PDA

View Full Version : Another Click.Giftload reappearing, MBR infected?



Cricket_Lover
2011-04-30, 03:57
Well, I got a drive-by while searching for Bluetooth drivers and, long story short, I suspect that I now have the TDSS rootkit on this computer's HD. As such, Windows is no longer permitted to connect to the network (without me monitoring traffic), and I have a SLAX CD going right now.

I have tried removing this, however, to no avail. I have done:
* MBAM scanning
* SpyBot scanning (finds Click.Giftload)
* ClamWin scanning
* ClamAV scanning
* Putting the HD into another XP box, and running Norton AV on it (found a few infected JARs in the Java cache for...LocalService?!
* Combofix (no script file supplied) (MS Recovery console installed)
* GMER scanning (no red text)
* Rootkit Buster
* SpyDLL Remover
* Tarballing the SYS32/Drivers dir, extracting on a clean PC, diffing the directories, and uploading any non-identical files from this box to VirusTotal, which only got false positives
* OTL
* HiJack This
* TDSSKiller

For ComboFix, OTL, HJT, TDSSKiller, and GMER, I used random file names.
TDSSKiller crashes at 80% of loading, which is why I suspect a MBR infection, from another thread here having the same problem.
If Windows runs for long enough, I get messages about some DLLs that are loaded not being valid Microsoft images (I am therefor running SLAX for the time being)

Additionally, I have the CrashOnCtrlScroll regkey in the registry, so, if need be, I can stop the kernel (and I have the system set up to do a full memory dump, just in case :) )

