beeonline Posted July 10, 2011 ID:451792 Share Posted July 10, 2011 I am new.MBAM Protection blocks attempted access to a number of potentially dangerous sites.MBAM Scan reveals malware.trace.Removes threat.Threats re appear.Attempted accesses to dangerous sites continue.Google searches are redirected to unassociated sites.Please Help Link to post Share on other sites More sharing options...
Elise Posted July 10, 2011 ID:451793 Share Posted July 10, 2011 Hello and We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pif[*]Double click on the DDS icon, allow it to run.[*]A small box will open, with an explaination about the tool. No input is needed, the scan is running.[*]Notepad will open with the results.[*]Follow the instructions that pop up for posting the results.[*]Close the program window, and delete the program from your desktop.Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE Link to post Share on other sites More sharing options...
beeonline Posted July 11, 2011 Author ID:452144 Share Posted July 11, 2011 unable to download dds.pifdownloaded dds.scr to desktop.stopped av (f-prot)when dds.scr runs notepad opens with lots of unreadable textat top says cannot be run in dosno instructions visible.next step? Link to post Share on other sites More sharing options...
beeonline Posted July 11, 2011 Author ID:452178 Share Posted July 11, 2011 2nd try had success.Contents of dds.txt below + aatach.zip attached.I await your reply.Thankyou.DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702Run by user at 13:07:40 on 2011-07-11Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.315 [GMT 10:00].AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}.============== Running Processes ===============.C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exe -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exesvchost.exeC:\Program Files\Nero\Nero 7\InCD\InCDsrv.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"C:\WINDOWS\system32\svchost.exe"C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exeC:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exeC:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exeC:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\WINDOWS\system32\dumprep.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Microsoft ActiveSync\wcescomm.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\PROGRA~1\MICROS~3\rapimgr.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Microsoft Office\Office10\WINWORD.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://bee.com.au/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/keyword/%sBHO: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - Adobe PDF Reader Link HelperBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dllTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dllTB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dlluRun: [EFI Job Monitor] c:\windows\system32\rundll32.exe c:\windows\system32\spool\drivers\w32x86\3\EFJM.dll,runuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInitmRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exemRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttraymRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kdRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comman~1.lnk - c:\program files\fiery\command workstation 4\CWS 4.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exeIE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.htmlDPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cabDPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/b/e/5/be592e3e-4442-4588-b01e-8fe3a2e104ac/LegitCheckControl.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cabNotify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLLNotify: AtiExtEvent - Ati2evxx.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLLHosts: 192.168.1.55 plutoHosts: 192.168.1.60 mino.================= FIREFOX ===================.FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\qts5r0xp.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.startup.homepage - hxxp://bee.com.auFF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dllFF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dllFF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll.============= SERVICES / DRIVERS ===============.R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2008-8-22 700632]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-14 12872]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 67656]R2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [2008-3-14 199168]R2 KeyP;KeyP;c:\windows\system32\drivers\KEYP.SYS [2002-6-17 18720]R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-6 366640]R2 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [2007-9-5 2171904]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-6 22712]S2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2010-11-3 83624]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-9 136176]S2 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-9 136176]S2 gvmnsuri;gvmnsuri;c:\windows\system32\drivers\gvmnsuri.sys [2011-6-3 96256]S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-7-9 20552]S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-6 39984]S3 MSSQL$MPSC_DB;MSSQL$MPSC_DB;c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlservr.exe -smpsc_db --> c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlservr.exe -sMPSC_DB [?]S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 12872]S3 SQLAgent$MPSC_DB;SQLAgent$MPSC_DB;c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlagent.exe -i mpsc_db --> c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlagent.EXE -i MPSC_DB [?]S3 UFBFilte;UFBFilte;c:\windows\system32\drivers\UFBFilte.sys [2010-9-23 4818]S4 AdLM;Autodesk License Manager;c:\windows\system32\AD_ELMD.EXE [2006-6-27 194048]S4 BvrpKrnl;BvrpKrnl;c:\program files\faxtools expert network\BvrpKrnl.exe [2008-2-2 544768].