Jump to content

Google Redirect - Malware.Trace


Recommended Posts

I am new.

MBAM Protection blocks attempted access to a number of potentially dangerous sites.

MBAM Scan reveals malware.trace.

Removes threat.

Threats re appear.

Attempted accesses to dangerous sites continue.

Google searches are redirected to unassociated sites.

Please Help

Link to post
Share on other sites

  • Replies 54
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Hello and :welcome:

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explaination about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results.

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Link to post
Share on other sites

2nd try had success.

Contents of dds.txt below + aatach.zip attached.

I await your reply.

Thankyou

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by user at 13:07:40 on 2011-07-11

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.315 [GMT 10:00]

.

AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

"C:\WINDOWS\system32\svchost.exe"

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe

C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\dumprep.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://bee.com.au/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - Adobe PDF Reader Link Helper

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} -

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [EFI Job Monitor] c:\windows\system32\rundll32.exe c:\windows\system32\spool\drivers\w32x86\3\EFJM.dll,run

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe

mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comman~1.lnk - c:\program files\fiery\command workstation 4\CWS 4.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/b/e/5/be592e3e-4442-4588-b01e-8fe3a2e104ac/LegitCheckControl.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 192.168.1.55 pluto

Hosts: 192.168.1.60 mino

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\qts5r0xp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://bee.com.au

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=

FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

.

============= SERVICES / DRIVERS ===============

.

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2008-8-22 700632]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-14 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 67656]

R2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [2008-3-14 199168]

R2 KeyP;KeyP;c:\windows\system32\drivers\KEYP.SYS [2002-6-17 18720]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-6 366640]

R2 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [2007-9-5 2171904]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-6 22712]

S2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2010-11-3 83624]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-9 136176]

S2 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-9 136176]

S2 gvmnsuri;gvmnsuri;c:\windows\system32\drivers\gvmnsuri.sys [2011-6-3 96256]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-7-9 20552]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-6 39984]

S3 MSSQL$MPSC_DB;MSSQL$MPSC_DB;c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlservr.exe -smpsc_db --> c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlservr.exe -sMPSC_DB [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 12872]

S3 SQLAgent$MPSC_DB;SQLAgent$MPSC_DB;c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlagent.exe -i mpsc_db --> c:\program files\microsoft sql server\mssql$mpsc_db\binn\sqlagent.EXE -i MPSC_DB [?]

S3 UFBFilte;UFBFilte;c:\windows\system32\drivers\UFBFilte.sys [2010-9-23 4818]

S4 AdLM;Autodesk License Manager;c:\windows\system32\AD_ELMD.EXE [2006-6-27 194048]

S4 BvrpKrnl;BvrpKrnl;c:\program files\faxtools expert network\BvrpKrnl.exe [2008-2-2 544768]

.

=============== Created Last 30 ================

.

2011-07-10 04:06:47 -------- d-s---w- C:\ComboFix

2011-07-10 03:07:23 108 ----a-w- C:\fixme.reg

2011-07-09 11:27:21 359296 ----a-w- c:\temp\MSFRLDA.exe

2011-07-09 08:41:18 355056 ----a-w- c:\temp\SSUPDATE.EXE

2011-07-09 07:52:39 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-07-09 07:49:17 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-07-09 07:46:17 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-07-09 07:34:53 1458992 ----a-w- C:\TDSSKiller.exe

2011-07-09 05:04:26 -------- d-----w- c:\documents and settings\all users\application data\Driver Boost

2011-07-09 02:19:16 -------- d-----w- c:\documents and settings\user\local settings\application data\Deployment

2011-07-09 01:58:05 -------- dc-h--w- c:\windows\ie8

2011-07-08 10:08:35 71680 ----a-w- c:\temp\GLB40.tmp

2011-07-08 07:50:27 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-07-08 07:50:27 -------- d-----w- c:\windows\system32\wbem\Repository

