Help with Hijack log


higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
I am looking for help with Internet Explorer. I bought a new netbook and it has come from China. It had no antivirus when I got it, so I installed Microsoft Security Essentials. It detected some malware on it and fixed the problems. The only problem I think I have now is with IE. It opens on www.1112.me when I click on it. If I click on a link in a program, it automatically opens IE on that www.1112.me even though I have set Chrome as my default browser. I went into the registry editor and changed the start page manually in all sections where I saw that web address, and it worked fine when I opened IE, but when I restart the netbook, the same thing keeps happening. Any help would be gratefully received.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 02:10:00, on 03/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\KaraokeSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1112.me
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: QQ.vbs (User 'SYSTEM')
O4 - .DEFAULT Startup: QQ.vbs (User 'Default user')
O4 - .DEFAULT User Startup: QQ.vbs (User 'Default user')
O4 - Startup: QQ.vbs
O4 - Global Startup: QQ.vbs
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VIA Karaoke digital mixer Service (KaraokeService) - VIA Technologies, Inc. - C:\WINDOWS\system32\KaraokeSer.exe

--
End of file - 5156 bytes
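An added triage example, not part of the thread and not HijackThis code: a Python script that parses the HijackThis entry types shown in the log above and flags the four that carry this hijack and its persistence (the R0 start page, the proxy setting, the Run entry that launches a bare file name, and the start-up script present in every profile). The sample lines are copied from the logs posted in this thread; the list of expected home-page hosts is an assumption.

```python
"""Triage helper for HijackThis-style logs: flags start-page overrides, an
unexplained proxy, Run entries with no path, and start-up scripts that are
replicated across user profiles."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Lines copied from the HijackThis logs posted in this thread (a subset).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1112.me
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: QQ.vbs (User 'SYSTEM')
O4 - .DEFAULT Startup: QQ.vbs (User 'Default user')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: QQ.vbs
O4 - Global Startup: QQ.vbs
"""

# Assumption: hosts a stock IE install on this machine legitimately points at
# (taken from the untouched R0/R1 lines). Anything else is worth a look.
EXPECTED_HOME_HOSTS = ("google.ie", "google.com", "microsoft.com")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")

R_LINE = re.compile(r"^R[01] - (HKCU|HKLM)\\[^,]+,(.+?) = (.*)$")
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(.+?)\] (.*)$")
STARTUP_LINE = re.compile(r"^O4 - (.*?)Startup: (.+?)(?: \(User '[^']*'\))?$")


@dataclass
class Finding:
    category: str  # "homepage", "proxy", "run-nopath" or "startup-script"
    item: str      # the URL, proxy, executable or script the finding is about
    detail: str    # what a reviewer should check


def host_is_expected(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOME_HOSTS)


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command line (quoted or not)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list:
    findings = []
    startup_locations = defaultdict(list)  # start-up item -> locations it appears in
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            hive, name, value = m.groups()
            if name in ("Start Page", "Default_Page_URL", "Search Page") and not host_is_expected(value):
                findings.append(Finding("homepage", value,
                                        f"{hive} {name} points at a host outside the expected list"))
            elif name == "ProxyServer" and value:
                findings.append(Finding("proxy", value,
                                        f"{hive} proxy is set to {value}; confirm the user configured it"))
            continue
        m = RUN_LINE.match(line)
        if m:
            hive, entry, command = m.groups()
            exe = executable_of(command)
            # A bare file name is resolved via the search path at logon, so the
            # log does not tell you which file actually runs.
            if "\\" not in exe and not exe.startswith("%"):
                findings.append(Finding("run-nopath", exe,
                                        f"{hive} Run entry [{entry}] launches '{exe}' without a path"))
            continue
        m = STARTUP_LINE.match(line)
        if m:
            location = m.group(1).strip() or "current user"
            item = m.group(2).split(" = ", 1)[0]  # drop a shortcut's target, keep its name
            startup_locations[item].append(location)
    for item, locations in startup_locations.items():
        if item.lower().endswith(SCRIPT_EXTS):
            findings.append(Finding("startup-script", item,
                                    f"script in {len(locations)} startup location(s): "
                                    + ", ".join(locations)))
    return findings


def summarize(findings) -> dict:
    """Number of findings per category."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.category] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"[{f.category}] {f.item}: {f.detail}")
```

Run against the full log, the script reports the same four items the thread ends up chasing; the clean Google, Microsoft and OpenOffice entries produce no findings.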
 

higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
Here is the new log, as I have deleted a few items with no success.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:54:57, on 06/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\KaraokeSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: QQ.vbs (User 'SYSTEM')
O4 - .DEFAULT Startup: QQ.vbs (User 'Default user')
O4 - .DEFAULT User Startup: QQ.vbs (User 'Default user')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: QQ.vbs
O4 - Global Startup: QQ.vbs
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VIA Karaoke digital mixer Service (KaraokeService) - VIA Technologies, Inc. - C:\WINDOWS\system32\KaraokeSer.exe

--
End of file - 4970 bytes
 

jeffce

Malware Specialist
Joined
May 10, 2011
Messages
1,727
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method ( Recommended: Immediate Notification)
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them with Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.
----------

Please download DDS from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
----------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
    Vista and Windows 7 users right click the icon and choose "Run as administrator".
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


----------

In your next reply please post both of the logs created by DDS and the log created by aswMBR.exe. :)
 

higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Administrator at 18:33:29 on 2011-12-07
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2038.1352 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\KaraokeSer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.1112.me
uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\QQ.vbs
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\QQ.vbs
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E593374-E73E-4ACE-B895-931D33C206D3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EC1E7F15-E225-41DE-9167-3AA899ABD015} : DhcpNameServer = 202.96.134.133 202.96.128.166
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\9uqldack.default\
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 THREADACPI;THREAD Firmware Extension Device Driver;c:\windows\system32\drivers\THREADACPI.sys [2011-9-4 6912]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl2db308aa;MpKsl2db308aa;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\MpKsl2db308aa.sys [2011-12-7 29904]
R2 KaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\KaraokeSer.exe [2011-11-1 88688]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2011-10-13 1720928]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-30 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-30 136176]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-11-1 2805744]
S4 ahcix86;ahcix86;c:\windows\system32\drivers\ahci8086.sys [2008-6-3 176136]
S4 iaStor5;Intel RAID Controller;c:\windows\system32\drivers\iastor5.sys [2008-1-23 874624]
S4 iaStor6;Intel AHCI Controller 6;c:\windows\system32\drivers\iastor6.sys [2008-1-23 250368]
S4 iaStor7;Intel AHCI Controller 7;c:\windows\system32\drivers\iastor7.sys [2008-1-23 308248]
S4 m5228;m5228;c:\windows\system32\drivers\m5228.sys [2008-1-23 45069]
S4 m5281;m5281;c:\windows\system32\drivers\m5281.sys [2008-1-23 51072]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2008-1-23 103680]
S4 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2008-1-23 210304]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2008-1-23 52480]
S4 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\si3112r.sys [2008-1-23 102528]
S4 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2008-1-23 68864]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-1-23 17968]
.
=============== File Associations ===============
.
chm.file=hh.exe %1
.
=============== Created Last 30 ================
.
2011-12-07 18:24:34 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\MpKsl2db308aa.sys
2011-12-07 18:24:29 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\offreg.dll
2011-12-06 20:22:46 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{485d2aa5-76d1-4dd6-88f7-322ba3c51664}\mpengine.dll
2011-12-06 20:13:50 -------- d-----w- c:\documents and settings\administrator\application data\OpenOffice.org
2011-12-03 01:26:11 -------- d-----w- c:\windows\pss
2011-12-02 18:51:43 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-02 18:51:41 -------- d-----w- c:\program files\Trend Micro
2011-12-02 00:25:30 -------- dc-h--w- c:\windows\ie8
2011-12-02 00:19:09 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-12-01 18:51:34 758784 ----a-w- c:\windows\system32\dllcache\vgx.dll
2011-11-30 23:58:28 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-11-30 23:58:24 2686976 ----a-w- c:\windows\system32\ig4dev32.dll
2011-11-30 23:58:23 4104192 ----a-w- c:\windows\system32\ig4icd32.dll
2011-11-30 23:58:23 3829760 ----a-w- c:\windows\system32\igdumd32.dll
2011-11-30 23:58:23 257536 ----a-w- c:\windows\system32\igfxTMM.dll
2011-11-30 23:58:23 155648 ----a-w- c:\windows\system32\igfxCoIn_v1972.dll
2011-11-30 23:58:22 59392 ----a-w- c:\windows\system32\oemdspif.dll
2011-11-30 23:58:22 536576 ----a-w- c:\windows\system32\igdumdx32.dll
2011-11-30 23:58:22 4805120 ----a-w- c:\windows\system32\drivers\igdkmd32.sys
2011-11-30 22:09:57 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-30 21:56:04 24064 ----a-w- c:\windows\system32\pidgen.dll.wga
2011-11-30 21:56:04 24064 ----a-w- c:\windows\system32\dllcache\pidgen.dll
2011-11-30 21:56:04 102912 ----a-w- c:\windows\system32\dpcdll.dll.wga
2011-11-30 21:56:04 102912 ----a-w- c:\windows\system32\dllcache\dpcdll.dll
2011-11-30 21:00:45 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-11-30 20:19:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-30 20:07:09 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
2011-11-30 20:03:00 -------- d-----w- c:\program files\CCleaner
2011-11-30 19:55:41 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2011-11-30 19:53:15 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-11-30 19:52:56 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-11-30 19:51:11 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2011-11-30 19:50:10 -------- d-----w- c:\windows\ie8updates
2011-11-30 19:49:55 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-11-30 19:49:55 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-11-30 19:49:54 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-11-30 01:20:35 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-11-30 01:20:30 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-11-30 01:20:15 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-11-30 01:20:15 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-11-30 01:20:15 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-11-30 01:19:46 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-30 01:19:34 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-11-30 01:19:13 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-11-30 01:15:13 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-11-29 17:03:31 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-11-29 17:00:21 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-11-29 16:59:58 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-29 16:59:56 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-11-29 16:59:48 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-11-29 16:51:38 293376 ------w- c:\windows\system32\browserchoice.exe
2011-11-29 16:46:16 -------- d-----w- c:\program files\Foxit Software
2011-11-29 16:43:17 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-29 16:42:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-29 16:42:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-29 16:40:23 -------- d-----w- c:\program files\OpenOffice.org 3.3 (en-GB) Installation Files
2011-11-29 16:40:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-11-29 16:40:04 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2011-11-29 16:39:32 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-29 16:31:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-29 16:08:59 -------- d--h--w- c:\windows\$hf_mig$
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 03:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 03:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 03:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 18:33:59.21 ===============
 


higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-07 19:34:25
-----------------------------
19:34:25.062 OS Version: Windows 5.1.2600 Service Pack 3
19:34:25.062 Number of processors: 2 586 0x1C0A
19:34:25.062 ComputerName: PC-201008121243 UserName: Administrator
19:34:25.281 Initialize success
19:39:37.281 AVAST engine defs: 11120701
19:41:38.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:41:38.421 Disk 0 Vendor: CSD_CAZ250SF ________ Size: 238475MB BusType: 3
19:41:40.546 Disk 0 MBR read successfully
19:41:40.562 Disk 0 MBR scan
19:41:40.609 Disk 0 unknown MBR code
19:41:40.625 Disk 0 scanning sectors +488392065
19:41:40.703 Disk 0 scanning C:\WINDOWS\system32\drivers
19:41:49.562 Service scanning
19:41:49.843 Service MpKsl2db308aa C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{485D2AA5-76D1-4DD6-88F7-322BA3C51664}\MpKsl2db308aa.sys **LOCKED** 32
19:41:50.484 Modules scanning
19:41:59.187 Disk 0 trace - called modules:
19:41:59.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:41:59.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a397ab8]
19:41:59.281 3 CLASSPNP.SYS[ba0c8fd7] -> nt!IofCallDriver -> \Device\00000065[0x8a39d510]
19:41:59.328 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a3b7940]
19:41:59.703 AVAST engine scan C:\WINDOWS
19:42:01.531 File: C:\WINDOWS\newrun.exe **INFECTED** Win32:Trojan-gen
19:42:03.109 AVAST engine scan C:\WINDOWS\system32
19:43:36.484 AVAST engine scan C:\WINDOWS\system32\drivers
19:43:48.671 AVAST engine scan C:\Documents and Settings\Administrator
19:44:17.312 AVAST engine scan C:\Documents and Settings\All Users
19:44:21.765 Scan finished successfully
19:44:21.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
19:44:21.984 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
 

jeffce

Malware Specialist
Joined
May 10, 2011
Messages
1,727
Hi higgs03,

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.
 

higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 109):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
0xB9F00000 nvrd32.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xBA0D8000 VolSnap.sys
0xB9EE8000 atapi.sys
0xB9ECB000 viamraid.sys
0xB9EB3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA0E8000 disk.sys
0xB9E93000 fltMgr.sys
0xB9E7C000 KSecDD.sys
0xBA338000 usbohci.sys
0xB9E58000 \WINDOWS\system32\DRIVERS\USBPORT.SYS
0xBA4C8000 kbdhid.sys
0xBA340000 \WINDOWS\system32\DRIVERS\HIDPARSE.SYS
0xB9DCB000 Ntfs.sys
0xB9D9E000 NDIS.sys
0xBA5B0000 THREADACPI.SYS
0xB9D84000 Mup.sys
0xBA0F8000 agp440.sys
0xBA168000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9131000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9114000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB8F71000 \SystemRoot\system32\DRIVERS\RT2860.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA178000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA560000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA564000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xBA728000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA188000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA568000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8F5A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA198000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8F49000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA400000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8F19000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5B4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8EF6000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8E98000 \SystemRoot\system32\DRIVERS\update.sys
0xBA584000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB756D000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB7549000 \SystemRoot\system32\drivers\portcls.sys
0xBA1E8000 \SystemRoot\system32\drivers\drmk.sys
0xBA258000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB0B52000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xBA5F6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6E2000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5F8000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA450000 \SystemRoot\System32\drivers\vga.sys
0xB0636000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xBA5FA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5FC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA458000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA460000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB6B25000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0603000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB05AA000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB055A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB0534000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB0512000 \SystemRoot\System32\drivers\afd.sys
0xBA288000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA298000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB0447000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB03D7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA2E8000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA468000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAF9A9000 \SystemRoot\System32\Drivers\usbvideo.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB8484000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA470000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA78C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xAD841000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xACB94000 \SystemRoot\system32\drivers\wdmaud.sys
0xACCE9000 \SystemRoot\system32\drivers\sysaudio.sys
0xAC59F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAC47F000 \SystemRoot\system32\DRIVERS\srv.sys
0xAC25E000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA4A8000 \??\C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2AD8B3BB-DA84-4AD2-AB84-0570D0C004A0}\MpKslb6b16ab0.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 34):
0 System Idle Process
4 System
660 C:\WINDOWS\system32\smss.exe
720 csrss.exe
744 C:\WINDOWS\system32\winlogon.exe
788 C:\WINDOWS\system32\services.exe
800 C:\WINDOWS\system32\lsass.exe
964 C:\WINDOWS\system32\svchost.exe
1012 svchost.exe
1052 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1088 C:\WINDOWS\system32\svchost.exe
1136 svchost.exe
1228 svchost.exe
1500 C:\WINDOWS\system32\spoolsv.exe
1804 C:\WINDOWS\explorer.exe
180 C:\Program Files\Common Files\Java\Java Update\jusched.exe
184 C:\Program Files\Microsoft Security Client\msseces.exe
328 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
364 C:\WINDOWS\system32\ctfmon.exe
496 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
580 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1344 C:\Program Files\OpenOffice.org 3\program\soffice.exe
1548 C:\Program Files\OpenOffice.org 3\program\soffice.bin
1680 svchost.exe
1708 C:\Program Files\Java\jre6\bin\jqs.exe
1660 C:\WINDOWS\system32\KaraokeSer.exe
2076 C:\WINDOWS\system32\svchost.exe
2348 C:\WINDOWS\system32\wuauclt.exe
2772 wmiprvse.exe
2940 alg.exe
3692 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3776 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3920 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2908 C:\Documents and Settings\Administrator\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000e`58160200 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000001c`b02b8600 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x0000002b`08410a00 (NTFS)

PhysicalDrive0 Model Number: CSDCAZ250SF, Rev:

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


Done!
 

jeffce

Malware Specialist
Joined
May 10, 2011
Messages
1,727
Hi higgs03,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------
 

higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
ComboFix 11-12-06.02 - Administrator 08/12/2011 0:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2038.1454 [GMT 0:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\QQ.vbs
c:\documents and settings\All Users\Start Menu\Programs\Startup\qq.vbs
c:\documents and settings\Default User\Start Menu\Programs\Startup\QQ.vbs
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\qq.vbs
c:\windows\system32\msconfig.exe
c:\windows\system32\Thumbs.db
.
c:\windows\system32\srsvc.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-08 00:13 . 2011-12-08 00:13 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\MpKsl2e9f8432.sys
2011-12-08 00:13 . 2011-12-08 00:13 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\offreg.dll
2011-12-07 23:42 . 2011-11-21 02:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\mpengine.dll
2011-12-06 20:13 . 2011-12-06 20:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2011-12-02 18:51 . 2011-12-02 18:51 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-02 18:51 . 2011-12-02 18:51 -------- d-----w- c:\program files\Trend Micro
2011-12-02 00:25 . 2011-12-02 00:26 -------- dc-h--w- c:\windows\ie8
2011-12-02 00:19 . 2011-11-21 02:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-01 18:51 . 2011-04-30 03:01 758784 ----a-w- c:\windows\system32\dllcache\vgx.dll
2011-11-30 23:58 . 2009-10-15 14:55 2686976 ----a-w- c:\windows\system32\ig4dev32.dll
2011-11-30 23:58 . 2009-10-15 15:35 155648 ----a-w- c:\windows\system32\igfxCoIn_v1972.dll
2011-11-30 23:58 . 2009-10-15 15:18 3829760 ----a-w- c:\windows\system32\igdumd32.dll
2011-11-30 23:58 . 2009-10-15 14:55 4104192 ----a-w- c:\windows\system32\ig4icd32.dll
2011-11-30 23:58 . 2009-10-15 14:41 257536 ----a-w- c:\windows\system32\igfxTMM.dll
2011-11-30 23:58 . 2009-10-15 15:18 4805120 ----a-w- c:\windows\system32\drivers\igdkmd32.sys
2011-11-30 23:58 . 2009-10-15 15:12 536576 ----a-w- c:\windows\system32\igdumdx32.dll
2011-11-30 23:58 . 2009-10-15 14:41 59392 ----a-w- c:\windows\system32\oemdspif.dll
2011-11-30 22:09 . 2011-11-30 22:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-30 21:56 . 2008-04-14 04:00 24064 ----a-w- c:\windows\system32\pidgen.dll.wga
2011-11-30 21:56 . 2008-04-14 04:00 102912 ----a-w- c:\windows\system32\dpcdll.dll.wga
2011-11-30 21:56 . 2008-04-13 09:11 102912 ----a-w- c:\windows\system32\dllcache\dpcdll.dll
2011-11-30 21:56 . 2008-04-13 09:11 24064 ----a-w- c:\windows\system32\dllcache\pidgen.dll
2011-11-30 21:00 . 2011-11-30 21:00 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-11-30 20:19 . 2011-12-02 19:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-30 20:07 . 2011-11-30 20:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-11-30 20:07 . 2011-11-30 20:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-11-30 20:03 . 2011-11-30 20:03 -------- d-----w- c:\program files\CCleaner
2011-11-30 20:02 . 2011-11-30 20:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-11-30 20:01 . 2011-11-30 20:02 -------- d-----w- c:\program files\Google
2011-11-30 19:55 . 2011-11-30 19:55 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-11-30 19:53 . 2011-11-30 19:53 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-30 19:52 . 2011-11-30 19:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-11-30 19:51 . 2011-08-16 10:45 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2011-11-30 19:49 . 2011-08-22 23:48 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-11-30 19:49 . 2011-08-22 23:48 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-11-30 19:49 . 2011-08-22 23:48 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-11-30 01:20 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-11-30 01:20 . 2010-08-16 08:45 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2011-11-30 01:20 . 2011-02-08 13:33 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-11-30 01:20 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-11-30 01:20 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-11-30 01:19 . 2011-07-15 13:29 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-30 01:19 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-11-30 01:19 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2011-11-30 01:18 . 2011-11-30 01:18 -------- d-----w- c:\program files\Common Files\Java
2011-11-30 01:15 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-11-29 17:03 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-11-29 17:00 . 2011-08-17 13:49 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-11-29 16:59 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-29 16:59 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-11-29 16:59 . 2010-06-14 07:41 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-11-29 16:51 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2011-11-29 16:46 . 2011-11-29 16:46 -------- d-----w- c:\program files\Foxit Software
2011-11-29 16:43 . 2011-11-29 16:43 -------- d-----w- c:\program files\OpenOffice.org 3
2011-11-29 16:42 . 2011-10-02 21:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-29 16:42 . 2011-10-02 18:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-29 16:41 . 2011-11-30 01:17 -------- d-----w- c:\program files\Java
2011-11-29 16:40 . 2011-02-17 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-11-29 16:40 . 2010-07-12 12:55 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2011-11-29 16:39 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-29 16:31 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-29 16:08 . 2011-12-02 18:06 -------- d--h--w- c:\windows\$hf_mig$
2011-11-29 15:47 . 2011-11-29 15:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2008-11-24 11:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 03:41 . 2011-09-26 03:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 03:41 . 2008-04-14 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 03:41 . 2008-04-14 04:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-21 04:04 . 2011-11-29 15:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-22 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-22 150552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 THREADACPI;THREAD Firmware Extension Device Driver;c:\windows\system32\drivers\THREADACPI.sys [04/09/2011 13:55 6912]
R1 MpKsl2e9f8432;MpKsl2e9f8432;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A3839531-EF4E-4C6D-BA54-0927DDEC571A}\MpKsl2e9f8432.sys [08/12/2011 00:13 29904]
R2 KaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\KaraokeSer.exe [01/11/2011 05:04 88688]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [13/10/2011 18:11 1720928]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2011 20:02 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2011 20:02 136176]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [01/11/2011 05:04 2805744]
S4 ahcix86;ahcix86;c:\windows\system32\drivers\ahci8086.sys [03/06/2008 08:01 176136]
S4 iaStor5;Intel RAID Controller;c:\windows\system32\drivers\iastor5.sys [23/01/2008 09:20 874624]
S4 iaStor6;Intel AHCI Controller 6;c:\windows\system32\drivers\iastor6.sys [23/01/2008 09:20 250368]
S4 iaStor7;Intel AHCI Controller 7;c:\windows\system32\drivers\iastor7.sys [23/01/2008 09:20 308248]
S4 m5228;m5228;c:\windows\system32\drivers\m5228.sys [23/01/2008 09:20 45069]
S4 m5281;m5281;c:\windows\system32\drivers\m5281.sys [23/01/2008 09:20 51072]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [23/01/2008 09:20 103680]
S4 m5288;m5288;c:\windows\system32\drivers\m5288.sys [23/01/2008 09:20 210304]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [23/01/2008 09:20 52480]
S4 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\si3112r.sys [23/01/2008 09:20 102528]
S4 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [23/01/2008 09:20 68864]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [23/01/2008 09:20 17968]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL2E9F8432
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-30 20:02]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-30 20:02]
.
2011-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-839522115-1957994488-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 17:02]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-839522115-1957994488-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-23 17:02]
.
2011-12-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 15:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.1112.me
uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9uqldack.default\
FF - prefs.js: browser.startup.homepage - www.google.ie
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-08 00:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-602162358-839522115-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,61,26,1a,e1,b2,91,47,ac,9b,1f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,61,26,1a,e1,b2,91,47,ac,9b,1f,\
.
Completion time: 2011-12-08 00:24:30
ComboFix-quarantined-files.txt 2011-12-08 00:24
.
Pre-Run: 54,816,256,000 bytes free
Post-Run: 54,875,656,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5F4CE5E712DDBCC78C9D59B55397ACB9
 

jeffce

Malware Specialist
Joined
May 10, 2011
Messages
1,727
Hi higgs03,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *srsvc.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 

higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
SystemLook 30.07.11 by jpshortstuff
Log created at 08:18 on 08/12/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "*srsvc.dll"
No files found.

-= EOF =-
 

jeffce

Malware Specialist
Joined
May 10, 2011
Messages
1,727
Hi higgs,

Let's re-run SystemLook...

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    srsvc.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 

higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
SystemLook 30.07.11 by jpshortstuff
Log created at 20:28 on 08/12/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "srsvc.dll"
No files found.

-= EOF =-
 

higgs03

Thread Starter
Joined
Dec 2, 2011
Messages
14
Internet Explorer seems to be working ok now. The home page is staying the same and when IE is set as default browser and you click on a link in a program it redirects you to the correct page. So not sure if all is ok now????
 

jeffce

Malware Specialist
Joined
May 10, 2011
Messages
1,727
Hi higgs,

So not sure if all is ok now????
No we still have some work to do. :)
-------------

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    Code:
    DDS::
    uStart Page = hxxp://www.1112.me
    uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
    uInternet Settings,ProxyServer = 0.0.0.0:80
    TCP: Interfaces\{EC1E7F15-E225-41DE-9167-3AA899ABD015} : DhcpNameServer = 202.96.134.133 202.96.128.166
    
    RegLock::
    [HKEY_USERS\S-1-5-21-602162358-839522115-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
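An added triage script (not from the thread, ComboFix or SystemLook) that parses the "Supplementary Scan" lines quoted in this post and flags the three things the CFScript targets: the hijacked start page, the bogus proxy and the non-local DNS servers. The sample lines are copied from the ComboFix log above; the allow-list of trusted start hosts is an assumption.

```python
"""Triage the ComboFix 'Supplementary Scan' lines quoted in this thread.

Added example, not part of the thread or of ComboFix: it reports the same
indicators the malware specialist put into CFScript.txt.
"""
import ipaddress
import re

# Sample input constructed from the ComboFix log posted in this thread.
SAMPLE_LINES = """\
uStart Page = hxxp://www.1112.me
uInternet Connection Wizard,ShellNext = hxxp://www.google.ie
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchAssistant = hxxp://www.google.com/ie
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\\{EC1E7F15-E225-41DE-9167-3AA899ABD015} : DhcpNameServer = 202.96.134.133 202.96.128.166
FF - prefs.js: browser.startup.homepage - www.google.ie
"""

# Assumed allow-list of start pages this user expects (hypothetical).
TRUSTED_START_HOSTS = {"www.google.ie", "www.google.com"}


def defang_to_host(url):
    """ComboFix writes 'hxxp' for 'http'; return only the host part, lower-cased."""
    url = re.sub(r"^hxxps?://", "", url.strip(), flags=re.I)
    return url.split("/")[0].lower()


def parse_supplementary(text):
    """Extract start page host, proxy string and every DHCP name server listed."""
    result = {"start_page": None, "proxy": None, "dns": []}
    for line in text.splitlines():
        if line.startswith("uStart Page"):
            result["start_page"] = defang_to_host(line.split("=", 1)[1])
        elif "ProxyServer" in line:
            result["proxy"] = line.split("=", 1)[1].strip()
        elif "DhcpNameServer" in line:
            # Several servers can appear on one line, separated by spaces.
            result["dns"].extend(line.split("=", 1)[1].split())
    return result


def findings(parsed):
    """Turn the parsed settings into the list of things worth cleaning up."""
    out = []
    if parsed["start_page"] and parsed["start_page"] not in TRUSTED_START_HOSTS:
        out.append(f"start page hijacked: {parsed['start_page']}")
    if parsed["proxy"]:
        # A user-level proxy on a home netbook is unexpected; 0.0.0.0:80 is bogus.
        out.append(f"proxy configured: {parsed['proxy']}")
    for server in parsed["dns"]:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            out.append(f"unparsable DNS server: {server}")
            continue
        # The router (192.168.1.1) is expected; public resolvers handed out by
        # DHCP on a home network deserve a second look.
        if not ip.is_private:
            out.append(f"non-local DNS server: {server}")
    return out


def triage(text):
    return findings(parse_supplementary(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```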
 