program Files\\Maple 12\\jre\\bin\\java.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"59591:TCP"= 59591:TCP:Trend Micro OfficeScan Listener

"5353:UDP"= 5353:UDP:Bonjour

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/10/2008 6:56 PM 34312]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6/10/2008 6:53 PM 468224]

R2 SurveyorSD;Verdiem Surveyor Client;c:\program files\Verdiem\SurveyorSD\Bin\SurveyorSD.exe [8/1/2008 11:10 AM 2200832]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/2/2009 3:03 PM 50192]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [8/16/2008 2:00 AM 225296]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [8/16/2008 2:00 AM 36368]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 4:05 PM 87808]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [8/15/2007 8:51 PM 35968]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/11/2008 8:45 AM 338960]

R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [1/22/2007 1:09 PM 34736]

S0 gpjmgwi;gpjmgwi;c:\windows\system32\drivers\uhqmi.sys --> c:\windows\system32\drivers\uhqmi.sys [?]

S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [10/1/2002 5:00 AM 3584]

S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [3/31/2005 1:31 PM 15744]

S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [8/11/2008 8:42 AM 488768]

S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [8/11/2008 8:42 AM 652552]

S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [7/18/2007 3:03 PM 14208]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig?hl=en

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\physics\Application Data\Mozilla\Firefox\Profiles\9bwsb5ls.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Live Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Getting started with MacDrive - c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe

MSConfigStartUp-MacDrive application - c:\program files\Mediafour\MacDrive 7\MacDrive.exe

MSConfigStartUp-Malware Defense - c:\program files\Malware Defense\mdefense.exe

MSConfigStartUp-richtx64 - c:\docume~1\physics\LOCALS~1\Temp\richtx64.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-06 15:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x86A1A841]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf760bf28

\Driver\ACPI -> ACPI.sys @ 0xf749ecb8

\Driver\atapi -> atapi.sys @ 0xf7412852

\Driver\iaStor -> iaStor.sys @ 0xf7348b58

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a

NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7248bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7255a21

SendHandler -> NDIS.sys @ 0xf723387b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1060)

c:\windows\system32\WININET.dll

.

Completion time: 2010-01-06 15:52:20

ComboFix-quarantined-files.txt 2010-01-06 23:52

Pre-Run: 20,019,261,440 bytes free

Post-Run: 20,310,523,904 bytes free

- - End Of File - - 574DC48913C0AE65F87A0238122E202C
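An added example, not part of the post above and not code from ComboFix, Malwarebytes or ESET: a small Python triage script that parses service/driver lines in the shape ComboFix prints (`R`/`S` plus start type, then `name;display name;image path [timestamp size]`, or `path --> path [?]` when the file could not be read) and flags the two kinds of anomaly visible in this log, a boot-start driver registration whose file is missing, and a service whose display name names a vendor but whose image is a Windows utility outside that vendor's install path. The sample lines are copied from the posted log; the heuristics, the `SUSPICIOUS_IMAGES` and `VENDOR_MARKERS` lists, and all function names are my own assumptions and are meant as starting points for an analyst, not as a verdict on any entry.

```python
"""Triage ComboFix-style service/driver lines for anomalies worth a second look.

Added example; the parsing follows the line shape seen in the posted log, and the
heuristics below are the example author's own assumptions, not ComboFix logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# <R|S><start> <name>;<display>;<path> [<date time size>]   or   ...<path> --> <path> [?]
SERVICE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$"
)

# Windows utilities that should not appear as a service image (assumed list).
SUSPICIOUS_IMAGES = {
    "regedt32.exe", "regedit.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}

# Display-name keyword -> substrings expected in the (lower-cased) image path.
# Assumed markers, derived from the legitimate ESET and Trend Micro entries in the log.
VENDOR_MARKERS = {
    "eset": ("\\eset\\", "\\epfw"),
    "nod32": ("\\eset\\", "\\epfw"),
    "trend micro": ("\\trend micro\\", "\\tm"),
    "officescan": ("\\trend micro\\", "\\tm"),
}

# Service lines copied verbatim from the posted ComboFix log.
SAMPLE_LOG = r"""
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/10/2008 6:56 PM 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6/10/2008 6:53 PM 468224]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/2/2009 3:03 PM 50192]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/11/2008 8:45 AM 338960]
S0 gpjmgwi;gpjmgwi;c:\windows\system32\drivers\uhqmi.sys --> c:\windows\system32\drivers\uhqmi.sys [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [10/1/2002 5:00 AM 3584]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [8/11/2008 8:42 AM 488768]
"""


@dataclass
class ServiceEntry:
    kind: str          # R = running, S = stopped (ComboFix convention)
    start: int         # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    meta: str | None   # bracket contents: "date time size", or "?" when the file was unreadable
    flags: list[str] = field(default_factory=list)

    @property
    def file_missing(self) -> bool:
        return self.meta == "?" or "-->" in self.path

    @property
    def image(self) -> str:
        # Last path component, taken after any "-->" redirect that ComboFix printed.
        tail = self.path.split("-->")[-1].strip()
        return tail.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ServiceEntry | None:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        kind=m["kind"], start=int(m["start"]), name=m["name"],
        display=m["display"], path=m["path"].strip(), meta=m["meta"],
    )


def triage(entry: ServiceEntry) -> list[str]:
    flags: list[str] = []
    if entry.file_missing:
        # A registered driver whose file is gone is typical of a partially removed
        # kernel-mode component; a boot-start (S0/R0) registration deserves priority.
        flags.append("image file missing" + (" (boot-start driver)" if entry.start == 0 else ""))
    if entry.image in SUSPICIOUS_IMAGES:
        flags.append(f"service image is a system utility: {entry.image}")
    lower_display, lower_path = entry.display.lower(), entry.path.lower()
    for keyword, markers in VENDOR_MARKERS.items():
        if keyword in lower_display and not any(mk in lower_path for mk in markers):
            flags.append(f"display name claims '{keyword}' but image path does not match vendor")
            break
    entry.flags = flags
    return flags


def triage_log(text: str) -> dict[str, list[str]]:
    """Return {service name: flags} for every service line that raised a flag."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry):
            findings[entry.name] = entry.flags
    return findings


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(flags)}")
```

Run against the lines above, only `gpjmgwi` and `NOD32FiXTemDono` are flagged; the legitimate ESET and Trend Micro drivers pass because their paths carry the vendor markers. The vendor marker table is the weak point of this approach: it has to be tuned per environment, and a name with no vendor keyword at all (like `gpjmgwi`) is only caught by the missing-file check, so the script is a filter to shorten the list an analyst reads, not a replacement for checking each image on disk.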
