
banking sites being redirected


#1 calmnreserved (Member, 13 posts)
Hi,

I have been going to my banking websites (Chase, BOA) and each time I get redirected to a page that was obviously phishing for my information. I recognize the site and don't key in anything, but I cannot actually access the banking websites I want. Thanks! See below for MBAM & OTL logs.

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/2/2010 11:37:35 PM
mbam-log-2010-02-02 (23-37-35).txt

Scan type: Quick Scan
Objects scanned: 137234
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




OTL LOG
_________________________________________________________________________

OTL logfile created on: 2/2/2010 11:38:12 PM - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Zachary Tan.ZACH\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 467.00 Mb Available Physical Memory | 52.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 43.37 Gb Free Space | 58.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZACH
Current User Name:
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/02 23:36:05 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\OTL.exe
PRC - [2010/01/09 01:40:57 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/21 15:36:12 | 000,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/21 15:36:02 | 000,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/01 09:57:06 | 001,773,568 | ---- | M] (TOSHIBA Inc.) -- C:\Program Files\TOSHIBA\Windows Utilities\Hotkey.exe
PRC - [2006/05/25 17:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2006/05/03 01:56:56 | 000,237,679 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
PRC - [2006/05/03 01:56:56 | 000,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
PRC - [2006/04/07 15:48:22 | 000,761,946 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2005/12/16 01:41:28 | 000,188,416 | ---- | M] (Agere Systems) -- C:\Program Files\ltmoh\ltmoh.exe
PRC - [2005/12/11 22:33:46 | 000,393,216 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/12/11 20:05:00 | 000,344,064 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2005/12/05 21:06:10 | 001,077,322 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
PRC - [2005/09/26 11:22:28 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2005/07/12 16:14:42 | 000,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2005/05/31 20:00:12 | 000,282,624 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2005/05/31 19:59:58 | 000,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2005/04/26 15:13:20 | 000,122,880 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2005/01/17 15:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/10/15 12:54:14 | 000,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PRC - [2004/10/15 12:54:12 | 000,046,768 | ---- | M] (America Online Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
PRC - [2004/08/27 23:37:00 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2004/08/27 23:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2002/12/17 11:40:22 | 000,049,152 | R--- | M] () -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe


========== Modules (SafeList) ==========

MOD - [2010/02/02 23:36:05 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/06 09:20:16 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/09/21 15:36:02 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/08/21 09:22:23 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2006/05/25 17:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2005/12/11 22:33:46 | 000,393,216 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/09/26 11:22:28 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2005/07/12 16:14:42 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2005/04/03 23:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/17 15:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/10/15 12:54:14 | 000,100,016 | ---- | M] (America Online, Inc) [Auto | Running] -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor)
SRV - [2004/08/27 23:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo....g/mail?.intl=us
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo....r=ytff-msgr&p="
FF - prefs.js..browser.startup.homepage: "https://login.yahoo..../mail?.intl=us"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 49
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.07076007
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/20 23:29:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/09 01:41:02 | 000,000,000 | ---D | M]

[2009/05/19 16:50:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\Mozilla\Extensions
[2010/02/02 22:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\extensions
[2009/12/06 01:14:50 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2008/01/16 00:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\extensions\[email protected]
[2009/05/19 16:50:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/03/24 19:21:00 | 002,889,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2009/09/21 12:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml

O1 HOSTS File: ([2009/11/24 23:42:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe ()
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\ltmoh.exe (Agere Systems)
O4 - HKLM..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe (TOSHIBA)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Toshiba Hotkey Utility] c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe (TOSHIBA Inc.)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\NPJPI150_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Zachary Tan.ZACH\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Zachary Tan.ZACH\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/21 09:25:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/08/21 09:25:14 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/02 23:36:04 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\OTL.exe
[2010/02/02 23:30:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/02 23:30:47 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/02 23:30:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/02 23:29:24 | 005,115,840 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\mbam-setup.exe
[2010/02/02 23:23:15 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\TFC.exe
[2009/12/01 22:48:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/01 22:44:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/01 22:44:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/01 22:44:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/23 22:06:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/05/19 20:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Spyware Terminator
[2007/05/16 21:45:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Spyware Terminator
[2006/11/28 10:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall

========== Files - Modified Within 14 Days ==========

[2010/02/02 23:36:05 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\OTL.exe
[2010/02/02 23:30:52 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/02 23:29:48 | 005,115,840 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\mbam-setup.exe
[2010/02/02 23:27:04 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/02 23:26:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/02 23:26:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/02 23:26:37 | 937,603,072 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/02 23:25:54 | 003,670,016 | ---- | M] () -- C:\Documents and Settings\Zachary Tan.ZACH\NTUSER.DAT
[2010/02/02 23:25:46 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Zachary Tan.ZACH\ntuser.ini
[2010/02/02 23:23:15 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\TFC.exe
[2010/02/02 22:18:18 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\mcs.rma
[2010/02/02 22:18:18 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\A11555
[2010/02/02 21:51:40 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/25 22:06:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/21 00:00:01 | 000,002,481 | ---- | M] () -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\Microsoft Excel.lnk
[2010/01/20 23:59:39 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Zachary Tan.ZACH\Desktop\Microsoft Word.lnk

========== Files Created - No Company Name ==========

[2010/02/02 23:30:52 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/08 21:00:43 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\mcs.rma
[2009/12/08 20:56:32 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\A11555
[2007/08/11 22:22:32 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/24 22:48:49 | 000,010,061 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
[2006/12/15 02:08:31 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\wklnhst.dat
[2006/11/29 17:32:34 | 000,079,360 | ---- | C] () -- C:\Documents and Settings\Zachary Tan.ZACH\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/09 11:29:20 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/09/09 11:29:20 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/09/09 11:29:20 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/09/09 11:29:20 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/09/09 11:29:20 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/09/09 11:29:20 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/09/09 11:28:14 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/09/09 11:28:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/09/09 11:28:14 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/09/09 11:28:14 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/09/09 11:25:07 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/08/21 15:44:11 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/21 10:54:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/08/21 10:53:47 | 000,011,122 | ---- | C] () -- C:\WINDOWS\HWSetupStr.ini
[2006/08/21 10:53:47 | 000,002,036 | ---- | C] () -- C:\WINDOWS\SVPW32Str.ini
[2006/08/21 09:30:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/21 09:22:29 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/08/21 09:06:11 | 000,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/08/01 09:56:40 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll
[2005/12/08 10:56:50 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\tsbwls.dll
[2005/08/24 14:20:28 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2007/12/01 15:18:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2007/08/11 21:22:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/05/16 21:37:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2006/11/28 12:48:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/10/28 21:47:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2006/09/09 12:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\InterVideo
[2006/12/15 02:08:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\Template
[2007/12/01 15:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\TomTom
[2006/08/21 10:48:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\toshiba
[2010/01/06 23:14:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\tunebite
[2007/08/11 21:22:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Zachary Tan.ZACH\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/03 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/04/12 19:18:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/03 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2009/04/12 19:18:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/04/12 19:18:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/03 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2009/04/12 19:18:25 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: KR10N.SYS >
[2005/01/11 09:05:46 | 000,204,160 | ---- | M] (TOSHIBA CORPORATION) MD5=00C1EA8DECF810B8ECCB5C5A8186A96E -- C:\WINDOWS\OemDir\KR10N.sys
[2005/01/11 09:05:46 | 000,204,160 | ---- | M] (TOSHIBA CORPORATION) MD5=00C1EA8DECF810B8ECCB5C5A8186A96E -- C:\WINDOWS\system32\drivers\KR10N.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/08/21 02:17:25 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/08/21 02:17:25 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/08/21 02:17:25 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >
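The OTL log above already contains the lines that usually explain a banking-site redirect: the O1 hosts entries, the O17 name-server values, the IE "Internet Settings" proxy keys and the Firefox network.proxy.type preference. The script below is added here as an example; it is not part of the thread and not OTL's own code. It pulls those line types out of an OTL-style log and flags the ones that would send a browser somewhere other than the real site. The sample log it parses is constructed for the example (the 192.0.2.x and 198.51.100.x addresses are documentation ranges and the bank hostname is made up), and the expected-resolver list is an assumption the analyst would replace with their own ISP's or company's resolvers. Note what such a check cannot see: in this thread the hosts file, the IE proxy setting and the DHCP resolvers all look clean, while the ComboFix run in post #3 reports restoring the original MBR, which points at a boot-sector modification that none of these per-browser settings would show.

```python
"""Triage OTL/HijackThis-style log lines for browser-redirection indicators.

Added example, not part of the original thread or of OTL. Handles four line
types: O1 hosts overrides, O17 DHCP/static name servers, IE proxy keys and
the Firefox network.proxy.type preference. Sample input is constructed.
"""
import ipaddress
import re

# Values of Firefox's network.proxy.type preference.
FF_PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "WPAD auto-detect", 5: "system"}

# Resolvers this machine is expected to use. Assumption for the example: the
# analyst fills this in from the ISP's or company's published resolver ranges.
EXPECTED_DNS = [ipaddress.ip_network("68.105.28.0/24"), ipaddress.ip_network("68.105.29.0/24")]

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DNS_RE = re.compile(r"\b(DhcpNameServer|NameServer) = (.+)$")
IE_PROXY_RE = re.compile(r'Internet Settings: "(ProxyEnable|ProxyServer|AutoConfigURL)" = (.+)$')
FF_PROXY_RE = re.compile(r"prefs\.js\.\.network\.proxy\.type: (\d+)")


def _dns_expected(addr):
    """True if addr parses as an IP inside one of the expected resolver ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in EXPECTED_DNS)


def triage(log_text):
    """Return a list of (severity, kind, detail) tuples for redirect-relevant lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A stock hosts file maps only localhost; any other name is an
            # override that bypasses DNS for that site.
            if host.lower() != "localhost":
                findings.append(("high", "hosts-override", f"{host} -> {ip}"))
            continue
        m = DNS_RE.search(line)
        if m:
            for addr in m.group(2).split():
                if not _dns_expected(addr):
                    findings.append(("high", "unexpected-resolver", f"{m.group(1)} {addr}"))
            continue
        m = IE_PROXY_RE.search(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "ProxyEnable" and value != "0":
                findings.append(("medium", "ie-proxy-enabled", value))
            elif key == "ProxyServer":
                findings.append(("medium", "ie-proxy-server", value))
            elif key == "AutoConfigURL":
                # A PAC file decides per-URL where traffic goes; a banking
                # domain can be steered to a proxy while everything else is direct.
                findings.append(("high", "ie-pac-url", value))
            continue
        m = FF_PROXY_RE.search(line)
        if m:
            mode = int(m.group(1))
            # Manual, PAC and WPAD modes all let something other than the
            # user's own settings decide the path to the site.
            if mode in (1, 2, 4):
                findings.append(("medium", "ff-proxy-mode", FF_PROXY_TYPES.get(mode, str(mode))))
    return findings


# Constructed sample in OTL's line format: two clean lines copied in shape from
# the thread's log plus four planted indicators. Addresses are documentation ranges.
SAMPLE_LOG = r"""
O1 HOSTS File: ([2009/11/24 23:42:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.example-bank.test
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://198.51.100.7/proxy.pac
FF - prefs.js..network.proxy.type: 4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0000}: NameServer = 198.51.100.53
"""

if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {kind}: {detail}")
```

On the sample this reports the hosts override, the PAC URL, the WPAD proxy mode and the one static resolver outside the expected ranges, and stays silent on the localhost entry, ProxyEnable = 0 and the three expected DHCP resolvers. Firefox mode 4 is rated medium rather than high because WPAD auto-detection is not malicious in itself; it matters because whoever controls DHCP or DNS on the local network can hand the browser a PAC file through it.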



#2 RKinner (Malware Expert, MVP, 23,723 posts)
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop. Do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Ron
  • 0

#3
calmnreserved

calmnreserved

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ComboFix 10-02-04.06 - Zachary Tan 02/04/2010 23:29:59.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.551 [GMT -8:00]
Running from: c:\documents and settings\Zachary Tan.ZACH\Desktop\george.exe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-03 07:30 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 07:30 . 2010-02-03 07:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 07:30 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 08:42 . 2010-01-26 08:42 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-13 07:55 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 07:14 . 2009-10-25 08:06 -------- d-----w- c:\documents and settings\Zachary Tan.ZACH\Application Data\tunebite
2009-12-22 05:21 . 2006-08-21 17:03 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2006-08-21 17:02 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-02 07:24 . 2006-12-06 07:52 34736 ----a-w- c:\documents and settings\Zachary Tan.ZACH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 08:15 . 2009-11-23 08:15 70 ---ha-w- C:\aaw7boot.cmd
2009-11-21 23:26 . 2009-11-21 23:26 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 15:51 . 2006-08-21 17:01 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-21 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156187317\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TOSHIBA\\Windows Utilities\\Hotkey.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\acs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6166:TCP"= 6166:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3036:TCP"= 3036:TCP:Services

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 10:50 AM 98816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo....g/mail?.intl=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 23:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x851EBDC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7768f28
\Driver\ACPI -> ACPI.sys @ 0xf76dbcb8
\Driver\atapi -> 0x851ebdc8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x84a1c330
PacketIndicateHandler -> NDIS.sys @ 0xf7526a0d
SendHandler -> NDIS.sys @ 0xf753ab40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-04 23:36:42
ComboFix-quarantined-files.txt 2010-02-05 07:36

Pre-Run: 46,392,680,448 bytes free
Post-Run: 46,352,506,880 bytes free

- - End Of File - - 5D196797517A0875DF31014B6DFB4E3A
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,723 posts
  • MVP
Please run Combofix one more time. It appears it found an MBR infection and fixed it but GMER says it's still there. If it did fix it then GMER should be happy this time.

Ron
  • 0
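Ron's read of the log above comes from a few specific lines: ComboFix says "original MBR restored successfully" while the GMER section in the same run still reports "MBR rootkit infection detected", the disk driver stack contains an UNKNOWN module, Security Center has AntiVirusOverride set, and the firewall has several high TCP ports globally open under the generic label "Services". The script below is an added example for this thread (it is not part of ComboFix, GMER or Geeks to Go's own tooling) that pulls exactly those indicators out of a ComboFix/GMER log so the "restore claimed but rootkit still seen" contradiction is surfaced mechanically; SAMPLE_LOG is a constructed excerpt modelled on the lines in post #3, and the Triage and triage_log names are this example's own.

```python
"""Triage helper for ComboFix / GMER logs like the ones pasted in this thread.

Added example for the thread, not code from ComboFix, GMER or the forum's own
tools. SAMPLE_LOG is a constructed excerpt modelled on the lines shown above,
trimmed to the indicators that matter for a first look.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ComboFix / GMER output above.
SAMPLE_LOG = r"""
original MBR restored successfully !
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3036:TCP"= 3036:TCP:Services
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x851EBDC8]<<
Warning: possible MBR rootkit infection !
malicious code @ sector 0x0950E4C4 !
MBR rootkit infection detected !
"""

# One firewall exception line looks like:  "65533:TCP"= 65533:TCP:Services
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
SECTOR_RE = re.compile(r'malicious code @ sector (0x[0-9A-Fa-f]+)')
UNKNOWN_MODULE_RE = re.compile(r'>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<')
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')


@dataclass
class Triage:
    """Indicators pulled out of one log; findings() turns them into notes."""
    mbr_restored: bool = False          # ComboFix says it rewrote the MBR
    mbr_rootkit_detected: bool = False  # GMER still flags the MBR
    malicious_sectors: list = field(default_factory=list)
    unknown_disk_modules: list = field(default_factory=list)
    av_override: bool = False           # Security Center AV warnings silenced
    open_ports: list = field(default_factory=list)  # (port, proto, label)

    def findings(self):
        notes = []
        if self.mbr_rootkit_detected:
            msg = "GMER reports an MBR rootkit"
            if self.malicious_sectors:
                msg += " (malicious code at sector " + ", ".join(self.malicious_sectors) + ")"
            if self.mbr_restored:
                # The situation in post #4: a restore is claimed in the same run
                # that still shows the rootkit, so the repair is unconfirmed.
                msg += "; ComboFix also claims it restored the MBR, so the fix is unconfirmed"
            notes.append(msg)
        for addr in self.unknown_disk_modules:
            notes.append(f"unknown module in the disk driver stack at {addr}")
        if self.av_override:
            notes.append("Security Center AntiVirusOverride is set: AV status warnings are silenced")
        for port, proto, label in self.open_ports:
            # A named exception such as Remote Desktop is explainable; a bare
            # "Services" label on an arbitrary port is the kind of entry to chase.
            if label.strip().lower() == "services":
                notes.append(f"firewall port {port}/{proto} is globally open with only the generic label {label!r}")
        return notes


def triage_log(text):
    """Scan a ComboFix/GMER log (one string) and collect the indicators."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("original MBR restored successfully"):
            t.mbr_restored = True
        elif "MBR rootkit infection" in line:  # matches the warning and the verdict
            t.mbr_rootkit_detected = True
        elif AV_OVERRIDE_RE.match(line):
            t.av_override = True
        m = SECTOR_RE.search(line)
        if m:
            t.malicious_sectors.append(m.group(1))
        m = UNKNOWN_MODULE_RE.search(line)
        if m:
            t.unknown_disk_modules.append(m.group(1))
        m = PORT_RE.match(line)
        if m:
            t.open_ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return t


if __name__ == "__main__":
    for note in triage_log(SAMPLE_LOG).findings():
        print("-", note)
```

Run it against a saved Combofix.txt by reading the file into a string and passing it to triage_log; on the sample it produces five notes, and the MBR note is the one that says the repair is unconfirmed, which is why a second run and a clean GMER section are needed before the machine can be considered fixed.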

#5
calmnreserved

calmnreserved

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Not sure if it worked... I ran ComboFix again and this is the log generated.



ComboFix 10-02-04.06 - Zachary Tan 02/06/2010 12:39:00.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.539 [GMT -8:00]
Running from: c:\documents and settings\Zachary Tan.ZACH\Desktop\george.exe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\HotbarSA
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSA.dat
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSA_hpk.dat
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSA_kyf.dat
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSAAbout.mht
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSAau.dat
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSAEULA.mht
c:\documents and settings\All Users\Start Menu\Programs\Hotbar
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\About Hotbar.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Games!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Uninstall Instructions.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Reset Cursor.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Weather.lnk
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\1.sdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\1248283.sdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\domains.txt
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\25469
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\32541
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\39897
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\73282
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\750263
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\8443
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\93899
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\95917
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\98285
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\998
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\dynamic\ustat\3936.dat
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\ads.cdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\btntrans.idx
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\btntrans1.dat
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\business_promo.htm
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\buttondir.txt
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\components.cdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\cursors.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_1000.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_2000.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_3000.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bar.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bbar1.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_logos.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_other.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_weather.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\default.cdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_511745-514279.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz1.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz10.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz11.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz12.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz13.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz14.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz15.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz16.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz17.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz18.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz19.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz2.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz20.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz3.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz4.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz5.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz6.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz7.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz8.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz9.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_categorize.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_comparison.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_em_PROFL_CA_flow_b_IEB.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_explorer-Mails.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_explorer-people.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_favorites.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Games.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Hide.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_hotbarcom.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Hotmail.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_hsskin.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jemster.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jemsterie.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jemsteruk.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jobsearch.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Mails.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_new.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_premium.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_reun.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_ringtones.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_SearchBoxTrapper.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_searchfor.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_searchgo.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_weather.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_yellowpages.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\editblbuttons.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-548964.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-9595.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\email-t1-bg.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\gamesmenu.cdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\gamesMenu.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\hb_ie_menu.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium-hotbar-premium.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium.cdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\hotbar_promo.htm
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\icons2.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\ie_games_icon.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\ie_video.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\keywords.idx
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\keywords1.dat
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\layout.cdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\linkpathlegal.txt
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\more.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\new_games.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\progress.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\s_icons_buttons.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\sales_buttons.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\sdfmodifier.xml
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\t2_bg.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\theweb.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\top7.cdf
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\Top7_theweb.mnu
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\tsd_bg.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\1\weathericon.res
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\ads.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\BtnTrans.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\business_promo.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\buttondir.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\cursors.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\default.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\editblbuttons.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\gamesmenu.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\hb_ie_menu.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar-premium.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar_promo.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\icons2.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_video.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords1.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\layout.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\more.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\progress.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\sales_buttons.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.txt
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\sdfmodifier.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\t2_bg.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\top7.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\tsd_bg.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\weathericon.xip
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\history
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\Weather_XML\Default
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\Weather_XML\Genera1
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\Weather_XML\General
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\Links
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\radar-big.jpg
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\radar-small
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\satellite-big.jpg
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\satellite-small
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\Weather_XML\Display
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\Weather_XML\Loading
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\Weather_XML\screen2
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherDPA\WeatherPreferences
c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar\Weather\WeatherStartup.xml
c:\documents and settings\Zachary Tan.ZACH\Application Data\WeatherDPA
c:\program files\Hotbar
c:\program files\Hotbar\bin\11.0.117.0\arrow.ico
c:\program files\Hotbar\bin\11.0.117.0\CntntCntr.dll
c:\program files\Hotbar\bin\11.0.117.0\copyright.txt
c:\program files\Hotbar\bin\11.0.117.0\CoreSrv.dll
c:\program files\Hotbar\bin\11.0.117.0\firefox\extensions\chrome.manifest
c:\program files\Hotbar\bin\11.0.117.0\firefox\extensions\components\npclntax.xpt
c:\program files\Hotbar\bin\11.0.117.0\firefox\extensions\install.rdf
c:\program files\Hotbar\bin\11.0.117.0\firefox\extensions\plugins\npclntax_HotbarSA.dll
c:\program files\Hotbar\bin\11.0.117.0\HostIE.dll
c:\program files\Hotbar\bin\11.0.117.0\HostOL.dll
c:\program files\Hotbar\bin\11.0.117.0\HotbarSA.exe
c:\program files\Hotbar\bin\11.0.117.0\HotbarSAAX.dll
c:\program files\Hotbar\bin\11.0.117.0\HotbarSADF.exe
c:\program files\Hotbar\bin\11.0.117.0\HotbarSAHook.dll
c:\program files\Hotbar\bin\11.0.117.0\HotbarUninstaller.exe
c:\program files\Hotbar\bin\11.0.117.0\Srv.exe
c:\program files\Hotbar\bin\11.0.117.0\Toolbar.dll
c:\program files\Hotbar\bin\11.0.117.0\Weather.exe
c:\program files\Hotbar\bin\11.0.117.0\WeSkin.dll
c:\program files\Mozilla Firefox\components\npclntax.xpt
c:\program files\Mozilla Firefox\plugins\npclntax_HotbarSA.dll

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-03 07:30 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 07:30 . 2010-02-03 07:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 07:30 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 08:42 . 2010-01-26 08:42 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-13 07:55 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 11:16 . 2010-02-06 11:16 -------- d-----w- c:\documents and settings\Zachary Tan.ZACH\Application Data\Hotbar_Icons
2010-02-06 11:07 . 2010-02-06 08:45 -------- d-----w- c:\documents and settings\Zachary Tan.ZACH\Application Data\vlc
2010-02-06 08:36 . 2010-02-06 08:36 -------- d-----w- c:\program files\VideoLAN
2010-01-07 07:14 . 2009-10-25 08:06 -------- d-----w- c:\documents and settings\Zachary Tan.ZACH\Application Data\tunebite
2009-12-22 05:21 . 2006-08-21 17:03 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2006-08-21 17:02 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-02 07:24 . 2006-12-06 07:52 34736 ----a-w- c:\documents and settings\Zachary Tan.ZACH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-23 08:15 . 2009-11-23 08:15 70 ---ha-w- C:\aaw7boot.cmd
2009-11-21 23:26 . 2009-11-21 23:26 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-21 15:51 . 2006-08-21 17:01 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 36975]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-21 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1156187317\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TOSHIBA\\Windows Utilities\\Hotkey.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\acs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6166:TCP"= 6166:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3036:TCP"= 3036:TCP:Services
"3246:TCP"= 3246:TCP:Services

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 10:50 AM 98816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo....g/mail?.intl=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/mail?.intl=us
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Zachary Tan.ZACH\Application Data\Mozilla\Firefox\Profiles\40k12gys.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - c:\program files\Hotbar\bin\11.0.117.0\HostIE.dll
Toolbar-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - c:\program files\Hotbar\bin\11.0.117.0\HostIE.dll
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - c:\program files\Hotbar\bin\11.0.117.0\HostIE.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 12:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x84BE0468]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7768f28
\Driver\ACPI -> ACPI.sys @ 0xf76dbcb8
\Driver\atapi -> 0x84be0468
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x84a1a330
PacketIndicateHandler -> NDIS.sys @ 0xf7526a0d
SendHandler -> NDIS.sys @ 0xf753ab40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-06 12:46:50
ComboFix-quarantined-files.txt 2010-02-06 20:46
ComboFix2.txt 2010-02-05 07:36

Pre-Run: 46,133,219,328 bytes free
Post-Run: 46,165,970,944 bytes free

- - End Of File - - 3BE7FED06EA38CDEBD5502E98E89724F
  • 0

#6
RKinner (Malware Expert; Expert, MVP, 23,723 posts)
Doesn't look like it worked. We can try the mbr.exe program and see if that helps but I think there must be something that keeps putting it back.

Download mbr.exe and save it to C:\

http://www2.gmer.net/mbr/mbr.exe

Then Start, Run, cmd, OK to open a new command window.

Type (with an Enter after each line)

\mbr.exe -f

(Space before -f)

Did you install all of this hotbar stuff or did the malware? If you did it please do not install new stuff until we are done. http://www.pchell.co...rt/hotbar.shtml

Ron
  • 0

#7
calmnreserved (Topic Starter; Member, 13 posts)
I followed the steps and all it said was "\mbr.exe -f is not recognized as an internal or external command, operable program or batch file".

Yes, I'm sorry. I downloaded VLC player and somehow all the hotbar stuff was downloaded too. Please let me know what I should do next.
  • 0

#8
RKinner (Malware Expert; Expert, MVP, 23,723 posts)
Either you didn't save it to C:\, left out a space, or the malware is eating it. Let's try again:

http://www2.gmer.net/mbr/mbr.exe

and save it to your desktop.

Now copy the text between the lines of stars by highlighting and Ctrl + c

****************************************

"%userprofile%\Desktop\MBR.EXE" -f

***********************************************

Start, Run, cmd, OK or Start, All Programs, Accessories, Command Prompt to open a Command Window.

Right click and select Paste. Then hit Enter. When it finishes close the Command Window.

On your desktop should be a file mbr.txt or mbr.log (I forget which). Please open it by double clicking or right click and Open with Notepad and copy the text and paste it into a reply.

Ron
  • 0

#9
calmnreserved (Topic Starter; Member, 13 posts)
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x852efe50
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x84a29330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
  • 0
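A small parser for the mbr.exe output quoted in this thread, as an added example (it is not part of the thread, of Gmer's mbr.exe, or of ComboFix). It pulls out the hook list, separates hooks whose target falls inside a loaded module from those that point at a bare address (the same code the ComboFix run marked as `>>UNKNOWN [...]<<` in its "called modules" line), records the three sector lines and the verdict, and looks for the `original MBR restored successfully !` line that the ComboFix run printed but neither detector run did. The two embedded sample logs are copied from the posts above; all function and class names are the example's own.

```python
"""Parse Gmer mbr.exe output. Added example, not part of mbr.exe or ComboFix; sample logs copied from the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Lines that begin a new hook entry; any other "A -> B" line continues the previous entry.
_OBJECT_START = re.compile(r"^(\\Driver\\|\\Device\\|NDIS: |IoDeviceObjectType)")
_HEX = re.compile(r"0x[0-9A-Fa-f]+")
_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

@dataclass
class Hook:
    obj: str                 # hooked object, e.g. \Driver\atapi
    chain: Tuple[str, ...]   # procedure names between the object and the target
    module: Optional[str]    # module the target lies in; None when mbr.exe printed a bare address
    address: int

@dataclass
class MbrReport:
    hooks: List[Hook] = field(default_factory=list)
    unknown_modules: List[int] = field(default_factory=list)  # ">>UNKNOWN [addr]<<" in "called modules"
    mbr_copy_sector: Optional[int] = None
    malicious_code_sector: Optional[int] = None
    pe_file_sector: Optional[int] = None
    infected: bool = False   # "MBR rootkit infection detected !"
    restored: bool = False   # "original MBR restored successfully !", printed only when -f rewrote the MBR

    def unresolved_hooks(self) -> List[Hook]:
        """Hooks whose target lies outside every loaded module: the entries worth chasing."""
        return [h for h in self.hooks if h.module is None]

def _parse_hook(line: str, previous_obj: Optional[str]) -> Hook:
    parts = [p.strip() for p in line.split(" -> ")]
    target = parts[-1]                                   # "NDIS.sys @ 0xf7526a0d" or bare "0x84be0468"
    module, addr = target.split(" @ ", 1) if " @ " in target else (None, target)
    if previous_obj is None or _OBJECT_START.match(parts[0]):
        return Hook(parts[0], tuple(parts[1:-1]), module, int(addr, 16))
    return Hook(previous_obj, tuple(parts[:-1]), module, int(addr, 16))   # continuation line

def parse_mbr_log(text: str) -> MbrReport:
    rep, in_hooks, last_obj = MbrReport(), False, None
    for raw in text.splitlines():
        line = raw.strip()
        sector = _HEX.search(line)
        if line.startswith("called modules:"):
            rep.unknown_modules = [int(a, 16) for a in _UNKNOWN.findall(line)]
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line.startswith(("Warning:", "MBR rootkit infection detected")):
            in_hooks = False                              # hook list ends at the verdict lines
            rep.infected |= line.startswith("MBR rootkit infection detected")
        elif line.startswith("copy of MBR has been found in sector") and sector:
            rep.mbr_copy_sector = int(sector.group(), 16)
        elif line.startswith("malicious code @ sector") and sector:
            rep.malicious_code_sector = int(sector.group(), 16)
        elif line.startswith("PE file found in sector") and sector:
            rep.pe_file_sector = int(sector.group(), 16)
        elif line.startswith("original MBR restored successfully"):
            rep.restored = True
        elif in_hooks and " -> " in line:
            hook = _parse_hook(line, last_obj)
            last_obj = hook.obj
            rep.hooks.append(hook)
    return rep

def hooks_cleared(before: MbrReport, after: MbrReport) -> List[Hook]:
    """Entries in the earlier log missing from the later one; compared by object and chain, not address."""
    remaining = {(h.obj, h.chain) for h in after.hooks}
    return [h for h in before.hooks if (h.obj, h.chain) not in remaining]

# Sample input copied from the thread: the ComboFix run's detector section, then the later stand-alone mbr.exe run.
FIRST_LOG = r"""
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x84BE0468]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7768f28
\Driver\ACPI -> ACPI.sys @ 0xf76dbcb8
\Driver\atapi -> 0x84be0468
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x84a1a330
PacketIndicateHandler -> NDIS.sys @ 0xf7526a0d
SendHandler -> NDIS.sys @ 0xf753ab40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
SECOND_LOG = r"""
detected MBR rootkit hooks:
\Driver\atapi -> 0x852efe50
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x84a29330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
```

Running `parse_mbr_log` over both logs and `hooks_cleared` across them shows eight hook entries gone between the two runs but the same two unresolved hooks (`\Driver\atapi` and the NIC's `SendCompleteHandler`) still pointing at bare addresses, identical sector numbers, and no "restored" line in either, which is the evidence behind the reply that it does not look like the fix took.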

#10
RKinner (Malware Expert; Expert, MVP, 23,723 posts)
I think I should have put the -f inside the quotes. Delete the log file and then try it again.

****************************************

"%userprofile%\Desktop\MBR.EXE -f"

***********************************************
  • 0
