Solved Undetectable redirect


greg0418

Hi

I recently had the Antimalware Doctor virus that I thought I removed. To make sure, I did a Malwarebytes scan last night in safe mode. It deleted some system restore files that were infected.

The problem now is that my browser still gets redirected to strange sites even though all scans (VIPRE, Spybot S&D, and Malwarebytes) show no infection.

The redirects usually happen when clicking on a link in a Google search. I simply can't get rid of this problem.

I tried to use GMER, but every time I try to open the program, even with all programs closed and the internet and antivirus turned off, I always get the following error: "2g4ecg27.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

I also discovered another MAJOR problem while attempting to post this. Any time I try to attach files or paste Malwarebytes or HijackThis logs on this forum, I keep getting an error that says 'connection was reset' when trying to post. I tried to email a copy to myself so I could post from another computer, and it won't even allow me to send the email. It keeps resetting the connection. I did a test email without the logs and it works fine. Obviously there is some kind of malware that recognizes these logs and attempts to stop me from sharing them. I wasn't aware a malicious program could be that malicious. It kind of scares me...

The only way I was able to post this was to save this to a text file, put it on a USB stick and send it from another computer.

I have attached my most recent Malwarebytes log and HijackThis log. Any help would be appreciated. Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:15:13 AM, on 7/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Greg\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\Greg\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265828571837
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Vipre Trial Reset (.vipre_reset) - Unknown owner - C:\Program Files\Vipre_Reset.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6115 bytes

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4349

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/26/2010 10:21:13 PM
mbam-log-2010-07-26 (22-21-13).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 208819
Time elapsed: 1 hour(s), 14 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118118.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118119.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118121.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118122.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP79\A0118123.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120294.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120295.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0120301.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP80\A0121300.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121309.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121310.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121312.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121434.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121436.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CA336B29-2A69-408B-B0EC-03391545751E}\RP81\A0121438.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
 
Here are my DDS logs as well. (attach.txt is attached)

I tried once again to run GMER in safe mode but I am still getting the same error as soon as the program opens.

Thanks in advance for your help.
 
Here are the logs my other computer wouldn't allow me to post. (attach.txt is attached)


DDS (Ver_10-03-17.01) - NTFSx86
Run by Greg at 2:30:52.71 on Tue 07/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.350 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Greg\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Greg\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [AdobeBridge]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WeatherEye] c:\documents and settings\greg\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [<NO NAME>]
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
uPolicies-explorer: NoActiveDesktop = 00000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265828571837
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\greg\applic~1\mozilla\firefox\profiles\udmwoh6w.default\
FF - plugin: c:\documents and settings\greg\application data\mozilla\firefox\profiles\udmwoh6w.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2010-3-9 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2010-3-9 5248]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-7-24 13400]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-7-24 322904]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-7-24 204632]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-7-24 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-4-30 181584]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-2-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-2-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-7-15 18432]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-7-24 67800]
S2 .vipre_reset;Vipre Trial Reset;c:\program files\Vipre_Reset.exe [2010-2-10 325271]
S2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-4-30 2730120]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-25 38224]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-7-24 86232]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-1-29 2074480]

=============== Created Last 30 ================

2010-07-27 04:48:08 0 d-sh--w- c:\documents and settings\greg\IECompatCache
2010-07-27 04:33:17 0 d-----w- c:\docume~1\greg\applic~1\JAM Software
2010-07-27 04:32:56 0 d-----w- c:\program files\JAM Software
2010-07-27 02:47:49 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 09:00:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 08:27:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-26 03:20:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 03:20:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 03:20:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 03:14:51 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-07-25 03:14:50 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-07-25 03:08:47 0 d-----w- c:\docume~1\greg\applic~1\Sunbelt
2010-07-25 03:08:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-07-25 03:06:03 86232 ----a-w- c:\windows\system32\drivers\sbhips.sys
2010-07-25 03:06:03 204632 ----a-w- c:\windows\system32\drivers\sbtis.sys
2010-07-25 03:05:30 67800 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-07-25 03:05:28 322904 ----a-w- c:\windows\system32\drivers\SbFw.sys
2010-07-25 02:42:11 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-23 06:01:43 0 d-----w- c:\program files\Sunbelt Software
2010-07-23 05:53:34 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys5B84D6EB
2010-07-23 05:16:50 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-07-23 05:04:16 585850 ----a-w- c:\windows\umcat_01.db
2010-07-23 04:33:12 120 ----a-w- c:\windows\Rnapivu.dat
2010-07-23 04:33:12 0 ----a-w- c:\windows\Edanuzona.bin
2010-07-23 04:31:46 150 ----a-w- C:\zrpt.xml
2010-07-23 04:31:13 0 d-----w- c:\docume~1\greg\applic~1\7B1D34BA9A3D96584E76E71EE8CCC94D
2010-07-18 03:26:17 3145856 ----a-w- C:\fb_0.dds
2010-07-18 03:26:16 3145784 ----a-w- C:\fb_0.bmp
2010-07-09 14:29:19 3250 ----a-w- c:\windows\system32\wbem\Outlook_01cb1f731da65660.mof
2010-07-08 09:30:47 0 d-----w- c:\program files\common files\Macrovision Shared
2010-07-08 09:30:05 0 d-----w- c:\program files\Rosetta Stone
2010-07-08 09:30:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone

==================== Find3M ====================

2010-06-10 04:56:38 737280 ----a-w- c:\windows\iun6002.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 16:31:00 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-02-11 00:35:23 325271 ------r- c:\program files\Vipre_Reset.exe
2010-02-12 23:33:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010021220100213\index.dat

============= FINISH: 2:32:37.23 ===============
 

It seems to be getting worse. There are now popups even when I don't click on a link. Antivirus still shows nothing in the scan. Here is my latest scan log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4356

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/27/2010 8:28:10 AM
mbam-log-2010-07-27 (08-28-10).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 206647
Time elapsed: 3 hour(s), 19 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thank you for your reply. I have attached the ComboFix log as requested.

Also, after the scan was over and the computer restarted, the ComboFix log said it was preparing the log. During that time my desktop background went away and said that my copy of Windows may not be genuine. I have never had this before. I have a valid copy of Windows that came with my PC from the manufacturer (HP).

Just thought I would include that in case it was a problem caused by malware. I haven't attempted to correct the problem; I will wait for your reply.

Thanks again
 

While I'm checking the Combofix log, please restart the computer one more time and let me know if you are still getting the same message ("windows may not be genuine").
Also, let me know how the redirection issue is.
 
Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.
Upload the following file to http://www.virustotal.com/ for a security check:
- c:\windows\system32\drivers\amdk7.sys5B84D6EB
IMPORTANT! If the file is listed as already analyzed, click on the Reanalyse file now button.
Post the scan results.

========================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\Rnapivu.dat
c:\windows\Edanuzona.bin


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
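The triage the helper just applied to the DDS log (a driver name carrying a stray hex tag, .dat/.bin files dropped into the Windows root in the same second, and a hosts entry pinning a security site to loopback), written out as a small script. This is an added example, not the thread's or any tool's code; the sample lines are copied from the log posted above, and the three rules and the names `triage`, `parse_entries` and `Finding` are heuristics assumed for illustration, not how DDS or ComboFix work internally.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Hosts line and a handful of "Created Last 30" lines copied
# from the DDS log posted above, plus benign lines to show what is NOT flagged.
SAMPLE_DDS = r"""
Hosts: 127.0.0.1 www.spywareinfo.com
2010-07-26 03:20:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-23 05:53:34 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys5B84D6EB
2010-07-23 05:04:16 585850 ----a-w- c:\windows\umcat_01.db
2010-07-23 04:33:12 120 ----a-w- c:\windows\Rnapivu.dat
2010-07-23 04:33:12 0 ----a-w- c:\windows\Edanuzona.bin
2010-07-23 04:31:46 150 ----a-w- C:\zrpt.xml
2010-07-08 09:30:05 0 d-----w- c:\program files\Rosetta Stone
"""

# One DDS file entry: "YYYY-MM-DD HH:MM:SS <size> <8-char attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# DDS reports non-default hosts-file lines as "Hosts: <ip> <name>"
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")
# Heuristic 1 (assumed): a driver whose name ends in ".sys" plus a stray 8-hex-digit tag
HEX_TAGGED_DRIVER_RE = re.compile(r"\\drivers\\[^\\]+\.sys[0-9a-f]{8}$", re.IGNORECASE)
# Heuristic 2 (assumed): loose .dat/.bin files dropped directly into the Windows directory
WINDIR_ROOT_DROP_RE = re.compile(r"^c:\\windows\\[^\\]+\.(dat|bin)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    note: str


def parse_entries(text):
    """Return the parsed file entries (dicts with ts/size/attrs/path) from a DDS log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(text):
    """Apply the three heuristics to a DDS log and return the findings in log order."""
    findings = []

    # Heuristic 3 (assumed): a hosts entry that pins a real domain to loopback,
    # which is how a redirector keeps the victim away from help sites.
    for line in text.splitlines():
        h = HOSTS_RE.match(line.strip())
        if h and h["ip"] == "127.0.0.1" and h["host"].lower() != "localhost":
            findings.append(Finding("hosts-blackhole", h["host"],
                                    "domain pinned to 127.0.0.1 in the hosts file"))

    entries = parse_entries(text)

    # Windows-root drops created in the same second were most likely written by
    # the same dropper; count them so the note can say so.
    drops_by_ts = {}
    for e in entries:
        if WINDIR_ROOT_DROP_RE.match(e["path"]):
            drops_by_ts.setdefault(e["ts"], []).append(e["path"])

    for e in entries:
        path = e["path"]
        if HEX_TAGGED_DRIVER_RE.search(path):
            findings.append(Finding("hex-tagged-driver", path,
                                    "driver name carries an 8-hex-digit tag; submit for analysis"))
        elif WINDIR_ROOT_DROP_RE.match(path):
            siblings = len(drops_by_ts[e["ts"]]) - 1
            note = f"loose file in Windows root, created {e['ts']}"
            if siblings:
                note += f" together with {siblings} other such file(s)"
            findings.append(Finding("windir-root-drop", path, note))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.path}: {f.note}")
```

On the sample it reports exactly the four items the helper acted on and nothing else; the benign mbam.sys, umcat_01.db and zrpt.xml lines pass through unflagged.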
 
Below is the report from VirusTotal. Also, regarding the Windows validation: when I try to access Windows Update it tells me that Windows validation has failed.

It says "The product key is a unique identifier assigned by Microsoft only to genuine Windows software. If this key is missing or incorrect, it may indicate the presence of counterfeit software and your computer may be at risk.

The Windows product key installed on this computer is a Volume License Key (VLK) that has been blocked. A VLK is typically licensed to organizations that want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is blocked from passing validation and is not considered genuine.

You or your organization may be a victim of software counterfeiting if:

■You received a computer with a VLK, but you do not have a Volume License Agreement with Microsoft, or
■Your organization purchased a VLK from a 3rd party but does not have a Volume License Agreement with Microsoft"

Could ComboFix have somehow deleted the key? Like I said, I have never had this problem before. I was asked to validate my copy of Windows a few months ago when doing a Windows update and it passed fine. The only thing I can think of is that the virus I had did this, or ComboFix deleted something important by mistake (this happened while ComboFix was running).

I will post the new combofix log as soon as it is complete.

Thanks

Antivirus Version Last Update Result
AhnLab-V3 2010.07.27.00 2010.07.26 -
AntiVir 8.2.4.26 2010.07.27 -
Antiy-AVL 2.0.3.7 2010.07.26 -
Authentium 5.2.0.5 2010.07.27 -
Avast 4.8.1351.0 2010.07.27 -
Avast5 5.0.332.0 2010.07.27 -
AVG 9.0.0.851 2010.07.27 -
BitDefender 7.2 2010.07.27 -
CAT-QuickHeal 11.00 2010.07.27 -
ClamAV 0.96.0.3-git 2010.07.27 -
Comodo 5556 2010.07.27 -
DrWeb 5.0.2.03300 2010.07.27 -
Emsisoft 5.0.0.34 2010.07.27 -
eSafe 7.0.17.0 2010.07.27 -
eTrust-Vet 36.1.7742 2010.07.27 -
F-Prot 4.6.1.107 2010.07.27 -
F-Secure 9.0.15370.0 2010.07.27 -
Fortinet 4.1.143.0 2010.07.24 -
GData 21 2010.07.27 -
Ikarus T3.1.1.84.0 2010.07.27 -
Jiangmin 13.0.900 2010.07.26 -
Kaspersky 7.0.0.125 2010.07.27 -
McAfee 5.400.0.1158 2010.07.27 -
McAfee-GW-Edition 2010.1 2010.07.27 -
Microsoft 1.6004 2010.07.27 -
NOD32 5318 2010.07.27 -
Norman 6.05.11 2010.07.27 -
nProtect 2010-07-27.01 2010.07.27 -
Panda 10.0.2.7 2010.07.27 -
PCTools 7.0.3.5 2010.07.27 -
Prevx 3.0 2010.07.27 -
Rising 22.58.01.04 2010.07.27 -
Sophos 4.55.0 2010.07.27 -
Sunbelt 6649 2010.07.27 -
Symantec 20101.1.1.7 2010.07.27 -
TheHacker 6.5.2.1.326 2010.07.27 -
TrendMicro 9.120.0.1004 2010.07.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
VBA32 3.12.12.6 2010.07.27 -
ViRobot 2010.7.24.3958 2010.07.27 -
VirusBuster 5.0.27.0 2010.07.27 -
Additional information
File size: 37760 bytes
MD5...: d99b6a693dbc6d031d0246215ce068a4
SHA1..: d67b0a9e893f73f16667fecfa9a925e1a119a751
SHA256: ac31c8ae89ecd8b84e3f3c9fbbe17653cf89308f20fa3bdd490c85d7ba0dc996
ssdeep: 768:dxTRfnoq0A7qPTDb5ioJbA58ZLUbpPo8U6r3Au:dPfnoBTL38Rr3z
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5f05
timedatestamp.....: 0x48025184 (Sun Apr 13 18:31:32 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x2566 0x2580 6.44 5b6715c459850cb2f5c27013dcf0b711
.rdata 0x2900 0x3aa 0x400 4.47 afc409ab29476b3c64dff280d37b008f
.data 0x2d00 0x52c 0x580 0.39 1db59357b57fdfe8f486fe2b2b2b378f
PAGE 0x3280 0x2648 0x2680 6.30 b4d623a6195d69785f71fa56a4f85684
PAGELK 0x5900 0x5cc 0x600 5.91 ce44fbd54bd02a8fe0ae8cb37d3680eb
INIT 0x5f00 0xad8 0xb00 5.66 4211cd6f6d57ae733490d9ef31b910df
.rsrc 0x6a00 0x23c0 0x2400 7.00 7079b43e2afc7b78119d6caf9515aba7
.reloc 0x8e00 0x532 0x580 5.57 98d0029586bd797097571b684d3ab371

( 3 imports )
> ntoskrnl.exe: RtlIntegerToUnicodeString, IoFreeWorkItem, ZwPowerInformation, IoBuildSynchronousFsdRequest, KeSetEvent, KeRevertToUserAffinityThread, KeSetSystemAffinityThread, KeQueryActiveProcessors, ZwClose, RtlEqualUnicodeString, ZwOpenKey, IoQueueWorkItem, IoAllocateWorkItem, _snwprintf, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoDetachDevice, IoDeleteDevice, IoAttachDeviceToDeviceStack, PoSetPowerState, KeInitializeSpinLock, IoCreateDevice, ExUnregisterCallback, IofCompleteRequest, KefAcquireSpinLockAtDpcLevel, wcslen, KeClearEvent, KeNumberProcessors, ExRegisterCallback, ExCreateCallback, RtlCopyUnicodeString, _alldiv, _allmul, READ_REGISTER_UCHAR, READ_REGISTER_USHORT, READ_REGISTER_ULONG, WRITE_REGISTER_UCHAR, WRITE_REGISTER_USHORT, WRITE_REGISTER_ULONG, IoWMIRegistrationControl, swprintf, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, PoCallDriver, PoStartNextPowerIrp, PoRequestPowerIrp, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlInitUnicodeString, ZwQueryValueKey, strncpy, KeInitializeEvent, IoBuildDeviceIoControlRequest, IofCallDriver, KeWaitForSingleObject, KeBugCheckEx, KeTickCount, MmMapIoSpace, MmUnmapIoSpace, ExAllocatePoolWithTag, IoReleaseCancelSpinLock, ExFreePoolWithTag
> HAL.dll: WRITE_PORT_USHORT, KfReleaseSpinLock, KfAcquireSpinLock, HalSetBusDataByOffset, KeStallExecutionProcessor, WRITE_PORT_ULONG, WRITE_PORT_UCHAR, READ_PORT_ULONG, READ_PORT_USHORT, READ_PORT_UCHAR, KeQueryPerformanceCounter
> WMILIB.SYS: WmiCompleteRequest, WmiSystemControl, WmiFireEvent

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
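The PEInfo block above (link timestamp, machine type, entry point, and a per-section entropy column) is what file-level triage of a suspect driver reads first: a section near 8.0 bits per byte that should hold plain code or resources is a common sign of packing or in-place patching, which is why the report also shows a "packers" line. As an added example that is not part of this thread and not VirusTotal's code, the Python below parses those same fields straight out of a PE image and computes each section's Shannon entropy. The image it parses is constructed inline in build_sample_pe() (two sections, not a real driver); only the timestamp and entry-point values reuse the numbers from the report so the conversion can be checked. To run it against a real file, pass the file's bytes to parse_pe() and compare file_hashes() with the MD5/SHA1/SHA256 lines of the report.

```python
"""Minimal PE header parser with per-section entropy (added example).

Reads the fields a VirusTotal PEInfo block reports (machine type, link
timestamp, entry point, section table) directly from the image bytes and
computes the Shannon entropy of each section's raw data.

The image parsed below is constructed in build_sample_pe(): two sections,
not a real driver. Only the timestamp and entry point reuse the report's values.
"""
import hashlib
import math
import struct
import time

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(image: bytes) -> dict:
    """The three digests a VirusTotal report lists, for comparing against it."""
    return {name: hashlib.new(name, image).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe(image: bytes) -> dict:
    """Return machine, timestamp, entry point and section table of a PE image."""
    (e_magic,) = struct.unpack_from("<H", image, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    (signature,) = struct.unpack_from("<I", image, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_off = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff_off)
    opt_off = coff_off + 20
    # AddressOfEntryPoint sits at offset 16 of both the PE32 and PE32+ optional header
    (entry_rva,) = struct.unpack_from("<I", image, opt_off + 16)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sect_off + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": tstamp,
        "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tstamp)),
        "entry_point": entry_rva,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed 32-bit image: a uniformly distributed .text (entropy 8.0)
    and an all-zero .data (entropy 0.0). Not a real driver."""
    text_raw = bytes(range(256)) * 4
    data_raw = b"\x00" * 512
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew: PE header follows the DOS header
    opt = bytearray(224)                                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                   # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<I", opt, 16, 0x5F05)                 # entry point, value taken from the report
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x48025184, 0, 0, len(opt), 0x0102)
    hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text_raw), 0x1000, len(text_raw), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".data", len(data_raw), 0x2000, len(data_raw), 0x600, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdr
    return headers.ljust(0x200, b"\0") + text_raw + data_raw


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine_name"], info["timestamp_utc"], hex(info["entry_point"]))
    for s in info["sections"]:
        print(f'{s["name"]:8} raw={s["raw_size"]:#06x} entropy={s["entropy"]:.2f} md5={s["md5"]}')
```

The timestamp conversion uses UTC, which is why the report's "Sun Apr 13 18:31:32 2008" comes back as "2008-04-13 18:31:32"; a link time that is older than the file's on-disk timestamps, or that disagrees wildly with the OS release the driver ships with, is a second thing worth noticing alongside entropy.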
 
Hmm, I just tried to post a reply to your last request but it didn't show up. The forum said it was waiting for validation from moderators. Is there a reason that post didn't show up and the rest did?
 
Below is the report from VirusTotal. Also, regarding the Windows validation: when I try to access Windows Update it tells me that Windows validation has failed.

I left out the copy and paste from the windows site as I think it may have caused the post to not show immediately and be tagged for moderation.

Basically it said "your VLK (volume licence key) is not valid".

Could ComboFix have somehow deleted the key? Like I said, I have never had this problem before. I was asked to validate my copy of Windows a few months ago when doing a Windows update and it passed fine. The only thing I can think of is that the virus I had did this, or ComboFix deleted something important by mistake (this happened while ComboFix was running).

I will post the new combofix log as soon as it is complete.

Thanks

 
Below is the report from VirusTotal. Also, regarding the Windows validation: when I try to access Windows Update it tells me that Windows validation has failed.

I left out the copy and paste from the Windows site as I think it may have caused the post to not show immediately and be tagged for moderation. I also copied the file into text in case that was the problem.

Could ComboFix have somehow deleted the key? Like I said, I have never had this problem before. I was asked to validate my copy of Windows a few months ago when doing a Windows update and it passed fine. The only thing I can think of is that the virus I had did this, or ComboFix deleted something important by mistake (this happened while ComboFix was running).

I will post the new combofix log as soon as it is complete.

Thanks
 

Attachments: log.txt (4.5 KB)
You had one system file infected - disk.sys - which was replaced by Combofix with a healthy file.
This could possibly cause your issue.
Did you try to re-validate?
 
Yes, I tried to revalidate and it said :

"The Windows product key installed on this computer is a Volume License Key (VLK) that has been blocked. A VLK is typically licensed to organizations that want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is blocked from passing validation and is not considered genuine."

Which I know is impossible, since the license for Windows came with the computer.

Also I tried to do the scan with the text file as you indicated above. The scan seemed to be stuck at the start of the scan. After 30 minutes of waiting it never went on to "stage 1 complete" etc as it did in the previous scan.

I restarted my computer since it looked like it was going nowhere.

Do you have any ideas on how to fix this validation issue?

Thanks
 
Let's wait on validating.
We'll make sure your computer is clean first, and then we'll see what happens.

Try to run my Combofix script from safe mode.
Did you have your AV program disabled while running Combofix this time?
 
Yes, I had it disabled. But when the scan starts it restarts my computer before the scan starts, then finishes before Windows loads. I think Vipre is running in the background. On the first scan a Vipre popup appeared asking me if I wanted to allow the action. I clicked yes and the scan finished.

I had active protection disabled just like during the last scan before it restarted, so I don't know why it's creating a problem now. But I will try it again in safe mode. I'm not sure there is a way to get into safe mode when ComboFix causes the computer to restart, though.

Should I boot into safe mode after or before or both after starting the combofix scan?
 
OK, I was able to do the scan in safe mode. I have attached the log.

The redirect problem seems fixed since the first combofix scan. I just hope there is nothing else hiding somewhere.

The biggest problem right now seems to be the Windows Validation issue.
 

Attachments: ComboFix.txt (17.1 KB)
I still don't like the Combofix log.

See, if GMER will run now...

Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
 
GMER still isn't working. As soon as I open it, even in safe mode, it looks like it is already starting a scan. I have no option to click on anything because there is an hourglass that doesn't allow me to click.

It stays open for a few seconds (a few seconds more in safe mode), but it always closes with the same error before I can click anything.
 
OK, I deleted the log before performing a new scan. Here is the new scan log.

Thanks for your help
 

Attachments: ComboFix.txt (24.6 KB)
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Here is the log. It only ran for about 2 seconds.

Thanks for your help.

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size   Device Name          MBR Status
--------------------------------------------
37 GB  \\.\PhysicalDrive0   Windows XP MBR code detected

Done! Press ENTER to exit...
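MBRCheck's one-line verdict ("Windows XP MBR code detected") comes from hashing the boot-code bytes of sector 0 and matching them against known-good values; a bootkit that replaces that code leaves the 0x55AA signature and the partition table intact, so only the hash of the first 440 bytes gives it away. As an added example that is not MBRCheck's code and not from this thread, the Python below does that check offline on a 512-byte sector image: it validates the signature, parses the four partition entries, hashes the boot code against a whitelist, and reports how many sectors lie past the last partition, since unpartitioned space at the end of a disk is one place bootkits park data. The sector, the disk size (37 GB, as in the output above) and the whitelist entry are all constructed here; the boot code is a stand-in, not Microsoft's real XP MBR, and the whitelist hash is derived from that stand-in, so it is a hypothetical entry. On a live system you would read sector 0 from \\.\PhysicalDrive0 and replace KNOWN_GOOD with real reference hashes.

```python
"""Offline MBR triage in the spirit of MBRCheck (added example).

Validates the 0x55AA boot signature, parses the partition table, hashes the
boot-code area (bytes 0-439) against a whitelist, and reports sectors beyond
the last partition. The sector and the whitelist are constructed below; the
boot code is a stand-in, not the real Windows XP MBR.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440                  # boot code; disk signature and partition table follow
PARTITION_TABLE_OFF = 446
DISK_SECTORS = 37 * 1024 ** 3 // 512  # a 37 GB disk, as in the MBRCheck output


def parse_mbr(sector: bytes) -> dict:
    """Check the boot signature and return boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    (disk_signature,) = struct.unpack_from("<I", sector, 440)
    partitions = []
    for i in range(4):
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba_start, count = struct.unpack_from(
            "<BBBBBBBBII", sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
    }


def unpartitioned_tail(partitions: list, disk_sectors: int) -> int:
    """Sectors after the end of the last partition (space a bootkit can use)."""
    end = max((p["lba_start"] + p["sectors"] for p in partitions), default=0)
    return disk_sectors - end


def assess(sector: bytes, disk_sectors: int, known_good: dict) -> dict:
    """Whitelist verdict plus the figures a responder wants in the report."""
    info = parse_mbr(sector)
    return {
        "verdict": known_good.get(info["boot_code_sha256"], "unknown MBR code"),
        "boot_code_sha256": info["boot_code_sha256"],
        "partitions": info["partitions"],
        "unpartitioned_tail_sectors": unpartitioned_tail(info["partitions"], disk_sectors),
    }


def build_sample_mbr() -> bytes:
    """Constructed sector: stand-in boot code, one bootable NTFS partition at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    stand_in_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 8   # not real XP code
    sector[:len(stand_in_code)] = stand_in_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)                     # arbitrary disk signature
    struct.pack_into("<BBBBBBBBII", sector, PARTITION_TABLE_OFF,
                     0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF,              # bootable, type 0x07 (NTFS)
                     63, DISK_SECTORS - 63 - 2048)                       # leaves 2048 sectors at the end
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def tamper(sector: bytes) -> bytes:
    """Simulate a bootkit: overwrite the start of the boot code, keep signature and table."""
    patched = bytearray(sector)
    patched[0:3] = b"\xEA\x00\x7C"       # far-jump stub in place of the original first bytes
    return bytes(patched)


# Hypothetical whitelist: the hash of the constructed stand-in code above.
KNOWN_GOOD = {
    hashlib.sha256(build_sample_mbr()[:BOOT_CODE_LEN]).hexdigest():
        "Windows XP MBR code (constructed reference)",
}

if __name__ == "__main__":
    for label, sec in (("clean", build_sample_mbr()), ("tampered", tamper(build_sample_mbr()))):
        result = assess(sec, DISK_SECTORS, KNOWN_GOOD)
        print(label, result["verdict"], "tail sectors:", result["unpartitioned_tail_sectors"])
```

The tampered sector still parses cleanly and shows the same partition table, which is the point: signature and partition checks alone say nothing about the boot code, and only the hash comparison flags it.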
 
Another quick question. Maybe I am just paranoid about getting infected again, but thought I would share this. When I tried to check my hotmail account tonight I got redirected to http://bl108w.blu108.mail.live.com/default.aspx?rru=inbox&wa=wsignin1.0
It seems to have the same functionality of regular hotmail but claims to have a "new feature". I can still access my mail the only thing is I can't change to another email address like I could on the old hotmail screen without logging out.

The URL just looked strange to me so I thought I would ask here. I don't know if it's malicious. I googled the URL and it came up with:

"origin.bl108w.blu108.mail.live.com

Origin.bl108w.blu108.mail.live.com has one IP number , which is the same as for bl108w.blu108.mail.live.com. Origin.bl108w.blu108.mail.live.com also has a corresponding reverse pointer.

Blu108w.mail.live.com.akadns.net cnames to this hostname. Bl108w.blu108.mail.live.com point to the same IP.
bl108w.blu108.mail.live.com

Sorry, we are currently missing dns information for bl108w.blu108.mail.live.com
More information

You might also be interested in origin.bl118w.blu118.mail.live.com, origin.bl109w.blu109.mail.live.com, origin.bl138w.blu138.mail.live.com, origin.bl104w.blu104.mail.live.com and origin.bl105w.blu105.mail.live.com.

Origin.bl108w.blu108.mail.live.com is hosted on a server in United States.

It is not listed in any blacklists. Search for live.com."

That report was at http://www.robtex.com/dns/origin.bl108w.blu108.mail.live.com.html

Thanks again for all your help
 
Thank you for the extra info :)
Which browser is having problems?

Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Double-click mbr.exe and follow the prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.

========================================================================

Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
 