Need help with spyware/malware

mark_sch · 01-08-2012, 11:21 AM

My computer seems to still have a problem after removing malware with Malwarebytes. It seems to be busy even when no programs are running. Automatic updates gets turned off. Malwarebytes program is blocking "access to a potentially malicious website: 206.161.121.3 outgoing". My sound will quit working while machine is idle. I have already run the dds scan.

**chemist** · 01-12-2012, 07:44 AM

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------

mark_sch · 01-12-2012, 05:26 PM

I do have slipstream disk with SP2 i believe. Attached are the files you need I hope. Thanks for helping.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Run by Mark at 13:52:32 on 2012-01-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.250 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://flvtubesearch.co/?tmp=toolbar_FlvTube_homepage&prt=flvtubetb04ie&clid=51bed044a2544b27918d8747e16c9ea5
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [HLBackupScheduler] c:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 3600-4600 series\ezprint.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Alcmtr] ALCMTR.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mark\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{03303BB0-945E-47BC-8E22-BBD1525D5B0B} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D4F1AB67-9052-46DE-8373-6C94857E5012} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mark\application data\mozilla\firefox\profiles\hehe5zgv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo-FlvTube
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://flvtubesearch.co/?prt=02ff&clid=&subid=&Keywords=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HBLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl02c2f090;MpKsl02c2f090;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0b1f6497-cd34-4009-a7b2-f84f181990e9}\mpksl02c2f090.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0b1f6497-cd34-4009-a7b2-f84f181990e9}\MpKsl02c2f090.sys [?]
R1 MpKsl4d0af548;MpKsl4d0af548;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0b1f6497-cd34-4009-a7b2-f84f181990e9}\mpksl4d0af548.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0b1f6497-cd34-4009-a7b2-f84f181990e9}\MpKsl4d0af548.sys [?]
R1 MpKsla6f2b5e0;MpKsla6f2b5e0;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdddeba8-554e-4377-9e57-b8a259a39bc0}\MpKsla6f2b5e0.sys [2012-1-8 29904]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2011-3-20 98984]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-31 652872]
R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-4-26 223088]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-31 20464]
S1 MpKsl4ab67024;MpKsl4ab67024;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{649b8b82-7788-412d-b332-5446679e6dea}\mpksl4ab67024.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{649b8b82-7788-412d-b332-5446679e6dea}\MpKsl4ab67024.sys [?]
S1 MpKsl4fd701b3;MpKsl4fd701b3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{649b8b82-7788-412d-b332-5446679e6dea}\mpksl4fd701b3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{649b8b82-7788-412d-b332-5446679e6dea}\MpKsl4fd701b3.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
.
=============== Created Last 30 ================
.
2012-01-08 18:38:28 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdddeba8-554e-4377-9e57-b8a259a39bc0}\MpKsla6f2b5e0.sys
2012-01-08 18:38:11 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdddeba8-554e-4377-9e57-b8a259a39bc0}\offreg.dll
2012-01-08 18:38:06 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdddeba8-554e-4377-9e57-b8a259a39bc0}\mpengine.dll
2012-01-07 03:01:59 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-07 03:01:59 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-07 03:01:58 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-07 03:01:58 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-05 00:28:48 -------- d-----w- c:\program files\CodeStuff
2012-01-02 19:27:33 5886 ----a-w- c:\documents and settings\all users\SPLCE.tmp
2011-12-31 17:45:06 -------- d-----w- c:\documents and settings\mark\application data\Malwarebytes
2011-12-31 17:44:52 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-31 17:44:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 17:44:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 03:31:15 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-12-26 15:03:49 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-26 14:54:44 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-18 17:56:32 36632 ----a-w- c:\documents and settings\all users\SPLBB.tmp
.
==================== Find3M ====================
.
2011-11-18 00:22:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 23:09:37 7168 ----a-w- c:\windows\system32\0.07842418165061693.exe
2011-11-16 23:05:37 6886 ----a-w- c:\windows\system32\0.6227328381581145.exe
2011-11-16 23:05:18 7168 ----a-w- c:\windows\system32\0.7342712083227625.exe
2011-11-16 23:05:13 7168 ----a-w- c:\windows\system32\0.778519560124772.exe
2011-10-24 15:16:42 602112 ----a-w- c:\windows\system32\xvid.dll
2011-10-16 21:47:06 36546 ----a-w- c:\documents and settings\all users\SPL16.tmp
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: ST3250820AS rev.3.ADG -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8640B49F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86412728]; MOV EAX, [0x8641289c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8678CAB8]
3 CLASSPNP[0xF7665FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000064[0x867A68A8]
5 ACPI[0xF74FC620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86721D98]
\Driver\atapi[0x8642C218] -> IRP_MJ_CREATE -> 0x8640B49F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8640B2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:54:42.90 ===============

