Please help me get rid of this malware


pallgood

My computer keeps restarting before I'm able to save the results of the rootkit scanner, but below is the most recent Malwarebytes log, dds.txt, and attach.txt:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5128

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/17/2010 10:40:39 AM
mbam-log-2010-11-17 (10-40-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 294860
Time elapsed: 2 hour(s), 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Pam Allgood\Application Data\sdfsdfgdsfgh.bat (Malware.Trace) -> Quarantined and deleted successfully.

DDS (Ver_10-11-10.01) - NTFSx86
Run by Pam Allgood at 12:17:35.71 on Wed 11/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1255 [GMT -5:00]

AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ofps.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.1\Sage.LS1.ServiceHost.exe
C:\Program Files\Common Files\Sage\ServiceHost\Sage.ServiceHost.Host.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Upromise\dca-ua.exe
C:\Program Files\Upromise\UpromiseTray.exe
C:\Program Files\Replay AV 8\ReplayAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\American Systems\Print Screen Deluxe\psdeluxe.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\Program Files\Microsoft Silverlight\4.0.50917.0\agcp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Pam Allgood\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sn126w.snt126.mail.live.com/default.aspx?wa=wsignin1.0
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [upromise Update] c:\program files\upromise\dca-ua.exe
uRun: [upromise Tray] c:\program files\upromise\UpromiseTray.exe
uRun: [Replay AV] "c:\program files\replay av 8\ReplayAV.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [iSUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Nuance OmniPage 17-reminder] "c:\program files\nuance\omnipage17\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 17\ereg\Ereg.ini"
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\pamall~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{91120000-0013-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\pamall~1\startm~1\programs\startup\prints~1.lnk - c:\program files\american systems\print screen deluxe\psdeluxe.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~2.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ecollege.com\secure
Trusted Zone: fcci-group.com\appweb
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://napaaccount.com/rfmweb/LTOCX13N.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} - file:///C:/Program%20Files/DVR/DVR%202400%20Remote%20Viewer/Remote%20Viewer/XHD.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
DPF: {4BEF854E-6531-40D8-825E-5228A12861F3} - hxxps://sagesoftware.thruinc.net/Components/PowerUpload.cab
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://66.133.171.94/rcm/VMRCActiveXClient1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} - hxxp://10.0.1.253/cab/DownloadFile.cab
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://10.0.1.253/cab/Live.cab
DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} - file:///C:/Program%20Files/DVR/DVR%202400%20Remote%20Viewer/Remote%20Viewer/RM.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://lsics.webex.com/client/T26L10NSP49EP2/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {BDB85D65-A695-4AD2-97D1-F794D81E1C3B} = 64.238.96.12,66.180.96.12
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.811.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pamall~1\applic~1\mozilla\firefox\profiles\z83u6h8i.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Softonic-Eng7 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://sn126w.snt126.mail.live.com/default.aspx?wa=wsignin1.0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815AS rev.3.ADA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A81C446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a822504]; MOV EAX, [0x8a822580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A863AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000079[0x8A8B3698]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A869940]
\Driver\atapi[0x8A813030] -> IRP_MJ_CREATE -> 0x8A81C446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \\?\IDE#DiskST3160815AS_____________________________3.ADA___#5&16f139c2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A81C292
user != kernel MBR !!!
sectors 312499998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 12:31:19.28 ===============

I tried the rootkit scanner again but I'm still unable to do a complete scan. I did, however, get a partial scan because I copied and pasted before the blue screen popped up with the message PFN_LIST_CORRUPT and "your computer has been shut down to prevent damage...".

Attach.zip

Attach.txt

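A small triage script, added here as an example and not part of the original post or of any Malwarebytes, DDS or GMER tool, that parses the three log formats posted above (MBAM detection lines, DDS uPolicies-explorer lines, and the GMER MBR user/kernel comparison) and correlates them into findings a helper would act on. The sample excerpts are constructed from the log lines in the post, with the account name shortened.

```python
import re

# Constructed excerpts in the formats shown in the post (not the full logs).
MBAM_SAMPLE = """Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Files Infected:
C:\\Documents and Settings\\User\\Application Data\\sdfsdfgdsfgh.bat (Malware.Trace) -> Quarantined and deleted successfully.
"""
DDS_SAMPLE = """uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
"""
MBR_SAMPLE = """user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 312499998 (+255): user != kernel
"""

# MBAM detail lines have the shape "<location> (<threat name>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<where>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam(text):
    """Return MBAM detection lines as dicts; headers, counts and '(No malicious items detected)' are skipped."""
    hits = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def parse_dds_policies(text):
    """Return {policy name: value} for the uPolicies/mPolicies lines of a DDS log."""
    pol = re.compile(r"^[um]Policies-\w+: (?P<name>\w+) = (?P<val>\d+)")
    return {m["name"]: int(m["val"]) for m in map(pol.match, text.splitlines()) if m}

def mbr_mismatch(text):
    """True when GMER's MBR check reports that the user-mode and kernel-mode reads differ."""
    return any(l.strip().startswith("user != kernel MBR") for l in text.splitlines())

def triage(mbam, dds, mbr):
    """Correlate the three logs into a list of findings in the order a helper would read them."""
    findings = []
    # MBAM could only schedule the registry value for removal; it is still live until a reboot.
    for h in parse_mbam(mbam):
        if h["action"].startswith("Delete on reboot"):
            findings.append(f"pending removal (needs reboot): {h['threat']} at {h['where']}")
    # DDS independently confirms the policy is still set, which is why Folder Options is hidden.
    if parse_dds_policies(dds).get("NoFolderOptions") == 1:
        findings.append("Explorer NoFolderOptions=1 still set: Folder Options hidden from the user")
    # A user/kernel MBR disagreement means something below the OS is filtering disk reads.
    if mbr_mismatch(mbr):
        findings.append("MBR read from user mode differs from kernel read: bootkit indicator, a file-level AV scan will not clean it")
    return findings
```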

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