=============== Created Last 30 ================.2011-07-10 04:06:47 -------- d-s---w- C:\ComboFix2011-07-10 03:07:23 108 ----a-w- C:\fixme.reg2011-07-09 11:27:21 359296 ----a-w- c:\temp\MSFRLDA.exe2011-07-09 08:41:18 355056 ----a-w- c:\temp\SSUPDATE.EXE2011-07-09 07:52:39 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys2011-07-09 07:49:17 -------- d-----w- c:\program files\Hitman Pro 3.52011-07-09 07:46:17 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro2011-07-09 07:34:53 1458992 ----a-w- C:\TDSSKiller.exe2011-07-09 05:04:26 -------- d-----w- c:\documents and settings\all users\application data\Driver Boost2011-07-09 02:19:16 -------- d-----w- c:\documents and settings\user\local settings\application data\Deployment2011-07-09 01:58:05 -------- dc-h--w- c:\windows\ie82011-07-08 10:08:35 71680 ----a-w- c:\temp\GLB40.tmp2011-07-08 07:50:27 -------- d-----w- c:\windows\system32\wbem\repository\FS2011-07-08 07:50:27 -------- d-----w- c:\windows\system32\wbem\Repository2011-07-08 07:17:25 -------- d-----w- c:\program files\Realtek2011-07-08 02:55:01 90161 ----a-w- c:\temp\jobmonitor\harmony_core.dll2011-07-08 02:55:01 479280 ----a-w- c:\temp\jobmonitor\harmony_efi.dll2011-07-08 02:55:00 442414 ----a-w- c:\temp\jobmonitor\harmony10.dll2011-07-08 02:55:00 368691 ----a-w- c:\temp\jobmonitor\harmony_bridge.dll2011-07-08 02:54:59 704512 ----a-w- c:\temp\jobmonitor\JobMonitor.exe2011-07-06 10:19:23 -------- d-sha-r- C:\cmdcons2011-07-06 10:08:48 208896 ----a-w- c:\windows\MBR.exe2011-07-06 10:08:47 98816 ----a-w- c:\windows\sed.exe2011-07-06 10:08:47 518144 ----a-w- c:\windows\SWREG.exe2011-07-06 10:08:47 256000 ----a-w- c:\windows\PEV.exe2011-07-06 07:27:23 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-07-06 07:27:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys2011-07-06 07:27:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-07-06 06:36:04 -------- d-----w- C:\Inetpub2011-07-06 06:36:03 -------- d-----w- c:\windows\system32\Logfiles2011-07-06 06:13:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll2011-07-06 06:13:58 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll2011-07-06 06:13:58 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll2011-07-06 06:13:58 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll2011-07-06 06:13:58 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll2011-07-06 06:13:58 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll2011-07-06 06:13:58 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll2011-07-06 06:13:58 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll2011-07-06 06:13:58 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe2011-07-06 06:13:58 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll2011-07-06 03:09:42 135680 ----a-w- c:\windows\system32\explorer.exe2011-06-29 09:48:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2011-06-16 10:04:10 105472 -c----w- c:\windows\system32\dllcache\mup.sys.==================== Find3M ====================.2011-07-05 06:14:39 9728 ---h--w- c:\documents and settings\user\application data\desktop.ini2011-07-05 06:14:39 55808 ---h--w- c:\documents and settings\user\application data\ntuser.dat2011-06-03 01:06:36 96256 ----a-w- c:\windows\system32\drivers\gvmnsuri.sys2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys.============= FINISH: 13:13:42.20 ===============attach.zip Link to post Share on other sites More sharing options...
Elise Posted July 11, 2011 ID:452235 Share Posted July 11, 2011 Hi, it looks like you have run combofix. Please post me the log at c:\combofix.txtLets also check for rootkits.Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!Double-click on TDSSKiller.exe to run the tool for known TDSS variants.Vista/Windows 7 users right-click and select Run As Administrator.If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.Click the Start Scan button.Do not use the computer during the scanIf the scan completes with nothing found, click Close to exit.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).Copy and paste the contents of that file in your next reply. Link to post Share on other sites More sharing options...
beeonline Posted July 11, 2011 Author ID:452254 Share Posted July 11, 2011 Hi Elise,My previous attempts to run combofix were not successful.I have downloaded again & it is running on the infected machine now.If it is successful I will post the log, otherwise I will tell you.I have also downloaded the tootkit detector & I will run that after Combofix.BTW where are You?Whats the time there?What hours do you work?No. I'm not planning to ask you out.I'm just trying to align your times with Brisbane Australia times.It looks like Combofix is working this time.I think I'll wait..... It did warn at startup something about expiry date & running with reduced functionality.combofix.txtComboFix 11-07-05.03 - user 11/07/2011 17:22:49.4.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.502 [GMT 10:00]Running from: c:\documents and settings\user\Desktop\ComboFix.exeAV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}.- REDUCED FUNCTIONALITY MODE -..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\documents and settings\user\Application Data\ntuser.datc:\documents and settings\user\Start Menu\Programs\Windows XP Repairc:\documents and settings\user\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnkc:\documents and settings\user\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnkc:\documents and settings\user\Systemc:\documents and settings\user\System\win_qs7.jqxc:\documents and settings\user\WINDOWSC:\Thumbs.dbc:\windows\desktopc:\windows\desktop\NRW Feecalculator.lnkc:\windows\system32\drivers\wdreg.exec:\windows\system32\explorer.exec:\windows\system32\Temp..((((((((((((((((((((((((( Files Created from 2011-06-11 to 2011-07-11 )))))))))))))))))))))))))))))))..2011-07-11 06:57 . 2011-07-11 06:57 54016 ----a-w- c:\windows\system32\drivers\dgqxg.sys2011-07-09 07:52 . 2011-07-09 11:18 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys2011-07-09 07:49 . 2011-07-09 07:49 -------- d-----w- c:\program files\Hitman Pro 3.52011-07-09 07:46 . 2011-07-09 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro2011-07-09 05:04 . 2011-07-09 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost2011-07-09 02:19 . 2011-07-09 02:19 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment2011-07-09 01:58 . 2011-07-09 01:58 -------- dc-h--w- c:\windows\ie82011-07-08 07:50 . 2011-07-08 07:50 -------- d-----w- c:\windows\system32\wbem\Repository2011-07-08 07:17 . 2011-07-08 07:17 -------- d-----w- c:\program files\Realtek2011-07-06 07:27 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-07-06 07:27 . 