**chemist** · 01-12-2012, 06:53 PM

Hello mark_sch.

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.
When asked to download latest Avast! virus definitions, please choose No
Click the Scan button to start scan.
Wait until it says, 'Scan finished successfully'. ( Note - do not select any Fix at this time)
Click Save log, and save it to your desktop.
Click Exit.
Please post the contents of that log, aswMBR.txt, in your next reply.

There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

------------------------------------------------------

mark_sch · 01-13-2012, 09:08 PM

The file "MBR.dat" did not appear on the desktop. The text file is attached.

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-13 23:53:59
-----------------------------
23:53:59.575 OS Version: Windows 5.1.2600 Service Pack 3
23:53:59.575 Number of processors: 2 586 0xF02
23:53:59.607 ComputerName: MARK-8B81B92A31 UserName: Mark
23:54:03.810 Initialize success
23:54:42.450 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:54:42.450 Disk 0 Vendor: ST3250820AS 3.ADG Size: 238418MB BusType: 3
23:54:42.466 Device \Driver\atapi -> DriverStartIo 864392c6
23:54:42.497 Disk 0 MBR read successfully
23:54:42.513 Disk 0 MBR scan
23:54:42.529 Disk 0 TDL4@MBR code has been found
23:54:42.544 Disk 0 Windows XP default MBR code found via API
23:54:42.560 Disk 0 MBR hidden
23:54:42.560 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
23:54:42.591 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
23:54:42.607 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228129 MB offset 21069824
23:54:42.622 Disk 0 MBR [TDL4] **ROOTKIT**
23:54:42.638 Disk 0 trace - called modules:
23:54:42.654 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8643949f]<<
23:54:42.700 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86707ab8]
23:54:42.779 3 CLASSPNP.SYS[f7665fd7] -> nt!IofCallDriver -> \Device\00000062[0x867a5bd0]
23:54:42.872 5 ACPI.sys[f74fc620] -> nt!IofCallDriver -> [0x86709940]
23:54:42.950 \Driver\atapi[0x86456c90] -> IRP_MJ_CREATE -> 0x8643949f
23:54:43.044 Scan finished successfully
23:55:15.497 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mark\Desktop\MBR.dat"
23:55:15.716 The log file has been saved successfully to "C:\Documents and Settings\Mark\Desktop\aswMBR.txt"

**chemist** · 01-13-2012, 09:55 PM

Hello again, mark_sch.

Open Notepad and copy/paste the entire contents of the quotebox into Notepad:

Quote:

@echo off
if exist log.txt del /s/q log.txt
dir /a /s "c:\mbr.dat" > log.txt
notepad log.txt
del %0

Save this Notepad file as check.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on check.bat and allow it to run. Please be patient. A Notepad file will open. Post its contents in your next reply.

------------------------------------------------------

mark_sch · 01-14-2012, 10:37 AM

Volume in drive C has no label.
Volume Serial Number is E4F4-FA26

Is this what you are looking for?

**chemist** · 01-14-2012, 11:55 AM

Hello again, mark_sch. Yes, thanks. Weird why the tool isn't making a backup. We can do it manually.

Go Start > Run and copy/paste the following into the Run box and click OK:

MBR -c 0 1 c:\Backup_MBR.dat

Navigate to c:\Backup_MBR.dat

then right-click Backup_MBR.dat > Send To > Compressed (zipped) Folder

This will create c:\Backup_MBR.zip

Please attach that zipped folder to your next reply.