2011-07-08 07:17:25 -------- d-----w- c:\program files\Realtek

2011-07-08 02:55:01 90161 ----a-w- c:\temp\jobmonitor\harmony_core.dll

2011-07-08 02:55:01 479280 ----a-w- c:\temp\jobmonitor\harmony_efi.dll

2011-07-08 02:55:00 442414 ----a-w- c:\temp\jobmonitor\harmony10.dll

2011-07-08 02:55:00 368691 ----a-w- c:\temp\jobmonitor\harmony_bridge.dll

2011-07-08 02:54:59 704512 ----a-w- c:\temp\jobmonitor\JobMonitor.exe

2011-07-06 10:19:23 -------- d-sha-r- C:\cmdcons

2011-07-06 10:08:48 208896 ----a-w- c:\windows\MBR.exe

2011-07-06 10:08:47 98816 ----a-w- c:\windows\sed.exe

2011-07-06 10:08:47 518144 ----a-w- c:\windows\SWREG.exe

2011-07-06 10:08:47 256000 ----a-w- c:\windows\PEV.exe

2011-07-06 07:27:23 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 07:27:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 07:27:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-06 06:36:04 -------- d-----w- C:\Inetpub

2011-07-06 06:36:03 -------- d-----w- c:\windows\system32\Logfiles

2011-07-06 06:13:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-07-06 06:13:58 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-07-06 06:13:58 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-07-06 06:13:58 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

2011-07-06 06:13:58 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-07-06 06:13:58 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-07-06 06:13:58 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-07-06 06:13:58 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-07-06 06:13:58 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2011-07-06 06:13:58 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-07-06 03:09:42 135680 ----a-w- c:\windows\system32\explorer.exe

2011-06-29 09:48:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-16 10:04:10 105472 -c----w- c:\windows\system32\dllcache\mup.sys

.

==================== Find3M ====================

.

2011-07-05 06:14:39 9728 ---h--w- c:\documents and settings\user\application data\desktop.ini

2011-07-05 06:14:39 55808 ---h--w- c:\documents and settings\user\application data\ntuser.dat

2011-06-03 01:06:36 96256 ----a-w- c:\windows\system32\drivers\gvmnsuri.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

.

============= FINISH: 13:13:42.20 ===============

attach.zip

Link to post
Share on other sites

Hi, it looks like you have run combofix. Please post me the log at c:\combofix.txt

Lets also check for rootkits.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Link to post
Share on other sites

Hi Elise,

My previous attempts to run combofix were not successful.

I have downloaded again & it is running on the infected machine now.

If it is successful I will post the log, otherwise I will tell you.

I have also downloaded the tootkit detector & I will run that after Combofix.

BTW where are You?

Whats the time there?

What hours do you work?

No. I'm not planning to ask you out.

I'm just trying to align your times with Brisbane Australia times.

It looks like Combofix is working this time.

I think I'll wait..... It did warn at startup something about expiry date & running with reduced functionality.

combofix.txt

ComboFix 11-07-05.03 - user 11/07/2011 17:22:49.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.502 [GMT 10:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\user\Application Data\ntuser.dat

c:\documents and settings\user\Start Menu\Programs\Windows XP Repair

c:\documents and settings\user\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk

c:\documents and settings\user\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk

c:\documents and settings\user\System

c:\documents and settings\user\System\win_qs7.jqx

c:\documents and settings\user\WINDOWS

C:\Thumbs.db

c:\windows\desktop

c:\windows\desktop\NRW Feecalculator.lnk

c:\windows\system32\drivers\wdreg.exe

c:\windows\system32\explorer.exe

c:\windows\system32\Temp

.

.

((((((((((((((((((((((((( Files Created from 2011-06-11 to 2011-07-11 )))))))))))))))))))))))))))))))

.

.

2011-07-11 06:57 . 2011-07-11 06:57 54016 ----a-w- c:\windows\system32\drivers\dgqxg.sys

2011-07-09 07:52 . 2011-07-09 11:18 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-07-09 07:49 . 2011-07-09 07:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-07-09 07:46 . 2011-07-09 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-07-09 05:04 . 2011-07-09 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost

2011-07-09 02:19 . 2011-07-09 02:19 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment

2011-07-09 01:58 . 2011-07-09 01:58 -------- dc-h--w- c:\windows\ie8

2011-07-08 07:50 . 2011-07-08 07:50 -------- d-----w- c:\windows\system32\wbem\Repository