2011-07-08 09:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-07-06 07:27 . 2011-05-28 23:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys2011-07-06 06:36 . 2011-07-06 06:36 -------- d-----w- C:\Inetpub2011-07-06 06:36 . 2011-07-06 06:36 -------- d-----w- c:\windows\system32\Logfiles2011-07-06 06:13 . 2011-06-16 04:32 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll2011-07-06 06:13 . 2011-06-16 04:32 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll2011-07-06 06:13 . 2011-06-16 04:32 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll2011-07-06 06:13 . 2011-06-16 04:32 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll2011-07-06 06:13 . 2011-06-16 04:32 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll2011-07-06 06:13 . 2011-06-16 04:32 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll2011-07-06 06:13 . 2011-06-16 04:32 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe2011-07-06 06:13 . 2011-06-16 04:32 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll2011-07-06 06:13 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll2011-07-06 06:13 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll2011-06-29 09:48 . 2011-06-29 09:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2011-06-16 10:04 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-06-03 01:06 . 2011-06-03 01:06 96256 ----a-w- c:\windows\system32\drivers\gvmnsuri.sys2011-05-02 15:31 . 2006-04-12 06:41 692736 ----a-w- c:\windows\system32\inetcomm.dll2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys2011-06-16 04:32 . 2011-07-06 06:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"EFI Job Monitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EFJM.dll" [2008-07-24 2400256]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-09 39408].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032]"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-28 449584]"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-28 1047656].[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360].c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-5-29 25214]Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-29 113664]Command WorkStation 4.lnk - c:\program files\Fiery\Command WorkStation 4\CWS 4.exe [2006-7-20 2068480]Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-5-20 114688].[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824].[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-07 06:35 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]@="Service".[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="c:\\Program Files\\WS_FTP\\WS_FTP95.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\WINDOWS\\system32\\mmc.exe"="c:\\Program Files\\KONICA MINOLTA\\PSC2\\BinPro\\MPSCFTPS.exe"="c:\\Program Files\\Internet Explorer\\iexplore.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="c:\\WINDOWS\\system32\\sessmgr.exe"="c:\\Program Files\\FaxTools eXPert Network\\BvrpKrnl.exe"="c:\\Program Files\\FaxTools eXPert Network\\FaxTools.exe"=.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"990:TCP"= 990:TCP:*:Disabled:990"999:TCP"= 999:TCP:*:Disabled:999"5678:TCP"= 5678:TCP:*:Disabled:5678"5679:UDP"= 5679:UDP:*:Disabled:5679"5721:TCP"= 5721:TCP:*:Disabled:5721"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]"RemoteAddresses"= LocalSubNet"Enabled"= 1 (0x1).R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [22/08/2008 3:24 PM 700632]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [14/05/2009 2:22 PM 12872]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 67656]R2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [14/03/2008 7:32 PM 199168]R2 KeyP;KeyP;c:\windows\system32\drivers\KEYP.SYS [17/06/2002 4:37 PM 18720]R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/07/2011 5:27 PM 366640]R2 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [5/09/2007 3:49 PM 2171904]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/07/2011 5:27 PM 22712]S2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [3/11/2010 4:40 PM 83624]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]S2 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]S2 gvmnsuri;gvmnsuri;c:\windows\system32\drivers\gvmnsuri.sys [3/06/2011 11:06 AM 96256]S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [9/07/2011 5:52 PM 20552]S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/07/2011 5:27 PM 39984]S3 MSSQL$MPSC_DB;MSSQL$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB [?]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 12872]S3 SQLAgent$MPSC_DB;SQLAgent$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB [?]S3 UFBFilte;UFBFilte;c:\windows\system32\drivers\UFBFilte.sys [23/09/2010 1:18 PM 4818]S4 AdLM;Autodesk License Manager;c:\windows\system32\AD_ELMD.EXE [27/06/2006 8:56 PM 194048]S4 BvrpKrnl;BvrpKrnl;c:\program files\FaxTools eXPert Network\BvrpKrnl.exe [2/02/2008 1:24 PM 544768].--- Other Services/Drivers In Memory ---.*NewlyCreated* - MBAMSWISSARMY.Contents of the 'Scheduled Tasks' folder.2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19].2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19].2011-07-11 c:\windows\Tasks\OGALogon.job- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]..------- Supplementary Scan -------.uStart Page = hxxp://bee.com.au/uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/keyword/%sIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.htmlTCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabFF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qts5r0xp.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.startup.homepage - hxxp://bee.com.auFF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=.- - - - ORPHANS REMOVED - - - -.Toolbar-Locked - (no file)SafeBoot-gvmnsuriAddRemove-DUMMy - c:\temp\_ISTMP1.DIR\_ISTMP0.DIR\dummy.log...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-07-11 17:30Windows 5.1.2600 Service Pack 3 NTFS.scanning hidden processes ... .scanning hidden autostart entries ... .scanning hidden files ... .scan completed successfullyhidden files: 0.