Infected with malware, IE redirect - DDS hangs system


Jess Fixit

New member
This is my first post to a forum.

My computer was infected by something and running DDS completely hangs my system.

A fake virus removal tool called “system check” popped up and started scanning my system. Before I could stop it, by shutting down my system, it hid all my files, disabled task manager, and deleted all icons from my desktop, except for recycle bin and Internet Explorer. It also started redirecting all my searches (bing) to ‘www.berlinfernsehturm.de’ then to a rotating list of bogus help websites.
I was able to 'unhide' my files and regain control of my desktop. A system restore removed the NoDriverTypeAutoRun error it created. I then ran Spybot and discovered a Fraud.DefenseCenter. I also found a program in ‘c:\Documents and Setting\AllUsers\ApplicationData’ called WgjpPxjtqGl.exe. I opened the file and the fake virus removal tool started again. Immediately, I shut down my system. After restarting, I deleted that file and four others with the same timestamp using secure shredder. The Fraud.DefenseCenter was also removed from the SB recovery using the secure shredder.
I went through the steps in the Manual Removal Guide for Fraud.DefenseCenter. I did not find any of the files listed in any of the steps. I thought maybe I had stopped the virus before it had done too much damage.
I tried the search again using IE (bing). It was now directing me to ‘www.hipnoza.com’ then again to the rotating list of websites. During this, a different fake virus removal tool popped up called “internet security check”. I immediately ended the program by shutting down my system, using ‘shutdown’. Task manager was not working but not disabled as before. I now have a file called isecurity.exe in ‘c:\Documents and Setting\AllUsers\ApplicationData’ and a shortcut on my desktop.
After I restarted my system I ran Spybot and it came back clean. I scanned the isecurity.exe using Spybot and it came back clean.
There is something definitely hiding somewhere. Since I interrupted the program before it could complete, I don't know what the outcome would be.

I tried to run DDS before requesting assistance but my system hangs after 11 mins. Even the clock stops. It required a hard reboot to restart. I tried again in safe mode with the same results. Unfortunately, there are no logs or files to share.

I am way over my head on this. Your assistance and guidance would greatly be appreciated!!
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7, you need to right click on the program and select RUN AS ADMINISTRATOR



You need to boot to safemode with networking

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode





  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.



  • Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

    Run rkill repeatedly until it's able to do its job. This may take a few tries.

    You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.






Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






Download this program to your desktop
http://download.bleepingcomputer.com/grinler/unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
 
Greetings ken545,
Thank you for your assistance.

Here is the log from the Rkill and the Malwarebytes' Scan:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/08/2012 at 19:34:11.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 02/08/2012 at 19:35:26.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.09.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brenda Poland :: D6KX9PB1 [administrator]

Protection: Enabled

2/8/2012 8:04:14 PM
mbam-log-2012-02-08 (20-04-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245244
Time elapsed: 33 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.AV2009) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\Brenda Poland\Local Settings\Temp\3A.tmp (Rogue.InternetSecurity) -> Quarantined and deleted successfully.

(end)


What, if any, is the next step?

Thank you kindly,
Jess
 
Jess,

Are your icons missing from your desktop, are there any files or folders you can't see that are hidden? If so, you need to run the last program I posted, unhide.


Sometimes when you have an infection like this there may be more hiding, so let's look a bit further.



Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Good day ken545,

Last night, Malwarebytes would not run in Safe Mode. I had switched back to normal mode to run the Quick Scan. I provided the log with two items found in my previous post.

I did manage to unhide my desktop icons and files previously, but I ran the unhide to be safe. Everything seems normal, no new files or icons showed up. I did take advantage of the antispyware and security software being turned off and ran it again this morning. I did this based on the message from unhide: “Your files should now be visible. If you are still missing Start Menu items, please temporarily disable your antivirus or security programs and try again. In the event that they interfered with the restoral process.”
I figured it would not hurt to run Unhide again.

After I posted my reply last night, curiosity got the best of me and I ran Malwarebytes again using a Full Scan. Here is the log from the Full Scan:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.09.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brenda Poland :: D6KX9PB1 [administrator]

Protection: Enabled

2/8/2012 10:18:27 PM
mbam-log-2012-02-08 (22-18-27).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 321632
Time elapsed: 1 hour(s), 6 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1724\A0195920.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1724\A0195921.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1727\A0196042.exe (Rogue.InternetSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1729\A0199155.exe (Rogue.InternetSecurity) -> Quarantined and deleted successfully.

(end)

Now for the results of the instructions in your last post.

  1. I downloaded Combofix and saved it to my desktop.
  2. I disabled MalwareBytes, Spybot TeaTimer, Windows XP firewall, TrendMicro Real-Time Protection, disabled TrendMicro firewall.
  3. Double clicked ComboFix.exe
  4. Microsoft Windows Recovery Console was installed
  5. Continued with Malware scan
  6. Restore point created HIV-backup
  7. AutoScan started at 10:25 am
  8. Computer clock stopped at 10:31 am - computer hung no keys or mouse control
  9. Finally shut down computer at 11:25 am - 1 hour later

  10. Restarted computer in safe mode
  11. Tried CF for the second time
  12. Autoscan started 11:31 am
  13. Watched task manager and noticed services.exe (user - SYSTEM) used most resources
  14. At 11:36 am task mgr window disappeared
  15. Clock stopped at 11:38 am
  16. Turned off computer at 11:58 am - computer hung no keys or mouse control

  17. 3rd try - with safe mode with networking.
  18. Same scenario - computer hung after about 12 minutes.
Sorry, I have no C:\comboFix.txt. There is a ComboFix folder but no text file. I am so lost... Am I doing something wrong?

Many thanks!

Jess
 
Hello Jess,

Those files that Malwarebytes found are in your System Restore program; let's clear them all out and create a new restore point.

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:
  1. Click Start > Run > copy and paste the following into the run box:
    %SystemRoot%\System32\restore\rstrui.exe
  2. Press OK. Choose Create a Restore Point then click Next.
  3. Name it (something you'll remember) and click Create.
  4. When the confirmation screen shows the restore point has been created click Close.

Then remove all previous Restore Points
  1. Click Start > Run > copy and paste the following into the run box:
    cleanmgr
  2. Choose to scan drive C:\ (if C:\ is your main drive).
  3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
  4. Click on the Yes button.
  5. When finished, click on Cancel button to exit.






  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    Go to Start -> Run -> copy/paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall


  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt
 
ken545,

I am completely baffled…

The first two tasks, creating a system restore point and purging the old restore points, were successful. No problems!

Running CF is another story.

I unplugged the internet connection from the PC and stopped all monitoring programs. Then followed your instructions. About 6 minutes into the special way of running CF using the command line, the window for “no connection to the internet is currently available. Etc.. Click to work offline or try again to reconnect.” appeared. I had not touched the keyboard or mouse after the click “OK” in the run window. The computer’s clock stopped also. I waited about 5 minutes before touching anything to verify the system had indeed hung.
I tried again. Reconnected the internet, thinking that was the issue. Clicked “OK” and things seemed fine. I had the yellow blinking cursor in the Autoscan window until about 6 minutes into the scan. The cursor stopped blinking and went solid. The clock stopped again. I waited another 5 minutes before touching the keyboard or mouse. Yes, the system was hung.

Do you have any words of wisdom you might be able to share on this baffling situation?

Thanks for being patient with me.
Jess
 
Hello Jess,

Run into this all the time with different programs; at this point I am not sure if it's malware related or something on your system preventing Combofix from running. Let's set Combofix on the back burner for now.



Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply
 
ken545,
I have Windows XP Service Pack 3 x86 NTFS. aswMBR.exe doesn't seem to want to run. I tried running each of the different compatibility modes and also running it as a different user and Admin. No Luck...
Help
Thank you for sharing your wisdom.
Jess
 
Not looking good, see if this one will run

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.
 
ken545,
Success! It ran. I don't know what the results mean but it doesn't look good to me...
Here is the log:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 144):

Processes (total 41):
0 System Idle Process
4 System
924 C:\WINDOWS\system32\smss.exe
972 csrss.exe
1000 C:\WINDOWS\system32\winlogon.exe
1044 C:\WINDOWS\system32\services.exe
1056 C:\WINDOWS\system32\lsass.exe
1308 C:\WINDOWS\system32\ati2evxx.exe
1324 C:\WINDOWS\system32\svchost.exe
1432 svchost.exe
1556 C:\WINDOWS\system32\svchost.exe
1592 C:\WINDOWS\system32\svchost.exe
1728 svchost.exe
2012 svchost.exe
332 C:\WINDOWS\system32\spoolsv.exe
412 svchost.exe
780 C:\WINDOWS\explorer.exe
1480 C:\WINDOWS\ehome\ehtray.exe
1492 C:\WINDOWS\stsystra.exe
1520 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
1580 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
1696 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
1752 C:\WINDOWS\ehome\ehrecvr.exe
192 C:\WINDOWS\system32\ctfmon.exe
240 C:\WINDOWS\ehome\ehSched.exe
644 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
960 C:\Program Files\Digital Line Detect\DLG.exe
948 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
2232 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2256 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
2456 svchost.exe
2520 C:\WINDOWS\system32\svchost.exe
2876 C:\WINDOWS\system32\fxssvc.exe
2988 mcrdsvc.exe
3868 C:\WINDOWS\system32\dllhost.exe
3984 C:\WINDOWS\system32\dlcccoms.exe
2060 alg.exe
3620 C:\WINDOWS\ehome\ehmsas.exe
2884 C:\WINDOWS\system32\wscntfy.exe
1428 C:\Program Files\Internet Explorer\iexplore.exe
2200 C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD160JJ/P, Rev: ZM100-34

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Thanks for not giving up on this!
Jess
 
Let's try another; if you have what I suspect you may be infected with, this may not run either, but no need for alarm just yet.



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
 
Jess, still not 100% sure but you have signs that your Master Boot Record may be infected, lots of this going around lately.

What I need you to do is get me an offline dump of your MBR, be sure to use Firefox and not Internet Explorer for the downloads as IE has been really messing it up. Then we can look at it and determine if it is indeed infected; if it is it can be fixed, if it's not we can look at other options.

I would print this out so you can follow along real well.



  1. xPUD

    We will need a USB stick and access to an uninfected machine.

    We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:
    • Insert your USB drive into the uninfected machine.
    • Click on Start > My Computer > right click your USB drive > choose Format > Quick format.

    Next
    • Download both http://sourceforge.net/projects/une...stom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
    • Make sure you have the formatted USB stick in the uninfected system.
    • Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
    • Press Run and then OK.
    • Select the DiskImage option then click the browse button located on the right side of the textbox field.
    • Browse to and select the xpud-0.9.2.iso file you downloaded.
    • Verify the correct drive letter is selected for your USB device then click OK.
    • It will install a little bootable OS on your USB device
    • After it has completed do not choose to reboot the clean computer, simply close the installer.

    Next
    • Take the USB to the infected computer and boot with it.
    • The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
    • A Welcome to xPUD screen will appear.
    • Press File.
    • Expand mnt.
    • sda1,2...usually corresponds to your HDD.
    • sdb1 is likely your USB drive.
    • Click on the folder that represents your USB drive (sdb1 ?).
    • Confirm that you see dumpit that you downloaded there.
    • Double click on dumpit.
    • Once completed, a file called mbr.zip will be saved to the USB drive.
    • Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.


    If you encounter any difficulties just let me know.
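Once the mbr.zip produced by dumpit is on the clean machine, the raw 512-byte sector can be checked the same way MBRCheck did above: boot signature, a hash of the boot code, and the partition table (the C: entry should map to the byte offset 0x036e8e00 MBRCheck printed). This is an added example, not a tool from this thread or from the MBRCheck, xPUD or dumpit authors; the sample MBR, the baseline hash set and the assumption that the hash covers only the first 440 bytes are all constructed.

```python
"""Check a raw 512-byte MBR dump for the anomalies MBRCheck flags.

Added example (not from the thread). Assumptions: the comparison hash covers
only the 440-byte boot-code region (the thread does not say which bytes
MBRCheck hashes), and KNOWN_GOOD is a placeholder to fill from clean machines.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440        # 0x000-0x1B7: boot code
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # must hold 0x55 0xAA

# Constructed stand-ins, not real captures from any machine.
SAMPLE_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
TAMPERED_BOOTCODE = bytes.fromhex("eb3e90")


def sha1_bootcode(mbr):
    """SHA1 of the boot-code region only (see assumption above)."""
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()


def parse_partitions(mbr):
    """Decode the four partition slots; empty slots are skipped."""
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and count == 0:
            continue
        parts.append({"slot": slot, "status": status, "active": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count,
                      "byte_offset": lba * SECTOR})
    return parts


def analyze_mbr(mbr, known_good_sha1):
    """Return the findings a reviewer would want before calling an MBR 'faked'."""
    if len(mbr) != SECTOR:
        return {"findings": [f"length {len(mbr)} != {SECTOR}"], "partitions": [], "sha1": None}
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    digest = sha1_bootcode(mbr)
    if not any(mbr[:BOOTCODE_LEN]):
        findings.append("boot code region is all zeros")
    elif digest not in known_good_sha1:
        findings.append(f"boot code SHA1 {digest} not in known-good set")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid status byte 0x{p['status']:02X}")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):       # overlapping entries
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return {"findings": findings, "partitions": parts, "sha1": digest}


def make_entry(status, ptype, lba, count):
    return struct.pack("<B3sB3sII", status, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba, count)


def build_sample_mbr(bootcode):
    """Constructed MBR: vendor utility partition, then an active NTFS partition
    starting at LBA 112455 (= byte offset 0x036e8e00 from the MBRCheck log)."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    table = (make_entry(0x00, 0xDE, 63, 112392)
             + make_entry(0x80, 0x07, 112455, 312_387_545)
             + b"\x00" * 32)
    return code + b"\x12\x34\x56\x78" + b"\x00\x00" + table + b"\x55\xAA"


if __name__ == "__main__":
    clean = build_sample_mbr(SAMPLE_BOOTCODE)
    baseline = {sha1_bootcode(clean)}        # stand-in for a clean-machine baseline
    for label, mbr in (("clean", clean), ("tampered", build_sample_mbr(TAMPERED_BOOTCODE))):
        result = analyze_mbr(mbr, baseline)
        print(label, result["sha1"], result["findings"] or "no findings")
```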
 
ken545,
Does the uninfected machine need to be the same OS as the infected machine?

There is a message at the end of each post, "Just a reminder that threads will be closed if no reply in 3 days."
I will be out of town for the weekend, back Sun pm. Getting to an uninfected machine, back, then to the uninfected machine may take some time.
Just in case, please do not close the thread. I will be back!

Thank you for your persistence.
Jess
 
ken545,

I checked the link for ".... to download dumpit from the following link: http://noahdfear.net/downloads/dumpit"

There were no downloads. A page full of symbols and characters showed up.

Did the link get truncated?

Thanks,
Jess
 
Jess,

Let me check on that link for you, it may have changed. You should use a computer with the NTFS file system which is XP, Vista or Win 7.

Not to worry about this thread, I will keep it open for you
 
ken545,
Thank you for keeping the thread open for me, much appreciated.

I was not using Firefox to download the dumpit. I was reviewing your procedures using my machine and IE, default browser, to make sure I fully understood before proceeding to use a friend's PC. Today, I switched to Firefox and the window for "save file" came up for dumpit. It is working fine. Sorry, my bad.

I see that it is imperative to have Firefox on my friend's PC before starting the offline dump procedure. She will be dropping off her laptop today during her lunch break. It is a newer PC and should have Win 7. Definitely, will download Firefox, if it is not already there. Hopefully, I'll have something today before I leave for the weekend.

Once again, thank you ken545 for your help.
Jess
 
Hello Jess,

Yep, you will need FF to download those files and then if your friend doesn't like it she can uninstall it; myself, I've been a FF fan for many years.
 