
Browser Redirect + can't open Malwarebytes/Spybot, etc. [Solved]


  • This topic is locked

#16
mailasaurus
    Member
  • Topic Starter
  • 16 posts
I appreciate you taking time to help me. I probably should have told you that I'm using a different computer (the one I am on now) to download these programs and am then transferring them to the infected computer via a flash drive. The reason I bring this up is because you say regarding Combofix that "It is important that it is saved directly to your desktop". If I save it to my flash drive and then transfer it to the desktop of the infected computer will there be a problem?
  • 0



#17
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Nope, that will be fine. It just needs to be put on your Desktop when you transfer it, before you run it. :)
  • 0

#18
mailasaurus
    Member
  • Topic Starter
  • 16 posts
Here's my SDFix log; the others will be coming soon.


SDFix: Version 1.240
Run by Keith on Sat 01/17/2009 at 04:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Keith\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\AV.EXE - Deleted
C:\WINDOWS\system32\av.dat - Deleted
C:\WINDOWS\system32\av.exe - Deleted
C:\WINDOWS\system32\TDSSfxmp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSStkdv.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll
Could Not Remove C:\WINDOWS\system32\TDSSnrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSScfum.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 16:27:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Keith\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1125955117\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125955117\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\Triton\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\Triton\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Nortel Networks\\Extranet.exe"="C:\\Program Files\\Nortel Networks\\Extranet.exe:*:Enabled:Contivity VPN Client"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Disabled:Ares p2p for windows"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1125955117\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125955117\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\Triton\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\Triton\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32\TDSSofxh.dll Found
C:\WINDOWS\system32\TDSSnrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSScfum.dll Found

File Backups: - C:\DOCUME~1\Keith\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 18 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!
  • 0

#19
mailasaurus
    Member
  • Topic Starter
  • 16 posts
ComboFix log:

ComboFix 09-01-17.03 - Keith 2009-01-17 16:55:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.472 [GMT -5:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Keith\nah_log.dat
c:\documents and settings\Keith\nah_qybg.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\TDSSmhxt.sys
c:\windows\system32\getwn32.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\wertyu.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\winlogon.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 16:10 . 2009-01-17 16:10 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-17 16:05 . 2009-01-17 16:06 <DIR> d-------- c:\windows\ERUNT
2009-01-17 14:48 . 2009-01-17 14:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-17 14:42 . 2009-01-17 16:28 <DIR> d-------- c:\program files\NOS
2009-01-17 14:42 . 2009-01-17 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-16 17:29 . 2009-01-16 17:29 <DIR> d-------- c:\program files\Windows Defender
2009-01-16 17:27 . 2009-01-17 14:40 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-16 17:27 . 2009-01-17 14:40 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 16:48 . 2009-01-16 16:47 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-16 16:48 . 2009-01-16 16:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-12 15:09 . 2009-01-12 15:09 <DIR> d-------- c:\program files\Avira
2009-01-12 15:09 . 2009-01-12 15:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-12 15:05 . 2009-01-12 15:05 <DIR> d-------- c:\program files\Safer Networking
2009-01-04 20:23 . 2009-01-04 20:23 <DIR> d-------- c:\program files\Carbonite
2009-01-04 20:23 . 2009-01-04 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Carbonite
2009-01-01 19:34 . 2009-01-01 19:34 <DIR> d-------- c:\documents and settings\Judy\Application Data\Amazon
2009-01-01 19:31 . 2009-01-01 19:31 <DIR> d-------- c:\program files\Amazon
2008-12-29 13:23 . 2008-12-29 13:23 <DIR> d-------- c:\documents and settings\Judy\Application Data\Snapfish
2008-12-23 19:49 . 2008-12-23 19:50 <DIR> d-------- c:\program files\iTunes
2008-12-23 19:49 . 2008-12-23 19:49 <DIR> d-------- c:\program files\iPod
2008-12-23 19:49 . 2008-12-23 19:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 22:18 . 2008-12-18 22:18 1,393 --a------ c:\windows\imsins.BAK
2008-12-17 03:59 . 2008-12-17 03:59 <DIR> d-------- c:\program files\Webroot
2008-12-17 03:59 . 2008-12-17 03:59 <DIR> d-------- c:\documents and settings\Keith\Application Data\Webroot
2008-12-17 03:59 . 2008-12-17 03:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-12-17 03:59 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-12-17 03:58 . 2008-12-17 03:58 164 --a------ C:\install.dat
2008-12-17 03:46 . 2005-05-11 20:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-17 03:46 . 2005-05-11 20:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-12-17 03:46 . 2005-05-11 20:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-17 03:46 . 2005-06-01 22:09 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-17 03:46 . 2009-01-12 16:49 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 19:47 --------- d-----w c:\program files\Common Files\Adobe
2009-01-16 21:47 --------- d-----w c:\program files\Java
2009-01-12 22:25 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-12 21:50 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-12 19:51 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-12 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 23:41 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 23:41 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-29 17:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-24 00:49 --------- d-----w c:\program files\Common Files\Apple
2008-12-24 00:48 --------- d-----w c:\program files\QuickTime
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 03:21 --------- d-----w c:\program files\CCleaner
2008-12-08 23:35 --------- d-----w c:\program files\Trend Micro
2008-12-07 21:59 --------- d-----w c:\documents and settings\Judy\Application Data\Move Networks
2007-01-03 05:07 214,616 ----a-w c:\program files\mozilla firefox\components\FFHook.dll
.

