Google redirects, pop-ups, "generic host process" error, Trojan Hiloti


Hey all,

I have been experiencing google redirects, pop-ups, and an annoying "generic host process" error that seems to shut down my audio a few minutes after windows starts. During the first few runs of MBAM, Trojan Hiloti was found, but my symptoms keep worsening. Recent few scans with MBAM have been clean. I also recently uninstalled AVG and am now running Avira.

A million thanks for your help. It is unbelievable what you guys do here.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6404

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

4/20/2011 6:08:55 AM

mbam-log-2011-04-20 (06-08-55).txt

Scan type: Quick scan

Objects scanned: 159550

Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Vamos Rafa at 6:11:32.10 on Wed 04/20/2011

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

.

============== Running Processes ===============

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Razer\DeathAdder\razerhid.exe

C:\Program Files\Razer\DeathAdder\razertra.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Razer\DeathAdder\razerofa.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Documents and Settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Vamos Rafa\My Documents\New2\OC\Core Temp.exe

C:\Documents and Settings\Vamos Rafa\Desktop\dds.scr

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll

uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear

uRun: [Google Update] "c:\documents and settings\vamos rafa\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [nwiz] nwiz.exe /install

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [instaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm

IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxvpn.cab#version=6030,2008,904,1951

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/f5tunsrv.cab#version=6030,2008,904,1947

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\docume~1\vamosr~1\locals~1\temp\ixp000.tmp\InstallerControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe

DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxshost.cab#version=6030,2008,904,1945

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://uplink.healthsystem.virginia.edu/vdesk/terminal/urxhost.cab#version=6030,2008,904,1940

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\vamosr~1\applic~1\mozilla\firefox\profiles\6320ji3r.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll

FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\vamos rafa\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\vamos rafa\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJPI142_05.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll

.

============= SERVICES / DRIVERS ===============

.

R? AVGIDSDriver;AVGIDSDriver

R? AVGIDSEH;AVGIDSEH

R? AVGIDSFilter;AVGIDSFilter

R? AVGIDSShim;AVGIDSShim

R? f5ipfw;F5 Networks StoneWall Filter

R? npggsvc;nProtect GameGuard Service

R? SASENUM;SASENUM

R? TfFsMon;TfFsMon

R? TfNetMon;TfNetMon

R? TfSysMon;TfSysMon

R? urvpndrv;F5 Networks VPN Adapter

S? ALSysIO;ALSysIO

S? AntiVirSchedulerService;Avira AntiVir Scheduler

S? AntiVirService;Avira AntiVir Guard

S? avgio;avgio

S? avgntflt;avgntflt

S? DAdderFltr;DeathAdder Mouse

S? Envy24HFS;ICE Envy24 Family Audio Controller WDM

S? SASDIFSV;SASDIFSV

S? SASKUTIL;SASKUTIL

S? vsdatant;vsdatant

.

=============== Created Last 30 ================

.

2011-04-20 07:32:58 -------- d-----w- c:\docume~1\vamosr~1\applic~1\Avira

2011-04-20 02:57:38 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-04-20 02:57:37 -------- d-----w- c:\program files\Avira

2011-04-20 02:57:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-04-19 03:40:16 175616 ----a-w- c:\windows\system32\unrar.dll

2011-04-19 03:40:14 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-04-18 04:55:09 0 ----a-w- c:\windows\Ssexohoqusi.bin

2011-04-18 04:55:08 -------- d-----w- c:\docume~1\vamosr~1\locals~1\applic~1\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}

2011-04-18 04:53:48 -------- d-----w- c:\docume~1\vamosr~1\applic~1\3027DCEB6FF29DEB4472D78FD4EFABF5

2011-03-24 05:58:23 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-03-24 05:58:23 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-03-24 05:58:23 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-03-24 05:58:23 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-03-24 05:58:23 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-03-24 05:58:23 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-03-24 05:58:23 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-03-24 05:58:23 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-03-23 15:57:31 -------- d-----w- C:\P?ogram Files

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2008-04-08 17:46:28 680 ----a-w- c:\program files\mpc2.reg

2008-04-08 17:46:28 596 ----a-w- c:\program files\mpc1.reg

2008-04-08 17:46:28 4608 ----a-w- c:\program files\mpc4.reg

2008-04-08 17:46:28 3476 ----a-w- c:\program files\mpc7.reg

2008-04-08 17:46:28 3026 ----a-w- c:\program files\mpc3.reg

2008-04-08 17:46:28 27260 ----a-w- c:\program files\ffdssetts.reg

2008-04-08 17:46:28 24316 ----a-w- c:\program files\ffdsvsetts.reg

2008-04-08 17:46:28 18156 ----a-w- c:\program files\mpc6.reg

2008-04-08 17:46:28 16486 ----a-w- c:\program files\mpc5.reg

2008-04-08 17:46:28 1292 ----a-w- c:\program files\ffdsasetts.reg

2008-02-14 22:23:12 231944 ----a-w- c:\program files\gwflash.exe

2007-09-22 03:42:42 19008 ----a-w- c:\program files\markfun.a64

2007-08-22 03:49:28 17912 ----a-w- c:\program files\markfun.w32

2007-03-02 12:48:50 240448 ----a-w- c:\program files\gwf32.exe

2006-11-24 07:47:50 207680 ----a-w- c:\program files\BIOS_Run.exe

2005-04-28 03:40:26 6800 ----a-w- c:\program files\W95_HUA.vxd

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89B444F0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89b4a7d0]; MOV EAX, [0x89b4a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89BA6AB8]

3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000081[0x89BBA9E8]

5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x89BAB940]

\Driver\atapi[0x89B74B40] -> IRP_MJ_CREATE -> 0x89B444F0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89B4433B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 6:15:11.96 ===============

attach.zip


Hi warehouse and Welcome to Malwarebytes!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

aswMBR_Scan.jpg

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes click Save log to save the log to your Desktop
    aswMBR_SaveLog.png
  • Copy and paste the contents of aswMBR.txt back here for review


Hi Kenny,

Thanks for the quick reply. Below is the log from aswMBR.

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-04-20 17:53:33

-----------------------------

17:53:33.046 OS Version: Windows 5.1.2600 Service Pack 3

17:53:33.046 Number of processors: 4 586 0xF0B

17:53:33.046 ComputerName: HIEU UserName:

17:53:33.765 Initialize success

17:53:37.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12

17:53:37.203 Disk 0 Vendor: ST3320620AS 3.AAE Size: 305244MB BusType: 3

17:53:37.203 Device \Driver\atapi -> DriverStartIo 89b4433b

17:53:37.203 Disk 0 MBR read error

17:53:37.203 Disk 0 MBR scan

17:53:37.218 MBR BIOS signature not found 0

17:53:37.218 Disk 0 scanning sectors +625121280

17:53:37.218 Disk 0 scanning C:\WINDOWS\system32\drivers

17:53:52.671 Service scanning

17:53:53.562 Disk 0 trace - called modules:

17:53:53.562 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b444f0]<<

17:53:53.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ba6ab8]

17:53:53.562 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000081[0x89bba9e8]

17:53:53.562 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89bab940]

17:53:53.578 \Driver\atapi[0x89b74b40] -> IRP_MJ_CREATE -> 0x89b444f0

17:53:53.578 Scan finished successfully


  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Kenny,

Find below my Combofix log.

Not sure if this is helpful or relevant, but a few things I noticed:

1) When Combofix was starting up, a message came up saying I was not using Windows XP (which I am) and that Combofix only works with Windows XP/2000.

2) An error message came up while Combofix was running saying that my Malwarebytes "Quarantine" folder was corrupt and that I need to run ChkDsk.

3) ChkDsk ran when my computer was rebooted. I don't think any errors were found, and Windows started up normally.

4) Still getting pop-ups. Also, it seems that I can no longer hit the "enter" key in the Firefox address bar. Rather, I need to click the "go" button to go to web pages. The enter key appears to be working fine everywhere else.

Thanks for your help.

ComboFix 11-04-20.01 - Vamos Rafa 04/20/2011 18:48:32.11.4 - x86

Running from: c:\documents and settings\Vamos Rafa\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Vamos Rafa\Application Data\Adobe\plugs

c:\documents and settings\Vamos Rafa\Application Data\Adobe\shed

c:\documents and settings\Vamos Rafa\Application Data\FFSJ

c:\documents and settings\Vamos Rafa\Application Data\FFSJ\FFSJ.cfg

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\chrome.manifest

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\chrome\content\_cfg.js

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\chrome\content\overlay.xul

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{91EC9C83-8975-4713-BE75-2B9CF5E8E2F2}\install.rdf

c:\hijackthis\HijackThis.exe

c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\pthreadVC.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))

.

.

2011-04-20 07:32 . 2011-04-20 07:32 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Avira

2011-04-20 02:57 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-04-20 02:57 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-04-20 02:57 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-04-20 02:57 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\program files\Avira

2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-04-19 03:40 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll

2011-04-19 03:40 . 2011-04-19 03:40 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-04-18 05:05 . 2011-04-18 05:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-04-18 04:55 . 2011-04-18 04:55 0 ----a-w- c:\windows\Ssexohoqusi.bin

2011-04-18 04:53 . 2011-04-18 04:54 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\3027DCEB6FF29DEB4472D78FD4EFABF5

2011-03-27 01:13 . 2011-03-27 01:13 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Leadertech

2011-03-24 05:58 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-03-24 05:58 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-03-24 05:58 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-03-24 05:58 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-03-24 05:58 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-03-24 05:58 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-03-24 05:58 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-03-24 05:58 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-03-23 15:57 . 2011-03-23 15:57 -------- d-----w-gram Files C:\POGRAM~1

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2008-03-20 16:32 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 13:51 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:51 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:37 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32 . 2009-04-17 06:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-02 07:58 . 2008-03-20 16:30 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-03-20 16:30 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2008-04-08 17:46 . 2008-04-08 17:46 1292 ----a-w- c:\program files\ffdsasetts.reg

2008-04-08 17:46 . 2008-04-08 17:44 680 ----a-w- c:\program files\mpc2.reg

2008-04-08 17:46 . 2008-04-08 17:44 596 ----a-w- c:\program files\mpc1.reg

2008-04-08 17:46 . 2008-04-08 17:44 4608 ----a-w- c:\program files\mpc4.reg

2008-04-08 17:46 . 2008-04-08 17:44 3476 ----a-w- c:\program files\mpc7.reg

2008-04-08 17:46 . 2008-04-08 17:44 3026 ----a-w- c:\program files\mpc3.reg

2008-04-08 17:46 . 2008-04-08 17:44 27260 ----a-w- c:\program files\ffdssetts.reg

2008-04-08 17:46 . 2008-04-08 17:44 24316 ----a-w- c:\program files\ffdsvsetts.reg

2008-04-08 17:46 . 2008-04-08 17:44 18156 ----a-w- c:\program files\mpc6.reg

2008-04-08 17:46 . 2008-04-08 17:44 16486 ----a-w- c:\program files\mpc5.reg

2008-02-14 22:23 . 2008-02-14 22:23 231944 ----a-w- c:\program files\gwflash.exe

2007-09-22 03:42 . 2007-09-22 03:42 19008 ----a-w- c:\program files\markfun.a64

2007-08-22 03:49 . 2007-08-22 03:49 17912 ----a-w- c:\program files\markfun.w32

2007-03-02 12:48 . 2007-03-02 12:48 240448 ----a-w- c:\program files\gwf32.exe

2006-11-24 07:47 . 2006-11-24 07:47 207680 ----a-w- c:\program files\BIOS_Run.exe

2005-04-28 03:40 . 2005-04-28 03:40 6800 ----a-w- c:\program files\W95_HUA.vxd

2011-03-18 17:53 . 2011-03-24 05:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"nwiz"="nwiz.exe" [2009-03-28 1657376]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-4-23 6144]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=

"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=

"c:\\Program Files\\GIGABYTE\\@BIOS\\update.exe"=

"c:\\Program Files\\gwflash.exe"=

"c:\\WINDOWS\\system32\\dxdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\GIGABYTE\\@BIOS\\BIOS_Run.exe"=

"c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\ijji\\ENGLISH\\u_gunz.exe"=

"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\ijji\\ijji REACTOR\\REACTOR.exe"=

"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

"c:\\Program Files\\Razer\\DeathAdder\\razertra.exe"=

"c:\\Program Files\\Razer\\DeathAdder\\razerofa.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\dark messiah might and magic multi-player\\mm.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\LoaderExe.exe"=

"c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\mp.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

"c:\\Program Files\\StarCraft II\\Versions\\Base17326\\SC2.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\StarCraft II\\Versions\\Base18092\\SC2.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"17327:TCP"= 17327:TCP:utorrent

"38511:TCP"= 38511:TCP:utorrent

"2104:TCP"= 2104:TCP:Kodak DirectView Port 2104

"2105:TCP"= 2105:TCP:Kodak DirectView Port 2105

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]

R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2008-09-04 10744]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-04-27 2870429]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-10-13 7408]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]

R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys [2008-09-04 33400]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-03-21 715248]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-10-13 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-10-13 74480]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]

S3 ALSysIO;ALSysIO;c:\docume~1\VAMOSR~1\LOCALS~1\Temp\ALSysIO.sys [x]

S3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2007-08-03 22784]

S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-12-01 651712]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - ALSYSIO

*NewlyCreated* - ASWMBR

*Deregistered* - aswMBR

*Deregistered* - pxtdipob

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003Core1cbff877ea096b4.job

- c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]

.

2011-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003UA.job

- c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe

FF - ProfilePath - c:\documents and settings\Vamos Rafa\Application Data\Mozilla\Firefox\Profiles\6320ji3r.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-HijackThis - c:\hijackthis\HijackThis.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-20 19:21

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.13245 81 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.13596 80 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.14272 118 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.14341 121 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.16326 118 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.16637 117 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.16909 83 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.17175 79 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.17740 112 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.18149 85 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.18481 123 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.19242 70 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.20580 83 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.20893 80 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.21522 97 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.22031 78 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.22638 155 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.23124 120 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.24051 66 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP1.25760 84 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.11174 173 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.11393 129 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.16421 167 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.24170 169 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.24611 280 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.28474 210 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.28738 166 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.28878 178 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.30290 119 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.34847 166 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.34918 156 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.43906 171 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.44883 191 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.47514 215 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.47629 190 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.59695 125 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.60216 234 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.60772 126 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.61274 150 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.61960 180 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.65952 201 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.68802 167 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\BACKUP4.68915 122 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.80609 62 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.80686 217 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.81433 1390 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.81848 243 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.85718 149 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.86571 227 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.86818 193 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.91933 155 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.92536 149 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.97945 1124 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.98691 1458 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.99392 356 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.99541 64 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.86179 10240 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.86727 32768 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.90256 0 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.91528 67584 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.91629 110592 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.92196 93696 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.92879 181105 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.92907 100864 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.93066 134656 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95756 0 bytes

c:\documents and settings\Vamos Rafa\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.98802 9728 bytes

.

scan completed successfully

hidden files: 67

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89B4433B

user & kernel MBR OK

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\controlset004\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1004)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\System32\dimsntfy.dll

.

Completion time: 2011-04-20 19:29:39

ComboFix-quarantined-files.txt 2011-04-20 23:29

.

Pre-Run: 95,919,706,112 bytes free

Post-Run: 96,015,224,832 bytes free

.

Current=4 Default=4 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 5F10CAAB2BE8DFC0382BB3E7A96B3FC5


Thanks for the update.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.


Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, the Advanced Options Menu should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Log into an account with administrative privileges.

Then run TDSSKiller and post the log please.


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot; if not, do this yourself to ensure a complete clean.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Next

Drag ComboFix icon into the Recycle Bin. Download a fresh copy:

  1. Download ComboFix from below:
    Combofix download

When finished, it will produce a log. Please save that log to a Notepad file to post in your next reply.


Just a brief update:

Unfortunately, XP Security 2011 just popped up on my computer. I have not taken any action against it. Not sure what brought on this seemingly new infection, but I will limit my use of this computer as much as possible from now on.

Thanks.


Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start.
  • Click Run.
  • Type notepad into the box and press Enter.
  • Notepad will open.
  • Copy and paste everything from the Code box into Notepad:

KILLALL::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17327:TCP"=-
"38511:TCP"=-
"2104:TCP"=-
"2105:TCP"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt onto the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt and MBAM log in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Next

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

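The CFScript in the post above deletes four values from the firewall's GloballyOpenPorts list that the earlier ComboFix log showed (two uTorrent ports and two Kodak DirectView ports). As an added example, not from this thread and not part of ComboFix or Malwarebytes, here is a small Python parser for that section of a ComboFix log and for a CFScript `Registry::` block; it confirms, before the script is run, that every value the script deletes was actually listed in the log, and reports the firewall state from the same section. The sample log and script are constructed from the values in the thread, with one extra `"9999:UDP"=-` line added to show how an unmatched deletion is reported.

```python
"""Cross-check a ComboFix CFScript 'Registry::' block against the
firewall-policy section of a ComboFix log.

Added example for the thread above; not part of ComboFix or the thread's
own instructions.  The log and script excerpts below are constructed from
the values shown in the thread (plus one extra, made-up 9999:UDP line)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape ComboFix prints (abbreviated from the thread).
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17327:TCP"= 17327:TCP:utorrent
"38511:TCP"= 38511:TCP:utorrent
"2104:TCP"= 2104:TCP:Kodak DirectView Port 2104
"2105:TCP"= 2105:TCP:Kodak DirectView Port 2105
.
'''

# Constructed CFScript: the four deletions from the thread plus a made-up
# 9999:UDP entry that the log never listed.
SAMPLE_CFSCRIPT = r'''
KILLALL::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17327:TCP"=-
"38511:TCP"=-
"2104:TCP"=-
"2105:TCP"=-
"9999:UDP"=-
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_reg_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: data}} for every [key] block in the text.
    The log ("name"= data) and the CFScript ("name"=-) share this shape."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            blocks.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group('name')] = m.group('data').strip()
    return blocks


def open_ports(log_blocks: Dict[str, Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return sorted (port, protocol, label) tuples from the GloballyOpenPorts list."""
    out = []
    for key, values in log_blocks.items():
        if not key.lower().endswith(r'globallyopenports\list'):
            continue
        for name, data in values.items():
            port, proto = name.split(':', 1)
            # ComboFix prints the data as port:proto:label; keep only the label.
            label = data.split(':', 2)[2] if data.count(':') >= 2 else data
            out.append((int(port), proto, label))
    return sorted(out)


def firewall_enabled(log_blocks: Dict[str, Dict[str, str]]) -> bool:
    """True only if the standard profile shows EnableFirewall = 1."""
    for key, values in log_blocks.items():
        if key.lower().endswith('firewallpolicy\\standardprofile'):
            return values.get('EnableFirewall', '').startswith('1')
    return False


def check_cfscript(log_text: str, script_text: str) -> Tuple[List[str], List[str]]:
    """Pair each '=-' deletion in the CFScript with the log.  Returns
    (matched, unmatched) full value paths; an unmatched entry means the
    script would delete something the log never showed, which deserves a
    second look before the script is run."""
    log_blocks = parse_reg_blocks(log_text)
    script_part = script_text.split('Registry::', 1)[1] if 'Registry::' in script_text else ''
    matched, unmatched = [], []
    for key, values in parse_reg_blocks(script_part).items():
        present = log_blocks.get(key, {})
        for name, data in values.items():
            if data != '-':
                continue  # not a deletion line
            (matched if name in present else unmatched).append(f'{key}\\{name}')
    return matched, unmatched


if __name__ == '__main__':
    blocks = parse_reg_blocks(SAMPLE_LOG)
    print('firewall enabled:', firewall_enabled(blocks))
    for port, proto, label in open_ports(blocks):
        print(f'  open {port}/{proto}: {label}')
    ok, missing = check_cfscript(SAMPLE_LOG, SAMPLE_CFSCRIPT)
    print(f'{len(ok)} deletions match the log; {len(missing)} do not:', missing)
```

Run against the real log and script, the check is a cheap sanity step before dragging CFScript.txt onto ComboFix. The same section of the thread's log shows `"EnableFirewall"= 0 (0x0)` alongside `"FirewallOverride"=dword:00000001` in the Security Center key, so for this machine `firewall_enabled` reports False; the open-port exceptions only matter once the firewall is back on.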

Combofix and MBAM ran without issue. Logs are below.

ComboFix 11-04-21.02 - Vamos Rafa 04/22/2011 13:20:46.13.4 - x86

Running from: c:\documents and settings\Vamos Rafa\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Vamos Rafa\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Vamos Rafa\Application Data\Adobe\plugs

c:\documents and settings\Vamos Rafa\Application Data\Adobe\shed

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{5216FE70-4D3D-48E9-813B-0D41ECEB5E76}

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{5216FE70-4D3D-48E9-813B-0D41ECEB5E76}\chrome.manifest

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{5216FE70-4D3D-48E9-813B-0D41ECEB5E76}\chrome\content\_cfg.js

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{5216FE70-4D3D-48E9-813B-0D41ECEB5E76}\chrome\content\overlay.xul

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{5216FE70-4D3D-48E9-813B-0D41ECEB5E76}\install.rdf

c:\documents and settings\Vamos Rafa\Local Settings\Application Data\gfx.exe

c:\windows\psdponc.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))

.

.

2011-04-22 17:51 . 2011-04-22 17:51 -------- d-----w- c:\documents and settings\Vamos Rafa\Local Settings\Application Data\{D69CED78-B9A6-42D9-BB6C-B156110BD0C6}

2011-04-20 07:32 . 2011-04-20 07:32 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Avira

2011-04-20 02:57 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-04-20 02:57 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-04-20 02:57 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-04-20 02:57 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\program files\Avira

2011-04-20 02:57 . 2011-04-20 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-04-19 03:40 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll

2011-04-19 03:40 . 2011-04-19 03:40 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-04-18 05:05 . 2011-04-18 05:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-04-18 04:55 . 2011-04-22 17:09 0 ----a-w- c:\windows\Ssexohoqusi.bin

2011-04-18 04:53 . 2011-04-22 01:19 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\3027DCEB6FF29DEB4472D78FD4EFABF5

2011-03-27 01:13 . 2011-03-27 01:13 -------- d-----w- c:\documents and settings\Vamos Rafa\Application Data\Leadertech

2011-03-24 05:58 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-03-24 05:58 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-03-24 05:58 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-03-24 05:58 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-03-24 05:58 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-03-24 05:58 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-03-24 05:58 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-03-24 05:58 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2008-03-20 16:32 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 13:51 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 13:51 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 13:51 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:37 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32 . 2009-04-17 06:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2011-02-02 07:58 . 2008-03-20 16:30 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-03-20 16:30 677888 ----a-w- c:\windows\system32\mstsc.exe

2008-04-08 17:46 . 2008-04-08 17:46 1292 ----a-w- c:\program files\ffdsasetts.reg

2008-04-08 17:46 . 2008-04-08 17:44 680 ----a-w- c:\program files\mpc2.reg

2008-04-08 17:46 . 2008-04-08 17:44 596 ----a-w- c:\program files\mpc1.reg

2008-04-08 17:46 . 2008-04-08 17:44 4608 ----a-w- c:\program files\mpc4.reg

2008-04-08 17:46 . 2008-04-08 17:44 3476 ----a-w- c:\program files\mpc7.reg

2008-04-08 17:46 . 2008-04-08 17:44 3026 ----a-w- c:\program files\mpc3.reg

2008-04-08 17:46 . 2008-04-08 17:44 27260 ----a-w- c:\program files\ffdssetts.reg

2008-04-08 17:46 . 2008-04-08 17:44 24316 ----a-w- c:\program files\ffdsvsetts.reg

2008-04-08 17:46 . 2008-04-08 17:44 18156 ----a-w- c:\program files\mpc6.reg

2008-04-08 17:46 . 2008-04-08 17:44 16486 ----a-w- c:\program files\mpc5.reg

2008-02-14 22:23 . 2008-02-14 22:23 231944 ----a-w- c:\program files\gwflash.exe

2007-09-22 03:42 . 2007-09-22 03:42 19008 ----a-w- c:\program files\markfun.a64

2007-08-22 03:49 . 2007-08-22 03:49 17912 ----a-w- c:\program files\markfun.w32

2007-03-02 12:48 . 2007-03-02 12:48 240448 ----a-w- c:\program files\gwf32.exe

2006-11-24 07:47 . 2006-11-24 07:47 207680 ----a-w- c:\program files\BIOS_Run.exe

2005-04-28 03:40 . 2005-04-28 03:40 6800 ----a-w- c:\program files\W95_HUA.vxd

2011-03-18 17:53 . 2011-03-24 05:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-04-21_23.07.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-22 17:49 . 2011-04-22 17:49 16384 c:\windows\temp\Perflib_Perfdata_5d0.dat

+ 2011-04-22 17:50 . 2011-04-22 17:50 16384 c:\windows\temp\Perflib_Perfdata_138.dat

+ 2004-08-04 12:00 . 2008-04-14 00:12 394240 c:\windows\edejufan.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"nwiz"="nwiz.exe" [2009-03-28 1657376]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]

"Dpuroxolibugi"="c:\windows\edejufan.dll" [2008-04-14 394240]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-4-23 6144]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=

"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=

"c:\\Program Files\\GIGABYTE\\@BIOS\\update.exe"=

"c:\\Program Files\\gwflash.exe"=

"c:\\WINDOWS\\system32\\dxdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\GIGABYTE\\@BIOS\\BIOS_Run.exe"=

"c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Vamos Rafa\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\ijji\\ENGLISH\\u_gunz.exe"=

"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=

"c:\\Program Files\\FlashGet\\flashget.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\ijji\\ijji REACTOR\\REACTOR.exe"=

"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

"c:\\Program Files\\Razer\\DeathAdder\\razertra.exe"=

"c:\\Program Files\\Razer\\DeathAdder\\razerofa.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\jameshieu@yahoo.com\\dark messiah might and magic multi-player\\mm.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\LoaderExe.exe"=

"c:\\Program Files\\Kodak\\PACS\\uvapa\\mv_client\\mp.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

"c:\\Program Files\\StarCraft II\\Versions\\Base17326\\SC2.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\StarCraft II\\Versions\\Base18092\\SC2.exe"=

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 10:24 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 10:24 PM 74480]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/19/2011 10:57 PM 135336]

R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [3/20/2008 3:15 PM 22784]

R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [3/20/2008 3:13 PM 651712]

S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\VAMOSR~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\VAMOSR~1\LOCALS~1\Temp\ALSysIO.sys [?]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]

S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [1/21/2009 2:21 AM 10744]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 10:24 PM 7408]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [9/4/2008 3:53 PM 33400]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/21/2008 2:48 AM 715248]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003Core1cbff877ea096b4.job

- c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]

.

2011-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1292428093-725345543-1003UA.job

- c:\documents and settings\Vamos Rafa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-28 01:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {8E49176D-5B2E-4391-AA56-212161D660DE} - hxxp://pacs.hscs.virginia.edu/plugin/JavaSettings.exe

FF - ProfilePath - c:\documents and settings\Vamos Rafa\Application Data\Mozilla\Firefox\Profiles\6320ji3r.default\

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-22 13:50

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3320620AS rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x89AFF33B

user & kernel MBR OK

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\controlset004\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1004)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

- - - - - - - > 'explorer.exe'(1552)

c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Razer\DeathAdder\razertra.exe

c:\program files\Razer\DeathAdder\razerofa.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-04-22 13:55:01 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-22 17:54

ComboFix2.txt 2011-04-21 23:09

ComboFix3.txt 2011-04-20 23:30

.

Pre-Run: 94,439,514,112 bytes free

Post-Run: 94,426,279,936 bytes free

.

Current=4 Default=4 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 5A9A28D7C5E103D4E6CD9297C4F53D1F

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6420

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

4/22/2011 2:02:09 PM

mbam-log-2011-04-22 (14-02-09).txt

Scan type: Quick scan

Objects scanned: 155859

Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Vamos Rafa\Local Settings\Application Data\gfx.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

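The one hit in the Malwarebytes log above is a launcher hijack: the default value of `HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command` was changed so that `gfx.exe` starts first and then launches the real `firefox.exe -safe-mode`, which is how the trojan got control every time the browser was opened from the Start menu. Malwarebytes only reported the Firefox safe-mode verb; the check below is an added example (not part of the original thread or of any Malwarebytes tool) that generalises the same idea: it walks the output of `reg query HKLM\SOFTWARE\Clients\StartMenuInternet /s` and flags every `shell\<verb>\command` whose first executable is not the client the key is named after. The sample output is constructed here; only the `gfx.exe` line is taken from the log on this page, the clean `open` commands and the IEXPLORE.EXE key are made up to show what an untouched key looks like.

```python
import ntpath
import re

# Constructed sample of `reg query HKLM\SOFTWARE\Clients\StartMenuInternet /s`
# on Windows XP (the default value prints as <NO NAME>; newer Windows prints
# (Default)). Only the FIREFOX.EXE safemode command is copied from the MBAM
# log; the other entries are made up to represent untouched keys.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
    <NO NAME>    REG_SZ    "C:\Program Files\Mozilla Firefox\firefox.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command
    <NO NAME>    REG_SZ    "C:\Documents and Settings\Vamos Rafa\Local Settings\Application Data\gfx.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    <NO NAME>    REG_SZ    "C:\Program Files\Internet Explorer\iexplore.exe"
"""

# Key path: ...\StartMenuInternet\<CLIENT>\shell\<verb>\command
KEY_RE = re.compile(r"StartMenuInternet\\([^\\]+)\\shell\\([^\\]+)\\command$", re.I)
# Default value line as printed by reg query (XP and later spellings).
VALUE_RE = re.compile(r"^\s*(?:<NO NAME>|\(Default\))\s+REG_SZ\s+(.*?)\s*$")


def first_token(cmd):
    """Return the executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def parse_reg_query(text):
    """Yield (client, verb, command) for every shell verb under StartMenuInternet."""
    client = verb = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY_RE.search(line.strip())
            client, verb = (m.group(1), m.group(2)) if m else (None, None)
            continue
        m = VALUE_RE.match(line)
        if m and client:
            yield client, verb, m.group(1)


def check_launchers(text):
    """Flag shell commands whose first executable is not the registered client.

    'wrapped' is True when the real client still appears later on the command
    line, i.e. the launcher was wrapped rather than replaced (the gfx.exe pattern).
    """
    findings = []
    for client, verb, cmd in parse_reg_query(text):
        launcher = first_token(cmd)
        if ntpath.basename(launcher).lower() == client.lower():
            continue  # command starts with the client itself: as installed
        findings.append({
            "client": client,
            "verb": verb,
            "launcher": launcher,
            "wrapped": client.lower() in cmd.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in check_launchers(SAMPLE_REG_QUERY):
        kind = "wrapped launcher" if f["wrapped"] else "replaced launcher"
        print(f"{f['client']} shell\\{f['verb']}: {kind} -> {f['launcher']}")
```

On a live machine feed it the real output (`reg query "HKLM\SOFTWARE\Clients\StartMenuInternet" /s > smi.txt`); the same keys also exist under HKCU on later Windows versions, so run it against both hives there. A launcher living under a user profile directory, as here, is the giveaway, but the comparison against the key name catches replacements installed anywhere.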

Please give me an update after you run this scan below:

Please click here to download Kaspersky Virus Removal Tool.

  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect,delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right-click and choose Copy.
  10. This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


The installation halts at "Extracting files" and does not progress any further than that. Occasionally, a message pops up reading:

"The software you are installing for this hardware: ActivityMonitor has not passed Windows Logo testing to verify its compatibility with Windows XP"

I hit "Continue Anyway," but the install is still stuck at "Extracting files."


The log from Kaspersky Virus Remover Tool is below.

An update on my computer symptoms:

I am still getting google redirects and pop-ups. Svchost.exe also goes active randomly, consuming CPU and memory. I also get the same problem with a "generic host process" error that seems to mess with my audio drivers/codecs. When I restart my computer, my sound is working fine, but within 20-30 minutes an error message pops up saying "Generic host process for Win32 services has encountered a problem and needs to close" and my sound no longer works for video files. There also seems to be some issue with the Nvidia control panel detecting my GPU. In general the computer is very slow to shut down, restart, etc.

Thanks for your help!

Autoscan: completed 1 minute ago (events: 6, objects: 240615, time: 01:49:01)

4/23/2011 12:52:58 PM Task started

4/23/2011 1:03:25 PM Detected: Trojan.Win32.Menti.ggwd C:\Documents and Settings\Vamos Rafa\Application Data\Sun\Java\Deployment\cache\6.0\37\34981665-719c6878

4/23/2011 1:04:12 PM Deleted: Trojan.Win32.Menti.ggwd C:\Documents and Settings\Vamos Rafa\Application Data\Sun\Java\Deployment\cache\6.0\37\34981665-719c6878

4/23/2011 2:18:58 PM Detected: Trojan.Win32.Menti.ggwd C:\Qoobox\Quarantine\C\Documents and Settings\Vamos Rafa\Local Settings\Application Data\gfx.exe.vir

4/23/2011 2:19:53 PM Deleted: Trojan.Win32.Menti.ggwd C:\Qoobox\Quarantine\C\Documents and Settings\Vamos Rafa\Local Settings\Application Data\gfx.exe.vir

4/23/2011 2:41:59 PM Task completed


I bet this malware made its way to the Router.

Router Reset

  • Please read this: Malware Silently Alters Wireless Router Settings
  • Consult this link to find out what the default username and password of your router are and note them down: Router Passwords
    I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
    Next
    Flush the DNS cache:
  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns


  • Then hit enter.
  • Exit the command window.

Let me know how your PC is doing.


I'm 100 percent sure your PC has a new rootkit infection, and we have a fix for this. The DDS scan did show "Warning: possible TDL3 rootkit infection" and ComboFix showed it too. You also have two other symptoms.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"

(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

RC_BootMenu.gif

RConsole_Fixmbr.png

When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

RConsole_A.png

Next type FIXMBR

RConsole_FixmbrB.png

If it asks if you're sure you want to write a new MBR, answer 'Y'.

Then type EXIT to reboot the machine.

With that done, please post back and let me know how things are now.


That seemed to do the trick! Computer is noticeably faster in starting up, opening windows, etc. I can't elicit any pop-ups/redirects on google, svchost.exe is being quiet, and my sound is working so far. I will update you if anything changes.

Only remaining issue is that there is a Windows Security alert saying automatic update is turned off when it is turned on. Annoying, but nothing too troubling.

You the man, Kenny.


I'll fix the Windows Security alert, but let's make sure we got all of this rootkit!

Drag TDSSKiller into the Recycle Bin. Download a fresh copy. TDSSKiller should run now.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.

Next

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -
    http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

In your next reply, please include these log(s):

1. TDSSKiller

2. RKU log

