Author Topic: Malware (Read 25681 times)

earmic · « **Reply #30 on:** February 01, 2012, 03:38:59 PM »

Here is the aswMBR log:
17:26:26.656 is yellow and 17:26:32.015 is red.
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-01 16:51:05
-----------------------------
16:51:05.312 OS Version: Windows 5.1.2600 Service Pack 3
16:51:05.312 Number of processors: 2 586 0x403
16:51:05.312 ComputerName: D7SXQY91 UserName: Earl
16:51:05.625 Initialize success
17:00:43.890 AVAST engine defs: 12020100
17:26:14.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
17:26:14.093 Disk 0 Vendor: ST3808110AS 3.ADH Size: 76293MB BusType: 3
17:26:14.109 Disk 0 MBR read successfully
17:26:14.109 Disk 0 MBR scan
17:26:14.171 Disk 0 Windows XP default MBR code
17:26:14.171 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
17:26:14.203 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72990 MB offset 80325
17:26:14.218 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3255 MB offset 149565150
17:26:14.234 Disk 0 scanning sectors +156232125
17:26:14.296 Disk 0 scanning C:\WINDOWS\system32\drivers
17:26:26.390 Service scanning
17:26:26.656 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
17:26:27.453 Modules scanning
17:26:31.968 Disk 0 trace - called modules:
17:26:32.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8ad9a6d9]<<
17:26:32.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b09eab8]
17:26:32.015 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8b085d98]
17:26:32.250 AVAST engine scan C:\WINDOWS
17:26:39.515 AVAST engine scan C:\WINDOWS\system32
17:29:14.718 AVAST engine scan C:\WINDOWS\system32\drivers
17:29:30.359 AVAST engine scan C:\Documents and Settings\Earl
17:33:18.328 AVAST engine scan C:\Documents and Settings\All Users
17:35:10.703 Scan finished successfully
17:35:42.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Earl\Desktop\MBR.dat"
17:35:42.359 The log file has been saved successfully to "C:\Documents and Settings\Earl\Desktop\aswMBR1.txt"

SuperDave · « **Reply #31 on:** February 01, 2012, 04:54:52 PM »

Please run the MBR check in Reply # 24

earmic · « **Reply #32 on:** February 02, 2012, 03:16:50 PM »

Okay, how's this..
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows XP Home Edition
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000000d

