Jump to content

Recommended Posts

Hi,

I have a Windows XP system which redirects browser URLs, a SVCHOST.EXE process stays at 50%, and DDS SCR freezes even in safe mode.

The available logs are attached or pasted here.

Thanks in anticipation.

Bob

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6122

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

21/03/2011 21:58:58

mbam-log-2011-03-21 (21-58-58).txt

Scan type: Quick scan

Objects scanned: 186696

Time elapsed: 19 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ark.zip

Link to post
Share on other sites

post-32477-1261866970.gif

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

aswmbrscan.gif

Click the "Scan" button to start scan

aswmbrsavelog.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

Link to post
Share on other sites

Hi LDTate,

Thanks for your reply, here is the aswMBR log.

Bob

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-22 17:28:20

-----------------------------

17:28:20.828 OS Version: Windows 5.1.2600 Service Pack 3

17:28:20.828 Number of processors: 2 586 0xF06

17:28:20.828 ComputerName: ZANE UserName:

17:28:21.578 Initialize success

17:28:24.328 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0

17:28:24.328 Disk 0 Vendor: FUJITSU_MHV2060BH_PL 0000002A Size: 57231MB BusType: 3

17:28:24.328 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2060BH_PL____________________0000002A#5&27de33fc&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found

17:28:24.343 Device \Driver\atapi -> DriverStartIo 8a80b41f

17:28:26.359 Disk 0 MBR read successfully

17:28:26.375 Disk 0 MBR scan

17:28:26.375 Disk 0 TDL4@MBR code has been found

17:28:26.390 Disk 0 MBR hidden

17:28:26.390 Disk 0 MBR [TDL4] **ROOTKIT**

17:28:26.406 Disk 0 trace - called modules:

17:28:26.406 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x8a80b5d9]<<

17:28:26.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8b4ab8]

17:28:26.437 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\THPDRV[0x8a864908]

17:28:26.453 5 thpdrv.sys[f764971d] -> nt!IofCallDriver -> \Device\00000081[0x8a865138]

17:28:26.453 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8a8aed98]

17:28:26.468 \Driver\atapi[0x8a9144e8] -> IRP_MJ_CREATE -> 0x8a80b5d9

17:28:26.484 Scan finished successfully

Link to post
Share on other sites

Thanks again,

In my enthusiasm I forgot to save the result of the Fix for TDL4 which was reported as fixed.

I ran aswMBR again to collect a log showing no ROOTKIT -

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-22 21:23:19

-----------------------------

21:23:19.328 OS Version: Windows 5.1.2600 Service Pack 3

21:23:19.328 Number of processors: 2 586 0xF06

21:23:19.328 ComputerName: ZANE UserName:

21:23:30.312 Initialize success

21:23:37.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

21:23:37.046 Disk 0 Vendor: FUJITSU_MHV2060BH_PL 0000002A Size: 57231MB BusType: 3

21:23:39.109 Disk 0 MBR read successfully

21:23:39.125 Disk 0 MBR scan

21:23:41.250 Disk 0 scanning sectors +117210240

21:23:41.375 Disk 0 scanning C:\WINDOWS\system32\drivers

21:24:12.968 Service scanning

21:24:14.359 Disk 0 trace - called modules:

21:24:14.390

21:24:14.390 Scan finished successfully

Thanks

Bob

Link to post
Share on other sites

Good job thumbup.gif

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

    [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

    Without a firewall your computer is succeptible to being hacked and taken over.

    I am very serious about this and see it happen almost every day with my clients.

    Simply using a Firewall in its default configuration can lower your risk greatly.

    [*] WOT , Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    Green to go

    Yellow for caution

    Red to stop

    WOT has an addon available for both Firefox and IE.

    [*] JAVA Click this link and click on the Free JAVA Download

    [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

    This will ensure your computer has always the latest security updates available installed on your computer.

    If there are new updates to install, install them immediately, reboot your computer, and revisit the site

    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.