TechSpot

Undetectable redirect

By greg0418
Jul 27, 2010
  1. Hi

    I recently had the Antimalware Doctor virus that I thought I removed. To make sure, I did a Malwarebytes scan last night in safe mode. It deleted some system restore files that were infected.

    The problem now is that my browser still gets redirected to strange sites even though all scans (VIPRE, Spybot S&D, and Malwarebytes) show no infection.

    The redirects usually happen when clicking on a link in a google search. I simply can't get rid of this problem.

    I tried to use GMER but every time I try to open the program, even with all programs closed and internet and antivirus turned off, I always get the following error: "2g4ecg27.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

    I also discovered another MAJOR problem while attempting to post this. Any time I try to attach files or paste Malwarebytes or HijackThis logs on this forum I keep getting an error that says 'connection was reset' when trying to post. I tried to email a copy to myself so I could post from another computer, and it won't even allow me to send the email. It keeps resetting the connection. I did a test email without the logs and it works fine. Obviously there is some kind of malware that recognizes these logs and attempts to stop me from sharing them. I wasn't aware a malicious program could be that malicious. It kind of scares me...

    The only way I was able to post this was to save this to a text file and put it on a usb stick and send it from another computer.

    I have attached my most recent Malwarebytes log and HijackThis log. Any help would be appreciated. Thanks.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:15:13 AM, on 7/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Greg\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\Greg\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265828571837
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Vipre Trial Reset (.vipre_reset) - Unknown owner - C:\Program Files\Vipre_Reset.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
    O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 6115 bytes

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4349

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    7/26/2010 10:21:13 PM
    mbam-log-2010-07-26 (22-21-13).txt

    Scan type: Full scan (C:\|D:\|E:\|G:\|)
    Objects scanned: 208819
    Time elapsed: 1 hour(s), 14 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118118.exe (Trojan.Adware) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118119.dll (Adware.BHO) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118121.dll (Adware.BHO) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118122.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118123.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120294.dll (Adware.BHO) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120295.exe (Trojan.Adware) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120301.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0121300.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121309.dll (Adware.BHO) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121310.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121312.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121434.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121436.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121438.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
     
  2. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Here are my DDS logs as well. (attach.txt is attached)

    I tried once again to run GMER in safe mode but I am still getting the same error as soon as the program opens.

    Thanks in advance for your help.
     
  3. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Here are the logs my other computer wouldn't allow me to post. (attach.txt is attached)


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Greg at 2:30:52.71 on Tue 07/27/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.350 [GMT -4:00]

    AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
    FW: Sunbelt VIPRE *disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Greg\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Greg\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [AdobeBridge]
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [WeatherEye] c:\documents and settings\greg\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [<NO NAME>]
    mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
    uPolicies-explorer: NoActiveDesktop = 00000000
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265828571837
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\greg\applic~1\mozilla\firefox\profiles\udmwoh6w.default\
    FF - plugin: c:\documents and settings\greg\application data\mozilla\firefox\profiles\udmwoh6w.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: google.toolbar.linkdoctor.enabled - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2010-3-9 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2010-3-9 5248]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-7-24 13400]
    R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-7-24 322904]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
    R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-7-24 204632]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-7-24 69720]
    R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-4-30 181584]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
    R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-2-17 292352]
    R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-2-17 273536]
    R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-7-15 18432]
    R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-7-24 67800]
    S2 .vipre_reset;Vipre Trial Reset;c:\program files\Vipre_Reset.exe [2010-2-10 325271]
    S2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-4-30 2730120]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-25 38224]
    S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-7-24 86232]
    S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-1-29 2074480]

    =============== Created Last 30 ================

    2010-07-27 04:48:08 0 d-sh--w- c:\documents and settings\greg\IECompatCache
    2010-07-27 04:33:17 0 d-----w- c:\docume~1\greg\applic~1\JAM Software
    2010-07-27 04:32:56 0 d-----w- c:\program files\JAM Software
    2010-07-27 02:47:49 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-26 09:00:05 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-07-26 08:27:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-07-26 03:20:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-26 03:20:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-26 03:20:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-25 03:14:51 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2010-07-25 03:14:50 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2010-07-25 03:08:47 0 d-----w- c:\docume~1\greg\applic~1\Sunbelt
    2010-07-25 03:08:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
    2010-07-25 03:06:03 86232 ----a-w- c:\windows\system32\drivers\sbhips.sys
    2010-07-25 03:06:03 204632 ----a-w- c:\windows\system32\drivers\sbtis.sys
    2010-07-25 03:05:30 67800 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
    2010-07-25 03:05:28 322904 ----a-w- c:\windows\system32\drivers\SbFw.sys
    2010-07-25 02:42:11 0 d-----w- c:\windows\system32\wbem\Repository
    2010-07-23 06:01:43 0 d-----w- c:\program files\Sunbelt Software
    2010-07-23 05:53:34 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys5B84D6EB
    2010-07-23 05:16:50 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2010-07-23 05:04:16 585850 ----a-w- c:\windows\umcat_01.db
    2010-07-23 04:33:12 120 ----a-w- c:\windows\Rnapivu.dat
    2010-07-23 04:33:12 0 ----a-w- c:\windows\Edanuzona.bin
    2010-07-23 04:31:46 150 ----a-w- C:\zrpt.xml
    2010-07-23 04:31:13 0 d-----w- c:\docume~1\greg\applic~1\7B1D34BA9A3D96584E76E71EE8CCC94D
    2010-07-18 03:26:17 3145856 ----a-w- C:\fb_0.dds
    2010-07-18 03:26:16 3145784 ----a-w- C:\fb_0.bmp
    2010-07-09 14:29:19 3250 ----a-w- c:\windows\system32\wbem\Outlook_01cb1f731da65660.mof
    2010-07-08 09:30:47 0 d-----w- c:\program files\common files\Macrovision Shared
    2010-07-08 09:30:05 0 d-----w- c:\program files\Rosetta Stone
    2010-07-08 09:30:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone

    ==================== Find3M ====================

    2010-06-10 04:56:38 737280 ----a-w- c:\windows\iun6002.exe
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-30 16:31:00 27984 ----a-w- c:\windows\system32\sbbd.exe
    2010-02-11 00:35:23 325271 ------r- c:\program files\Vipre_Reset.exe
    2010-02-12 23:33:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010021220100213\index.dat

    ============= FINISH: 2:32:37.23 ===============
     

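The helpers in this thread read the HijackThis and DDS output above by eye, looking for a handful of entry types: an O2 BHO with no backing file, an O23 service with an unknown owner, a Hosts line pointing a security site at localhost, a driver name with hex junk appended, and data files dropped straight into the Windows root. The script below is an added example that automates that first pass; it is not part of HijackThis, DDS, ComboFix or this thread. The rule set is an assumption chosen for illustration, and SAMPLE_LOG is constructed from lines of the same shape as those posted above.

```python
"""Triage a HijackThis / DDS style log for the entry types questioned above.

Added example for this thread; it is not part of HijackThis, DDS or
ComboFix, and the rules are assumptions picked to illustrate the kind of
check a helper applies by eye.  SAMPLE_LOG is constructed from lines of
the same shape as those posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: Vipre Trial Reset (.vipre_reset) - Unknown owner - C:\Program Files\Vipre_Reset.exe
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
Hosts: 127.0.0.1 www.spywareinfo.com
2010-07-23 05:53:34 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys5B84D6EB
2010-07-23 04:33:12 120 ----a-w- c:\windows\Rnapivu.dat
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name
    line: str   # the log line that tripped it


# Rule patterns (assumptions for illustration, see module docstring).
_BHO_NO_FILE = re.compile(r"^O2 - BHO: .* - \(no file\)\s*$")
_SVC_UNKNOWN = re.compile(r"^O23 - Service: .* - Unknown owner - ")
_HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
_LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# an executable extension followed by a run of hex digits, e.g. amdk7.sys5B84D6EB
_JUNK_SUFFIX = re.compile(r"\.(?:sys|dll|exe)[0-9A-Fa-f]{6,}\s*$")
# a .dat/.bin written straight into <drive>:\windows\ rather than a subfolder
_WINROOT_DATA = re.compile(r"[A-Za-z]:\\windows\\[^\\\s]+\.(?:dat|bin)\s*$", re.I)


def check_line(line: str) -> list[Finding]:
    """Return every rule the given log line trips (usually zero or one)."""
    hits: list[Finding] = []
    if _BHO_NO_FILE.match(line):
        hits.append(Finding("orphaned-bho", line))
    if _SVC_UNKNOWN.match(line):
        hits.append(Finding("unknown-owner-service", line))
    m = _HOSTS.match(line)
    if m and m.group(1) in _LOOPBACK and m.group(2).lower() != "localhost":
        hits.append(Finding("hosts-override", line))
    if _JUNK_SUFFIX.search(line):
        hits.append(Finding("junk-suffix", line))
    if _WINROOT_DATA.search(line):
        hits.append(Finding("windows-root-data-file", line))
    return hits


def triage(log_text: str) -> list[Finding]:
    """Run check_line over a whole log, skipping blank lines."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

A hit is a prompt to look at the file, not a verdict: the unknown-owner rule also fires on legitimate entries such as the ATI hotkey poller in the log above, so each flagged path still needs the kind of check Broni asks for later in the thread (upload to VirusTotal, then decide).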

  4. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    It seems to be getting worse. There are now popups when I don't even click on a link. Antivirus still shows nothing in scan. Here is my latest scan log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4356

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/27/2010 8:28:10 AM
    mbam-log-2010-07-27 (08-28-10).txt

    Scan type: Full scan (C:\|D:\|E:\|G:\|)
    Objects scanned: 206647
    Time elapsed: 3 hour(s), 19 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  5. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Thank you for your reply. I have attached the ComboFix log as requested.

    Also, after the scan was over and the computer restarted, the ComboFix log said it was preparing the log. During that time my desktop background went away and said that my copy of Windows may not be genuine. I have never had this before. I have a valid copy of Windows that came with my PC from the manufacturer (HP).

    Just thought I would include that in case it was a problem caused by malware. I haven't attempted to correct the problem, I will wait for your reply.

    Thanks again
     

    Attached Files:

  7. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    While I'm checking the Combofix log, please restart the computer one more time and let me know if you are still getting the same message ("windows may not be genuine").
    Also, let me know how the redirection issue is.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - c:\windows\system32\drivers\amdk7.sys5B84D6EB
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.

    ========================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Rnapivu.dat
    c:\windows\Edanuzona.bin
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  9. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Below is the report from VirusTotal. Also, regarding the Windows validation: when I try to access Windows Update it tells me that Windows validation has failed.

    It says "The product key is a unique identifier assigned by Microsoft only to genuine Windows software. If this key is missing or incorrect, it may indicate the presence of counterfeit software and your computer may be at risk.

    The Windows product key installed on this computer is a Volume License Key (VLK) that has been blocked. A VLK is typically licensed to organizations that want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is blocked from passing validation and is not considered genuine.

    You or your organization may be a victim of software counterfeiting if:

    ■You received a computer with a VLK, but you do not have a Volume License Agreement with Microsoft, or
    ■Your organization purchased a VLK from a 3rd party but does not have a Volume License Agreement with Microsoft"

    Could combofix have somehow deleted the key? Like I said I have never had this problem before. I was asked to validate my copy of windows a few months ago when doing a windows update and it passed fine. The only thing I can think of is the virus I had did this or combofix deleted something important by mistake (this happened while combofix was running)

    I will post the new combofix log as soon as it is complete.

    Thanks

    Antivirus Version Last Update Result
    AhnLab-V3 2010.07.27.00 2010.07.26 -
    AntiVir 8.2.4.26 2010.07.27 -
    Antiy-AVL 2.0.3.7 2010.07.26 -
    Authentium 5.2.0.5 2010.07.27 -
    Avast 4.8.1351.0 2010.07.27 -
    Avast5 5.0.332.0 2010.07.27 -
    AVG 9.0.0.851 2010.07.27 -
    BitDefender 7.2 2010.07.27 -
    CAT-QuickHeal 11.00 2010.07.27 -
    ClamAV 0.96.0.3-git 2010.07.27 -
    Comodo 5556 2010.07.27 -
    DrWeb 5.0.2.03300 2010.07.27 -
    Emsisoft 5.0.0.34 2010.07.27 -
    eSafe 7.0.17.0 2010.07.27 -
    eTrust-Vet 36.1.7742 2010.07.27 -
    F-Prot 4.6.1.107 2010.07.27 -
    F-Secure 9.0.15370.0 2010.07.27 -
    Fortinet 4.1.143.0 2010.07.24 -
    GData 21 2010.07.27 -
    Ikarus T3.1.1.84.0 2010.07.27 -
    Jiangmin 13.0.900 2010.07.26 -
    Kaspersky 7.0.0.125 2010.07.27 -
    McAfee 5.400.0.1158 2010.07.27 -
    McAfee-GW-Edition 2010.1 2010.07.27 -
    Microsoft 1.6004 2010.07.27 -
    NOD32 5318 2010.07.27 -
    Norman 6.05.11 2010.07.27 -
    nProtect 2010-07-27.01 2010.07.27 -
    Panda 10.0.2.7 2010.07.27 -
    PCTools 7.0.3.5 2010.07.27 -
    Prevx 3.0 2010.07.27 -
    Rising 22.58.01.04 2010.07.27 -
    Sophos 4.55.0 2010.07.27 -
    Sunbelt 6649 2010.07.27 -
    Symantec 20101.1.1.7 2010.07.27 -
    TheHacker 6.5.2.1.326 2010.07.27 -
    TrendMicro 9.120.0.1004 2010.07.27 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
    VBA32 3.12.12.6 2010.07.27 -
    ViRobot 2010.7.24.3958 2010.07.27 -
    VirusBuster 5.0.27.0 2010.07.27 -
    Additional information
    File size: 37760 bytes
    MD5...: d99b6a693dbc6d031d0246215ce068a4
    SHA1..: d67b0a9e893f73f16667fecfa9a925e1a119a751
    SHA256: ac31c8ae89ecd8b84e3f3c9fbbe17653cf89308f20fa3bdd490c85d7ba0dc996
    ssdeep: 768:dxTRfnoq0A7qPTDb5ioJbA58ZLUbpPo8U6r3Au:dPfnoBTL38Rr3z
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x5f05
    timedatestamp.....: 0x48025184 (Sun Apr 13 18:31:32 2008)
    machinetype.......: 0x14c (I386)

    ( 8 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x380 0x2566 0x2580 6.44 5b6715c459850cb2f5c27013dcf0b711
    .rdata 0x2900 0x3aa 0x400 4.47 afc409ab29476b3c64dff280d37b008f
    .data 0x2d00 0x52c 0x580 0.39 1db59357b57fdfe8f486fe2b2b2b378f
    PAGE 0x3280 0x2648 0x2680 6.30 b4d623a6195d69785f71fa56a4f85684
    PAGELK 0x5900 0x5cc 0x600 5.91 ce44fbd54bd02a8fe0ae8cb37d3680eb
    INIT 0x5f00 0xad8 0xb00 5.66 4211cd6f6d57ae733490d9ef31b910df
    .rsrc 0x6a00 0x23c0 0x2400 7.00 7079b43e2afc7b78119d6caf9515aba7
    .reloc 0x8e00 0x532 0x580 5.57 98d0029586bd797097571b684d3ab371

    ( 3 imports )
    > ntoskrnl.exe: RtlIntegerToUnicodeString, IoFreeWorkItem, ZwPowerInformation, IoBuildSynchronousFsdRequest, KeSetEvent, KeRevertToUserAffinityThread, KeSetSystemAffinityThread, KeQueryActiveProcessors, ZwClose, RtlEqualUnicodeString, ZwOpenKey, IoQueueWorkItem, IoAllocateWorkItem, _snwprintf, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoDetachDevice, IoDeleteDevice, IoAttachDeviceToDeviceStack, PoSetPowerState, KeInitializeSpinLock, IoCreateDevice, ExUnregisterCallback, IofCompleteRequest, KefAcquireSpinLockAtDpcLevel, wcslen, KeClearEvent, KeNumberProcessors, ExRegisterCallback, ExCreateCallback, RtlCopyUnicodeString, _alldiv, _allmul, READ_REGISTER_UCHAR, READ_REGISTER_USHORT, READ_REGISTER_ULONG, WRITE_REGISTER_UCHAR, WRITE_REGISTER_USHORT, WRITE_REGISTER_ULONG, IoWMIRegistrationControl, swprintf, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, PoCallDriver, PoStartNextPowerIrp, PoRequestPowerIrp, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlInitUnicodeString, ZwQueryValueKey, strncpy, KeInitializeEvent, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, KeBugCheckEx, KeTickCount, MmMapIoSpace, MmUnmapIoSpace, ExAllocatePoolWithTag, IoReleaseCancelSpinLock, ExFreePoolWithTag
    > HAL.dll: WRITE_PORT_USHORT, KfReleaseSpinLock, KfAcquireSpinLock, HalSetBusDataByOffset, KeStallExecutionProcessor, WRITE_PORT_ULONG, WRITE_PORT_UCHAR, READ_PORT_ULONG, READ_PORT_USHORT, READ_PORT_UCHAR, KeQueryPerformanceCounter
    > WMILIB.SYS: WmiCompleteRequest, WmiSystemControl, WmiFireEvent

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
    packers (Kaspersky): PE_Patch
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
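    The VirusTotal report above shows zero AV detections, but three details a practitioner would weigh before trusting that: the kernel driver is unsigned, Kaspersky's packer check says "PE_Patch", and the .rsrc section has entropy 7.00. The following is an added example, not code from this thread or from VirusTotal, that reproduces that local triage in Python: it computes the same three digests VirusTotal lists, walks the PE section table, computes per-section Shannon entropy and flags sections above a threshold. The PE image it analyses is constructed inline as a stand-in (it is not the amdk7.sys from this thread), and the 6.9 entropy cut-off is an assumption chosen for the example.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for zero fill, ~6 for ordinary code, >7 for packed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """The three digests VirusTotal lists under 'Additional information'."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def parse_pe_sections(image: bytes) -> list:
    """Walk the PE section table and return name, addresses, sizes and entropy per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the first five fields are needed here.
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "vsize": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def suspicious_sections(sections: list, threshold: float = 6.9) -> list:
    """Names of sections whose entropy suggests packing or a patched-in payload.
    The 6.9 cut-off is an assumption made for this example, not a VirusTotal rule."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def triage(image: bytes) -> dict:
    sections = parse_pe_sections(image)
    return {"hashes": file_hashes(image), "sections": sections,
            "suspicious": suspicious_sections(sections)}


def build_sample_pe(sections: list) -> bytes:
    """Assemble a minimal PE image from (name, data) pairs. Constructed stand-in, not a real driver."""
    e_lfanew, file_align = 0x40, 0x200
    dos = bytearray(e_lfanew)          # DOS header with no stub
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # SizeOfOptionalHeader is 0 here; real images carry one and the parser skips it by that field.
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers_end = e_lfanew + 4 + 20 + 40 * len(sections)
    first_raw = (headers_end + file_align - 1) // file_align * file_align
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             raw_size, first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        vaddr += (len(data) + 0xFFF) // 0x1000 * 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + table).ljust(first_raw, b"\0") + body


# Constructed sample: code-like .text, zero-filled .data and a random-looking .rsrc
# (the kind of high-entropy section a packer or a patched-in payload leaves behind).
SAMPLE_IMAGE = build_sample_pe([
    (b".text", bytes(range(64)) * 16),
    (b".data", bytes(0x200)),
    (b".rsrc", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))),
])

if __name__ == "__main__":
    result = triage(SAMPLE_IMAGE)
    print(result["hashes"])
    for s in result["sections"]:
        print(f"{s['name']:<8} vaddr=0x{s['vaddr']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']}")
    print("suspicious:", result["suspicious"])
```

    Run against a real file with `triage(open(path, "rb").read())`; the md5/sha1/sha256 values should match the ones VirusTotal prints, which confirms you uploaded the same bytes that are on disk. Entropy alone does not prove tampering (compressed resources are legitimately high), which is why the report's signature check and packer verdict are read alongside it.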
     
  10. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    hmm I just tried to post a reply to your last request but it didn't show up. The forum said it was waiting for validation from moderators. Is there a reason that post didn't show up and the rest did?
     
  11. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Below is the report from VirusTotal. Also, regarding the Windows validation: when I try to access Windows Update it tells me that Windows validation has failed.

    I left out the copy and paste from the windows site as I think it may have caused the post to not show immediately and be tagged for moderation.

    Basically it said "your VLK (volume licence key) is not valid".

    Could combofix have somehow deleted the key? Like I said I have never had this problem before. I was asked to validate my copy of windows a few months ago when doing a windows update and it passed fine. The only thing I can think of is the virus I had did this or combofix deleted something important by mistake (this happened while combofix was running)

    I will post the new combofix log as soon as it is complete.

    Thanks

    Antivirus Version Last Update Result
    AhnLab-V3 2010.07.27.00 2010.07.26 -
    AntiVir 8.2.4.26 2010.07.27 -
    Antiy-AVL 2.0.3.7 2010.07.26 -
    Authentium 5.2.0.5 2010.07.27 -
    Avast 4.8.1351.0 2010.07.27 -
    Avast5 5.0.332.0 2010.07.27 -
    AVG 9.0.0.851 2010.07.27 -
    BitDefender 7.2 2010.07.27 -
    CAT-QuickHeal 11.00 2010.07.27 -
    ClamAV 0.96.0.3-git 2010.07.27 -
    Comodo 5556 2010.07.27 -
    DrWeb 5.0.2.03300 2010.07.27 -
    Emsisoft 5.0.0.34 2010.07.27 -
    eSafe 7.0.17.0 2010.07.27 -
    eTrust-Vet 36.1.7742 2010.07.27 -
    F-Prot 4.6.1.107 2010.07.27 -
    F-Secure 9.0.15370.0 2010.07.27 -
    Fortinet 4.1.143.0 2010.07.24 -
    GData 21 2010.07.27 -
    Ikarus T3.1.1.84.0 2010.07.27 -
    Jiangmin 13.0.900 2010.07.26 -
    Kaspersky 7.0.0.125 2010.07.27 -
    McAfee 5.400.0.1158 2010.07.27 -
    McAfee-GW-Edition 2010.1 2010.07.27 -
    Microsoft 1.6004 2010.07.27 -
    NOD32 5318 2010.07.27 -
    Norman 6.05.11 2010.07.27 -
    nProtect 2010-07-27.01 2010.07.27 -
    Panda 10.0.2.7 2010.07.27 -
    PCTools 7.0.3.5 2010.07.27 -
    Prevx 3.0 2010.07.27 -
    Rising 22.58.01.04 2010.07.27 -
    Sophos 4.55.0 2010.07.27 -
    Sunbelt 6649 2010.07.27 -
    Symantec 20101.1.1.7 2010.07.27 -
    TheHacker 6.5.2.1.326 2010.07.27 -
    TrendMicro 9.120.0.1004 2010.07.27 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
    VBA32 3.12.12.6 2010.07.27 -
    ViRobot 2010.7.24.3958 2010.07.27 -
    VirusBuster 5.0.27.0 2010.07.27 -
    Additional information
    File size: 37760 bytes
    MD5...: d99b6a693dbc6d031d0246215ce068a4
    SHA1..: d67b0a9e893f73f16667fecfa9a925e1a119a751
    SHA256: ac31c8ae89ecd8b84e3f3c9fbbe17653cf89308f20fa3bdd490c85d7ba0dc996
    ssdeep: 768:dxTRfnoq0A7qPTDb5ioJbA58ZLUbpPo8U6r3Au:dPfnoBTL38Rr3z
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x5f05
    timedatestamp.....: 0x48025184 (Sun Apr 13 18:31:32 2008)
    machinetype.......: 0x14c (I386)

    ( 8 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x380 0x2566 0x2580 6.44 5b6715c459850cb2f5c27013dcf0b711
    .rdata 0x2900 0x3aa 0x400 4.47 afc409ab29476b3c64dff280d37b008f
    .data 0x2d00 0x52c 0x580 0.39 1db59357b57fdfe8f486fe2b2b2b378f
    PAGE 0x3280 0x2648 0x2680 6.30 b4d623a6195d69785f71fa56a4f85684
    PAGELK 0x5900 0x5cc 0x600 5.91 ce44fbd54bd02a8fe0ae8cb37d3680eb
    INIT 0x5f00 0xad8 0xb00 5.66 4211cd6f6d57ae733490d9ef31b910df
    .rsrc 0x6a00 0x23c0 0x2400 7.00 7079b43e2afc7b78119d6caf9515aba7
    .reloc 0x8e00 0x532 0x580 5.57 98d0029586bd797097571b684d3ab371

    ( 3 imports )
    > ntoskrnl.exe: RtlIntegerToUnicodeString, IoFreeWorkItem, ZwPowerInformation, IoBuildSynchronousFsdRequest, KeSetEvent, KeRevertToUserAffinityThread, KeSetSystemAffinityThread, KeQueryActiveProcessors, ZwClose, RtlEqualUnicodeString, ZwOpenKey, IoQueueWorkItem, IoAllocateWorkItem, _snwprintf, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoDetachDevice, IoDeleteDevice, IoAttachDeviceToDeviceStack, PoSetPowerState, KeInitializeSpinLock, IoCreateDevice, ExUnregisterCallback, IofCompleteRequest, KefAcquireSpinLockAtDpcLevel, wcslen, KeClearEvent, KeNumberProcessors, ExRegisterCallback, ExCreateCallback, RtlCopyUnicodeString, _alldiv, _allmul, READ_REGISTER_UCHAR, READ_REGISTER_USHORT, READ_REGISTER_ULONG, WRITE_REGISTER_UCHAR, WRITE_REGISTER_USHORT, WRITE_REGISTER_ULONG, IoWMIRegistrationControl, swprintf, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, PoCallDriver, PoStartNextPowerIrp, PoRequestPowerIrp, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlInitUnicodeString, ZwQueryValueKey, strncpy, KeInitializeEvent, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, KeBugCheckEx, KeTickCount, MmMapIoSpace, MmUnmapIoSpace, ExAllocatePoolWithTag, IoReleaseCancelSpinLock, ExFreePoolWithTag
    > HAL.dll: WRITE_PORT_USHORT, KfReleaseSpinLock, KfAcquireSpinLock, HalSetBusDataByOffset, KeStallExecutionProcessor, WRITE_PORT_ULONG, WRITE_PORT_UCHAR, READ_PORT_ULONG, READ_PORT_USHORT, READ_PORT_UCHAR, KeQueryPerformanceCounter
    > WMILIB.SYS: WmiCompleteRequest, WmiSystemControl, WmiFireEvent

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
    packers (Kaspersky): PE_Patch
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
     
  12. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Below is the report from VirusTotal. Also, regarding the Windows validation: when I try to access Windows Update it tells me that Windows validation has failed.

    I left out the copy and paste from the windows site as I think it may have caused the post to not show immediately and be tagged for moderation. I also copied the file into text in case that was the problem

    Could combofix have somehow deleted the key? Like I said I have never had this problem before. I was asked to validate my copy of windows a few months ago when doing a windows update and it passed fine. The only thing I can think of is the virus I had did this or combofix deleted something important by mistake (this happened while combofix was running)

    I will post the new combofix log as soon as it is complete.

    Thanks
     

    Attached Files:

    • log.txt (4.5 KB, 1 view)
  13. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    You had one system file infected - disk.sys - which was replaced by Combofix with a healthy file.
    This could possibly cause your issue.
    Did you try to re-validate?
     
  14. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Yes, I tried to revalidate and it said :

    "The Windows product key installed on this computer is a Volume License Key (VLK) that has been blocked. A VLK is typically licensed to organizations that want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is blocked from passing validation and is not considered genuine."

    Which I know is impossible since the license for windows came with the computer.

    Also I tried to do the scan with the text file as you indicated above. The scan seemed to be stuck at the start of the scan. After 30 minutes of waiting it never went on to "stage 1 complete" etc as it did in the previous scan.

    I restarted my computer since it looked like it was going nowhere.

    Do you have any ideas on how to fix this validation issue?

    Thanks
     
  15. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Let's wait with validating.
    We'll make sure, your computer is clean, first and we'll see what happens.

    Try to run my Combofix script from safe mode.
    Did you have your AV program disabled while running Combofix this time?
     
  16. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Yes, I had it disabled. But when the scan starts it restarts my computer before the scan starts then finished before windows loads. I think vipre is running in the background. On the first scan a vipre popup appeared asking me if I wanted to allow the action. I clicked yes and the scan finished.

    I had active protection disabled just like during the last scan before it restarted, so I don't know why it's creating a problem now. But I will try it again in safe mode. But I'm not sure there is a way to get into safe mode when combofix causes the computer to restart.

    Should I boot into safe mode after or before or both after starting the combofix scan?
     
  17. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    OK, I was able to do the scan in safe mode. I have attached the log.

    The redirect problem seems fixed since the first combofix scan. I just hope there is nothing else hiding somewhere.

    The biggest problem right now seems to be the Windows Validation issue.
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    I still don't like Combofix log.

    See, if GMER will run now...

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
     
  19. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    GMER still isn't working. As soon as I open it, even in safe mode, it looks like it is already starting a scan. I have no option to click on anything because there is an hourglass that doesn't allow me to click.

    It stays open for a few seconds, a few seconds more in safe mode, but it always closes with the same error before I can click anything
     
  20. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    That's fine.

    Delete your Combofix file, download new one and post fresh log.
     
  21. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    OK, I deleted the log before performing a new scan. Here is the new scan log.

    Thanks for your help
     

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  23. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    here is the log. It only ran for like 2 seconds.

    Thanks for your help.

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0

    Size     Device Name          MBR Status
    --------------------------------------------
    37 GB    \\.\PhysicalDrive0   Windows XP MBR code detected

    Done! Press ENTER to exit...
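    MBRCheck reads sector 0 of each physical drive and compares its boot code against known loaders, which is how it arrives at "Windows XP MBR code detected" above. The following is an added example (it is not MBRCheck's code) showing in Python what such a check looks like on a raw 512-byte sector: it verifies the 0x55AA boot signature, parses the four partition entries, hashes the 440-byte bootstrap area and compares the hash against a whitelist, then applies a few sanity checks that bootkits tend to trip. The sectors, the reference loader bytes and its whitelist entry are all constructed for the example; the "clean" boot code is a stand-in, not the real Windows XP loader.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # bootstrap code area; the NT disk signature follows at 440-443
PART_TABLE_OFF = 446      # four 16-byte partition entries
MBR_MAGIC = b"\x55\xAA"   # boot signature at bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Parse one raw sector-0 image into boot-code hash, disk signature and partition list."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != MBR_MAGIC:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good: dict) -> list:
    """Return a list of findings; an empty list means the sector looks like a stock loader."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] not in known_good:
        findings.append("boot code does not match any known-good loader (possible MBR rootkit)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has an invalid extent")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector-0 image from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, 440, 0x1A2B3C4D)    # arbitrary NT disk signature
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, count)
    sector[510:512] = MBR_MAGIC
    return bytes(sector)


# Constructed stand-in for a vendor loader (not the real Windows XP MBR code) and its whitelist.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 432
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest(): "constructed reference loader"}

# One bootable NTFS partition starting at LBA 63, roughly 37 GB like the drive in the MBRCheck output.
PARTITIONS = [(0x80, 0x07, 63, 77_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)

# A bootkit typically overwrites the first instructions with a jump into its own code
# and leaves the partition table intact, so only the boot-code hash changes.
PATCHED_MBR = build_mbr(b"\xe9\x00\x02" + CLEAN_BOOT_CODE[3:], PARTITIONS)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        print(label, parse_mbr(sector)["partitions"], check_mbr(sector, KNOWN_GOOD))
```

    On a live Windows machine the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` in an elevated process, and the whitelist would hold hashes taken from a known-clean install of the same Windows version. The one thing this cannot do is see through a rootkit that filters raw disk reads, which is exactly why the MBR check is run alongside tools like GMER and Combofix rather than instead of them.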
     
  24. greg0418

    greg0418 TS Rookie Topic Starter Posts: 25

    Another quick question. Maybe I am just paranoid about getting infected again, but thought I would share this. When I tried to check my hotmail account tonight I got redirected to http://bl108w.blu108.mail.live.com/default.aspx?rru=inbox&wa=wsignin1.0
    It seems to have the same functionality of regular hotmail but claims to have a "new feature". I can still access my mail the only thing is I can't change to another email address like I could on the old hotmail screen without logging out.

    The URL just looked strange to me so I thought I would ask here. I don't know if its malicious. I googled the URL and it came up with:

    "origin.bl108w.blu108.mail.live.com

    Origin.bl108w.blu108.mail.live.com has one IP number , which is the same as for bl108w.blu108.mail.live.com. Origin.bl108w.blu108.mail.live.com also has a corresponding reverse pointer.

    Blu108w.mail.live.com.akadns.net cnames to this hostname. Bl108w.blu108.mail.live.com point to the same IP.
    bl108w.blu108.mail.live.com

    Sorry, we are currently missing dns information for bl108w.blu108.mail.live.com
    More information

    You might also be interested in origin.bl118w.blu118.mail.live.com, origin.bl109w.blu109.mail.live.com, origin.bl138w.blu138.mail.live.com, origin.bl104w.blu104.mail.live.com and origin.bl105w.blu105.mail.live.com.

    Origin.bl108w.blu108.mail.live.com is hosted on a server in United States.

    It is not listed in any blacklists.Search for live.com."

    That report was at http://www.robtex.com/dns/origin.bl108w.blu108.mail.live.com.html

    Thanks again for all your help
     
  25. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Thank you for an extra info :)
    Which browser is having problems?

    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.

    ========================================================================

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     
Topic Status:
Not open for further replies.