------------------------------------------------------

mark_sch · 01-14-2012, 12:34 PM

Well, I tried that but I get an error message immediately: Windows cannot find 'MBR' check spelling....

**chemist** · 01-14-2012, 01:01 PM

Hello again, mark_sch. Sorry, I forgot I hadn't run ComboFix yet.

Download mbr.exe from here and save it to your desktop.

Go Start > Run and copy/paste the following into the Run box and click OK:

"%userprofile%\desktop\MBR.exe" -c 0 1 c:\Backup_MBR.dat

Navigate to c:\Backup_MBR.dat

then right-click Backup_MBR.dat > Send To > Compressed (zipped) Folder

This will create c:\Backup_MBR.zip

Please attach that zipped folder to your next reply.

------------------------------------------------------

mark_sch · 01-14-2012, 02:29 PM

Okay, got it.

**chemist** · 01-14-2012, 03:27 PM

Run aswMBR.exe again and click the Scan button.

Upon completion of the scan, click the Fix button. Wait for the tool to report 'Infection fixed successfully', and reboot when prompted.

After rebooting, run aswMBR.exe again and click the Scan button.

Upon completion of the scan, click Save log and post the contents of the aswMBR.txt in your next reply.

------------------------------------------------------

mark_sch · 01-14-2012, 05:20 PM

When I run MBR.exe the run box comes up momentarily and disappears.

mark_sch · 01-14-2012, 05:24 PM

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: ST3250820AS rev.3.ADG -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

error: Read A device attached to the system is not functioning.
0x1 sector(s) have been successfully saved to "c:\Backup_MBR.dat".

**chemist** · 01-14-2012, 05:41 PM

We're running aswMBR, not MBR.

mark_sch · 01-14-2012, 06:16 PM

Sorry, asw was in my temp folder. here is the result of the second scan. I think we are getting somewhere.

**chemist** · 01-14-2012, 06:36 PM

Hello again, mark_sch. Good job!

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:

Please click Yes to continue scanning for malware.
Your desktop may go blank. This is normal. It will return when ComboFix is done.
ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

mark_sch · 01-14-2012, 06:54 PM

I got the warning that AVG Anti-virus free edition 2012 is running, but it's not in the taskbar and not in installed programs. I uninstalled it when I installed MSE. Now what? Is it malware disguised as AVG?

**chemist** · 01-14-2012, 07:08 PM

Hello again, mark_sch.

Please follow these instructions for de-registering AVG:

**Note: Make sure you only delete AVG products.

Go Start > Run and copy/paste wbemtest into the Run box and click 'OK'.
Click 'Connect'.
Copy/paste root\securitycenter into the box and click 'Connect'.
Click 'Query'.
Copy/paste SELECT * FROM AntiVirusProduct under 'Enter Query' and click 'Apply'.
If there is more than one result, it means there is more than one Antivirus program registered.
Double-click on each result to view the properties for that Antivirus product.
Identify the product(s) registered by scrolling down to 'companyName' then click 'Close'.
In the 'Query Result' window, click 'Delete' for any Antivirus software that is no longer installed.
Click 'Close', then 'Exit'.

------------------------------------------------------

Do a search for AVG then right-click and delete any AVG folder you find. Try ComboFix again. Let me know.

------------------------------------------------------

mark_sch · 01-14-2012, 07:48 PM

Okay, I did it.
I re-enabled MSE but not Malwarebytes.