**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'winlogon.exe'(692)c:\program files\SUPERAntiSpyware\SASWINLO.DLLc:\windows\system32\WININET.dllc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLLc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dllc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dllc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dllc:\windows\system32\Ati2evxx.dll.Completion time: 2011-07-11 17:47:11ComboFix-quarantined-files.txt 2011-07-11 07:46.Pre-Run: 206,468,640,768 bytes freePost-Run: 206,648,107,008 bytes free.- - End Of File - - 45B639A914CD052B8C3CEFC53B5D7D60ComboFix-quarantined-files.txt2011-07-11 07:45:16 . 2011-07-11 07:45:16 436 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-DUMMy.reg.dat2011-07-11 07:41:33 . 2011-07-11 07:41:33 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-gvmnsuri.reg.dat2011-07-11 07:37:11 . 2011-07-11 07:37:12 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat2011-07-06 10:07:25 . 2011-07-11 07:16:35 306 ----a-w- C:\Qoobox\Quarantine\catchme.log2011-07-06 03:09:42 . 2008-04-14 00:12:37 135,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\explorer.exe.vir2011-07-05 06:03:59 . 2011-07-05 06:03:59 936 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk.vir2011-07-05 06:03:59 . 2011-07-05 06:03:59 864 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk.vir2011-06-01 02:12:13 . 2011-07-05 06:14:39 55,808 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\ntuser.dat.vir2010-09-14 05:56:30 . 2010-09-14 05:56:30 17,408 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir2008-03-14 09:32:19 . 2003-07-13 08:02:10 57,344 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\wdreg.exe.vir2006-08-19 05:51:12 . 2007-02-23 07:56:31 99 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\System\win_qs7.jqx.vir2005-01-27 00:53:04 . 2005-01-27 00:53:04 1,069 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Desktop\NRW Feecalculator.lnk.virI will now try tdsskillerregards Greg Link to post Share on other sites More sharing options...
Elise Posted July 11, 2011 ID:452355 Share Posted July 11, 2011 BTW where are You?Whats the time there?What hours do you work?No. I'm not planning to ask you out.I'm just trying to align your times with Brisbane Australia times.I live in Romania, where it is 4.12 PM at the moment. I'm usually online during the day/evening here, although, I suspect that is night in Australia.Can you please redownload combofix and run it. Please run also TDSSkiller and post me the log.Combofix download link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe Link to post Share on other sites More sharing options...
beeonline Posted July 12, 2011 Author ID:452721 Share Posted July 12, 2011 Hi Elise,I have tried to run combofix a number of times without success.It gets to stage 2 & computer hangs.I have waited for 25 minutes with no sign of hards drive activity.Only way to restart is unplug power supply.Also TDSSkiller.exe will not run. Renamed com file will also not run.I did (off my own bat, sorry) download & run gmer. log attached.Maybe I MBR Rootkitregards Greg Link to post Share on other sites More sharing options...
Elise Posted July 12, 2011 ID:452764 Share Posted July 12, 2011 Hi Greg, GMER is okay, but I don't see the log. Please copy/paste it directly in the reply box if it is not too long. Link to post Share on other sites More sharing options...
beeonline Posted July 12, 2011 Author ID:452770 Share Posted July 12, 2011 Hi Elise,here it is.GMER 1.0.15.15640 - http://www.gmer.netRootkit scan 2011-07-12 07:01:51Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250624AS rev.3.AAERunning: pud1.exe; Driver: C:\Temp\ugtdqpod.sys---- System - GMER 1.0.15 ----INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F75E216DINT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F75E1FC2---- Kernel code sections - GMER 1.0.15 ----.text KDCOM.DLL!KdSendPacket F79EF345 6 Bytes [FA, 8D, 46, 01, 25, FF].text KDCOM.DLL!KdSendPacket F79EF34D 5 Bytes [80, 79, 07, 48, 0D].text KDCOM.DLL!KdSendPacket F79EF353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...].text KDCOM.DLL!KdSendPacket F79EF371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...].text KDCOM.DLL!KdD0Transition + 8 F79EF38E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...].text KDCOM.DLL!KdD0Transition + 1A F79EF3A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...].text KDCOM.DLL!KdDebuggerInitialize0 + 25 F79EF3CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}.text KDCOM.DLL!KdDebuggerInitialize0 + 2C F79EF3D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...].text KDCOM.DLL!KdDebuggerInitialize0 + 44 F79EF3EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...].text KDCOM.DLL!KdRestore + 2D F79EF48D 1 Byte [43].text KDCOM.DLL!KdRestore + 2D F79EF48D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...].text KDCOM.DLL!KdRestore + 7C F79EF4DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...].text KDCOM.DLL!KdRestore + 97 F79EF4F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...].text KDCOM.DLL!KdRestore + 19F F79EF5FF 118 Bytes [68, 3B, F6, 9E, F7, FF, 15, ...].text ... PAGEKD KDCOM.DLL!KdReceivePacket + 2 F79EFF4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]PAGEKD KDCOM.DLL!KdReceivePacket + D0 F79F001C 2 Bytes [75, 0E] {JNZ 0x10}PAGEKD KDCOM.DLL!KdReceivePacket + D3 F79F001F 1 Byte [C0]PAGEKD KDCOM.DLL!KdReceivePacket + D3 F79F001F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]PAGEKD KDCOM.DLL!KdReceivePacket + 13B F79F0087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]PAGEKD ... ? dgqxg.sys The system cannot find the file specified. !init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xAA69FA80].text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA112F400, 0x7960C, 0xE8000020].protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA11D1420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA11D1420].protectÿÿÿÿhardlockunknown last code section [0xA11D1200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA11D1200, 0x5049, 0xE0000020].text C:\WINDOWS\System32\drivers\hl_mull.SYS section is writeable [0xA1032300, 0x400F, 0xE8000020].UPX2 C:\WINDOWS\System32\drivers\hl_mull.SYS entry point in ".UPX2" section [0xA105DFE1]---- User code sections - GMER 1.0.15 ----.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C90000 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00E468C7 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 00C50000 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00C30000 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00C40000 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C80000 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 00C60000 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00E46AD2 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00C70000 .