2011-07-08 07:17 . 2011-07-08 07:17 -------- d-----w- c:\program files\Realtek

2011-07-06 07:27 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 07:27 . 2011-07-08 09:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-06 07:27 . 2011-05-28 23:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 06:36 . 2011-07-06 06:36 -------- d-----w- C:\Inetpub

2011-07-06 06:36 . 2011-07-06 06:36 -------- d-----w- c:\windows\system32\Logfiles

2011-07-06 06:13 . 2011-06-16 04:32 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-07-06 06:13 . 2011-06-16 04:32 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-07-06 06:13 . 2011-06-16 04:32 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-07-06 06:13 . 2011-06-16 04:32 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll

2011-07-06 06:13 . 2011-06-16 04:32 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-07-06 06:13 . 2011-06-16 04:32 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-07-06 06:13 . 2011-06-16 04:32 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe

2011-07-06 06:13 . 2011-06-16 04:32 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-07-06 06:13 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-07-06 06:13 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-06-29 09:48 . 2011-06-29 09:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-16 10:04 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-03 01:06 . 2011-06-03 01:06 96256 ----a-w- c:\windows\system32\drivers\gvmnsuri.sys

2011-05-02 15:31 . 2006-04-12 06:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-06-16 04:32 . 2011-07-06 06:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EFI Job Monitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EFJM.dll" [2008-07-24 2400256]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-09 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]

"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-28 449584]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-28 1047656]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-5-29 25214]

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-29 113664]

Command WorkStation 4.lnk - c:\program files\Fiery\Command WorkStation 4\CWS 4.exe [2006-7-20 2068480]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-5-20 114688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-07 06:35 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\KONICA MINOLTA\\PSC2\\BinPro\\MPSCFTPS.exe"=

"c:\\Program Files\\Internet Explorer\\iexplore.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\FaxTools eXPert Network\\BvrpKrnl.exe"=

"c:\\Program Files\\FaxTools eXPert Network\\FaxTools.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"990:TCP"= 990:TCP:*:Disabled:990

"999:TCP"= 999:TCP:*:Disabled:999

"5678:TCP"= 5678:TCP:*:Disabled:5678

"5679:UDP"= 5679:UDP:*:Disabled:5679

"5721:TCP"= 5721:TCP:*:Disabled:5721

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]

"RemoteAddresses"= LocalSubNet

"Enabled"= 1 (0x1)

.

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [22/08/2008 3:24 PM 700632]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [14/05/2009 2:22 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 67656]

R2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [14/03/2008 7:32 PM 199168]

R2 KeyP;KeyP;c:\windows\system32\drivers\KEYP.SYS [17/06/2002 4:37 PM 18720]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/07/2011 5:27 PM 366640]

R2 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [5/09/2007 3:49 PM 2171904]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/07/2011 5:27 PM 22712]

S2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [3/11/2010 4:40 PM 83624]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]

S2 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]

S2 gvmnsuri;gvmnsuri;c:\windows\system32\drivers\gvmnsuri.sys [3/06/2011 11:06 AM 96256]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [9/07/2011 5:52 PM 20552]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/07/2011 5:27 PM 39984]

S3 MSSQL$MPSC_DB;MSSQL$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 12872]

S3 SQLAgent$MPSC_DB;SQLAgent$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB [?]

S3 UFBFilte;UFBFilte;c:\windows\system32\drivers\UFBFilte.sys [23/09/2010 1:18 PM 4818]

S4 AdLM;Autodesk License Manager;c:\windows\system32\AD_ELMD.EXE [27/06/2006 8:56 PM 194048]

S4 BvrpKrnl;BvrpKrnl;c:\program files\FaxTools eXPert Network\BvrpKrnl.exe [2/02/2008 1:24 PM 544768]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19]

.

2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19]

.

2011-07-11 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://bee.com.au/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

TCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qts5r0xp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://bee.com.au

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SafeBoot-gvmnsuri

AddRemove-DUMMy - c:\temp\_ISTMP1.DIR\_ISTMP0.DIR\dummy.log

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-11 17:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(692)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-07-11 17:47:11

ComboFix-quarantined-files.txt 2011-07-11 07:46

.

Pre-Run: 206,468,640,768 bytes free

Post-Run: 206,648,107,008 bytes free

.