------- Sigcheck -------

2004-08-04 05:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-29 23:18 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-08-18 09:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-08-18 09:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-08-18 09:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-08-18 600008]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-10-22 1757]
HP Digital Imaging Monitor.lnk.disabled [2005-06-23 1808]
HP Image Zone Fast Start.lnk.disabled [2005-06-23 798]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
"MMTray"=c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe
"QBReminderFlash"="c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe"
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"dla"=c:\windows\system32\dla\tfswctrl.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-11-30 11113]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-12-17 1086840]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-11-30 216459]
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-01-16 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\CHARTE~1\ANTI-V~1\fsav.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\zkkybxe1.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\FFHook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 17:02:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-17 17:08:19 - machine was rebooted [Keith]
ComboFix-quarantined-files.txt 2009-01-17 22:08:15

Pre-Run: 17,578,545,152 bytes free
Post-Run: 18,071,363,584 bytes free

222 --- E O F --- 2009-01-13 22:03:40
  • 0

#20
mailasaurus
    Member
  • Topic Starter
  • 16 posts
GMER log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-17 17:37:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 83BD9D50 ZwAllocateVirtualMemory
SSDT 83BEA468 ZwCreateKey
SSDT 83B8A1A8 ZwCreateProcess
SSDT 83B993F0 ZwCreateProcessEx
SSDT F7CB1C34 ZwCreateThread
SSDT 83BEA3F0 ZwDeleteKey
SSDT 83BAE0D0 ZwDeleteValueKey
SSDT F7CB1C20 ZwOpenProcess
SSDT F7CB1C25 ZwOpenThread
SSDT 83BD9DC8 ZwQueueApcThread
SSDT 83BD9C60 ZwReadVirtualMemory
SSDT 83BE3210 ZwRenameKey
SSDT 83BD9EB8 ZwSetContextThread
SSDT 83B95150 ZwSetInformationKey
SSDT 83BDA510 ZwSetInformationProcess
SSDT 83BD9F30 ZwSetInformationThread
SSDT 83B991E0 ZwSetValueKey
SSDT 83BDA498 ZwSuspendProcess
SSDT 83BD9E40 ZwSuspendThread
SSDT F7CB1C2F ZwTerminateProcess
SSDT 83BD9FA8 ZwTerminateThread
SSDT F7CB1C2A ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 4A1 804E2AFD 3 Bytes [ 1C, CB, F7 ]
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 83BD9AF0
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 83BD9BE8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 83BD9BE8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 83BD9AF0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 83BD9AF0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 83BD9BE8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 83BD9BE8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 83BD9AF0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 83BD9BE8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 83BD9AF0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 83BD9BE8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 83BD9BE8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 83BD9AF0

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 836BE8F8
Device \Driver\Tcpip \Device\Ip 83745918
Device \Driver\Tcpip \Device\Ip 83A97AB8
Device \Driver\Tcpip \Device\Tcp 836BE8F8
Device \Driver\Tcpip \Device\Tcp 83745918
Device \Driver\Tcpip \Device\Tcp 83A97AB8
Device \Driver\Tcpip \Device\Udp 836BE8F8
Device \Driver\Tcpip \Device\Udp 83745918
Device \Driver\Tcpip \Device\Udp 83A97AB8
Device \Driver\Tcpip \Device\RawIp 836BE8F8
Device \Driver\Tcpip \Device\RawIp 83745918
Device \Driver\Tcpip \Device\RawIp 83A97AB8
Device \Driver\Tcpip \Device\IPMULTICAST 836BE8F8
Device \Driver\Tcpip \Device\IPMULTICAST 83745918
Device \Driver\Tcpip \Device\IPMULTICAST 83A97AB8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\WINDOWS\system32\msvidctl.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ BDATuner.DVBSLocator.1
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\TypeLib@ {9B085638-018E-11D3-9D8E-00C04F72D980}
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\VersionIndependentProgID@ BDATuner.DVBSLocator

---- EOF - GMER 1.0.14 ----
  • 0

#21
mailasaurus
    Member
  • Topic Starter
  • 16 posts
Just so you know, after that last round everything seems to be working regularly!
  • 0

#22
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Your logs look clean. Just use these two tools to clean up everything left over and you should be all set. :)

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

  • Make sure you have an Internet Connection.
  • Download OTCleanIt to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

  • 0

#23
mailasaurus
    Member
  • Topic Starter
  • 16 posts
Everything is all set. Thank you for your time and effort. I appreciate it!
  • 0

#24
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