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0058000A .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0055000A .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0054000A .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0056000A .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0057000A .text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0053000A .text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation).text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D8000A .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D5000A .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D4000A .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D6000A .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D7000A .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0059000A .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C90000 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00E468C7 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 00C50000 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00C30000 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00C40000 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C80000 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 00C60000 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00E46AD2 .text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00C70000 ---- Kernel IAT/EAT - GMER 1.0.15 ----IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdSendPacket] [F79EF631] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdD0Transition] [F79EF5DF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdD3Transition] [F79EF5E9] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdReceivePacket] [F79EF60D] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize0] [F79EF5F3] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdSave] [F79EF625] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize1] [F79EF5FF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdRestore] [F79EF619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [F79EF619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!WRITE_REGISTER_UCHAR] 6C6C642EIAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!READ_REGISTER_UCHAR] 8B550000IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!HalPrivateDispatchTable] 835151ECIAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!KeFindConfigurationEntry] 8300F865IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!InbvDisplayString] 8A000C7DIAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!KdDebuggerNotPresent] 00010081IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!_strupr] 01918A00IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!strstr] 0F000001IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!MmMapIoSpace] 00008386IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!atol] 57565300IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 736F746EIAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 6C6E726BIAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6578652EIAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 00000000IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 2E6C6168---- User IAT/EAT - GMER 1.0.15 ----IAT C:\Program Files\Internet Explorer\iexplore.exe[3780] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)---- Devices - GMER 1.0.15 ----Device \Driver\Beep \Device\Beep 86645360Device \Driver\hardlock \Device\HLVol hl_mull.SYSDevice \Driver\hardlock \Device\HLVol XHASP.sysDevice \Driver\hardlock \Device\FNT0 hl_mull.SYSDevice \Driver\hardlock \Device\FNT0 XHASP.sysAttachedDevice \Driver\Tcpip \Device\Tcp 86644070AttachedDevice \FileSystem\Fastfat \Fat FStopW.sys (FPAV - RealTime Protector/FRISK Software International)AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)---- Threads - GMER 1.0.15 ----Thread System [4:116] 86F260B3Thread System [4:128] 86F277FBThread System [4:920] 86647BA0Thread System [4:924] 866440E0---- Registry - GMER 1.0.15 ----Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yesReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1---- Disk sectors - GMER 1.0.15 ----Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior---- EOF - GMER 1.0.15 ---- Link to post Share on other sites More sharing options...
Elise Posted July 12, 2011 ID:452773 Share Posted July 12, 2011 Hi again, that looks indeed like an MBR rootkit. Restart your computer Before Windows loads, you will be prompted to choose which Operating System to start Use the up and down arrow key to select Microsoft Windows Recovery Console You must enter which Windows installation to log onto. Type 1 and press enter. At the C:\Windows prompt, type the following bolded text, and press Enter:fixmbrIf asked to confirm, please do so. At the next prompt type the following bolded text, and press Enter:exitWindows will now begin loading.When done, try to run combofix again. Link to post Share on other sites More sharing options...
beeonline Posted July 12, 2011 Author ID:452816 Share Posted July 12, 2011 Elise,Twice I typed really long replies & IE dropped out.I’m now drafting it in Word Processor to be safe.MBRfix appeared to work OK but ComboFix refuses to run on infected machine despite numerous attemps so no log.Mbam detected & eventually appeared to remove Malware.trace.butIE google re-redirects have stopped & MBAM also is not showing attempted connects to bad sites.However ComboFix failure is worrying & an attempted SAS scan stalled on file GUSV which I think is Google updater.A MUCH BIGGER WORRY THOUGH is2 other machines on the home network that I thought/hoped had largely escaped infection showed infections with MBAM & SAS scans which appered to be fixed.ComBo Fix has since been run on these however MBAM is still detecting bad site connection attempts on 1 of these machines.Do you have suggestions?Do we finish with the first machine before moving on?or Perhaps we should be dealing with each machine separately and starting a new forum?Regards Greg Link to post Share on other sites More sharing options...
