Author Topic: Trouble removing Malware/Trojan causing browser hijack


surgesound

  • Guest
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #15 on: May 25, 2011, 09:28:22 PM »
Oops! I don't see the OTS log in my previous post---here it is.

---Jim.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #16 on: May 25, 2011, 09:54:12 PM »
I see that you have run ComboFix. Could you attach the log?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\cmutilwow.exe" -> [C:\WINDOWS\cmutilwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\hnetmonwow.exe" -> [C:\WINDOWS\hnetmonwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\19.tmp" -> [C:\WINDOWS\system32\19.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1E.tmp" -> [C:\WINDOWS\system32\1E.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1F.tmp" -> [C:\WINDOWS\system32\1F.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\dsquery32.exe" -> [C:\WINDOWS\system32\dsquery32.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\wmdmpswow.exe" -> [C:\WINDOWS\wmdmpswow.exe:*:Enabled:Windows Update Service]
[Files/Folders - Modified Within 30 Days]
NY ->  4df5eed -> C:\WINDOWS\System32\4df5eed
NY ->  606413462 -> C:\WINDOWS\System32\606413462
NY ->  68094394 -> C:\WINDOWS\System32\68094394
NY ->  sl1710136104 -> C:\WINDOWS\System32\sl1710136104
NY ->  unrar.exe -> C:\WINDOWS\System32\unrar.exe
NY ->  787566237 -> C:\WINDOWS\System32\787566237
[Files - No Company Name]
NY ->  4df5eed -> C:\WINDOWS\System32\4df5eed
NY ->  606413462 -> C:\WINDOWS\System32\606413462
NY ->  sl1710136104 -> C:\WINDOWS\System32\sl1710136104
NY ->  unrar.exe -> C:\WINDOWS\System32\unrar.exe
NY ->  68094394 -> C:\WINDOWS\System32\68094394
NY ->  787566237 -> C:\WINDOWS\System32\787566237
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
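
The OTS fix above strips seven firewall "authorized application" entries that all carry the display name "Windows Update Service" while pointing at .tmp files and odd binaries under C:\WINDOWS. The following script is an added example, not OTS, ComboFix or the poster's code: it parses those log lines and applies three heuristics that would have flagged every one of them. The seven OTS_LINES are copied from the post; BENIGN_LINE is a constructed Firefox entry used to show what is not flagged, and the assumption that the legitimate Windows Update client on XP is wuauclt.exe is mine.

```python
"""Audit Windows Firewall application exceptions listed in an OTS log.

Added example for this thread (not OTS, ComboFix or the poster's code).
Each AuthorizedApplications value has the form
    path:scope:Enabled|Disabled:display name
The OTS_LINES below are copied from the fix posted above; BENIGN_LINE is
a constructed entry used to show what is not flagged.
"""
import ntpath
import re

OTS_LINES = r"""
YN -> "C:\WINDOWS\cmutilwow.exe" -> [C:\WINDOWS\cmutilwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\hnetmonwow.exe" -> [C:\WINDOWS\hnetmonwow.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\19.tmp" -> [C:\WINDOWS\system32\19.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1E.tmp" -> [C:\WINDOWS\system32\1E.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\1F.tmp" -> [C:\WINDOWS\system32\1F.tmp:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\system32\dsquery32.exe" -> [C:\WINDOWS\system32\dsquery32.exe:*:Enabled:Windows Update Service]
YN -> "C:\WINDOWS\wmdmpswow.exe" -> [C:\WINDOWS\wmdmpswow.exe:*:Enabled:Windows Update Service]
""".strip().splitlines()

# Constructed benign entry (assumed path, not from the log).
BENIGN_LINE = (r'YN -> "C:\Program Files\Mozilla Firefox\firefox.exe" -> '
               r'[C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox]')

# Two-letter OTS flag, quoted path, then the registry value in brackets.
ENTRY_RE = re.compile(r'^[YN]{2}\s+->\s+"(?P<path>[^"]+)"\s+->\s+\[(?P<value>.*)\]\s*$')

# Assumption: the binary that legitimately runs Windows Update on XP.
WINDOWS_UPDATE_CLIENT = "wuauclt.exe"


def parse_entry(line):
    """Return dict(path, scope, state, name) or None for a non-matching line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    path, value = m.group("path"), m.group("value")
    # The value repeats the path, so split the remainder rather than
    # splitting on ':' (the drive letter also contains one).
    if not value.startswith(path + ":"):
        return None
    scope, state, name = value[len(path) + 1:].split(":", 2)
    return {"path": path, "scope": scope, "state": state, "name": name}


def suspicious_reasons(entry, binaries_per_name):
    """Heuristics: a .tmp with a firewall hole, a 'Windows Update' that is
    not wuauclt.exe, or one display name reused by several binaries."""
    reasons = []
    base = ntpath.basename(entry["path"]).lower()
    if ntpath.splitext(base)[1] == ".tmp":
        reasons.append("firewall exception for a .tmp file")
    if "windows update" in entry["name"].lower() and base != WINDOWS_UPDATE_CLIENT:
        reasons.append("claims to be Windows Update but is not " + WINDOWS_UPDATE_CLIENT)
    shared = binaries_per_name.get(entry["name"], 0)
    if shared > 1:
        reasons.append("display name shared by %d different binaries" % shared)
    return reasons


def audit(lines):
    """Map each suspicious path to the list of reasons it was flagged."""
    entries = [e for e in map(parse_entry, lines) if e]
    per_name = {}
    for e in entries:
        per_name.setdefault(e["name"], set()).add(e["path"].lower())
    binaries_per_name = {n: len(p) for n, p in per_name.items()}
    findings = {}
    for e in entries:
        reasons = suspicious_reasons(e, binaries_per_name)
        if reasons:
            findings[e["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit(OTS_LINES + [BENIGN_LINE]).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The "shared display name" rule is the strongest of the three: a single product does not register seven different executables under one firewall description, so the count alone separates the malware set from the Firefox entry without needing a list of known-bad file names.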


surgesound

  • Guest
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #17 on: May 25, 2011, 10:21:51 PM »
Here's the ComboFix log you requested.

---Jim.

essexboy
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #18 on: May 25, 2011, 10:27:15 PM »
This should get it

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\msshavmsg32.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • ComboFix.txt

surgesound

  • Guest
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #19 on: May 25, 2011, 10:37:13 PM »
Quote from: essexboy on May 25, 2011, 10:27:15 PM

Essexboy:

Should I do this First, BEFORE the OTS fix you specified, or AFTER I apply the OTS fix?

---Jim.

essexboy
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #20 on: May 25, 2011, 10:44:43 PM »
Do the OTS first please - then the combofix

surgesound

  • Guest
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #21 on: May 25, 2011, 11:55:59 PM »
Essexboy:

Here is the post-fix OTS log you requested.

---Jim.

surgesound

  • Guest
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #22 on: May 26, 2011, 02:18:36 AM »
Essexboy:

Here is the ComboFix log you requested.

---Jim.

essexboy
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #23 on: May 26, 2011, 07:29:45 PM »
Just one to clear. I will use OTS as it is faster. Once done, what problems remain?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Custom Items]
:Files
c:\documents and settings\William J. Wickstrom\ffgmiktqcy.tmp
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

surgesound

  • Guest
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #24 on: May 28, 2011, 06:42:33 PM »
Essexboy:

Here is the OTS log you requested.

---Jim.

essexboy
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #25 on: May 28, 2011, 06:50:05 PM »
Nope can't see it  ;D

How is the computer behaving now?

Segmentage

  • Guest
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #26 on: May 29, 2011, 04:17:34 AM »
Essexboy, here are the results.

aswMBR version 0.9.5.317 Copyright(c) 2011 AVAST Software
Run date: 2011-05-29 10:14:16
-----------------------------
10:14:16.701    OS Version: Windows 6.0.6001 Service Pack 1
10:14:16.701    Number of processors: 2 586 0xF0D
10:14:16.703    ComputerName: USER-PC  UserName: user
10:14:17.460    Initialize success
10:14:20.719    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:14:20.723    Disk 0 Vendor: ST3250310AS 3.AHC Size: 238475MB BusType: 3
10:14:22.745    Disk 0 MBR read successfully
10:14:22.748    Disk 0 MBR scan
10:14:22.752    Disk 0 unknown MBR code
10:14:24.762    Disk 0 scanning sectors +488391120
10:14:24.790    Disk 0 scanning C:\Windows\system32\drivers
10:14:29.258    Service scanning
10:14:30.750    Disk 0 trace - called modules:
10:14:30.766    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8560a1f8]<<
10:14:30.770    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85feaac8]
10:14:30.775    3 CLASSPNP.SYS[88ba6745] -> nt!IofCallDriver -> [0x85660918]
10:14:30.779    5 acpi.sys[807b56a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8564cba0]
10:14:30.784    \Driver\atapi[0x85648cd8] -> IRP_MJ_CREATE -> 0x8560a1f8
10:14:33.131    Unsigned kernel modules:
10:14:33.145    0x82e91000 System32\Drivers\splb.sys
10:14:55.050    Scan finished successfully
10:16:09.464    Disk 0 MBR has been saved successfully to "C:\Users\user\Documents\gboy\MBR.dat"
10:16:09.471    The log file has been saved successfully to "C:\Users\user\Documents\gboy\aswMBR.txt"
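
The aswMBR log above reports "Disk 0 unknown MBR code", an IRP_MJ_CREATE handler on \Driver\atapi pointing into unknown memory, an unsigned kernel module splb.sys, and it saves the sector to MBR.dat. The script below is an added example (not aswMBR's code, and the two 512-byte images it builds are constructed, not the poster's disk): it parses an MBR.dat, hashes the boot code so it can be compared with a known-good copy from the same Windows version, lists the partition table, and applies one heuristic of mine, namely that the classic Microsoft MBR code carries the fixed messages "Invalid partition table", "Error loading operating system" and "Missing operating system". Absence of those strings is only a hint; the hash comparison against a clean MBR is the real check.

```python
"""Inspect an MBR image such as the MBR.dat that aswMBR saves.

Added example for this thread (not aswMBR's code). CLEAN_MBR and
SUSPECT_MBR are constructed sectors, not data from the poster's machine.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code
DISK_SIG_OFF = 440           # bytes 440..443: NT disk signature
TABLE_OFF = 446              # four 16-byte partition entries
STANDARD_STRINGS = (         # messages embedded in the classic Microsoft MBR
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_mbr(mbr):
    """Split a raw 512-byte sector into signature, boot-code hash and table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    code = mbr[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_signature_ok": mbr[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_sha256": hashlib.sha256(code).hexdigest(),
        "has_standard_strings": all(s in code for s in STANDARD_STRINGS),
        "partitions": partitions,
    }


def assess(mbr):
    """Return human-readable warnings; an empty list means nothing odd."""
    info = parse_mbr(mbr)
    warnings = []
    if not info["boot_signature_ok"]:
        warnings.append("missing 0x55AA boot signature")
    if not info["has_standard_strings"]:
        warnings.append("boot code lacks the standard Microsoft MBR messages; "
                        "compare its SHA-256 with a known-good MBR")
    if not any(p["bootable"] for p in info["partitions"]):
        warnings.append("no partition marked bootable")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            warnings.append("partitions overlap")
            break
    return warnings


def build_mbr(boot_code, partitions, disk_sig=0x1234ABCD):
    """Assemble a test sector; partitions are (bootable, type, lba_start, sectors)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\xff\xff\xff",
                    ptype, b"\xff\xff\xff", start, count)
        for bootable, ptype, start, count in partitions
    ).ljust(64, b"\x00")
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


# Constructed images: one carrying the standard messages, one whose boot
# code has been replaced by opaque bytes, as a bootkit-patched MBR would be.
LAYOUT = [(True, 0x07, 63, 488392002)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0" + b"\x00".join(STANDARD_STRINGS), LAYOUT)
SUSPECT_MBR = build_mbr(b"\xfa\x33\xc0\xe9" + b"\x90" * 200, LAYOUT)


def load_mbr(path):
    """Read the first sector of an MBR.dat (or a raw disk image)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    for label, img in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(label, parse_mbr(img)["boot_code_sha256"][:16], assess(img) or "ok")
```

To use it on the real file, call assess(load_mbr(r"C:\Users\user\Documents\gboy\MBR.dat")); the partition table should still match what Disk Management shows, because a bootkit normally leaves it intact and only swaps the 440 bytes of code that run before the kernel, which is why the hash of that region, not the table, is what to compare.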



essexboy
Re: Trouble removing Malware/Trojan causing browser hijack
« Reply #27 on: May 29, 2011, 12:22:05 PM »
Quote from: Segmentage on May 29, 2011, 04:17:34 AM

Is this from a different thread?