TechSpot

Google redirect and who knows what else

By adam0454
May 11, 2010
  1. Hello, I'm a victim of the System Security 2010 virus, and (I think) was able to remove it with Malwarebytes Anti-Malware. However, I do have the Google redirect issues and some other issues with Gmail (attachments not working, inability to log in sometimes). I run avast antivirus protection, but I suppose that was not enough.

    Any help in getting my system clean would be very much appreciated. Thanks in advance!

    Logs to follow...
     
  2. adam0454

    adam0454 TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.46

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4088

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18904

    5/10/2010 9:32:07 PM
    mbam-log-2010-05-10 (21-32-07).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 287255
    Time elapsed: 1 hour(s), 11 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 10
    Folders Infected: 1
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Windows\System32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security essentials 2010 (Rogue.SecurityEssentials) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Securityessentials2010 (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Securityessentials2010\SE2010.exe (Rogue.SecurityEssentials) -> Quarantined and deleted successfully.
    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MEVO0HE\exe[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FBS4KVWB\SetupSE2010[1].exe (Rogue.SecurityEssentials) -> Quarantined and deleted successfully.
    C:\Users\Administrator\AppData\Local\Temp\195C.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Users\Administrator\AppData\Local\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Users\Administrator\AppData\Local\Temp\B29E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Windows\Temp\A60F.tmp (Rootkit.TDSS) -> Delete on reboot.
    C:\Windows\Temp\B33C.tmp (Rootkit.TDSS) -> Delete on reboot.
    C:\Windows\System32\warnings.html (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.
    C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.
    C:\Windows\System32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Windows\System32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Administrator\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
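
A defender reading this log wants three things pulled out of it: the Winlogon Userinit hijack (the value that should read userinit.exe had been pointed at winlogon32.exe, so the malware re-launched at every logon), the rogue domains that were added to Internet Explorer's Trusted sites zone (in ZoneMap entries zone 2 is Trusted sites and zone 4 is Restricted sites, so "Bad: (2) Good: (4)" means the domain had been granted trusted-zone privileges), and the objects Malwarebytes could only schedule for "Delete on reboot", which need re-checking after the restart. The Python script below is an added example, not code from this thread or from Malwarebytes; it parses a constructed sample written in the 1.46 log layout and reports those indicators. The function names and the sample log are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout Malwarebytes' Anti-Malware 1.46 writes. The entries
# are modelled on what a rogue "security" product leaves behind; they are illustrative
# input for this script, not output from a live machine.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Registry Values Infected: 1
Registry Data Items Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Temp\A60F.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# Internet Explorer URL security zone numbers as they appear in ZoneMap entries.
IE_ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
            3: "Internet", 4: "Restricted sites"}

SECTION_RE = re.compile(r"^([A-Za-z ]+):$")
# "<object> (<family>) -> <details...> -> <action>."; non-greedy so the family is the
# first parenthesised token followed by " -> ", not a file name inside the details.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
ZONEMAP_RE = re.compile(r"\\ZoneMap\\Domains\\([^\\]+)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    item: str
    family: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None

    @property
    def reboot_pending(self) -> bool:
        # The object was in use, so removal is deferred to the next boot and
        # must be verified after the restart.
        return self.action.lower().startswith("delete on reboot")


def parse_mbam_log(text: str) -> List[Finding]:
    """Turn the per-object lines of an MBAM 1.x log into Finding records."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # banner, summary count, or "(No malicious items detected)"
        rest = m.group("rest")
        action = rest.rsplit(" -> ", 1)[-1].rstrip(".")
        bg = BAD_GOOD_RE.search(rest)
        findings.append(Finding(section, m.group("item"), m.group("family"), action,
                                bg.group("bad") if bg else None,
                                bg.group("good") if bg else None))
    return findings


def triage(findings: List[Finding]) -> Dict[str, list]:
    """Pull out the indicators a responder acts on after the scan."""
    report: Dict[str, list] = {"userinit_hijacks": [], "trusted_zone_domains": [],
                               "run_key_persistence": [], "reboot_pending": []}
    domains = set()
    for f in findings:
        if f.family.lower() == "hijack.userinit":
            # Winlogon\Userinit runs at every interactive logon; the malware replaced
            # userinit.exe with its own loader, so record what it pointed at.
            report["userinit_hijacks"].append((f.bad, f.good))
        zone = IE_ZONES.get(int(f.bad)) if f.bad and f.bad.isdigit() else None
        zm = ZONEMAP_RE.search(f.item)
        if zm and zone == "Trusted sites":
            domains.add(zm.group(1).lower())
        if RUN_KEY_RE.search(f.item):
            report["run_key_persistence"].append(f.item)
        if f.reboot_pending:
            report["reboot_pending"].append(f.item)
    report["trusted_zone_domains"] = sorted(domains)
    return report


if __name__ == "__main__":
    for key, items in triage(parse_mbam_log(SAMPLE_MBAM_LOG)).items():
        print(f"{key}: {items}")
```

Run against a real mbam-log-*.txt by reading the file into parse_mbam_log; anything in reboot_pending should be confirmed gone with a fresh scan after the restart, and every domain in trusted_zone_domains is a reason to review the Trusted sites list by hand.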
     
  3. adam0454

    adam0454 TS Rookie Topic Starter

    Gmer 1.0.15.15281

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-11 18:01:24
    Windows 6.0.6002 Service Pack 2
    Running: lohhww1e.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kwrdypog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8079E014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\System32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0083000A
    .text C:\Windows\System32\svchost.exe[1580] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 0084000A
    .text C:\Windows\System32\svchost.exe[1580] ntdll.dll!KiUserExceptionDispatcher 77D75DC8 5 Bytes JMP 0082000A
    .text C:\Windows\System32\svchost.exe[1580] ole32.dll!CoCreateInstance 76759EA6 5 Bytes JMP 028D000A
    .text C:\Windows\System32\svchost.exe[1580] USER32.dll!GetCursorPos 76870B88 5 Bytes JMP 028E000A
    .text C:\Windows\Explorer.EXE[1920] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0081000A
    .text C:\Windows\Explorer.EXE[1920] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 0082000A
    .text C:\Windows\Explorer.EXE[1920] ntdll.dll!KiUserExceptionDispatcher 77D75DC8 5 Bytes JMP 0080000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
    IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8555BEE4

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
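
The two lines that matter in this GMER output are the atapi.sys entry point sitting in the .rsrc section and the "suspicious modification" verdict on the same file: a driver normally begins execution in .text, so an entry point inside a resource section means the image on disk has been patched, which is what the TDL:: ComboFix directive later in the thread targets. The inline JMP hooks on ntdll exports in svchost.exe and Explorer.EXE are worth listing per process, but they are weaker evidence on their own, since legitimate security software also installs such hooks. The Python below is an added example, not GMER's code or anything posted in the thread; it parses a constructed sample in GMER's layout and applies that reasoning. Function names and the sample are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout GMER 1.0.15 uses. The entries are illustrative
# and modelled on a driver-infecting rootkit; they are not from a live system.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 18:01:24

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8079E014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0083000A
.text C:\Windows\System32\svchost.exe[1580] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 0084000A
.text C:\Windows\Explorer.EXE[1920] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0081000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# Kernel code section line: <section> <driver> entry point in "<section>" section [0x<addr>]
ENTRY_RE = re.compile(r'^\.(?P<listed>\w+) (?P<path>.+?) entry point in "\.(?P<section>\w+)" section \[0x[0-9A-Fa-f]+\]$')
# User code section line: .text <process>[<pid>] <module>!<export> <addr> <n> Bytes <patch>
HOOK_RE = re.compile(r"^\.text (?P<proc>.+?\[\d+\]) (?P<target>[^\s!]+![^\s]+) [0-9A-Fa-f]+ \d+ Bytes (?P<patch>.+)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


@dataclass
class GmerFindings:
    kernel_entry_anomalies: List[Tuple[str, str]]   # (driver path, section holding the entry point)
    hooks: Dict[str, List[Tuple[str, str]]]          # process[pid] -> [(module!export, patch)]
    suspicious_files: List[str]


def parse_gmer_log(text: str) -> GmerFindings:
    anomalies: List[Tuple[str, str]] = []
    hooks: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    files: List[str] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section.startswith("Kernel code sections"):
            m = ENTRY_RE.match(line)
            # A cleanly built driver starts executing in .text; an entry point in a
            # data or resource section means the image was patched.
            if m and m.group("section").lower() != "text":
                anomalies.append((m.group("path"), "." + m.group("section")))
        elif section.startswith("User code sections"):
            m = HOOK_RE.match(line)
            if m:
                hooks[m.group("proc")].append((m.group("target"), m.group("patch")))
        elif section.startswith("Files"):
            m = FILE_RE.match(line)
            if m:
                files.append(m.group("path"))
    return GmerFindings(anomalies, dict(hooks), files)


def triage_gmer(f: GmerFindings) -> dict:
    modified = {p.lower() for p in f.suspicious_files}
    # Highest confidence: the same driver both has a relocated entry point and is
    # reported as modified on disk. Hooks alone only earn a manual review.
    corroborated = [p for p, _ in f.kernel_entry_anomalies if p.lower() in modified]
    return {
        "kernel_entry_anomalies": f.kernel_entry_anomalies,
        "suspicious_files": f.suspicious_files,
        "hooked_processes": {proc: [t for t, _ in h] for proc, h in f.hooks.items()},
        "corroborated_drivers": corroborated,
        "verdict": "kernel-mode rootkit likely" if corroborated else "review manually",
    }


if __name__ == "__main__":
    for key, value in triage_gmer(parse_gmer_log(SAMPLE_GMER_LOG)).items():
        print(f"{key}: {value}")
```

The "Device -> \Driver\atapi" redirect line in the original output is a further sign pointing at the same driver; the script above keys its verdict on the two file-level indicators so that a hooked svchost.exe by itself never produces a rootkit verdict.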
     
  4. adam0454

    adam0454 TS Rookie Topic Starter

    DDS

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Administrator at 18:02:10.44 on Tue 05/11/2010
    Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2000 [GMT -5:00]

    AV: avast! antivirus 4.8.1335 [VPS 090308-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: avast! antivirus 4.8.1335 [VPS 090308-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\Nero 8\Nero BackItUp\NBService.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\PnkBstrB.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\svchost.exe -k netsvcs
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Users\Administrator\Desktop\Antivirus\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [WinampAgent] "d:\program files\winamp\winampa.exe"
    mRun: [NBKeyScan] "d:\program files\nero 8\nero backitup\NBKeyScan.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Acrobat Assistant 7.0] "d:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Convert link target to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
    Trusted Zone: gmail.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\e26uf6n0.default\
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\e26uf6n0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: d:\program files\divx\divx player\npDivxPlayerPlugin.dll
    FF - plugin: d:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: d:\program files\divx\divx web player\npdivx32.dll
    FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
    FF - plugin: d:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
    FF - plugin: d:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-23 150568]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-29 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-29 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-1-29 53328]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-20 138680]
    R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-20 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-20 352920]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-4 21504]

    =============== Created Last 30 ================

    2010-05-11 22:19:56 0 d-----w- c:\programdata\Google
    2010-05-11 03:32:03 0 d-----w- c:\programdata\Sun
    2010-05-11 03:26:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-10 23:25:31 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
    2010-05-10 23:25:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-10 23:25:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-10 23:25:23 0 d-----w- c:\programdata\Malwarebytes
    2010-05-10 23:18:27 16 ----a-w- c:\users\admini~1\appdata\roaming\woxcdv.dat
    2010-05-03 11:46:24 0 d-----w- c:\program files\iPod
    2010-04-25 20:25:26 0 d-----w- c:\programdata\Office Genuine Advantage
    2010-04-25 20:18:17 35669 ----a-w- c:\programdata\nvModes.dat
    2010-04-25 20:16:51 0 d-----w- c:\program files\NVIDIA Corporation
    2010-04-15 08:05:05 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-15 08:05:05 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-15 08:05:05 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-15 08:05:01 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-15 08:04:55 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-15 08:04:54 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-15 08:04:51 62464 ----a-w- c:\windows\system32\l3codeca.acm
    2010-04-15 08:04:51 220672 ----a-w- c:\windows\system32\l3codecp.acm
    2010-04-15 08:04:46 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-15 08:04:46 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-15 08:04:46 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-14 11:36:22 172032 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-14 11:36:21 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-04-13 13:11:53 14 ----a-w- c:\windows\system32\ssprs.tgz
    2010-04-13 13:11:53 1024 ----a-w- c:\windows\system32\clauth2.dll
    2010-04-13 13:11:53 1024 ----a-w- c:\windows\system32\clauth1.dll
    2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\ssprs.dll
    2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\serauth2.dll
    2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\serauth1.dll
    2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\nsprs.tgz
    2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\nsprs.dll
    2010-04-13 13:10:40 219 ----a-w- c:\windows\system32\lsprst7.tgz
    2010-04-13 13:10:40 205 ----a-w- c:\windows\system32\lsprst7.dll
    2010-04-13 13:10:40 1025 ----a-w- c:\windows\system32\sysprs7.tgz
    2010-04-13 13:10:40 1025 ----a-w- c:\windows\system32\sysprs7.dll
    2010-04-13 13:10:39 16 ---h--w- c:\windows\system32\servdat.slm

    ==================== Find3M ====================

    2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-03 11:44:23 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-05-03 11:44:23 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-04-25 20:18:28 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-04-11 13:12:02 100776 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-04-03 23:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
    2010-04-03 23:27:00 66664 ----a-w- c:\windows\system32\nvshext.dll
    2010-04-03 23:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
    2010-04-03 23:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-04-03 23:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
    2009-11-02 09:09:41 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-03-09 19:22:19 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 18:03:16.74 ===============
     
  5. adam0454

    adam0454 TS Rookie Topic Starter

    mbam log and attach.txt
     


  6. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Please open Notepad
      • Click Start , then Run
      • Type notepad.exe in the Run Box.
    5. Now copy/paste the entire content of the codebox below into the Notepad window:

      Code:
      TDL::
      C:\Windows\system32\drivers\atapi.sys
      
    6. Save the above as CFScript.txt
    7. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

      [​IMG]
    8. After reboot, (in case it asks to reboot), please post the following logs into your next reply:
      • Combofix.txt

    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. adam0454

    adam0454 TS Rookie Topic Starter

    Combofix

    I ran combofix twice (once without the CFScript and once with). log.txt is from the first run and Combofix.txt is from the second (with CFScript). Thanks in advance!
     


  8. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    How is the redirection issue?
     
  9. adam0454

    adam0454 TS Rookie Topic Starter

    I think it's gone! Haven't had a redirect issue in 2 days :)

    Thanks so much for all your help.

    Based on the logs, are there any other issues I need to take care of?
     
  10. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Very good :)
    We'll have to double-check if your computer is totally clean.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  11. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Are you still out there?
     
  12. adam0454

    adam0454 TS Rookie Topic Starter

    Yep

    Sorry about that! I held off the scan for a few days because I haven't been near my desktop in a while.

    Logs are attached :)
     


  13. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  14. adam0454

    adam0454 TS Rookie Topic Starter

    Thanks so much for all your help! So far, things are running smoothly and I've set a new system restore point. Hopefully history doesn't repeat itself...

    Not sure what I would have done without some guidance, so thanks again.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Way to go!!
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.