*End of manual message, log following*

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Chris at 16:59:35.91 on Fri 04/29/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.60 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\trashVir\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 127.0.0.1:80
uInternet Settings,ProxyOverride = <local>
BHO: AutorunsDisabled - No File
BHO: JQSIEStartDetectorImpl - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz0.dll
uRun: [Alcohol.bin Autorun] c:\program files\alcohol soft\alcohol 120\Alcohol.bin /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
StartupFolder: c:\documents and settings\chris\start menu\programs\startup\HousecallLauncher.exe
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301092235348
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: {0D4A2D8C-656A-4DD5-952D-B00B7108E1DE} = 209.18.47.61,8.8.8.8,76.85.229.110
TCP: {9F1F2845-F134-4581-9544-EDF6B8FCE59D} = 8.8.8.8
TCP: {F3AFB128-E668-4305-8A2D-4EF371CB4C14} = 209.18.47.61,209.18.47.62,8.8.8.8
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\9az0l1dr.default\
FF - plugin: c:\documents and settings\chris\application data\mozilla\firefox\profiles\9az0l1dr.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\chris\virtualcd\VCdRom.sys [2001-12-19 8576]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2002-8-8 11330]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2003-6-8 21922]
S2 AsUsbDrvXP;AsUsbDrvXP;c:\windows\system32\drivers\asusbdrvxp.sys --> c:\windows\system32\drivers\AsUsbDrvXP.sys [?]
S3 BTCOM;Bluetooth Serial port driver;c:\windows\system32\drivers\btcomport.sys --> c:\windows\system32\drivers\btcomport.sys [?]
S3 BTCOMBUS;Bluetooth Serial Port Bus Service;c:\windows\system32\drivers\btcombus.sys --> c:\windows\system32\drivers\btcombus.sys [?]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2010-9-1 29184]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2010-11-14 272128]
S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2010-8-28 176640]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
.
=============== Created Last 30 ================
.
2011-04-29 16:34:04 -------- d-----w- C:\trashVir
2011-04-19 04:17:26 -------- d-----w- c:\program files\Windows Imaging
2011-04-19 04:05:45 -------- d-----w- c:\program files\Windows AIK
2011-04-19 03:19:14 -------- d-----w- C:\SpybotBootCD
2011-04-19 01:44:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-19 01:44:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-19 01:27:49 -------- d-----w- c:\docume~1\chris\applic~1\Safer Networking
2011-04-19 01:24:36 -------- d-----w- c:\program files\Safer Networking
2011-04-19 00:02:56 -------- d-----w- c:\docume~1\chris\applic~1\Abine
2011-04-18 22:50:45 -------- d-sha-r- C:\cmdcons
2011-04-18 20:41:14 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
2011-04-18 20:41:14 106557 ----a-w- c:\windows\system32\btw_ci.dll
2011-04-18 20:41:13 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
2011-04-18 20:41:13 156816 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2011-04-18 20:41:12 991136 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2011-04-18 20:41:12 37160 ----a-w- c:\windows\system32\drivers\btport.sys
2011-04-18 20:41:11 534312 ----a-w- c:\windows\system32\drivers\btaudio.sys
2011-04-18 20:40:26 -------- d-----w- c:\program files\WIDCOMM
2011-04-18 19:54:27 98816 ----a-w- c:\windows\sed.exe
2011-04-18 19:54:27 89088 ----a-w- c:\windows\MBR.exe
2011-04-18 19:54:27 256512 ----a-w- c:\windows\PEV.exe
2011-04-18 19:54:27 161792 ----a-w- c:\windows\SWREG.exe
2011-04-18 19:34:42 -------- d-----w- C:\found.000
2011-04-17 21:33:48 91176 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
2011-04-17 07:55:06 -------- d-----w- c:\program files\IVT Corporation
2011-04-17 06:53:24 86016 ----a-w- c:\windows\unvise32.exe
2011-04-17 06:51:44 -------- d-----w- c:\program files\Parallel Port Joystick
2011-04-17 06:25:32 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2011-04-17 06:25:30 -------- d-----w- c:\program files\Nokia
2011-04-17 06:25:17 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-04-17 06:24:28 -------- d-----w- c:\program files\PC Connectivity Solution
2011-04-17 05:47:50 -------- d-----w- c:\documents and settings\chris\Bluetooth Software
2011-04-17 05:44:53 237568 ----a-w- c:\windows\system32\BtwRSupport.dll
2011-04-17 05:03:16 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-04-17 05:03:16 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-04-17 02:04:28 291600 ----a-w- c:\windows\system\WININET.DLL
2011-04-17 02:04:27 -------- d-----w- C:\SIERRA
2011-04-17 01:25:13 -------- d-----w- c:\docume~1\chris\applic~1\Windows Search
2011-04-09 20:08:57 -------- d-----w- c:\documents and settings\chris\.dia
2011-04-09 20:08:22 -------- d-----w- c:\program files\Dia
.
==================== Find3M ====================
.
2011-03-26 04:23:01 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-26 04:23:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-03-26 04:22:47 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-02-03 05:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDT722516DLAT80 rev.V43OA96A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x832564F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8325c7d0]; MOV EAX, [0x8325c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x83214AB8]
3 CLASSPNP[0xF7547FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000090[0x832CDF18]
5 ACPI[0xF7249620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8330EB58]
\Driver\atapi[0x832FAC80] -> IRP_MJ_CREATE -> 0x832564F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SI, 0x7c00; MOV DI, 0x7a00; MOV SS, AX; MOV SP, DI; MOV DS, AX; MOV ES, AX; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x7a1b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8325633B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:02:27.67 ===============

Blottedisk
2011-04-30, 17:21
Hi Cricket_Lover,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


We will first try to determine if this is a MBR infection. To do so, we will need to boot the machine with a tool that is similar to slax cd: OTLPE. For this procedure you will need a burning CD machine (this could be the infected machine) and an USB stick.

Please do the following:


Download OTLPEStd.exe (http://oldtimer.geekstogo.com/OTLPEStd.exe) to the burning CD machine's desktop
Download 7548 and copy it on your USB memory.
Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) and copy it on your USB memory.