Kernel Drivers (total 140):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltmgr.sys
0xB9EFF000 sr.sys
0xBA338000 PxHelp20.sys
0xB9EE8000 KSecDD.sys
0xB9E5B000 Ntfs.sys
0xB9E2E000 NDIS.sys
0xBA340000 speedfan.sys
0xB9E14000 Mup.sys
0xBA671000 giveio.sys
0xBA348000 avgrkx86.sys
0xBA4BC000 AVGIDSEH.Sys
0xBA298000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB96CD000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB96B9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9691000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA418000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB966D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA420000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9639000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB9616000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9517000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB9470000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA428000 \SystemRoot\System32\Drivers\Modem.SYS
0xB944A000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xBA430000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA761000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA438000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xBA440000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA2D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA594000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9433000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA448000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA450000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA308000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA458000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA460000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5D2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB93D5000 \SystemRoot\system32\DRIVERS\update.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB93A7000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
0xBA318000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA57C000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xA8F79000 \SystemRoot\system32\drivers\sthda.sys
0xA8F55000 \SystemRoot\system32\drivers\portcls.sys
0xBA188000 \SystemRoot\system32\drivers\drmk.sys
0xBA158000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA616000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA498000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB9155000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA198000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xBA61A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7CB000 \SystemRoot\System32\Drivers\Null.SYS
0xBA61C000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA4A8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA3D0000 \SystemRoot\System32\drivers\vga.sys
0xA8E8D000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA208000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA662000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA664000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3D8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3E0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA588000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBA3E8000 \??\C:\WINDOWS\system32\drivers\OAnet.sys
0xA8E5A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xA8E01000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA228000 \??\C:\WINDOWS\system32\drivers\OAmon.sys
0xA8DBA000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xA8D6C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA8D44000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB9149000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA8D22000 \SystemRoot\System32\drivers\afd.sys
0xBA238000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA8D00000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA3F0000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA8CD5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB980A000 \??\C:\WINDOWS\system32\drivers\pclepci.sys
0xBA258000 \??\C:\WINDOWS\system32\drivers\oahlp32.sys
0xA8CA4000 \??\C:\WINDOWS\system32\drivers\OADriver.sys
0xA8C34000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA268000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA8B5D000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xBA288000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB97EA000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xBA358000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA558000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA8ACE000 \SystemRoot\system32\drivers\wisgostrm.sys
0xBA568000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA8EE5000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8A16000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA650000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8A4E000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3C0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7B7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBF16E000 \SystemRoot\System32\ATMFD.DLL
0xA8820000 \SystemRoot\system32\DRIVERS\irda.sys
0xA899E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA85F4000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA849F000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8688000 \SystemRoot\system32\drivers\sysaudio.sys
0xA824C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA5B2000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xA84B8000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xA8228000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA81A4000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA390000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xA8044000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xA7C6B000 \SystemRoot\System32\Drivers\HTTP.sys
0xA7379000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
512 C:\WINDOWS\system32\smss.exe
544 C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
576 C:\Program Files\AVG\AVG2012\avgcsrvx.exe
780 csrss.exe
812 C:\WINDOWS\system32\winlogon.exe
856 C:\WINDOWS\system32\services.exe
868 C:\WINDOWS\system32\lsass.exe
1044 C:\WINDOWS\system32\svchost.exe
1092 svchost.exe
1172 C:\WINDOWS\system32\svchost.exe
1300 svchost.exe
1348 svchost.exe
1672 C:\WINDOWS\explorer.exe
1748 C:\Program Files\Online Armor\oacat.exe
1780 C:\Program Files\Online Armor\oasrv.exe
748 C:\WINDOWS\system32\spoolsv.exe
2112 svchost.exe
2344 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
2852 C:\WINDOWS\system32\svchost.exe
3164 wdfmgr.exe
3376 C:\WINDOWS\system32\wuauclt.exe
3512 C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
3788 C:\Program Files\AVG\AVG2012\avgnsx.exe
3880 C:\Program Files\AVG\AVG2012\avgemcx.exe
2588 alg.exe
3276 C:\Program Files\AVG\AVG2012\avgtray.exe
3340 C:\Program Files\Online Armor\oaui.exe
4076 C:\Program Files\Online Armor\oahlp.exe
2176 C:\WINDOWS\system32\svchost.exe
1744 wmiprvse.exe
4200 C:\Program Files\Internet Explorer\iexplore.exe
4296 C:\Program Files\Internet Explorer\iexplore.exe
5256 C:\Program Files\Internet Explorer\iexplore.exe
5532 C:\Program Files\Internet Explorer\iexplore.exe
2572 C:\Program Files\AVG\AVG2012\avgmfapx.exe
2388 C:\Documents and Settings\Earl\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: ST3808110AS, Rev: 3.ADH

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644 A

Done!

SuperDave · « **Reply #33 on:** February 03, 2012, 12:09:03 PM »

Now that the MBR code is repaired please update and run scans with SAS and MBAM and post the logs.

earmic · « **Reply #34 on:** February 03, 2012, 05:23:54 PM »

Updated and ran SAS, then MBAM
Administrator

Memory items scanned : 403
Memory threats detected : 0
Registry items scanned : 35444
Registry threats detected : 1
File items scanned : 96553
File threats detected : 51

Adware.SelectRebates
   C:\Program Files\SELECTREBATES\FFToolbar\chrome\sahtoolbar.jar
   C:\Program Files\SELECTREBATES\FFToolbar\chrome
   C:\Program Files\SELECTREBATES\FFToolbar\chrome.manifest
   C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences\sahtoolbar.js
   C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences
   C:\Program Files\SELECTREBATES\FFToolbar\defaults
   C:\Program Files\SELECTREBATES\FFToolbar\install.rdf
   C:\Program Files\SELECTREBATES\FFToolbar
   C:\Program Files\SELECTREBATES\SahImages\alert.png
   C:\Program Files\SELECTREBATES\SahImages\check.png
   C:\Program Files\SELECTREBATES\SahImages\close.png
   C:\Program Files\SELECTREBATES\SahImages
   C:\Program Files\SELECTREBATES\SelectAlerts.dat
   C:\Program Files\SELECTREBATES\SelectRebates.exe
   C:\Program Files\SELECTREBATES\SelectRebates.ini
   C:\Program Files\SELECTREBATES\SelectRebatesA.dat
   C:\Program Files\SELECTREBATES\SelectRebatesApi.exe
   C:\Program Files\SELECTREBATES\SelectRebatesB.dat
   C:\Program Files\SELECTREBATES\SelectRebatesBT.dat
   C:\Program Files\SELECTREBATES\SelectRebatesDownload.exe
   C:\Program Files\SELECTREBATES\SelectRebatesUninstall.exe
   C:\Program Files\SELECTREBATES\SRebates.dll
   C:\Program Files\SELECTREBATES\SRFF3.dll
   C:\Program Files\SELECTREBATES\Toolbar\AddtoList.bmp
   C:\Program Files\SELECTREBATES\Toolbar\basis.xml
   C:\Program Files\SELECTREBATES\Toolbar\Basis.xml.dym
   C:\Program Files\SELECTREBATES\Toolbar\Blank.bmp
   C:\Program Files\SELECTREBATES\Toolbar\Cache
   C:\Program Files\SELECTREBATES\Toolbar\CashBack.bmp
   C:\Program Files\SELECTREBATES\Toolbar\Coupons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\GroceryCoupon.bmp
   C:\Program Files\SELECTREBATES\Toolbar\icons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\ImageCache
   C:\Program Files\SELECTREBATES\Toolbar\i_magnifying.bmp
   C:\Program Files\SELECTREBATES\Toolbar\logo.bmp
   C:\Program Files\SELECTREBATES\Toolbar\logo_24.bmp
   C:\Program Files\SELECTREBATES\Toolbar\logo_HotSpots.bmp
   C:\Program Files\SELECTREBATES\Toolbar\ReviewSite.bmp
   C:\Program Files\SELECTREBATES\Toolbar\RightControls.dym
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-alert.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-go.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-grocerycoupons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-icons.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-restaurant.bmp
   C:\Program Files\SELECTREBATES\Toolbar\sahtb-wishlist.bmp
   C:\Program Files\SELECTREBATES\Toolbar\Scissors.bmp
   C:\Program Files\SELECTREBATES\Toolbar
   C:\Program Files\SELECTREBATES
   C:\WINDOWS\Prefetch\SELECTREBATES.EXE-072AFA89.pf
   C:\WINDOWS\Prefetch\SELECTREBATESDOWNLOAD.EXE-053B5128.pf

