
Rootkit Infection!!!! - Google.com/webhp redirect



Problem last Sunday with Antivirus XP attack (ave.exe) & unable to run MBAM.exe. I followed Metallica's "Removal instructions for XP Internet Security" (topic 43987) by renaming MBAM.exe to MBAM.com & I was able to get rid of the malware.

But today, I had a webpage suddenly pop open. The address of the webpage was Google.com/webhp, which I knew wasn't the real Google website, plus I don't use Google very often. I searched the net for this & that is where I found out that there could be a rootkit infection. I have run MBAM today & it didn't find anything. Refer to all the logs below for MBAM, DDS & GMER. NOTE: I tried to run GMER the other day per AdvancedSetup's "I'm infected - What do I do now?" post (topic 9573) but it hung. I left the pc on all night & during the day & when I got back from work it was still hung, so I held the on/off button until the pc shut down.

First are the MBAM logs for clearing the Antivirus XP malware on 4/21 (2), followed by the MBAM log for 4/22, then the MBAM log for 4/23, DDS & GMER.

********************************************************************

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/21/2010 6:46:48 PM

mbam-log-2010-04-21 (18-46-48).txt

Scan type: Quick scan

Objects scanned: 148864

Time elapsed: 13 minute(s), 47 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

C:\Documents and Settings\Dad\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Dad\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Dad\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

*******************************************************************

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4019

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/21/2010 8:59:45 PM

mbam-log-2010-04-21 (20-59-45).txt

Scan type: Full scan (C:\|)

Objects scanned: 312465

Time elapsed: 1 hour(s), 33 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

****************************************************

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4019

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/22/2010 3:26:00 PM

mbam-log-2010-04-22 (15-26-00).txt

Scan type: Quick scan

Objects scanned: 149523

Time elapsed: 13 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

************************************************

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4027

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/23/2010 6:34:51 PM

mbam-log-2010-04-23 (18-34-51).txt

Scan type: Quick scan

Objects scanned: 151073

Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*******************************************************

DDS (Ver_10-03-17.01) - NTFSx86

Run by Dad at 18:55:47.34 on Fri 04/23/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2056 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\dllhost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\WINDOWS\LTMSG.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\HP\KBD\KBD.EXE

C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\dcmsvc\dcmsvc.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.my.yahoo.com/

uInternet Settings,ProxyOverride = 127.0.0.1;localhost

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [Acme.PCHButton] c:\progra~1\hpinst~1\pavilion\xpenabf3en\plugin\bin\PCHButton.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

mRun: [sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe

mRun: [LTMSG] LTMSG.exe 7

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe

mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [dcmsvc] c:\program files\dcmsvc\dcmsvc.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\dad\startm~1\programs\startup\warner~1.lnk - c:\program files\warner bros. digital copy manager\Warner Bros. Digital Copy Manager.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106426461718

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244917522140

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CBBD6FA7-2384-11D1-A8C9-0040C7116154} - hxxp://sna.coair.com/HFACTX/HFDSP.CAB

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-10 64160]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]

R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);c:\windows\system32\drivers\NEOFLTR_500_8897.sys [2005-7-27 56038]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-7-19 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-7-19 359952]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-10-20 99328]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-7-19 144704]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-19 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-19 35272]

S2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\cx88xbardual.sys --> c:\windows\system32\drivers\CX88XBARDUAL.sys [?]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-7-19 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-7-19 40552]

S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2006-6-30 32000]

S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2006-6-30 28057]

S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2006-6-30 21081]

S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-7-19 606736]

=============== Created Last 30 ================

2010-07-20 01:05:01 11403 ----a-w- c:\windows\system32\Config.MPF

2010-07-20 01:01:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-07-20 01:01:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-07-20 01:01:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-07-20 01:01:49 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-07-20 01:01:08 0 d-----w- c:\program files\McAfee.com

2010-07-20 01:01:08 0 d-----w- c:\program files\common files\McAfee

2010-07-20 01:00:46 0 d-----w- c:\program files\McAfee

2010-07-20 00:58:30 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-07-19 23:15:38 0 d-----w- c:\program files\ATT-RC

2010-04-23 22:08:28 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-21 23:21:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-21 23:21:40 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 23:42:55 0 ----a-w- c:\documents and settings\dad\defogger_reenable

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-02 03:44:35 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2005-01-22 01:56:30 0 -csha-w- c:\windows\sminst\HPCD.sys

2009-04-11 00:16:13 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041020090411\index.dat

============= FINISH: 18:57:48.03 ===============

***********************************************************

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-04-23 17:49:07

Windows 5.1.2600 Service Pack 3

Running: ksioy6ev.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\uxldapob.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF7B28CA2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF7B28C78]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF7B28C8C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7B28D4F]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7B28D7B]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF7B28DE9]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF7B28DD3]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF7B28DFF]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7B28CE2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7B28D25]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7B28C14]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7B28C28]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF7B28CB6]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF7B28E53]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF7B28DBD]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF7B28DA7]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF7B28D65]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF7B28E3F]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF7B28E2B]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF7B28C64]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF7B28C50]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7B28D11]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF7B28E15]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7B28CF8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7B28CCC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_500_8897.SYS (NetBIOS Redirector/Neoteris)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_500_8897.SYS (NetBIOS Redirector/Neoteris)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_500_8897.SYS (NetBIOS Redirector/Neoteris)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_500_8897.SYS (NetBIOS Redirector/Neoteris)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A584AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

The only other programs I ran before the above were Ad-Aware AE & Spybot Search & Destroy, with no items found.

The pc is currently disconnected from the internet. I also had a rootkit infection last April & AdvancedSetup helped me clear that infection.

Thanks!

NeedhelpinTX

I eagerly await my next instructions.

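The registry items in the first MBAM log above are what made the MBAM.exe to MBAM.com rename work: the rogue had pointed the .exe file type at its own "secfile" class and had switched off the Security Center notifications. As an added example (not Malwarebytes' code and not part of the post), the Python below pulls the Bad/Good pairs out of an MBAM 1.x log and labels each one. The sample log excerpt and the wording of the labels are constructed for this example.

```python
"""Pull the 'Bad:'/'Good:' registry repairs out of a Malwarebytes' Anti-Malware
1.x log and say what each one did to the machine.

Added example for this thread, not Malwarebytes' code. SAMPLE_LOG is a
constructed excerpt in the format of the logs posted above; the wording in
explain() is this example's reading of the detection names, not MBAM output.
"""
import re

SAMPLE_LOG = r"""
Registry Data Items Infected: 3

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Dad\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
"""

# One "Registry Data Items Infected" line:
#   <key> (<detection family>) -> Bad: (<value found>) Good: (<value restored>) -> <action>.
ENTRY_RE = re.compile(
    r"^(?P<key>.+?) \((?P<family>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)


def explain(entry):
    """Turn one parsed entry into a sentence about what the change meant."""
    key, bad, good = entry["key"], entry["bad"], entry["good"]
    leaf = key.rsplit("\\", 1)[-1]
    upper = key.upper()
    if upper.startswith("HKEY_CLASSES_ROOT\\.EXE\\"):
        return (f"the .exe file type was pointed at the '{bad}' class instead of "
                f"'{good}', so every .exe launch went through the rogue's handler "
                f"(a tool renamed to .com does not use that association)")
    if "\\SECURITY CENTER\\" in upper and leaf.endswith("DisableNotify"):
        return f"{leaf} was set to {bad} to silence the Security Center warning"
    if "\\STARTMENUINTERNET\\" in upper:
        return "the default-browser launch command was wrapped by the rogue executable"
    return "unrecognised registry data item"


def rogue_paths(entry):
    """Quoted executable paths inside a Bad value (the rogue's own file among them)."""
    return re.findall(r'"([^"]+)"', entry["bad"])


def parse_registry_repairs(text):
    """Return every Bad/Good repair in an MBAM log, in log order, with a meaning attached."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:          # summary counts, section headers, file/process lines
            continue
        entry = m.groupdict()
        entry["meaning"] = explain(entry)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in parse_registry_repairs(SAMPLE_LOG):
        print(f"{f['family']:28} {f['meaning']}")
        for p in rogue_paths(f):
            print(f"{'':28}   path in bad value: {p}")
```

Running it against a full MBAM log (read the file instead of SAMPLE_LOG) gives the same three kinds of finding the posted log shows; the StartMenuInternet entry is the one that also yields the rogue's file path from its Bad value.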

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  1. Please do not run any other tool until instructed to do so!
  2. Please reply to this thread, do not start another!
  3. Please tell me about any problems that have occurred during the fix.
  4. Please tell me of any other symptoms you may be having as these can help also.
  5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

It may be helpful for you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I need to get a new report from GMER. Please note the changes below, as I need some different information from the log.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until we have finished the cleaning of this computer.

I would like you to delete the GMER you have now and download this version from here.

GMER:

I would like you to download this "special version of gmer" and save it to your desktop.

  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.

GMER_2.png

  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • IAT/EAT
    • Devices (don't miss this one) <-- this one is different than the picture
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If GMER runs then please give me the log and pass on the next step.

If GMER still does not run, and only if it doesn't run, please do the following.

I would like you to try and run GMER in Safe Mode. To enter Safe Mode, do the following.

Boot into Safe Mode

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

If GMER does run to the end, please send me the log in your next reply, and if it still does not run, please let me know and we will try something else.

"information and logs"

In your next post I need the following:
  1. log from GMER
  2. let me know of any problems you may have had

Gringo

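Gringo's caution above is the right reading of the GMER log in the first post: most of its lines are hooks placed by the installed McAfee driver and are not a finding, while the two entries that matter are the device hook GMER could not attribute to any module and the file it flags as modified. As an added example (not GMER's code and not part of Gringo's instructions), the Python below triages a GMER 1.0.15 log along those lines. KNOWN_VENDORS, the sample log lines and the triage rules are assumptions of this example, not GMER's own classification.

```python
"""Triage a GMER 1.0.15 log: group kernel hooks by the driver GMER attributes
them to, separate hooks that belong to an installed security product from the
rest, and list the entries to look at first (device hooks GMER could not tie
to a module, and files it reports as modified).

Added example for this thread, not GMER's code. KNOWN_VENDORS and SAMPLE_LOG
are constructed; the line formats follow the log posted in the thread.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF7B28CA2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7B28C14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A584AC8
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# Vendor strings, as GMER prints them after the final '/', whose hooks are
# expected because that product is installed on the machine being examined.
KNOWN_VENDORS = ("McAfee, Inc.", "Microsoft Corporation")

CODE_RE = re.compile(
    r"^Code (?P<driver>\S+) \((?P<desc>[^)]*)\) (?P<func>\w+)(?: \[(?P<addr>0x[0-9A-Fa-f]+)\])?$")
ATTACHED_RE = re.compile(
    r"^AttachedDevice (?P<stack>\S+) (?P<device>\S+) (?P<driver>\S+) \((?P<desc>[^)]*)\)$")
DEVICE_RE = re.compile(r"^Device -> (?P<driver>\S+) (?P<device>\S+) (?P<addr>[0-9A-Fa-f]+)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<verdict>suspicious modification)$")


def vendor(desc):
    """'McAfee Link Driver/McAfee, Inc.' -> 'McAfee, Inc.'"""
    return desc.rsplit("/", 1)[-1]


def triage(text, known_vendors=KNOWN_VENDORS):
    hooks = defaultdict(list)   # driver file -> hooked kernel functions
    vendor_of = {}              # driver file -> vendor string GMER printed
    priority = []               # entries worth a responder's attention first
    for raw in text.splitlines():
        line = raw.strip()
        if m := CODE_RE.match(line):
            hooks[m["driver"]].append(m["func"])
            vendor_of[m["driver"]] = vendor(m["desc"])
        elif m := ATTACHED_RE.match(line):
            vendor_of.setdefault(m["driver"], vendor(m["desc"]))
        elif m := DEVICE_RE.match(line):
            # GMER printed a bare address with no module name: it could not
            # attribute this device-object hook to any loaded driver.
            priority.append(f"device hook: {m['device']} via {m['driver']} at {m['addr']}")
        elif m := FILE_RE.match(line):
            priority.append(f"modified file: {m['path']} ({m['verdict']})")
    expected = {d: f for d, f in hooks.items() if vendor_of.get(d) in known_vendors}
    unexpected = {d: f for d, f in hooks.items() if vendor_of.get(d) not in known_vendors}
    return {"expected_hooks": expected, "unexpected_hooks": unexpected, "priority": priority}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for drv, funcs in report["expected_hooks"].items():
        print(f"expected   {drv}: {len(funcs)} hooked functions (installed security product)")
    for drv, funcs in report["unexpected_hooks"].items():
        print(f"UNEXPECTED {drv}: {', '.join(funcs)}")
    for item in report["priority"]:
        print(f"look first {item}")
```

The allow-list is what keeps the McAfee hooks out of the "unexpected" bucket; run the same function with an empty known_vendors and every hook is reported, which is the noise Gringo is warning against acting on. The priority list is deliberately not a verdict: it only orders what to examine, consistent with the caution not to act on "ROOTKIT" entries by yourself.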

Hello Gringo,

First, let me thank you for helping me. I have been extremely busy today (brake changes on two cars) & I have run out of time to work on the computer today. I will do as instructed first thing tomorrow morning & I will post the log. I'm on another pc, so the infected pc has been disconnected from the internet. I assume that I need to close or deactivate AT&T McAfee Security Suite while performing scans. I will download the special GMER as requested & run it. Yesterday I tried the version of GMER that I have in Safe Mode & it hung. Also, when I used Defogger yesterday, it never asked me to reboot the machine; I had to click the "X" button to exit Defogger, then I manually rebooted the pc.

Thanks again & I'm sorry that I couldn't post any logs tonight.

Regards,

NeedhelpinTX


Hello Gringo,

I did as requested. I let Defogger do its thing, but I got the Defogger_disable. Here is the log:

**********************************************

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 06:40 on 25/04/2010 (Dad)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

**********************************************

I ran GMER in regular mode & it was running fine. I started shortly before 7 am CDT & I had to leave the house at 10:30 for a little over an hour, & when I got back to check the scan I had the "Blue Screen of Death" (see attached jpg). I got back between 11:45 & 12:00 & my wife said she walked by around 10 minutes before I got home & the pc looked ok. Nobody touched the pc while I was gone & nobody was watching it, so I don't know what happened & of course there isn't an ark.txt to paste here. GMER had been running for about 3 1/2 hrs before I left the house.

I am running GMER again & this time I'll stay with it the whole time.

Regards,

NHITX

post-12162-1272215187_thumb.jpg


Greetings

Please try running GMER in Safe Mode if it still gives you problems.

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

If GMER does run to the end, please send me the log in your next reply, and if it still does not run, please let me know and we will try something else.

"information and logs"

In your next post I need the following:
  1. log from GMER
  2. let me know of any problems you may have had
  3. How is the computer doing now?


Hello Gringo,

I started GMER in regular mode at 12:20 CDT & I've been sitting here babysitting it. So far, it is still running; it's been almost 4 1/2 hrs. I've been keeping track of the file locations it has been running through & it appears to be running ok. Hopefully it will be done before too long. I'm not sure, but it may have stopped the first time because the monitor went into sleep mode. As soon as it is done I'll send the ark.txt. If this doesn't work then I'll go to Safe Mode.

NHITX


Hey Gringo,

It's still scanning, no problems with GMER, it's just still scanning.

It started with SOFTWARE\Classes, then SOFTWARE\Microsoft, etc. Then into Documents and Settings, then C:\hp, etc. Now it's in C:\I386, etc.

Working on the 7th hour. I unchecked the items in the right pane as instructed. The only ones checked are: System, Sections, Modules, Processes, Threads, Libraries, Services, Registry, Files, C:\ & ADS.

It's ticking away fairly good. Guess we're going to see who outlasts who!

Tired NHITX


HOLY FRICKEN HELL!!!

I got the blue screen of death at 23:00 CDT, 10 hrs & 40 minutes after I started the GMER scan at 12:20 CDT. I was all the way to C:\Program Files\Turbo Tax when the monitor started to go to sleep & I wasn't fast enough to move the mouse & stop it from hibernating. I then got the BSOD almost immediately! (see jpg below).

During the 10+ hours of watching the monitor, I would move the mouse every time the monitor would try to go to sleep & GMER kept scanning. The two times I witnessed the BSOD were when the monitor tried to turn off.

I rebooted the pc, went into Power Options Properties & selected "Turn off monitor" to never. "Turn off hard disks" & "System standby" were already selected as never. I also made sure that the "Enable hibernation" box wasn't checked.

NOW! I'm going to start GMER again & go to bed. I'll check it when I get up for work at 04:00 & hopefully it is still running; if so, I'll have my son look at it before he leaves in the morning & I'll check it when I get home from work around 14:00 CDT.

HOPEFULLY!!! I will have an ark.txt for you shortly thereafter.

I'M GOING TO BED, I'M TIRED!

STILL NeedhelpinTX

post-12162-1272256683_thumb.jpg


WELL, that didn't take long! Just got my 3rd BSOD, this time only after about 3 minutes.

This time the scan started in C:\Windows\System32\, then went to C:\ DOCUMENTS\ (I can't remember the rest), stayed there without moving for 1-2 minutes, then back to C:\Windows\System32\, then the BSOD. (See BSOD#3 jpg below).

Now, I'm going for Safe Mode!

post-12162-1272258524_thumb.jpg


  • Staff

Greetings NeedhelpinTX

Ok do this instead.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

  • Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
  • The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the report in your next post:

C:\ComboFix.txt

"information and logs"

  • In your next post I need the following
  1. Log from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo


Good Morning Gringo,

GMER was running ok in safe mode when I went to bed at 00:30 & it was still running when I left the house at 04:30 CDT.

My wife said it looked like it was done at 07:30 & at 09:15 my son said that it had stopped running & GMER was still open,

but there was a pop-up from McAfee saying that the computer wasn't protected & it needed to be fixed. Without seeing it,

the pop-up sounds like the normal McAfee pop-up because I disabled McAfee to not fix itself until all the malware work

was done. When I get home I'll save an ark.txt & post it.

You still want me to run ComboFix after I send you the ark.txt?

Regards,

NHITX


Ok Gringo, I think we may be getting somewhere!

Here's the ark.txt run in safe mode.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-26 14:17:41

Windows 5.1.2600 Service Pack 3

Running: bgetwgg9.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\uxldapob.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF780F300]

---- EOF - GMER 1.0.15 ----

Isn't this a TDSS Rootkit infection? And in Lavasoft?

I'll be awaiting my next instructions.

Regards,

NHITX :)


  • Staff

Greetings

Yes, we are getting somewhere now. Thanks for the logs - it should be easier from here on out.

Isn't this a TDSS Rootkit infection - yes it is but I can't get into much more than that.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

  • Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
  • The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the report in your next post:

C:\ComboFix.txt

"information and logs"

  • In your next post I need the following
  1. Log from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo


Here ya go!

ComboFix 10-04-26.02 - Dad 04/26/2010 15:42:20.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1820 [GMT -5:00]

Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Dad\Local Settings\Temporary Internet Files\2EMF1388d.jpg

c:\documents and settings\Dad\Local Settings\Temporary Internet Files\3VF8nBB8.jpg

c:\documents and settings\Dad\Local Settings\Temporary Internet Files\8h8Vs6O.jpg

c:\documents and settings\Dad\Local Settings\Temporary Internet Files\R71jH.jpg

c:\windows\system32\inf

c:\windows\system32\inf\H1e10220.inf

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected

Restored copy from - Kitty had a snack :o

.

((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))

.

2010-07-20 01:01 . 2009-11-11 16:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-07-20 01:01 . 2009-11-11 16:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-07-20 01:01 . 2009-11-11 16:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-07-20 01:01 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-07-20 01:01 . 2010-07-20 01:01 -------- d-----w- c:\program files\Common Files\McAfee

2010-07-20 01:01 . 2010-07-20 01:01 -------- d-----w- c:\program files\McAfee.com

2010-07-20 01:00 . 2010-04-22 20:28 -------- d-----w- c:\program files\McAfee

2010-07-20 00:58 . 2009-11-11 16:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-07-20 00:54 . 2010-07-20 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-07-19 23:15 . 2010-07-19 23:15 -------- d-----w- c:\program files\ATT-RC

2010-04-25 16:26 . 2010-04-25 16:26 -------- d-----w- C:\spoolerlogs

2010-04-23 22:08 . 2010-04-23 22:08 503808 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6a1ecaab-n\msvcp71.dll

2010-04-23 22:08 . 2010-04-23 22:08 499712 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6a1ecaab-n\jmc.dll

2010-04-23 22:08 . 2010-04-23 22:08 348160 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6a1ecaab-n\msvcr71.dll

2010-04-23 22:08 . 2010-04-23 22:08 61440 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-581a95a1-n\decora-sse.dll

2010-04-23 22:08 . 2010-04-23 22:08 12800 ----a-w- c:\documents and settings\Dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-581a95a1-n\decora-d3d.dll

2010-04-23 22:08 . 2010-04-23 22:08 -------- d-----w- c:\program files\Common Files\Java

2010-04-23 22:08 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-21 23:21 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-21 23:21 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-19 23:53 . 2003-08-16 05:29 -------- d-----w- c:\program files\PC-Doctor for Windows

2010-07-19 23:53 . 2003-08-16 04:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-26 20:32 . 2004-08-10 19:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys

2010-04-23 22:08 . 2009-04-09 22:42 -------- d-----w- c:\program files\Java

2010-04-22 00:24 . 2008-12-17 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-19 00:18 . 2009-08-22 17:58 -------- d-----w- c:\program files\Coupons

2010-03-11 03:43 . 2010-03-09 23:45 -------- d-----w- c:\program files\ATT-SST

2010-03-11 03:43 . 2006-10-23 23:56 -------- d-----w- c:\program files\Common Files\Motive

2010-03-11 00:13 . 2003-08-16 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive

2010-03-10 06:15 . 2004-08-10 19:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 23:58 . 2005-01-23 05:07 -------- d-----w- c:\documents and settings\Dad\Application Data\Motive

2010-02-25 06:24 . 2004-08-10 19:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2004-08-10 19:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-23 01:11 . 2010-02-23 01:11 50354 ----a-w- c:\documents and settings\Dad\Application Data\Facebook\uninstall.exe

2010-02-17 22:34 . 2009-12-25 21:53 38784 ----a-w- c:\documents and settings\Dad\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-02-17 22:34 . 2009-12-25 21:53 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-02-17 03:53 . 2010-01-30 04:49 6314784 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-16 14:08 . 2004-08-10 19:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2004-08-10 19:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-10 19:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Dad\Application Data\Facebook\axfbootloader.dll

2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Dad\Application Data\Facebook\npfbplugin_1_0_1.dll

2005-01-22 01:56 . 2005-01-22 00:56 0 -csha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Acme.PCHButton"="c:\progra~1\HPINST~1\Pavilion\XPENABF3EN\plugin\bin\PCHButton.exe" [2003-08-16 155648]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LTMSG"="LTMSG.exe 7" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-10 114688]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]

"nwiz"="nwiz.exe" [2004-09-20 921600]

"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-22 98304]

"dcmsvc"="c:\program files\dcmsvc\dcmsvc.exe" [2009-04-07 30440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\

AutoTBar.exe [2003-6-18 53248]

mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

c:\documents and settings\Dad\Start Menu\Programs\Startup\

Warner Bros.lnk - c:\program files\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe [2009-12-25 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=sysaudio.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-01-22 23:09 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2003-08-19 07:01 110592 -c--a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

2004-05-11 00:40 64512 -c--a-w- c:\program files\WildTangent\Apps\CDA\CDAEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

2005-08-15 21:24 3092480 ----a-w- c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/10/2009 9:44 PM 64160]

R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);c:\windows\system32\drivers\NEOFLTR_500_8897.sys [7/27/2005 8:32 PM 56038]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [7/19/2010 8:04 PM 93320]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]

S2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\CX88XBARDUAL.sys --> c:\windows\system32\drivers\CX88XBARDUAL.sys [?]

S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [6/30/2006 5:55 PM 32000]

S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [6/30/2006 5:56 PM 28057]

S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [6/30/2006 5:56 PM 21081]

.

Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:44]

2010-07-20 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-20 17:22]

2010-02-05 c:\windows\Tasks\{0E71A998-55BF-44C3-828D-3E422D0F2561}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 00:12]

2010-04-23 c:\windows\Tasks\{2038B94A-6254-4988-A85D-8118BC8D2482}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 00:12]

2010-04-23 c:\windows\Tasks\{F98E5278-55E0-4992-8DC0-BFF9E90747B8}_DEN_Administrator.job

- c:\windows\system32\mobsync.exe [2004-08-10 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://att.my.yahoo.com/

uInternet Settings,ProxyOverride = 127.0.0.1;localhost

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

AddRemove-MUSICMATCH Radio - c:\windows\MMRadioUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-26 16:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A694AC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74a0852

IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7858bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7847a0d

SendHandler -> NDIS.sys @ 0xf785bb40

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1108)

c:\windows\system32\WININET.dll

.

Completion time: 2010-04-26 16:06:08

ComboFix-quarantined-files.txt 2010-04-26 21:06

ComboFix2.txt 2009-04-08 22:25

ComboFix3.txt 2009-04-08 03:18

Pre-Run: 50,514,784,256 bytes free

Post-Run: 50,585,747,456 bytes free

- - End Of File - - C73226800391EC41A0107325A00C4FCB

#2 - I didn't have any problems running ComboFix

#3 - The computer was running fine before, it was the unwanted, non-requested websites that would pop-up.

I still haven't reconnected to the internet. I did activate McAfee. I decided to open a webpage knowing that the

pc's not connected to the web. I cancelled the navigation to the webpage, then I got a pop-up from IE with the

Exclamation point yellow triangle stating, "Internet Explorer is not currently your default browser. Would you like

make it your default browser? (Check mark) Always perform this check when starting Internet Explorer".

IE has always been my internet explorer, my homepage is Yahoo.com. Is this why I got the pop-up?

Let me know when you want me to connect to the internet.

NHITX

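The two logs posted above (the GMER ark.txt and the ComboFix "Reg Loading Points" section) are the kind of output a responder ends up reading by hand. The script below is an added example, written for this thread and not part of it or of either tool: it parses exactly the line formats visible in those logs, lists every SSDT hook with the module that owns it (here Lbd.sys, which the log itself attributes to Lavasoft, so it is a "verify the vendor" item rather than a detection), reports the driver whose entry point GMER placed in a non-standard section without naming a malware family, and pulls out the Security Center override/monitoring values that are set to 1 in the ComboFix report. The sample inputs are copied from the posted logs and used here as constructed test data; the function names and the `SC_OVERRIDES` set are the example's own choices.

```python
import re

# GMER "---- System ----" line:
#   SSDT <module> (<description>) <hooked function> [<address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
# GMER "---- Kernel code sections ----" line:
#   <section> <driver path> entry point in "<section>" section [<address>]
KSECTION_RE = re.compile(
    r'^(?P<section>\S+)\s+(?P<path>.+?)\s+entry point in "(?P<in>\w+)" section\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$'
)
# ComboFix "Reg Loading Points": REGEDIT4-style key headers and dword values
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

# Security Center values that, when set to 1, stop Windows from warning that
# AV/firewall protection is off. Rogue AV sets them to hide that warning, but
# legitimate suites set them too, so a hit is a lead to verify, not a verdict.
# (Value names are documented Security Center values; the set is this example's.)
SC_OVERRIDES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}

# Constructed sample: the lines from the GMER ark.txt posted in this thread.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF780F300]
---- EOF - GMER 1.0.15 ----
"""

# Constructed sample: the Security Center part of the posted ComboFix report.
COMBOFIX_SAMPLE = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"""


def parse_gmer(text):
    """Return (ssdt_hooks, kernel_sections) parsed from GMER ark.txt text."""
    hooks, sections = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = KSECTION_RE.match(line)
        if m:
            sections.append(m.groupdict())
    return hooks, sections


def parse_combofix_security_center(text):
    """Return [(registry key, value name, int value)] for Security Center
    override/monitoring values set to 1 in a ComboFix report."""
    findings, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key")   # remember which key we are under
            continue
        m = REG_DWORD_RE.match(line)
        if m and current_key and "security center" in current_key.lower():
            name, val = m.group("name"), int(m.group("val"), 16)
            if name.lower() in SC_OVERRIDES and val == 1:
                findings.append((current_key, name, val))
    return findings


def triage_gmer(text):
    """Turn GMER findings into review items: owner of each SSDT hook, and any
    driver whose entry point sits in a non-standard section."""
    hooks, sections = parse_gmer(text)
    items = [f"SSDT hook on {h['func']} owned by {h['module']} ({h['desc']}): verify vendor"
             for h in hooks]
    items += [f"driver {s['path']} entry point in '{s['in']}' section at {s['addr']}: check hash/signature"
              for s in sections]
    return items


if __name__ == "__main__":
    for item in triage_gmer(GMER_SAMPLE):
        print(item)
    for key, name, val in parse_combofix_security_center(COMBOFIX_SAMPLE):
        print(f"Security Center {name}={val} under [{key}]")
```

Run against the sample data it prints three GMER review items and seven Security Center values; on a real system the same parsers can be pointed at the saved ark.txt and C:\ComboFix.txt files. The point of the split between "owned by a named vendor driver" and "entry point in a non-standard section" is that GMER reports both the same way, while only the second is unexplained by the software visible in the ComboFix Add-Remove list.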

  • Staff

Greetings

"Internet Explorer is not currently your default browser. Would you like

make it your default browser? (Check mark) Always perform this check when starting Internet Explorer".

part of the tools we have used will do this

Yes connect to the internet and let me know if you still have the redirects or popups.

extra combofix report

I need to see one of the extra reports combofix makes

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box

C:\Qoobox\Add-Remove Programs.txt

  • click ok
  • copy and paste the report into this topic for me to review

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

"information and logs"

  • In your next post I need the following
  1. the report from combofix
  2. the report from MBAM
  3. connect to internet and let me know about redirects
  4. let me know of any problems you may have had
  5. How is the computer doing now?

Gringo


FYI,

1. extra combofix report

1300

1300_Help

1300Tour

1300Trb

Acrobat.com

Ad-Aware

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9.3.2

AiO_Scan

AIOMinimal

AiOSoftware

Amazing Windows XP Screen Saver 1.2

Anark Client 1.0

AnswerWorks 4.0 Runtime - English

AnswerWorks 5.0 English Runtime

ArcSoft ShowBiz 2

AT&T Yahoo! Applications

ATT-PRT22

ATT-RC Self Support Tool

Audacity 1.2.6

Audit Support Center 1.0

Copy

CreativeProjects

Critical Update for Windows Media Player 11 (KB959772)

dcmsvc 1.0

Director

DocProc

Enhanced Multimedia Keyboard Solution

Facebook Plug-In

Fax

GdiplusUpgrade

Google Earth

Hewlett-Packard Multimedia Keyboard/Mouse Solution

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

HP Deskjet Preloaded Printer Drivers

HP Instant Support

HP Photo & Imaging 3.1

HP Photo and Imaging 2.0 - Photosmart Cameras

HP Product Detection

HP PSC & OfficeJet 3.0

HP Update

HPImageZone

HPIZ Fix2

hpmdtab

HpSdpAppCoreApp

HPSystemDiagnostics

InstantShare

Intel® Extreme Graphics 2 Driver

InterActual Player

InterVideo WinDVD Player

ItsDeductible Express

Java Auto Updater

Java 6 Update 20

Juniper Networks Network Connect 5.0.0

Malwarebytes' Anti-Malware

McAfee SecurityCenter

Media Library Management Wizard

Memories Disc Creator 2.0

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2003

Microsoft Money 2003 System Pack

Microsoft National Language Support Downlevel APIs

Microsoft Office Standard Edition 2003

Microsoft Plus! Digital Media Edition

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual J# .NET Redistributable Package 1.1

Microsoft Visual J# .NET Redistributable Package(ENU) v1.0.4205

Microsoft Web Publishing Wizard 1.52

Microsoft Works 7.0

Movie Maker Background Music Files

Movie Maker Sound Effects

Movie Maker Title Images

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

Multimedia Card Reader

MUSICMATCH Media Center

MUSICMATCH

post-12162-1272322504_thumb.jpg

post-12162-1272322572_thumb.jpg


This topic is now closed to further replies.