Ensure that you have a blank CD in the drive
Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
Double-click on the OTLPE icon.
Select the Windows folder of the infected drive if it asks for a location
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTL should now start.
Drag and drop this Scan.txt from USB memory into the Custom scans and fixes box

Press Run Scan to start the scan.
When finished, two files will be created C:\OTL.txt and C:\Physical0MBR.bin
IMPORTANT: Please rename Physical0MBR.bin into Physical0MBR.txt and attach it on your next reply
You can post the contents of C:\OTL.txt in your reply, don't attach it.
Remove the OTLPE CD from your drive and start Windows normally
Drag aswMBR.exe from your usb memory to your desktop and double click to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it

Cricket_Lover
2011-04-30, 21:55
Thing is not booting, has been stuck at a black screen for 50min now...

Keyboard seems locked up, resolution is at 720x400, 70Hz...any Linux-based procedure availible?

Additional (interesting?) details you might want to know:
* Computer is NOT a Dell
* There is NO recovery partition
* Apparently, to sync a WiiMote w/ a WIDCOMMv5 Bluetooth stack, you have to press Alt+S at the passcode screen to skip it. (Would have been nice to know this BEFORE I got the infection!)

In the house, I have availible a clean WinXP-Professional box (I am at right now), and a VectorLinux 6.0 box down in my room (only Dell in the house, and only computer without a burner). The infected computer is WinXP-Home (latest service pack).

Additionally, when this is all over, could you tell me the registry key which disables prompting to activate Automatic Updates? I do updating manually, as I know of a couple XP boxes that have become infected because of fake updates sent to it through Automatic Update.

Cricket_Lover
2011-05-01, 03:20
I am sorry, but in the interest of progress, I have proceeded with logical steps, which I have listed below in the exact order I did them, aligned by process:
* Power button held, doesn't look like the CD even loaded an OS
* Booted up the MS Recovery Console
** Executed "FIXMBR"
*** Warned that the MBR structure was unreconized, asked to continue
*** Typed "y"
** EXIT
* Booted up SLAX (note: never typed a semicolon)
** # cd /mnt/hda1
** # find | grep -i "/t[dl][dl]" | less -S
*** Command returned three files; tdlen.nb is from Mathematica; two files called tlds.gif and tlds.js were in the FF "/extensions/optout@dubfire.net" directory tree
** # startx
*** In Firefox, I downloaded TDSSKiller to the "Start Menu/Startup" directory
** # init 6
* Booted Windows
** Logged in
*** TDSSKiller starts initialisation
*** Spybot House-something-or-other starts, I close it
*** TDSSKiller finishes initialisation
**** I run a scan
* Shutdown

The scan from TDSSKiller only returned one (locked) file "sptd.sys", attached in archive. It did not find an infection.

Blottedisk
2011-05-01, 10:44
I have re-uploaded sptd.sys to VirosTotal and it's clean.


Can you try to copy aswMBR.exe on the infected machine and run it with the instructions above?

Cricket_Lover
2011-05-01, 20:57
I have run the scan that you requested, as well as running a number of other scans (the OS was behaving nicely at the time ;) ) But I did NOT save the scanner to the desktop; it went into the startup dir.

Attached are all of the results:

DDS.txt - Standard forum scan
Attach.txt - Standard forum scan
MBR.dat - File created from your scan. Notice that I had yesterday rewritten the MBR
aswMBR.txt - Log of your scan. See above note
TDSSKiller.txt - TDSSKiller scan results for today, filename reduced
hijackthis.log - Hijack This log (ping.exe)
OTL.Txt - OTL Viewer scan, all users (DinoScan.exe) (It's OLDtimer, right?)

Not attached:
Extras.txt - Never was created, only Extras.txt in the directory was last modified last year


And I do NOT want to use my FD in the computer while running XPHome right now; FD sees numerous computers on a daily basis (including Win7, but 64-bit), and the Autorun calcellation that I have to do when it gets infected from a subset of computers at my school (from a virus I nicknamed after one of the teachers, from the first infection I found) is annoying to say the least. But SLAX gives me access to all non-encrypted files on the NTFS, as well as Firefox and NT Offline Password Changer and Registry Editor, so it's better than a FD in this case.