- - End Of File - - 45B639A914CD052B8C3CEFC53B5D7D60

ComboFix-quarantined-files.txt

2011-07-11 07:45:16 . 2011-07-11 07:45:16 436 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-DUMMy.reg.dat

2011-07-11 07:41:33 . 2011-07-11 07:41:33 542 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-gvmnsuri.reg.dat

2011-07-11 07:37:11 . 2011-07-11 07:37:12 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat

2011-07-06 10:07:25 . 2011-07-11 07:16:35 306 ----a-w- C:\Qoobox\Quarantine\catchme.log

2011-07-06 03:09:42 . 2008-04-14 00:12:37 135,680 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\explorer.exe.vir

2011-07-05 06:03:59 . 2011-07-05 06:03:59 936 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk.vir

2011-07-05 06:03:59 . 2011-07-05 06:03:59 864 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk.vir

2011-06-01 02:12:13 . 2011-07-05 06:14:39 55,808 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\Application Data\ntuser.dat.vir

2010-09-14 05:56:30 . 2010-09-14 05:56:30 17,408 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir

2008-03-14 09:32:19 . 2003-07-13 08:02:10 57,344 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\wdreg.exe.vir

2006-08-19 05:51:12 . 2007-02-23 07:56:31 99 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\user\System\win_qs7.jqx.vir

2005-01-27 00:53:04 . 2005-01-27 00:53:04 1,069 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Desktop\NRW Feecalculator.lnk.vir

I will now try tdsskiller

regards Greg

Link to post
Share on other sites

BTW where are You?

Whats the time there?

What hours do you work?

No. I'm not planning to ask you out.

I'm just trying to align your times with Brisbane Australia times.

I live in Romania, where it is 4.12 PM at the moment. :) I'm usually online during the day/evening here, although, I suspect that is night in Australia.

Can you please redownload combofix and run it. Please run also TDSSkiller and post me the log.

Combofix download link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Link to post
Share on other sites

Hi Elise,

I have tried to run combofix a number of times without success.

It gets to stage 2 & computer hangs.

I have waited for 25 minutes with no sign of hards drive activity.

Only way to restart is unplug power supply.

Also TDSSkiller.exe will not run. Renamed com file will also not run.

I did (off my own bat, sorry) download & run gmer. log attached.

Maybe I MBR Rootkit

regards Greg

Link to post
Share on other sites

Hi Elise,

here it is.

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-07-12 07:01:51

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250624AS rev.3.AAE

Running: pud1.exe; Driver: C:\Temp\ugtdqpod.sys

---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F75E216D

INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) F75E1FC2

---- Kernel code sections - GMER 1.0.15 ----

.text KDCOM.DLL!KdSendPacket F79EF345 6 Bytes [FA, 8D, 46, 01, 25, FF]

.text KDCOM.DLL!KdSendPacket F79EF34D 5 Bytes [80, 79, 07, 48, 0D]

.text KDCOM.DLL!KdSendPacket F79EF353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]

.text KDCOM.DLL!KdSendPacket F79EF371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]

.text KDCOM.DLL!KdD0Transition + 8 F79EF38E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]

.text KDCOM.DLL!KdD0Transition + 1A F79EF3A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]

.text KDCOM.DLL!KdDebuggerInitialize0 + 25 F79EF3CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}

.text KDCOM.DLL!KdDebuggerInitialize0 + 2C F79EF3D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]

.text KDCOM.DLL!KdDebuggerInitialize0 + 44 F79EF3EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]

.text KDCOM.DLL!KdRestore + 2D F79EF48D 1 Byte [43]

.text KDCOM.DLL!KdRestore + 2D F79EF48D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]

.text KDCOM.DLL!KdRestore + 7C F79EF4DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]

.text KDCOM.DLL!KdRestore + 97 F79EF4F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]

.text KDCOM.DLL!KdRestore + 19F F79EF5FF 118 Bytes [68, 3B, F6, 9E, F7, FF, 15, ...]

.text ...