Elise Posted July 12, 2011 ID:452850 Share Posted July 12, 2011 Hi Greg, I can help you with the other machines, but indeed in different topics, to avoid confusion. You also will have to keep all computers as much as possible isolated.Can you try to run combofix from safe mode? Link to post Share on other sites More sharing options...
beeonline Posted July 13, 2011 Author ID:453089 Share Posted July 13, 2011 Elise,ComboFix was successful in Safe mode.I have pasted log below. Computer is GREG.I know we planned to keep cleaning of other machines a seperate issue butI have also pasted excerps from logs of GREG, WISE & BASALT because I think they are relevant.All 3 machines have Mbam stopping access to the 2 sites 219.139.81 & 168.95.1.1 but NONE OF THEM ARE NOW HAVING GOOGLE REDIRECTSAll excerps show similar references to 219.139.81.6 168.95.1.1 which are URL's MBAM is blocking access to.In GREG, TCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71refers to Telstra IP's nameservers which were nominated at scan timein WISE TCP: Interfaces\{FB0E3BB5-8B50-4036-8B7F-2CFFF878DD92}: NameServer = 192.168.1.1refers to router address (Auto DNS selection)I don't know why no similar reference in BASALTCOMPUTER GREG (1st infected)------- Supplementary Scan -------.uStart Page = hxxp://bee.com.au/uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/keyword/%sIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.htmlTCP: DhcpNameServer = 219.139.81.6 168.95.1.1TCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabFF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qts5r0xp.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.startup.homepage - hxxp://bee.com.auFF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=.- - - - ORPHANS REMOVED - - - -COMPUTER WISE (2nd infected?)------- Supplementary Scan -------.uStart Page = hxxp://www.bee.com.au/uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uInternet Connection Wizard,ShellNext = iexploreuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%sTCP: DhcpNameServer = 219.139.81.6 168.95.1.1TCP: Interfaces\{FB0E3BB5-8B50-4036-8B7F-2CFFF878DD92}: NameServer = 192.168.1.1DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab..**************************************************************************COMPUTER BASALT (3rd infected?)------- Supplementary Scan -------.uStart Page = hxxp://www.bee.com.au/IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.htmlTCP: DhcpNameServer = 219.139.81.6 168.95.1.1FF - ProfilePath - ..************************************************************************** HERE IS FULL ComboFIX LOG FOR GREG ComboFix 11-07-12.04 - user 13/07/2011 8:00.11.2 - x86 MINIMALMicrosoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.726 [GMT 10:00]Running from: c:\documents and settings\user\Desktop\ComboFix.exeAV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\documents and settings\All Users\Application Data\common.datac:\documents and settings\user\Application Data\desktop.inic:\windows\system\C4ascx.dllc:\windows\system\C4basx.dllc:\windows\system\C4clax.dllc:\windows\system\C4dosx.dllc:\windows\system\C4runx.dllc:\windows\system\C4tpsx.dllc:\windows\system32\spool\prtprocs\w32x86\WFXPNT40.DLL..((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))..2011-07-12 22:10 . 2011-07-12 22:10 53248 ----a-w- c:\temp\catchme.dll2011-07-12 09:07 . 2011-07-12 09:08 -------- d-----w- C:\BomboFix2011-07-09 07:52 . 2011-07-09 11:18 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys2011-07-09 07:49 . 2011-07-09 07:49 -------- d-----w- c:\program files\Hitman Pro 3.52011-07-09 07:46 . 2011-07-09 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro2011-07-09 05:04 . 2011-07-09 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost2011-07-09 02:19 . 2011-07-09 02:19 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment2011-07-09 01:58 . 2011-07-09 01:58 -------- dc-h--w- c:\windows\ie82011-07-08 07:50 . 2011-07-08 07:50 -------- d-----w- c:\windows\system32\wbem\Repository2011-07-08 07:17 . 2011-07-08 07:17 -------- d-----w- c:\program files\Realtek2011-07-06 07:27 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-07-06 07:27 . 2011-07-08 09:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-07-06 07:27 . 2011-05-28 23:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys2011-07-06 06:36 . 2011-07-06 06:36 -------- d-----w- c:\windows\system32\Logfiles2011-07-06 06:13 . 2011-06-16 04:32 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll2011-07-06 06:13 . 2011-06-16 04:32 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll2011-07-06 06:13 . 2011-06-16 04:32 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll2011-07-06 06:13 . 2011-06-16 04:32 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll2011-07-06 06:13 . 2011-06-16 04:32 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll2011-07-06 06:13 . 2011-06-16 04:32 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll2011-07-06 06:13 . 2011-06-16 04:32 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe2011-07-06 06:13 . 2011-06-16 04:32 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll2011-07-06 06:13 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll2011-07-06 06:13 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll2011-07-01 08:46 . 2011-07-01 08:46 1458992 ----a-w- C:\t.com2011-06-29 09:48 . 2011-06-29 09:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2011-06-16 10:04 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-06-03 01:06 . 2011-06-03 01:06 96256 ----a-w- c:\windows\system32\drivers\gvmnsuri.sys2011-05-02 15:31 . 