Viruses, Spyware and other Nasties RSS Viruses, Spyware and other Nasties RSS

Browser redirects[thread moved]

Thread Solved
1 2 3

Join Date: Dec 2006
Posts: 913
Reputation: PhilliePhan will become famous soon enough PhilliePhan will become famous soon enough 
Solved Threads: 43
Moderator
PhilliePhan's Avatar
PhilliePhan PhilliePhan is offline Offline
Posting Shark
 
0
  #11
20 Days Ago
Originally Posted by ferrysb View Post
err... i'm not so sure, what the tools did to my system, did it remove something ?
I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP
Reply With Quote Quick reply to this message  
Join Date: Oct 2009
Posts: 12
Reputation: ferrysb is an unknown quantity at this point 
Solved Threads: 0
ferrysb ferrysb is offline Offline
Newbie Poster
 
0
  #12
20 Days Ago
Originally Posted by PhilliePhan View Post
I do not think so - that log is clean.... This is the first time I've seen the new version of GooredFix, so maybe I'm misreading it.

I had been leaning toward a rootkitted malware being responsible for the issues - Just wanted to cover all bases, hence GooredFix. Frankly, I'd still like to have a further look.

Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for me.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.

PP

seems you're correct.. now it still redirected my web...
I will do as you said tonight. and will get back to you if finished scanning.

Thanks for your help.
Reply With Quote Quick reply to this message  
Join Date: Dec 2006
Posts: 913
Reputation: PhilliePhan will become famous soon enough PhilliePhan will become famous soon enough 
Solved Threads: 43
Moderator
PhilliePhan's Avatar
PhilliePhan PhilliePhan is offline Offline
Posting Shark
 
0
  #13
20 Days Ago
Originally Posted by ferrysb View Post
seems you're correct.. now it still redirected my web...
I will do as you said tonight. and will get back to you if finished scanning.
Thanks for your help.
Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP
Reply With Quote Quick reply to this message  
Join Date: Oct 2009
Posts: 12
Reputation: ferrysb is an unknown quantity at this point 
Solved Threads: 0
ferrysb ferrysb is offline Offline
Newbie Poster
 
0
  #14
19 Days Ago
Originally Posted by PhilliePhan View Post
Happy to try to help!

There seem to be a lot of different variations of this redirecting malware going around these days. Usually MBAM will detect and remove some of the rootkit components, but I didn't see any in your log. Perhaps it is something new?

Let's see what the GMER scanlog has to say.

PP

Hi Hi, below is my log for GMER. I run it with no internet connection, and my antivirus is disabled.
Pls help to check.
Thanks.
Thanks.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-05 04:57:21
Windows 5.1.2600 Service Pack 2
Running: 2pe32u84.exe; Driver: C:\DOCUME~1\FSANTO~1\LOCALS~1\Temp\kfryypoc.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRectEx] [1002DE60] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AdjustWindowRect] [1002DED0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowLongA] [1002DEF0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [10001D00] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WININET.dll [USER32.dll!SetWindowLongA] [1002DEF0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [10001D20] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [10001D50] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [10001CE0] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
IAT C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[3224] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [10001050] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

Device \Driver\iaStor \Device\Ide\iaStor0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9EAAD24] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Reply With Quote Quick reply to this message  
Join Date: Dec 2006
Posts: 913
Reputation: PhilliePhan will become famous soon enough PhilliePhan will become famous soon enough 
Solved Threads: 43
Moderator
PhilliePhan's Avatar
PhilliePhan PhilliePhan is offline Offline
Posting Shark
 
0
  #15
19 Days Ago
Originally Posted by ferrysb View Post
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
That log looks OK other than the above. Let's look at this one further:

Please go here ---> http://virusscan.jotti.org/ and use the Browse Button at the top of the page to navigate to C:\WINDOWS\system32\drivers\iaStor.sys and Upload it for analysis.
Let me know what you find.

This seems familiar to me - I think I've seen it before.....

PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP
Reply With Quote Quick reply to this message  
Join Date: Dec 2006
Posts: 913
Reputation: PhilliePhan will become famous soon enough PhilliePhan will become famous soon enough 
Solved Threads: 43
Moderator
PhilliePhan's Avatar
PhilliePhan PhilliePhan is offline Offline
Posting Shark
 
0
  #16
18 Days Ago
Originally Posted by PhilliePhan View Post
This seems familiar to me - I think I've seen it before.....
I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/comb...o-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP
Reply With Quote Quick reply to this message  
Join Date: Oct 2009
Posts: 12
Reputation: ferrysb is an unknown quantity at this point 
Solved Threads: 0
ferrysb ferrysb is offline Offline
Newbie Poster
 
0
  #17
18 Days Ago
Originally Posted by PhilliePhan View Post
I'm fairly certain that this is infected. It may not show in the scan, but if it has been modified, the latest Combofix should catch and replace it.


Let's go ahead and do this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix to your Desktop and run it:
http://www.bleepingcomputer.com/comb...o-use-combofix

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me and let me know if you are still being redirected. Also, I'd be interested in the Jotti results from my previous post.

Cheers
PP
wow, you really know a lot 'bout this
I Scanned using jotti's malware. And all of the scan found nothing on the file.

Will try using this combofix. And let you know the result.
Thanks.
Reply With Quote Quick reply to this message  
Join Date: Dec 2006
Posts: 913
Reputation: PhilliePhan will become famous soon enough PhilliePhan will become famous soon enough 
Solved Threads: 43
Moderator
PhilliePhan's Avatar
PhilliePhan PhilliePhan is offline Offline
Posting Shark
 
0
  #18
18 Days Ago
Originally Posted by ferrysb View Post
wow, you really know a lot 'bout this
I Scanned using jotti's malware. And all of the scan found nothing on the file.
Will try using this combofix. And let you know the result.
Thanks.
Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP
Reply With Quote Quick reply to this message  
Join Date: Oct 2009
Posts: 12
Reputation: ferrysb is an unknown quantity at this point 
Solved Threads: 0
ferrysb ferrysb is offline Offline
Newbie Poster
 
0
  #19
18 Days Ago
Originally Posted by PhilliePhan View Post
Well . . . I don't know as much as I'd like to - these baddies are constantly changing. I think I've seen this file modified before and I know combofix will address it if that is the case, so we might as well give it a try.
Please post me the entire combofix log when it finishes its run.

PP
seems that iastor.sys is the bad guy.
now looks like it's not redirected. but let me test a bit more later on. below is the combofix log.
Thanks


ComboFix 09-11-04.05 - FSantoso4859 11/06/2009 0:03.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1551 [GMT 8:00]
Running from: c:\documents and settings\FSantoso4859\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-790525478-1958367476-682003330-1003
c:\recycler\S-1-5-21-790525478-1958367476-682003330-500
c:\windows\run.log
c:\windows\system32\1028x.exe
c:\windows\system32\3937169366.dat
c:\windows\system32\440199740.dat
c:\windows\system32\ac3acmq.exe
c:\windows\system32\accesshw.exe
c:\windows\system32\ahuiu.exe
c:\windows\system32\Cache
c:\windows\Temp\1185792423.exe
c:\windows\Temp\181391922.exe
c:\windows\Temp\2741779961.exe

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMADMINHKHKG-SXF4859N1-SQL
-------\Legacy_DMSERVERHKHKG-SXF4859N1-SQL
-------\Legacy_LANMANSERVERCOMSYSAPP
-------\Legacy_RDSESSMGRLANMANWORKSTATION
-------\Legacy_SPOOLERHKHKG-SXF4859N1-CLASSIC
-------\Legacy_UPSSAMSS
-------\Service_dmadminHKHKG-SXF4859N1-SQL
-------\Service_dmserverHKHKG-SXF4859N1-SQL
-------\Service_lanmanserverCOMSysApp
-------\Service_RDSessMgrlanmanworkstation
-------\Service_SpoolerHKHKG-SXF4859N1-CLASSIC
-------\Service_UPSSamSs