NOTE: I think you guys should write out a procedure for handling the TDL3 and sticky it to aid in all the infections that are being made by it.

Blottedisk
2011-05-02, 17:06
Hi Cricket_Lover,


Please delete your current version of Combofix, and do the following:


Visit the following and have a look how you can disable your security software.

How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260 )

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe )
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe )

--------------------------------------------------------------------

Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix )

Cricket_Lover
2011-05-03, 04:20
Here is the output

Blottedisk
2011-05-03, 16:03
Good morning,

Do you recognize the following IP addresses?

209.18.47.61
76.85.229.110
209.18.47.62

Cricket_Lover
2011-05-03, 19:30
209.18.47.61
209.18.47.62
^^^ Current DNS server addresses assigned by RoadRunner

76.85.229.110
^^^ Old DNS server address (from the older version of my internet connection)

Both DNS servers are known safe.

Blottedisk
2011-05-04, 01:07
Alright, please do the following:


ComboFix - CFScript

WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:


DDS::
uInternet Settings,ProxyServer = 127.0.0.1:80
uInternet Settings,ProxyOverride = <local>

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif

This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Cricket_Lover
2011-05-04, 04:32
Attached is the log.

And just a question, but does Windows reconize Spybot as an antivirus?

Blottedisk
2011-05-04, 16:58
Hi there,


No, it doesn't. Why do you ask?



How's the machine running?
Please do the following:


Step 1 | Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html )

Run the installer.
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:


http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png

Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.


Step 2 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php ) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Cricket_Lover
2011-05-05, 03:23
CCleaner finished, and there were no infections for MBAM. I'm in the middle of a Spybot scan right now.

And I was wondering if Spybot was automatically counted as an AV becuase you had me enable automatic AV checking

Cricket_Lover
2011-05-05, 03:24
And just found a Click.giftload (stupid no edit button)

Cricket_Lover
2011-05-05, 04:08
Spybot finished, the Click.Giftload was just a registry key. Now I am going to run that one online scanner you guys always say to run

Cricket_Lover
2011-05-06, 02:29
ESET scan finished; besides quaritines, these are the only things that came up:
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\58\c72e3fa-358c052b a variant of Java/TrojanDownloader.OpenConnection.AC trojan
I:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP582\A0111737.exe Win32/PowerReg application
(I am not sure what the latter is from. Drive I: is an external USB hard drive, and that restore point could be from any of a number of computers)