2006-04-12 06:41 692736 ----a-w- c:\windows\system32\inetcomm.dll2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys2011-06-16 04:32 . 2011-07-06 06:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"EFI Job Monitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EFJM.dll" [2008-07-24 2400256]"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-09 39408].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032]"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-28 449584].[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360].c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-5-29 25214]Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-29 113664]Command WorkStation 4.lnk - c:\program files\Fiery\Command WorkStation 4\CWS 4.exe [2006-7-20 2068480]Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-5-20 114688].[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824].[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-07 06:35 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]@="Service".[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\WINDOWS\\system32\\mmc.exe"="c:\\Program Files\\KONICA MINOLTA\\PSC2\\BinPro\\MPSCFTPS.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="c:\\WINDOWS\\system32\\sessmgr.exe"="c:\\Program Files\\FaxTools eXPert Network\\BvrpKrnl.exe"="c:\\Program Files\\FaxTools eXPert Network\\FaxTools.exe"=.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"990:TCP"= 990:TCP:*:Disabled:990"999:TCP"= 999:TCP:*:Disabled:999"5678:TCP"= 5678:TCP:*:Disabled:5678"5679:UDP"= 5679:UDP:*:Disabled:5679"5721:TCP"= 5721:TCP:*:Disabled:5721"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service.[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]"RemoteAddresses"= LocalSubNet"Enabled"= 1 (0x1).R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [22/08/2008 3:24 PM 700632]S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [14/05/2009 2:22 PM 12872]S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 67656]S2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [3/11/2010 4:40 PM 83624]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]S2 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]S2 gvmnsuri;gvmnsuri;c:\windows\system32\drivers\gvmnsuri.sys [3/06/2011 11:06 AM 96256]S2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [14/03/2008 7:32 PM 199168]S2 KeyP;KeyP;c:\windows\system32\drivers\KEYP.SYS [17/06/2002 4:37 PM 18720]S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/07/2011 5:27 PM 366640]S2 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [5/09/2007 3:49 PM 2171904]S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [9/07/2011 5:52 PM 20552]S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/07/2011 5:27 PM 22712]S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/07/2011 5:27 PM 39984]S3 MSSQL$MPSC_DB;MSSQL$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB [?]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 12872]S3 SQLAgent$MPSC_DB;SQLAgent$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB [?]S3 UFBFilte;UFBFilte;c:\windows\system32\drivers\UFBFilte.sys [23/09/2010 1:18 PM 4818]S4 AdLM;Autodesk License Manager;c:\windows\system32\AD_ELMD.EXE [27/06/2006 8:56 PM 194048]S4 BvrpKrnl;BvrpKrnl;c:\program files\FaxTools eXPert Network\BvrpKrnl.exe [2/02/2008 1:24 PM 544768].Contents of the 'Scheduled Tasks' folder.2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19].2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19].2011-07-12 c:\windows\Tasks\OGALogon.job- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]..------- Supplementary Scan -------.uStart Page = hxxp://bee.com.au/uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}uInternet Connection Wizard,ShellNext = iexploreuSearchURL,(Default) = hxxp://www.google.com/keyword/%sIE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.htmlTCP: DhcpNameServer = 219.139.81.6 168.95.1.1TCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cabFF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qts5r0xp.default\FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FF - prefs.js: browser.startup.homepage - hxxp://bee.com.auFF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=.- - - - ORPHANS REMOVED - - - -.SafeBoot-gvmnsuri...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-07-13 08:10Windows 5.1.2600 Service Pack 3 NTFS.scanning hidden processes ... .scanning hidden autostart entries ... .scanning hidden files ... .scan completed successfullyhidden files: 0.**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'winlogon.exe'(232)c:\program files\SUPERAntiSpyware\SASWINLO.DLLc:\windows\system32\WININET.dllc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLLc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dllc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dllc:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dllc:\windows\system32\Ati2evxx.dll.Completion time: 2011-07-13 08:12:44ComboFix-quarantined-files.txt 2011-07-12 22:12.Pre-Run: 210,366,447,616 bytes freePost-Run: 210,381,332,480 bytes free.- - End Of File - - EC30769AA727DA150A5EF8D757A55341regards Greg Link to post Share on other sites More sharing options...
Elise Posted July 13, 2011 ID:453171 Share Posted July 13, 2011 Hi Greg, the Combofix log looks good. Do you have any problem left on this computer?As for the difference in IP information, this may depend on the OS and configuration. Can you tell me what OS each computer has and how your network is setup (are all computers using one router, or modem?) Link to post Share on other sites More sharing options...
