Jump to content

Recommended Posts

Good Afternoon,

I have been trying to fight this rootkit virus for a few days now and i can seem to get rid of it. I was able to run malwarebytes on it and spybot and allowed it to clean up the infections it found. I also tried using the combofix and it says that it found the rootkit and elminated it but I'm still getting tons of redirection and pop-ups. I have the logs below according the forum instructions and attached the required DDS file. Thank you in advance for the help!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6612

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/18/2011 3:26:53 PM

mbam-log-2011-05-18 (15-26-53).txt

Scan type: Quick scan

Objects scanned: 208577

Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

************************************************* DDS Log ********************************************************

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Administrator at 15:32:56.49 on Wed 05/18/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1647 [GMT -7:00]

.

AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Sophos\AutoUpdate\almon.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Shoreline Communications\ShoreWare Client\STCLogin.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Administrator.JCHASE-RWC\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [TpShocks] TpShocks.exe

mRun: [sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} - hxxp://palo-phone/shorewareremote/clientinstall/ShoretelClientInstall.ocx

DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://vpn.btcommercial.com/NELX.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://vnc.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab

DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://pro.realquest.com/mapviewer/mapviewer.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll

Notify: psfus - psqlpwd.dll

Notify: tpfnf2 - notifyf2.dll

Notify: tphotkey - tphklock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\admini~1.jch\applic~1\mozilla\firefox\profiles\5tqgdooh.default\

FF - prefs.js: browser.search.selectedEngine - Search

FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

.

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Search

FF - user.js: browser.search.order.1 - Search

FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=

============= SERVICES / DRIVERS ===============

.

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-8-20 153344]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-8-20 24064]

R2 PrivateDisk;PrivateDisk;c:\program files\lenovo\safeguard privatedisk\privatediskm.sys [2006-3-13 58368]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-1-25 163056]

R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-1-25 97520]

R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]

R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2006-4-25 3456]

R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-1-25 282624]

R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2011-1-25 230640]

R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2011-1-25 806912]

R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2011-1-25 1541360]

R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2007-10-23 19376]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-27 136176]

S2 McciServiceHost;McciServiceHost;"c:\program files\common files\motive\mcciservicehost.exe" --> c:\program files\common files\motive\McciServiceHost.exe [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-27 136176]

S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2010-8-20 23928]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-8-20 14976]

.

=============== Created Last 30 ================

.

2011-05-18 20:34:28 -------- d-----w- c:\docume~1\admini~1.jch\applic~1\IObit

2011-05-18 19:47:30 -------- d-----w- c:\docume~1\admini~1.jch\applic~1\Malwarebytes

2011-05-18 17:49:10 -------- d-sha-r- C:\cmdcons

2011-05-18 17:42:42 89088 ----a-w- c:\windows\MBR.exe

2011-05-18 17:42:40 256512 ----a-w- c:\windows\PEV.exe

2011-05-18 17:42:40 161792 ----a-w- c:\windows\SWREG.exe

2011-05-18 17:42:39 98816 ----a-w- c:\windows\sed.exe

2011-05-18 17:39:31 -------- d-----w- c:\docume~1\admini~1.jch\locals~1\applic~1\Mozilla

2011-05-16 19:53:05 -------- d-----w- c:\program files\ESET

2011-05-16 19:45:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB

2011-05-12 18:17:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-12 18:17:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-12 18:17:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-11 21:11:20 0 ----a-w- c:\windows\Vyopo.bin

.

==================== Find3M ====================

.

2011-03-28 17:25:52 37027 ----a-w- c:\windows\atmoUn.exe

.

============= FINISH: 15:34:44.19 ===============

Attach.zip

Link to post
Share on other sites

No need for help....

I was able to run TDSS killer and that got rid of it. Also had to run ATF cleaner prior to running TDSS and computer is now working like a charm! Ran some windows security updates and both malwarebytes, spybot and sophos are not reporting anything anymore.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.