ComboFix 12-01-13.05 - Mark 01/14/2012 22:21:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.349 [GMT -5:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\SPL16.tmp
c:\documents and settings\All Users\SPL63.tmp
c:\documents and settings\All Users\SPLAD.tmp
c:\documents and settings\All Users\SPLBB.tmp
c:\documents and settings\All Users\SPLCE.tmp
c:\documents and settings\Mark\WINDOWS
C:\Install.exe
c:\windows\system32\0.07842418165061693.exe
c:\windows\system32\0.6227328381581145.exe
c:\windows\system32\0.7342712083227625.exe
c:\windows\system32\0.778519560124772.exe
c:\windows\system32\SET16C.tmp
c:\windows\system32\SET170.tmp
c:\windows\system32\SET171.tmp
c:\windows\system32\SET178.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 01:52 . 2012-01-15 01:52 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5A593E72-5563-4B51-A964-79DCB4D1A1D9}\MpKsl141286e0.sys
2012-01-15 01:52 . 2012-01-15 01:52 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5A593E72-5563-4B51-A964-79DCB4D1A1D9}\offreg.dll
2012-01-14 19:35 . 2011-11-21 07:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5A593E72-5563-4B51-A964-79DCB4D1A1D9}\mpengine.dll
2012-01-09 05:57 . 2012-01-09 05:57 -------- d-----w- C:\logs
2012-01-08 21:45 . 2012-01-08 21:47 -------- dc-h--w- c:\windows\ie8
2012-01-08 21:31 . 2012-01-08 21:31 -------- d-sh--w- c:\documents and settings\Mark\IECompatCache
2012-01-08 21:29 . 2012-01-08 21:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-08 21:28 . 2012-01-08 21:28 -------- d-sh--w- c:\documents and settings\Mark\IETldCache
2012-01-07 03:01 . 2012-01-07 03:01 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-07 03:01 . 2012-01-07 03:01 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-07 03:01 . 2012-01-07 03:01 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-07 03:01 . 2012-01-07 03:01 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-05 00:28 . 2012-01-05 00:28 -------- d-----w- c:\program files\CodeStuff
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-02 00:37 . 2012-01-02 00:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-12-31 17:45 . 2011-12-31 17:45 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2011-12-31 17:44 . 2011-12-31 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-31 17:44 . 2011-12-31 19:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-31 17:44 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 04:22 . 2011-12-31 04:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-28 03:31 . 2011-11-21 07:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-26 15:03 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-26 14:54 . 2011-12-26 14:55 -------- d-----w- c:\program files\Microsoft Security Client
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-14 22:26 . 2012-01-14 22:26 538 ----a-w- C:\Backup_MBR.zip
2011-11-18 00:22 . 2011-06-22 23:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 15:16 . 2011-10-24 15:16 602112 ----a-w- c:\windows\system32\xvid.dll
2012-01-07 03:02 . 2011-03-29 23:24 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-11-18 00:29 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2011-10-23 5013128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-02 16851456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"EzPrint"="c:\program files\Lexmark 3600-4600 Series\ezprint.exe" [2008-06-13 107176]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-28 273544]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\WINDOWS\\system32\\lxdxcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\ezprint.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\Program Files\\Verizon V CAST Media Manager\\verizon.exe"=
.
R1 MpKsl141286e0;MpKsl141286e0;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5A593E72-5563-4B51-A964-79DCB4D1A1D9}\MpKsl141286e0.sys [1/14/2012 8:52 PM 29904]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [3/20/2011 12:37 PM 98984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/31/2011 12:44 PM 652872]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [4/26/2011 3:23 PM 223088]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/31/2011 12:44 PM 20464]
S1 MpKsl4ab67024;MpKsl4ab67024;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{649B8B82-7788-412D-B332-5446679E6DEA}\MpKsl4ab67024.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{649B8B82-7788-412D-B332-5446679E6DEA}\MpKsl4ab67024.sys [?]
S1 MpKsl4fd701b3;MpKsl4fd701b3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{649B8B82-7788-412D-B332-5446679E6DEA}\MpKsl4fd701b3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{649B8B82-7788-412D-B332-5446679E6DEA}\MpKsl4fd701b3.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 9:08 PM 135664]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL141286E0
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 02:08]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 02:08]
.
2012-01-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-01-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-688789844-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2012-01-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-688789844-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2012-01-15 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-11-18 00:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flvtubesearch.co/?tmp=toolbar_FlvTube_homepage&prt=flvtubetb04ie&clid=51bed044a2544b27918d8747e16c9ea5
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\hehe5zgv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo-FlvTube
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://flvtubesearch.co/?prt=02ff&clid=&subid=&Keywords=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Install Manager - c:\program files\Install Manager\InstallManager.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-14 22:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-01-14 22:34:51
ComboFix-quarantined-files.txt 2012-01-15 03:34
.
Pre-Run: 220,147,662,848 bytes free
Post-Run: 222,321,721,344 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B2BE04F9F0D0371A02A3AB0536C313B1