beeonline Posted July 13, 2011 Author ID:453202 Share Posted July 13, 2011 Hi Elise ,How many more hours are you on duty today, so I know how late a night I may have???All machines run windows XP SP3 and connect via single Linksys ADSL router/modem.Gateway is 192.168.1.1. Router assigns IPS (192.168.1.2,192.168.3 & 192.168.4) and handles DNS through the Telsta IP assigned servers.All 3 machines have Mbam stopping access to the 2 sites 219.139.81 & 168.95.1.1 but NONE OF THEM ARE NOW HAVING GOOGLE REDIRECTSAll 3 excerps from ComboFix logs show similar references to 219.139.81.6 & 168.95.1.1 which are URL's MBAM is blocking access to.The only problem seems to be the attempted connections to the known bad sites. If Mbam sis not active continuously bad things may happen.Would correction involve removing some registry entries on each of the machines?I just scanned computer GREG with MBAM & it again detected Malware>trace which was removed.Machines 2 & 3 come up clear.Log belowMalwarebytes' Anti-Malware 1.51.0.1200www.malwarebytes.orgDatabase version: 7089Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870213/07/2011 6:19:42 PMmbam-log-2011-07-13 (18-19-42).txtScan type: Flash scanObjects scanned: 127336Time elapsed: 1 minute(s), 12 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\documents and settings\all users\application data\common.data (Malware.Trace) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
beeonline Posted July 13, 2011 Author ID:453205 Share Posted July 13, 2011 a couple of typos aboveGateway is 192.168.1.1. Router assigns IPS (192.168.1.2,192.168.1.3 & 192.168.1.4) and handles DNS through the Telsta IP assigned servers.All 3 machines have Mbam stopping access to the 2 sites 219.139.81.6 & 168.95.1.1but NONE OF THEM ARE NOW HAVING GOOGLE REDIRECTSAll 3 excerps from ComboFix logs show similar references to 219.139.81.6 & 168.95.1.1 which are URL's MBAM is blocking access to. Link to post Share on other sites More sharing options...
Elise Posted July 13, 2011 ID:453207 Share Posted July 13, 2011 I would definitely reset your router, as it is possible malware altered the router's dns settings. Also change the default password for your router; this is often used by malware to access the router, and simply changing it will prevent it from accessing the router in the future.How many more hours are you on duty today, so I know how late a night I may have???Sorry, I'm not "on duty", I'm a volunteer, but I'll be around for the coming 12 hours or so. Link to post Share on other sites More sharing options...
beeonline Posted July 13, 2011 Author ID:453236 Share Posted July 13, 2011 Hi Elise,and a fine VOLUNTARY duty you are performing.I reset the router using static DNS addresses & changed password from default.I am 99.999% sure no suspicious acts or changes had been made with the router. Link to post Share on other sites More sharing options...
Elise Posted July 13, 2011 ID:453238 Share Posted July 13, 2011 Do you still get the IP blocks now?Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.Click OK to exit the Properties and OK to exit the other windows as well. Link to post Share on other sites More sharing options...
beeonline Posted July 13, 2011 Author ID:453261 Share Posted July 13, 2011 Elise, All those settings are as described on all machines.It has been ages since any blocks by Mbam have shown up. (on any of the three machines)looks really promising but I'm learning not to be too confident.Just when you think it's safe to go back in the water......I decided to search each of the 3 registries for instances of those bad sites.None on machines 1 & 2.... 2 instances under dhcpnameserver on machine 3 (Basalt)I modified the keys on Baslts registry to telstras primary & secondary dns servers.Lets see what happens in the next 24 hours.i'm off to bed... nearly 10:30I really appreciate your devotion to voluntary duty.I hate to think how many people there are are their tearing their hair out.Your efforts are more than appreciated.i will come back with more.regards Greg Link to post Share on other sites More sharing options...
Elise Posted July 13, 2011 ID:453288 Share Posted July 13, 2011 Hi Greg, you are most welcome. Good night, and please keep me posted. Link to post Share on other sites More sharing options...
beeonline Posted July 14, 2011 Author ID:453704 Share Posted July 14, 2011 Hi Elise,We are not quite there.Tonight Mbam scan detected and removed another instance of Malware.Trace and after that Mbam has again blocked access but this time to 208.73.210.29 which I don't think has been tried before.I was doing some web surfing just prior to the scan, and had an uneasy feeling with a site... thats why I scanned.The blocking occured just once after scan & removal & there has been no repeat flag. I have just scanned again & no apparent problems.No re-directions. No signs of problems on machines 2 & 3.Unfortunately, i am very tired & it may be a while begore i can try much more but please post any suggestions you have.regards Greg Link to post Share on other sites More sharing options...
Elise Posted July 14, 2011 ID:453747 Share Posted July 14, 2011 Can you please post me the MBAM log showing the malware trace. Link to post Share on other sites More sharing options...
beeonline Posted July 14, 2011 Author ID:453903 Share Posted July 14, 2011 Hi Elise,First scan after log1 came up clear, but scan just now came up with infection as per log2.LOG1Malwarebytes' Anti-Malware 1.51.0.1200www.malwarebytes.orgDatabase version: 7121Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870214/07/2011 5:27:49 PMmbam-log-2011-07-14 (17-27-49).txtScan type: Flash scanObjects scanned: 127540Time elapsed: 1 minute(s), 16 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\documents and settings\all users\application data\common.data (Malware.Trace) -> Quarantined and deleted successfully.LOG2Malwarebytes' Anti-Malware 1.51.0.1200www.malwarebytes.orgDatabase version: 7139Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870215/07/2011 6:48:12 AMmbam-log-2011-07-15 (06-48-12).txtScan type: Flash scanObjects scanned: 127924Time elapsed: 1 minute(s), 25 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\documents and settings\all users\application data\common.data (Malware.Trace) -> Quarantined and deleted successfully.regards Greg Link to post Share on other sites More sharing options...
Recommended Posts