This is my stepson's computer and I am completely baffled. I have been working on this all weekend (since yesterday anyhow) and just seem to be getting nowhere.
I believe this is all of the info you need to start according to here:
http://forums.malwar...?showtopic=9573
I work 2 jobs, so I might not be able to do things right away, so please let me know if that is going to be a problem.
I have to upload this from my computer because the infected one blocks your site when I try to upload from there.
Thank You,
Willd
MBAM LOG:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5394
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/25/2010 2:51:57 PM
mbam-log-2010-12-25 (14-51-57).txt
Scan type: Quick scan
Objects scanned: 169944
Time elapsed: 19 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JP595IR86O (Trojan.FraudPack) -> Value: JP595IR86O -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\Temp\Oz1.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Oz0.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Oz2.exe (Trojan.FraudPack) -> Delete on reboot.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
DDS:
DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 19:10:55.34 on Sat 12/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.177 [GMT -6:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uSearchAssistant =
mSearchAssistant =
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DW6]
uRun: [dejfphmx] c:\docume~1\owner\locals~1\temp\uubicvqdq\jqwvkdiaffm.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [BearShare] "c:\program files\bearshare\BearShare.exe" /pause
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: live.com\onecare
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://albertsons.coupons.smartsource.com/download/cscmv5X.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293234691093
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S0 adwikxd;adwikxd;c:\windows\system32\drivers\bekr.sys --> c:\windows\system32\drivers\bekr.sys [?]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-11-16 267568]
=============== Created Last 30 ================
2010-12-25 23:56:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-25 23:56:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-25 18:14:13 -------- d-----w- C:\ee6b30a673b1b541293562ab4ca0d8
2010-12-25 16:30:55 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-12-25 16:30:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-25 16:30:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-25 04:20:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-25 04:20:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-25 03:19:08 -------- d-----w- c:\program files\Loaris
2010-12-25 00:16:48 -------- d--h--w- c:\program files\WindowsUpdate
2010-12-25 00:12:38 -------- d-----w- c:\docume~1\owner\applic~1\ElevatedDiagnostics
2010-12-24 23:26:57 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\FixItCenter
2010-12-24 23:25:07 -------- d-----w- c:\windows\MATS
2010-12-24 23:25:04 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-12-24 22:32:59 76800 ------w- c:\windows\system32\msshavmsg.dll
2010-12-24 22:26:08 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll
2010-12-24 22:24:32 19569 ----a-w- c:\windows\002788_.tmp
2010-12-24 22:18:32 -------- d-----w- c:\windows\EHome
2010-12-24 14:26:19 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2010-12-24 05:53:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-24 05:24:22 -------- d-----w- c:\windows\pss
2010-12-24 05:23:54 -------- d-----w- C:\0dd941d7f2610f30b7d323a55326
2010-12-24 05:23:53 -------- d-----w- C:\2aaeaeff91a25884dc00e8
2010-12-24 05:23:52 -------- d-----w- C:\487a6b61adb0c567cb
2010-12-24 05:23:50 -------- d-----w- C:\c6783c46a2fe735c7d298838b81471
2010-12-24 05:23:46 -------- d-----w- C:\70c4babbaf749f43a4
2010-12-24 04:18:40 -------- d-----w- C:\0219c6c091bc11352e6d91
2010-12-24 04:17:05 -------- d-----w- C:\5088597288c1ba94e3
2010-12-24 04:16:56 -------- d-----w- C:\893ffd6facbecd1bdae1
2010-12-24 04:16:45 -------- d-----w- C:\08156ec3aa9500a47e
2010-12-24 04:16:21 -------- d-----w- C:\571aaf439bdc918cee53a21c5ec8c032
2010-12-24 04:15:58 -------- d-----w- C:\3750f0569d0635b1411e1f2cb15517ac
2010-12-24 04:15:47 -------- d-----w- C:\57f3331fb5c8dbb83238abb4b325c9be
2010-12-24 04:14:32 -------- d-----w- C:\1fe66f0e39f02e4b019637a4df013928
2010-12-24 04:14:11 -------- d-----w- C:\31925ef44076c8c61d69
2010-12-24 04:13:58 -------- d-----w- C:\da0db74252d895d3143228
2010-12-24 04:13:55 -------- d-----w- C:\f43a6c60d2d752d174b3b450d2
2010-12-24 02:15:05 -------- d-----w- C:\718f3e9d89c2bd59606e
2010-12-24 02:14:53 -------- d-----w- C:\ce472f0a452fcd55f1a101c5f3af8b
2010-12-24 02:14:32 -------- d-----w- C:\13f53ddf082dc6787a140ba7
==================== Find3M ====================
2010-11-16 07:10:14 65328 ----a-w- c:\windows\apppatch\matsshim.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BB-22GUA0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-1f
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8336E446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x83374504]; MOV EAX, [0x83374580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x83341030]
3 CLASSPNP[0xF76FCFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007f[0x833D45B8]
5 ACPI[0xF7513620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x833D4770]
\Driver\atapi[0x832F39A8] -> IRP_MJ_CREATE -> 0x8336E446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP4T0L0-1f -> \??\IDE#DiskWDC_WD1600BB-22GUA0_____________________08.02D08#5&df90ce5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8336E292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 19:12:28.75 ===============