Adware.ShopAtHomeSelect
   HKU\S-1-5-21-2856773612-2364928292-2262524725-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Adware.CouponBar
   C:\WINDOWS\SYSTEM32\CPNPRT2.CID
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.03.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Earl :: D7SXQY91 [administrator]

2/3/2012 6:11:17 PM
mbam-log-2012-02-03 (18-11-17).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 270947
Time elapsed: 37 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0

SuperDave · « **Reply #35 on:** February 03, 2012, 07:27:41 PM »

Thanks. How's your computer working now?

earmic · « **Reply #36 on:** February 04, 2012, 07:54:09 AM »

No real change. this thing continues to make an appearance at random times. You know, this computer isn't that far out of the box, it doesn't have any photos, files of any major concern, or anything that I can't afford to lose. I have a WD backup that's been off now for 2 months so I know it's clean and it has got anything I might need on it. This dell has the "out of the box" option which will wipe the HD clean except the Windows XP I think. I've got to go back in and read about it again. I used it when I inherited it to begin with. I'm now begining to think this might be the final solution. If I wipe this clean and start it "right out of the box", except for the OS, will the malware/virus survive? does it hide there, amoung other places? You are welcome to try a few other things, and I have plenty of time to do them. But like I said, I don't depend on this machine every day for anything.

SuperDave · « **Reply #37 on:** February 04, 2012, 11:50:08 AM »

If you nothing to lose doing a Recovery would be the best option.

earmic · « **Reply #38 on:** February 04, 2012, 08:04:07 PM »

Okay, I'll give it a try... thanks

SuperDave · « **Reply #39 on:** February 05, 2012, 11:51:03 AM »

Quote from: earmic on February 04, 2012, 08:04:07 PM

Okay, I'll give it a try... thanks

Please let me know the results.

earmic · « **Reply #40 on:** February 10, 2012, 01:05:23 PM »

Dave,
I wiped the drive and upgraded to Windows 7. Reinstalled AVG, MBAM, SAS, Online armor. Everything normal, "been a week now, ain't been sick once." Thanks, now that have a disk, it'll be easier next time.

SuperDave · « **Reply #41 on:** February 10, 2012, 07:43:55 PM »

Quote from: earmic on February 10, 2012, 01:05:23 PM

Dave,
I wiped the drive and upgraded to Windows 7. Reinstalled AVG, MBAM, SAS, Online armor. Everything normal, "been a week now, ain't been sick once." Thanks, now that have a disk, it'll be easier next time.

You're welcome. You'll be happy with Windows 7. I will lock this thread. If you need it re-opened, please send me a pm.

Computer Hope Forum

News:

Author Topic: Malware (Read 25681 times)

earmic

Re: Malware

SuperDave

Re: Malware

earmic

Re: Malware

SuperDave

Re: Malware

earmic

Re: Malware

SuperDave

Re: Malware

earmic

Re: Malware

SuperDave

Re: Malware

earmic

Re: Malware

SuperDave

Re: Malware

earmic

Re: Malware

SuperDave

Re: Malware