((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 16:15 . 2009-11-05 16:15 32 ------w- c:\windows\system32\440199740.dat
2009-11-05 15:58 . 2006-02-28 12:00 13952 -c--a-w- c:\windows\system32\dllcache\cbidf2k.sys
2009-11-05 15:58 . 2006-02-28 12:00 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-05 15:58 . 2004-08-03 14:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-05 12:33 . 2004-08-11 04:01 119864 ------w- c:\windows\system32\drivers\IpSecDrv.sys
2009-11-05 12:33 . 2004-08-11 05:22 61492 ------w- c:\windows\system32\cmondll.dll
2009-11-05 12:33 . 2004-08-11 05:22 28726 ------w- c:\windows\system32\SnPolicy.dll
2009-11-05 12:33 . 2004-08-11 05:22 188470 ------w- c:\windows\system32\IreComn.dll
2009-11-05 12:33 . 2004-07-30 05:20 521786 ------w- c:\windows\system32\drivers\Crypto.sys
2009-11-05 12:33 . 2004-07-30 05:20 90166 ------w- c:\windows\system32\IreSC.dll
2009-11-05 12:33 . 2004-07-30 05:19 335930 ------w- c:\windows\system32\IreCGX.dll
2009-11-05 12:33 . 2004-07-30 05:19 151612 ------w- c:\windows\system32\IreBase.dll
2009-11-05 12:33 . 2002-12-06 07:42 207120 ------r- c:\windows\system32\Msoss.dll
2009-11-05 12:32 . 2009-11-05 12:32 -------- d-----w- c:\program files\Juniper
2009-11-05 12:32 . 2004-08-11 05:22 323636 ------w- c:\windows\system32\IreMgmt.dll
2009-11-05 12:32 . 2002-12-06 07:42 78848 ------r- c:\windows\system32\soedber.dll
2009-11-05 12:32 . 2002-12-06 07:42 46080 ------r- c:\windows\system32\soedapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 23552 ------r- c:\windows\system32\ossapi.dll
2009-11-05 12:32 . 2002-12-06 07:42 16896 ------r- c:\windows\system32\ossdmem.dll
2009-11-05 12:32 . 2002-12-06 07:42 11264 ------r- c:\windows\system32\soedoid.dll
2009-11-05 12:32 . 2002-12-06 07:42 28160 ------r- c:\windows\system32\cstrain.dll
2009-11-05 12:32 . 2001-11-07 03:48 143360 ------w- c:\windows\system32\nsldap32v50.dll
2009-11-03 14:45 . 2009-11-03 14:45 21504 ----a-w- c:\windows\system32\tdlwsp.dll
2009-10-23 12:57 . 2009-10-23 12:57 -------- d-----w- c:\program files\WinSCP
2009-10-21 14:33 . 2009-10-21 14:33 -------- d-----w- c:\program files\LibUSB-Win32
2009-10-21 14:33 . 2007-03-20 03:33 28672 ----a-w- c:\windows\system32\drivers\libusb0.sys
2009-10-21 14:33 . 2007-03-20 03:33 43520 ----a-w- c:\windows\system32\libusb0.dll
2009-10-21 14:28 . 2009-10-21 14:30 -------- d-----w- c:\program files\QuickFreedom
2009-10-21 14:26 . 2009-10-21 14:26 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2009-10-21 14:26 . 2009-10-21 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\iPodtoComputer
2009-10-21 14:25 . 2008-06-15 02:01 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-10-21 14:25 . 2003-03-18 14:20 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-10-21 14:25 . 2003-03-18 13:14 499712 ----a-w- c:\windows\system32\MSVCP71.DLL
2009-10-21 14:25 . 2009-10-21 14:25 -------- d-----w- c:\program files\Cucusoft
2009-10-21 14:25 . 2009-10-21 14:25 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-10-21 14:23 . 2009-10-21 14:25 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\GetRightToGo
2009-10-21 14:22 . 2009-10-21 14:24 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-10-21 14:21 . 2009-10-21 14:21 -------- d-----w- c:\program files\Microsoft SDKs
2009-10-21 13:53 . 2009-10-21 13:53 175752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-21 13:53 . 2009-10-21 13:53 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-21 13:52 . 2009-10-21 13:52 -------- d-----w- c:\program files\Reference Assemblies
2009-10-21 13:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-21 13:51 . 2009-10-21 13:52 -------- d-----w- C:\36300c4706e967932a170e731a941f
