Deadly 66.230.188.67 virus

#26 19 Oct 2010 @ 19:22
Avira AntiVir is the best free AV available. Stay with it.
Ad-Aware is old technology that has not kept up with the times. Let it go.
Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using SpywareBlaster can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Use CCleaner to clean up temp and old files, use Malwarebytes' Anti-Malware and SUPERAntiSpyware to scan your computer, and then defrag on a regular basis.

Other than that, keep your nose clean and happy surfing :)

2oG
#27 17 Nov 2010 @ 8:04
Hello,
I am having the same issue as slub77 and funkk. I keep getting redirected to various pages whenever I click links; checking what it normally redirects me to, it goes to 66.230.188.67 and then to a different site. I ran a full Avast! scan and a full MalwareBytes scan, but links still keep getting redirected to various pages.

Then I followed what you suggested to funkk and ran ComboFix as you specified.
Here is the log file, combofix.txt, found on the computer. Please let me know if I still need to do anything else or whether ComboFix has rectified the problem. Thanks

----------------------------------------------------------------------------------------
ComboFix 10-11-16.05 - owner 17/11/2010 22:42:55.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.502.238 [GMT 11:00]
Running from: c:\documents and settings\owner\desktop\combofix.exe
Command switches used :: /killall
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system volume information\Microsoft . . . . Failed to delete
c:\system volume information\Microsoft\services.exe . . . . Failed to delete
c:\system volume information\Microsoft\smss.exe . . . . Failed to delete

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive2 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive3 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive4 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive2 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive3 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive4 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive5 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive6 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive7 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive8 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive9 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
.

2010-11-16 20:21 . 2010-11-16 20:21 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2010-11-16 20:21 . 2010-04-29 04:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 20:20 . 2010-11-16 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-16 20:20 . 2010-11-16 20:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-16 20:20 . 2010-04-29 04:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-15 21:50 . 2010-04-14 15:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-15 21:50 . 2010-04-14 15:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-15 21:50 . 2010-04-14 15:37 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-11-15 21:50 . 2010-04-14 15:37 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-11-15 21:50 . 2010-04-14 15:36 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-11-15 21:50 . 2010-04-14 15:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-15 21:50 . 2010-04-14 15:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-15 21:50 . 2010-04-14 15:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-15 21:50 . 2010-04-14 15:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-15 21:50 . 2010-04-14 15:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-15 21:49 . 2010-03-19 20:10 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2010-11-15 21:49 . 2010-04-14 15:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-11-15 21:49 . 2010-04-14 15:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-15 21:49 . 2010-11-15 21:49 -------- d-----w- c:\program files\Alwil Software
2010-11-15 21:49 . 2010-11-15 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-11-15 19:07 . 2010-11-15 19:07 -------- d-----w- c:\program files\Safari
2010-11-15 19:07 . 2010-11-15 19:07 -------- d-----w- c:\program files\Bonjour
2010-11-09 14:07 . 2010-11-15 01:23 -------- d-----w- c:\windows\system32\Dexter Screen Saver dir
2010-10-29 14:54 . 2010-10-29 14:54 657179 ----a-w- c:\windows\Condition Zero Uninstaller.exe
2010-10-29 14:49 . 2010-10-29 14:49 -------- d-----w- C:\Valve

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 02:59 . 2010-06-27 10:56 16184 ----a-w- c:\windows\system32\ROBoot.exe
.

------- Sigcheck -------

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\spoolsv.exe

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 15:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-04 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 06:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 01:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 11:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 04:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 10:23 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 04:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemProtector]
2010-10-05 02:59 10000184 ----a-w- c:\program files\Advanced System Optimizer 3\systemprotector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Q3Ademo\\quake3.exe"=
"c:\\Valve\\Condition Zero\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [16/11/2010 8:49 AM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [16/11/2010 8:50 AM 196048]
R0 hotcore;hotcore;c:\windows\system32\drivers\hotcore.sys [4/12/2009 12:06 PM 30820]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/06/2010 7:03 PM 691696]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [16/11/2010 8:50 AM 102736]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [16/11/2010 8:50 AM 297552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [16/11/2010 8:50 AM 162768]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [8/03/2005 7:46 PM 61440]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [27/06/2010 9:40 PM 239928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [16/11/2010 8:50 AM 19024]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [16/11/2010 8:49 AM 119200]
S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [27/06/2010 9:40 PM 6656]
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]

2010-11-17 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-05-25 12:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://g.live.com/9uxp9en-us/hpg_lnk2
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {A75224EB-83FC-4A72-B393-E03B017EF1FE} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\oidocpx1.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2010\bdagent.exe
MSConfigStartUp-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2010\IEShow.exe
MSConfigStartUp-Google Update - c:\documents and settings\owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-{835FBE3E-57D2-BDB6-FE6A-58FBB8030F06} - c:\documents and settings\owner\Application Data\Qivuid\caawh.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-17 23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D44446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82d4a504]; MOV EAX, [0x82d4a580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x82D35908]
3 CLASSPNP[0xF857605B] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> [0x82C718D0]
\Driver\atapi[0x82D285A0] -> IRP_MJ_CREATE -> 0x82D44446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x80; PUSH EAX; MOV EAX, 0x337; POP EAX; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x628; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82D44292
\Driver\atapi -> 0x82d861f8
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Internet Explorer\iexplore.exe
c:\system volume information\Microsoft\services.exe
c:\system volume information\Microsoft\smss.exe
.
**************************************************************************
.
Completion time: 2010-11-17 23:08:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-17 12:08
ComboFix2.txt 2010-07-04 06:40

Pre-Run: 33,667,829,760 bytes free
Post-Run: 33,662,070,784 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F766F5762499471F2B805E3DC5185E5E
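The Gmer section of the log above reports "user != kernel MBR": the bootkit filters disk reads so that a user-mode read of sector 0 returns a clean-looking MBR while the kernel, reading below the hooked atapi driver, sees the real one. The following is an added example, not code from the thread, from ComboFix or from Gmer's mbr.exe. It implements that comparison principle in plain Python: parse two 512-byte views of the MBR, diff the bootstrap code, disk signature and partition table, and measure the unpartitioned tail of the disk that an analyst would want to inspect next. The two sectors, the partition layout and the disk size are constructed sample data, and the function names are this example's own.

```python
"""Added example: user-mode vs kernel-mode MBR comparison (constructed data).

Not the code of any tool mentioned in the thread. On a real system the two
views would come from a user-mode CreateFile/ReadFile of \\.\PhysicalDrive0 and
from a read issued below the disk driver; here both are built in memory.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440            # bootstrap code; bytes 440..443 hold the disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue      # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "lba_count": lba_count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": partitions}


def compare_views(user_view: bytes, kernel_view: bytes) -> list:
    """Return the differences between the user-mode and kernel-mode MBR.

    A clean disk returns []. A filtering bootkit typically leaves the
    partition table intact and hides only its replaced bootstrap code.
    """
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    findings = []
    if u["code_sha256"] != k["code_sha256"]:
        findings.append("bootstrap code differs between user and kernel reads")
    if u["disk_signature"] != k["disk_signature"]:
        findings.append("disk signature differs between user and kernel reads")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs between user and kernel reads")
    return findings


def unpartitioned_tail(mbr: dict, disk_sectors: int) -> int:
    """Sectors after the last partition that no partition claims.

    Heuristic only: a large tail is where a bootkit has room to store its
    own files outside the file system, so it is worth dumping and inspecting.
    """
    end = max((p["lba_start"] + p["lba_count"] for p in mbr["partitions"]),
              default=1)
    return max(disk_sectors - end, 0)


def build_mbr(code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR for the demonstration."""
    if len(code) > CODE_LEN:
        raise ValueError("bootstrap code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    sector[440:444] = b"\x11\x22\x33\x44"          # constructed disk signature
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed sample data. The code bytes are placeholders, not real loaders.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007cfb") + b"\x90" * 32
BOOTKIT_CODE = bytes.fromhex("33c08ed88ec08ed0bc007cbe007cbf0006b98000f3a5") + b"\x90" * 32
PARTS = [(0x80, 0x07, 63, 78124032)]               # one bootable NTFS partition
DISK_SECTORS = 78165360                            # constructed disk size

USER_VIEW = build_mbr(CLEAN_CODE, PARTS)           # what the filtered read shows
KERNEL_VIEW = build_mbr(BOOTKIT_CODE, PARTS)       # what is really on sector 0


def demo() -> list:
    return compare_views(USER_VIEW, KERNEL_VIEW)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("unpartitioned tail sectors:",
          unpartitioned_tail(parse_mbr(KERNEL_VIEW), DISK_SECTORS))
```

The comparison is only as good as the kernel-side read: if the second view is also obtained through the hooked driver, both copies match and the check is silent, which is why the tool in the log walks the disk driver's call chain before reading. Hashing the bootstrap code against a baseline taken from a trusted image of the same Windows version is the natural next step once a kernel read is available.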