PAGEKD KDCOM.DLL!KdReceivePacket + 2 F79EFF4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]

PAGEKD KDCOM.DLL!KdReceivePacket + D0 F79F001C 2 Bytes [75, 0E] {JNZ 0x10}

PAGEKD KDCOM.DLL!KdReceivePacket + D3 F79F001F 1 Byte [C0]

PAGEKD KDCOM.DLL!KdReceivePacket + D3 F79F001F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]

PAGEKD KDCOM.DLL!KdReceivePacket + 13B F79F0087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]

PAGEKD ...

? dgqxg.sys The system cannot find the file specified. !

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xAA69FA80]

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA112F400, 0x7960C, 0xE8000020]

.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA11D1420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA11D1420]

.protectÿÿÿÿhardlockunknown last code section [0xA11D1200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA11D1200, 0x5049, 0xE0000020]

.text C:\WINDOWS\System32\drivers\hl_mull.SYS section is writeable [0xA1032300, 0x400F, 0xE8000020]

.UPX2 C:\WINDOWS\System32\drivers\hl_mull.SYS entry point in ".UPX2" section [0xA105DFE1]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C90000

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00E468C7

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 00C50000

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00C30000

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00C40000

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C80000

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 00C60000

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00E46AD2

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00C70000

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0058000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0055000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0054000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0056000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0057000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3012] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0053000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D8000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D5000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D4000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D6000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D7000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0059000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C90000

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00E468C7

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 00C50000

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 00C30000

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!InternetConnectW 3D94F862 5 Bytes JMP 00C40000

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C80000

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 00C60000

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00E46AD2

.text C:\Program Files\Internet Explorer\iexplore.exe[3780] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00C70000

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdSendPacket] [F79EF631] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdD0Transition] [F79EF5DF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdD3Transition] [F79EF5E9] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdReceivePacket] [F79EF60D] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize0] [F79EF5F3] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdSave] [F79EF625] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize1] [F79EF5FF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdRestore] [F79EF619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [F79EF619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!WRITE_REGISTER_UCHAR] 6C6C642E

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!READ_REGISTER_UCHAR] 8B550000

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!HalPrivateDispatchTable] 835151EC

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!KeFindConfigurationEntry] 8300F865

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!InbvDisplayString] 8A000C7D

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!KdDebuggerNotPresent] 00010081

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!_strupr] 01918A00

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!strstr] 0F000001

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!MmMapIoSpace] 00008386

IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!atol] 57565300

IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 736F746E

IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 6C6E726B

IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6578652E

IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 00000000

IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 2E6C6168

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[3780] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Beep \Device\Beep 86645360

Device \Driver\hardlock \Device\HLVol hl_mull.SYS

Device \Driver\hardlock \Device\HLVol XHASP.sys

Device \Driver\hardlock \Device\FNT0 hl_mull.SYS

Device \Driver\hardlock \Device\FNT0 XHASP.sys

AttachedDevice \Driver\Tcpip \Device\Tcp 86644070

AttachedDevice \FileSystem\Fastfat \Fat FStopW.sys (FPAV - RealTime Protector/FRISK Software International)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- Threads - GMER 1.0.15 ----

Thread System [4:116] 86F260B3

Thread System [4:128] 86F277FB

Thread System [4:920] 86647BA0

Thread System [4:924] 866440E0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Hi again, that looks indeed like an MBR rootkit.

  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:
    fixmbr
    If asked to confirm, please do so.
  6. At the next prompt type the following bolded text, and press Enter:
    exit

Windows will now begin loading.

When done, try to run combofix again.

Link to post
Share on other sites

Elise,

Twice I typed really long replies & IE dropped out.

I’m now drafting it in Word Processor to be safe.

MBRfix appeared to work OK but ComboFix refuses to run on infected machine despite numerous attemps so no log.

Mbam detected & eventually appeared to remove Malware.trace.

but

IE google re-redirects have stopped & MBAM also is not showing attempted connects to bad sites.

However ComboFix failure is worrying & an attempted SAS scan stalled on file GUSV which I think is Google updater.

A MUCH BIGGER WORRY THOUGH is

2 other machines on the home network that I thought/hoped had largely escaped infection showed infections with MBAM & SAS scans which appered to be fixed.

ComBo Fix has since been run on these however MBAM is still detecting bad site connection attempts on 1 of these machines.

Do you have suggestions?