2009-10-21 13:51 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-21 13:51 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-21 13:51 . 2009-10-21 13:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-17 14:00 . 2009-10-17 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-17 13:59 . 2009-10-17 13:59 836464 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-10-17 13:59 . 2009-10-17 13:59 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-17 13:59 . 2009-10-18 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-14 02:47 . 2007-02-12 09:46 3096576 ---ha-w- c:\documents and settings\FSantoso4859\Application Data\U3\temp\Launchpad Removal.exe
2009-10-12 03:23 . 2009-10-16 15:25 -------- d-----w- c:\program files\Millennium Trader 4
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 02:36 . 2009-10-09 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 02:36 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 02:36 . 2009-10-30 08:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 15:49 . 2008-03-20 05:16 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\uTorrent
2009-11-05 12:32 . 2009-10-05 15:39 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-11-05 03:42 . 2009-06-12 02:03 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\webex
2009-10-21 14:27 . 2008-03-18 09:37 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-21 14:27 . 2008-03-18 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 14:23 . 2008-03-18 10:30 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-21 14:03 . 2008-03-18 10:25 80120 ----a-w- c:\documents and settings\FSantoso4859\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 13:28 . 2008-03-18 10:45 -------- d-----w- c:\program files\FlashGet
2009-10-14 06:00 . 2008-04-29 04:37 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\U3
2009-10-14 02:18 . 2008-03-18 07:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-02 12:24 . 2009-10-02 12:23 -------- d-----w- c:\program files\Microsoft
2009-10-02 12:24 . 2009-10-02 12:24 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-13 14:44 . 2009-09-13 14:44 64796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-12 02:20 . 2008-11-02 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-12 02:18 . 2008-11-02 12:13 -------- d-----w- c:\documents and settings\FSantoso4859\Application Data\Apple Computer
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\program files\iTunes
2009-09-11 15:13 . 2009-09-11 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 15:12 . 2009-09-11 15:12 -------- d-----w- c:\program files\iPod
2009-09-11 15:12 . 2008-11-02 12:10 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 15:10 . 2009-09-11 15:09 -------- d-----w- c:\program files\QuickTime
2009-09-11 14:41 . 2009-09-11 14:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-08-28 11:42 . 2009-03-15 16:09 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 11:42 . 2008-11-02 12:22 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 03:04 . 2008-03-18 03:36 87643 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-08-16 09:42 . 2008-08-16 09:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 09:42 . 2008-08-16 09:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 09:42 . 2008-08-16 09:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 09:42 . 2008-08-16 09:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 09:43 . 2008-08-16 09:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 09:42 . 2008-08-16 09:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 09:42 . 2008-08-16 09:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 00:41 . 2008-05-21 00:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 00:41 . 2008-05-21 00:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 00:41 . 2008-05-21 00:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 05:58 . 2008-06-05 05:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 09:42 . 2008-08-16 09:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2006-02-28 12:00 . 2006-02-28 12:00 61952 --sh--r- c:\windows\system32\1037su.exe
.