And here is a new, up-to-date DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Chris at 16:17:59.07 on Thu 05/05/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\SysInternals\Process Explorer\procexp.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.bin
C:\Program Files\ClamWin\bin\clamscan.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\trashVir\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: AutorunsDisabled - No File
BHO: JQSIEStartDetectorImpl - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz0.dll
uRun: [Alcohol.bin Autorun] c:\program files\alcohol soft\alcohol 120\Alcohol.bin /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301092235348
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: {0D4A2D8C-656A-4DD5-952D-B00B7108E1DE} = 209.18.47.61,8.8.8.8,76.85.229.110
TCP: {9F1F2845-F134-4581-9544-EDF6B8FCE59D} = 8.8.8.8
TCP: {F3AFB128-E668-4305-8A2D-4EF371CB4C14} = 209.18.47.61,209.18.47.62,8.8.8.8
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
IFEO: taskmgr.exe - "c:\program files\sysinternals\process explorer\PROCEXP.EXE"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\9az0l1dr.default\
FF - plugin: c:\documents and settings\chris\application data\mozilla\firefox\profiles\9az0l1dr.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R? AsUsbDrvXP;AsUsbDrvXP
R? BTCOM;Bluetooth Serial port driver
R? BTCOMBUS;Bluetooth Serial Port Bus Service
R? btnetBUs;Bluetooth PAN Bus Service
R? dsiarhwprog;dsiarhwprog
R? IvtBtBUs;IVT Bluetooth Bus Service
R? mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit
R? SaiH075C;SaiH075C
S? BtHidBus;Bluetooth HID Bus Service
S? PPJoyBus;Parallel Port Joystick Bus device driver
S? PPortJoystick;Parallel Port Joystick device driver
S? RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver
S? vcdrom;Virtual CD-ROM Device Driver
.
=============== Created Last 30 ================
.
2011-05-05 02:38:36 -------- d-----w- c:\program files\ESET
2011-05-04 15:23:57 -------- d-----w- c:\program files\CCleaner
2011-04-29 16:34:04 -------- d-----w- C:\trashVir
2011-04-19 04:17:26 -------- d-----w- c:\program files\Windows Imaging
2011-04-19 04:05:45 -------- d-----w- c:\program files\Windows AIK
2011-04-19 03:19:14 -------- d-----w- C:\SpybotBootCD
2011-04-19 01:44:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-19 01:44:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-19 01:27:49 -------- d-----w- c:\docume~1\chris\applic~1\Safer Networking
2011-04-19 01:24:36 -------- d-----w- c:\program files\Safer Networking
2011-04-19 00:02:56 -------- d-----w- c:\docume~1\chris\applic~1\Abine
2011-04-18 22:50:45 -------- d-sha-r- C:\cmdcons
2011-04-18 20:41:14 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
2011-04-18 20:41:14 106557 ----a-w- c:\windows\system32\btw_ci.dll
2011-04-18 20:41:13 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
2011-04-18 20:41:13 156816 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2011-04-18 20:41:12 991136 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2011-04-18 20:41:12 37160 ----a-w- c:\windows\system32\drivers\btport.sys
2011-04-18 20:41:11 534312 ----a-w- c:\windows\system32\drivers\btaudio.sys
2011-04-18 20:40:26 -------- d-----w- c:\program files\WIDCOMM
2011-04-18 19:54:27 98816 ----a-w- c:\windows\sed.exe
2011-04-18 19:54:27 89088 ----a-w- c:\windows\MBR.exe
2011-04-18 19:54:27 256512 ----a-w- c:\windows\PEV.exe
2011-04-18 19:54:27 161792 ----a-w- c:\windows\SWREG.exe
2011-04-18 19:34:42 -------- d-----w- C:\found.000
2011-04-17 21:33:48 91176 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
2011-04-17 07:55:06 -------- d-----w- c:\program files\IVT Corporation
2011-04-17 06:53:24 86016 ----a-w- c:\windows\unvise32.exe
2011-04-17 06:51:44 -------- d-----w- c:\program files\Parallel Port Joystick
2011-04-17 06:25:32 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2011-04-17 06:25:30 -------- d-----w- c:\program files\Nokia
2011-04-17 06:25:17 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-04-17 06:24:28 -------- d-----w- c:\program files\PC Connectivity Solution
2011-04-17 05:47:50 -------- d-----w- c:\documents and settings\chris\Bluetooth Software
2011-04-17 05:44:53 237568 ----a-w- c:\windows\system32\BtwRSupport.dll
2011-04-17 05:03:16 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-04-17 05:03:16 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-04-17 02:04:28 291600 ----a-w- c:\windows\system\WININET.DLL
2011-04-17 02:04:27 -------- d-----w- C:\SIERRA
2011-04-17 01:25:13 -------- d-----w- c:\docume~1\chris\applic~1\Windows Search
2011-04-09 20:08:57 -------- d-----w- c:\documents and settings\chris\.dia
2011-04-09 20:08:22 -------- d-----w- c:\program files\Dia
.
==================== Find3M ====================
.
2011-03-26 04:23:01 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-03-26 04:23:01 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-03-26 04:22:47 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
.
============= FINISH: 16:24:04.92 ===============

Blottedisk
2011-05-09, 14:27
Hi,


Sorry for the delay. The ESET log shows a threat in your Java's cache. Please follow these steps to remove older version Java components and update.

Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html )

Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and AppletsTrace and Log Files
Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.
When finished, please rerun DDS and post both dds.txt and attach.txt

tashi
2011-06-18, 08:25
Date of archive.