Do we finish with the first machine before moving on?

or Perhaps we should be dealing with each machine separately and starting a new forum?

Regards Greg

Link to post
Share on other sites

Elise,

ComboFix was successful in Safe mode.

I have pasted log below. Computer is GREG.

I know we planned to keep cleaning of other machines a seperate issue but

I have also pasted excerps from logs of GREG, WISE & BASALT because I think they are relevant.

All 3 machines have Mbam stopping access to the 2 sites 219.139.81 & 168.95.1.1 but NONE OF THEM ARE NOW HAVING GOOGLE REDIRECTS

All excerps show similar references to 219.139.81.6 168.95.1.1 which are URL's MBAM is blocking access to.

In GREG, TCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71

refers to Telstra IP's nameservers which were nominated at scan time

in WISE TCP: Interfaces\{FB0E3BB5-8B50-4036-8B7F-2CFFF878DD92}: NameServer = 192.168.1.1

refers to router address (Auto DNS selection)

I don't know why no similar reference in BASALT

COMPUTER GREG (1st infected)

------- Supplementary Scan -------

.

uStart Page = hxxp://bee.com.au/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

TCP: DhcpNameServer = 219.139.81.6 168.95.1.1

TCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qts5r0xp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://bee.com.au

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=

.

- - - - ORPHANS REMOVED - - - -

COMPUTER WISE (2nd infected?)

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bee.com.au/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: DhcpNameServer = 219.139.81.6 168.95.1.1

TCP: Interfaces\{FB0E3BB5-8B50-4036-8B7F-2CFFF878DD92}: NameServer = 192.168.1.1

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

.

.

**************************************************************************

COMPUTER BASALT (3rd infected?)

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bee.com.au/

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

TCP: DhcpNameServer = 219.139.81.6 168.95.1.1

FF - ProfilePath -

.

.

**************************************************************************

HERE IS FULL ComboFIX LOG FOR GREG

ComboFix 11-07-12.04 - user 13/07/2011 8:00.11.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.726 [GMT 10:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\common.data

c:\documents and settings\user\Application Data\desktop.ini

c:\windows\system\C4ascx.dll

c:\windows\system\C4basx.dll

c:\windows\system\C4clax.dll

c:\windows\system\C4dosx.dll

c:\windows\system\C4runx.dll

c:\windows\system\C4tpsx.dll

c:\windows\system32\spool\prtprocs\w32x86\WFXPNT40.DLL

.

.

((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))

.

.

2011-07-12 22:10 . 2011-07-12 22:10 53248 ----a-w- c:\temp\catchme.dll

2011-07-12 09:07 . 2011-07-12 09:08 -------- d-----w- C:\BomboFix

2011-07-09 07:52 . 2011-07-09 11:18 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-07-09 07:49 . 2011-07-09 07:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-07-09 07:46 . 2011-07-09 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-07-09 05:04 . 2011-07-09 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost

2011-07-09 02:19 . 2011-07-09 02:19 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment

2011-07-09 01:58 . 2011-07-09 01:58 -------- dc-h--w- c:\windows\ie8

2011-07-08 07:50 . 2011-07-08 07:50 -------- d-----w- c:\windows\system32\wbem\Repository

2011-07-08 07:17 . 2011-07-08 07:17 -------- d-----w- c:\program files\Realtek

2011-07-06 07:27 . 2011-05-28 23:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 07:27 . 2011-07-08 09:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-06 07:27 . 2011-05-28 23:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 06:36 . 2011-07-06 06:36 -------- d-----w- c:\windows\system32\Logfiles

2011-07-06 06:13 . 2011-06-16 04:32 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-07-06 06:13 . 2011-06-16 04:32 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-07-06 06:13 . 2011-06-16 04:32 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-07-06 06:13 . 2011-06-16 04:32 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll

2011-07-06 06:13 . 2011-06-16 04:32 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-07-06 06:13 . 2011-06-16 04:32 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-07-06 06:13 . 2011-06-16 04:32 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe

2011-07-06 06:13 . 2011-06-16 04:32 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-07-06 06:13 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-07-06 06:13 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-07-01 08:46 . 2011-07-01 08:46 1458992 ----a-w- C:\t.com

2011-06-29 09:48 . 2011-06-29 09:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-16 10:04 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-03 01:06 . 2011-06-03 01:06 96256 ----a-w- c:\windows\system32\drivers\gvmnsuri.sys

2011-05-02 15:31 . 2006-04-12 06:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-06-16 04:32 . 2011-07-06 06:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EFI Job Monitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EFJM.dll" [2008-07-24 2400256]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-09 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]

"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-22 483328]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-28 449584]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-5-29 25214]

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-29 113664]

Command WorkStation 4.lnk - c:\program files\Fiery\Command WorkStation 4\CWS 4.exe [2006-7-20 2068480]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-5-20 114688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-07 06:35 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\KONICA MINOLTA\\PSC2\\BinPro\\MPSCFTPS.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\FaxTools eXPert Network\\BvrpKrnl.exe"=

"c:\\Program Files\\FaxTools eXPert Network\\FaxTools.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"990:TCP"= 990:TCP:*:Disabled:990

"999:TCP"= 999:TCP:*:Disabled:999

"5678:TCP"= 5678:TCP:*:Disabled:5678

"5679:UDP"= 5679:UDP:*:Disabled:5679

"5721:TCP"= 5721:TCP:*:Disabled:5721

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]

"RemoteAddresses"= LocalSubNet

"Enabled"= 1 (0x1)

.

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [22/08/2008 3:24 PM 700632]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [14/05/2009 2:22 PM 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 2:22 PM 67656]

S2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [3/11/2010 4:40 PM 83624]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]

S2 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/07/2011 12:19 PM 136176]

S2 gvmnsuri;gvmnsuri;c:\windows\system32\drivers\gvmnsuri.sys [3/06/2011 11:06 AM 96256]

S2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [14/03/2008 7:32 PM 199168]

S2 KeyP;KeyP;c:\windows\system32\drivers\KEYP.SYS [17/06/2002 4:37 PM 18720]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/07/2011 5:27 PM 366640]

S2 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [5/09/2007 3:49 PM 2171904]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [9/07/2011 5:52 PM 20552]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/07/2011 5:27 PM 22712]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/07/2011 5:27 PM 39984]

S3 MSSQL$MPSC_DB;MSSQL$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlservr.exe -sMPSC_DB [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 2:22 PM 12872]

S3 SQLAgent$MPSC_DB;SQLAgent$MPSC_DB;c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB --> c:\program files\Microsoft SQL Server\MSSQL$MPSC_DB\Binn\sqlagent.EXE -i MPSC_DB [?]

S3 UFBFilte;UFBFilte;c:\windows\system32\drivers\UFBFilte.sys [23/09/2010 1:18 PM 4818]

S4 AdLM;Autodesk License Manager;c:\windows\system32\AD_ELMD.EXE [27/06/2006 8:56 PM 194048]

S4 BvrpKrnl;BvrpKrnl;c:\program files\FaxTools eXPert Network\BvrpKrnl.exe [2/02/2008 1:24 PM 544768]

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19]

.

2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-09 02:19]

.

2011-07-12 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://bee.com.au/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

TCP: DhcpNameServer = 219.139.81.6 168.95.1.1

TCP: Interfaces\{B11C8186-34FA-430C-9B86-F1353EDB837E}: NameServer = 139.130.4.4,203.50.2.71

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qts5r0xp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://bee.com.au

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.2.6&q=

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-gvmnsuri

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-13 08:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(232)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-07-13 08:12:44

ComboFix-quarantined-files.txt 2011-07-12 22:12

.

Pre-Run: 210,366,447,616 bytes free

Post-Run: 210,381,332,480 bytes free

.

- - End Of File - - EC30769AA727DA150A5EF8D757A55341

regards Greg

Link to post
Share on other sites

Hi Greg, the Combofix log looks good. Do you have any problem left on this computer?

As for the difference in IP information, this may depend on the OS and configuration. Can you tell me what OS each computer has and how your network is setup (are all computers using one router, or modem?)

Link to post
Share on other sites

Hi Elise :rolleyes: ,

How many more hours are you on duty today, so I know how late a night I may have???

All machines run windows XP SP3 and connect via single Linksys ADSL router/modem.

Gateway is 192.168.1.1. Router assigns IPS (192.168.1.2,

192.168.3 & 192.168.4) and handles DNS through the Telsta IP assigned servers.

All 3 machines have Mbam stopping access to the 2 sites 219.139.81 & 168.95.1.1

but NONE OF THEM ARE NOW HAVING GOOGLE REDIRECTS

All 3 excerps from ComboFix logs show similar references to 219.139.81.6 & 168.95.1.1 which are URL's MBAM is blocking access to.

The only problem seems to be the attempted connections to the known bad sites. If Mbam sis not active continuously bad things may happen.

Would correction involve removing some registry entries on each of the machines?

I just scanned computer GREG with MBAM & it again detected Malware>trace which was removed.

Machines 2 & 3 come up clear.

Log below

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7089

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

13/07/2011 6:19:42 PM

mbam-log-2011-07-13 (18-19-42).txt

Scan type: Flash scan

Objects scanned: 127336

Time elapsed: 1 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\common.data (Malware.Trace) -> Quarantined and deleted successfully.

Link to post
Share on other sites

a couple of typos above

Gateway is 192.168.1.1. Router assigns IPS (192.168.1.2,

192.168.1.3 & 192.168.1.4) and handles DNS through the Telsta IP assigned servers.

All 3 machines have Mbam stopping access to the 2 sites 219.139.81.6 & 168.95.1.1

but NONE OF THEM ARE NOW HAVING GOOGLE REDIRECTS

All 3 excerps from ComboFix logs show similar references to 219.139.81.6 & 168.95.1.1 which are URL's MBAM is blocking access to.

Link to post
Share on other sites

I would definitely reset your router, as it is possible malware altered the router's dns settings. Also change the default password for your router; this is often used by malware to access the router, and simply changing it will prevent it from accessing the router in the future.

How many more hours are you on duty today, so I know how late a night I may have???

Sorry, I'm not "on duty", I'm a volunteer, but I'll be around for the coming 12 hours or so. :)
Link to post
Share on other sites

Do you still get the IP blocks now?

Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.

Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.

On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.

On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.

Click OK to exit the Properties and OK to exit the other windows as well.

Link to post
Share on other sites

Elise, :rolleyes::lol::D:P

All those settings are as described on all machines.

It has been ages since any blocks by Mbam have shown up. (on any of the three machines)

looks really promising but I'm learning not to be too confident.

Just when you think it's safe to go back in the water......

I decided to search each of the 3 registries for instances of those bad sites.

None on machines 1 & 2.... 2 instances under dhcpnameserver on machine 3 (Basalt)

I modified the keys on Baslts registry to telstras primary & secondary dns servers.

Lets see what happens in the next 24 hours.

i'm off to bed... nearly 10:30

I really appreciate your devotion to voluntary duty.

I hate to think how many people there are are their tearing their hair out.

Your efforts are more than appreciated.

i will come back with more.

regards Greg

Link to post
Share on other sites

Hi Elise,

We are not quite there.

Tonight Mbam scan detected and removed another instance of Malware.Trace and after that Mbam has again blocked access but this time to 208.73.210.29 which I don't think has been tried before.

I was doing some web surfing just prior to the scan, and had an uneasy feeling with a site... thats why I scanned.

The blocking occured just once after scan & removal & there has been no repeat flag.

I have just scanned again & no apparent problems.

No re-directions.

No signs of problems on machines 2 & 3.

Unfortunately, i am very tired & it may be a while begore i can try much more but please post any suggestions you have.

regards Greg

Link to post
Share on other sites

Hi Elise,

First scan after log1 came up clear, but scan just now came up with infection as per log2.

LOG1

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7121

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

14/07/2011 5:27:49 PM

mbam-log-2011-07-14 (17-27-49).txt

Scan type: Flash scan

Objects scanned: 127540

Time elapsed: 1 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\common.data (Malware.Trace) -> Quarantined and deleted successfully.

LOG2

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7139

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

15/07/2011 6:48:12 AM

mbam-log-2011-07-15 (06-48-12).txt

Scan type: Flash scan

Objects scanned: 127924

Time elapsed: 1 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\common.data (Malware.Trace) -> Quarantined and deleted successfully.

regards Greg

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.