------- Sigcheck -------

[7] 2006-02-28 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-14 49168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TrackPointSrv"="tp4mon.exe" - c:\windows\system32\tp4mon.exe [2004-08-04 82432]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-02-28 53760]

c:\documents and settings\FSantoso4859\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-8 245760]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 576104]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-18 50688]
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-11-5 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 14:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Navision\\Client\\Parsons\\Nav. Client 3.7b\\AtDebug.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 DataModem HSDPA.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Navision\\Installer\\NAV5SP1\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\5.0 SP1 NA\\DVD_Signed\\CsideClient\\program files\\Microsoft Dynamics NAV\\CSIDE Client\\AtDebug.exe"=
"c:\\Navision\\Installer\\NAV4\\AtDebug.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16272:TCP"= 16272:TCP:BitCometLite 16272 TCP
"16272:UDP"= 16272:UDP:BitCometLite 16272 UDP

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 18:32 19504]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [3/18/2008 17:11 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [3/18/2008 17:11 38528]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [11/5/2009 20:33 521786]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [6/3/2009 17:06 80936]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 22:10 11152]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [8/15/2008 11:11 36188]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [10/21/2009 22:33 28672]
S2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [11/5/2009 20:33 119864]
S2 RDSessMgrW3SVC;Remote Desktop Help Session Manager RDSessMgrW3SVC;c:\windows\system32\1037su.exe srv --> c:\windows\system32\1037su.exe srv [?]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [8/21/2008 20:04 98304]
S3 CAM1690;USB 2.0 Compliance JPEG Video Camera;c:\windows\system32\drivers\cam1690.sys [8/29/2007 12:01 153344]
S3 HeathDev;Application Server for Microsoft Dynamics NAV HeathDev;c:\navision\Application Server\nassql.exe [8/28/2009 10:17 1930360]
S3 HeathDev_2;Application Server for Microsoft Dynamics NAV HeathDev_2;c:\navision\Application Server 2\nassql.exe [8/28/2009 14:04 1930360]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/11/2009 23:24 42112]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/3/2007 23:12 202096]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ZSMC302;PLEOMAX PWC-3800;c:\windows\system32\Drivers\usbvm302.sys --> c:\windows\system32\Drivers\usbvm302.sys [?]
S4 HKHKG-SXF4859N1-CLASSIC;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-CLASSIC;c:\program files\Microsoft Dynamics NAV\Application Server\nas.exe [2/14/2008 16:50 1860728]
S4 HKHKG-SXF4859N1-SQL;Microsoft Dynamics NAV Application Server HKHKG-SXF4859N1-SQL;c:\program files\Microsoft Dynamics NAV\Application Server\nassql.exe [2/14/2008 16:51 1930360]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 07:01 2799808]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [1/13/2009 01:10 14976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-03-18 17:30]

2009-10-30 c:\windows\Tasks\Weekly Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 16:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: microsoft.com\mbs
FF - ProfilePath - c:\documents and settings\FSantoso4859\Application Data\Mozilla\Firefox\Profiles\papnscwi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://hk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-P2kAutostart - (no file)
AddRemove-HDMI - c:\windows\system32\igxpun.exe
AddRemove-HijackThis - c:\documents and settings\FSantoso4859\Desktop\xxxxx\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll

- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-05 0:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 16:30

Pre-Run: 18,721,177,600 bytes free
Post-Run: 19,121,467,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Reply With Quote Quick reply to this message  
Join Date: Dec 2006
Posts: 913
Reputation: PhilliePhan will become famous soon enough PhilliePhan will become famous soon enough 
Solved Threads: 43
Moderator
PhilliePhan's Avatar
PhilliePhan PhilliePhan is offline Offline
Posting Shark
 
0
  #20
18 Days Ago
Originally Posted by ferrysb View Post
seems that iastor.sys is the bad guy.
now looks like it's not redirected. but let me test a bit more later on. below is the combofix log.
Thanks
Happy to help

Let me know if you are still being redirected.

-- Looks to me as though you tried to clean this (or another infection) before posting here? Another typically infected file is missing....


Please do the following:

1) Click START > RUN > type cmd ENTER
At the command prompt, type ipconfig /flushdns and hit ENTER
-- Note there is a space between g <space> /

2) With the command prompt still open, type:
copy c:\windows\system32\dllcache\eventlog.dll c:\windows\system32\ and hit ENTER
You should get a message stating "1 file<s> copied."
-- Note there are spaces between copy <space> c:\ and .dll <space> c:\

3) Please Download ATF-Cleaner.exe by Atribune to the Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program.

Let me know how things are working and we can wrap this up.

Cheers
PP
Last edited by PhilliePhan; 18 Days Ago at 11:42 pm. Reason: Added info....
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP
Reply With Quote Quick reply to this message  
Reply
1 2 3

Quick Reply to Thread
This thread has been marked solved.
Perhaps start a new thread instead?
Message:



Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-malware anti-virussitesaccessissue antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit fake fancheckvirus gaming gtaiv gumblar halloween hijack hosting internet iphone kaspersky legal mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile parents patch phishing police policeprovirusmba-mblockedinternetaccess president pro problem redirect reliability report research risk rogueantivirus samhain sans school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC