
Author Topic: Antispyware XP  (Read 42387 times)


rstoddard

    Topic Starter


    Beginner

    Re: Antispyware XP
    « Reply #15 on: March 27, 2010, 09:16:42 PM »
    O.K.

    Here is the log:

    All processes killed
    ========== PROCESSES ==========
    No active process named explorer.exe was found!
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{AD34AA71-F36B-6160-7CE6-4BD40C5CB10D} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD34AA71-F36B-6160-7CE6-4BD40C5CB10D}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\magicjack.com\my\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mcafee.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\talk4free.com\reg\ deleted successfully.
    Starting removal of ActiveX control {A7EA8AD2-287F-11D3-B120-006008C39542}
    C:\WINDOWS\Downloaded Program Files\default.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A7EA8AD2-287F-11D3-B120-006008C39542}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7EA8AD2-287F-11D3-B120-006008C39542}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A7EA8AD2-287F-11D3-B120-006008C39542}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7EA8AD2-287F-11D3-B120-006008C39542}\ not found.
    ========== COMMANDS ==========
     
    [EMPTYTEMP]
     
    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: All Users
     
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41 bytes
     
    User: HelpAssistant
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 51587035 bytes
    ->Flash cache emptied: 260252 bytes
     
    User: HP_Administrator
    ->Temp folder emptied: 13196961 bytes
    ->Temporary Internet Files folder emptied: 117303285 bytes
    ->Java cache emptied: 3314937 bytes
    ->FireFox cache emptied: 146764507 bytes
    ->Flash cache emptied: 3903313 bytes
     
    User: Justin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 8775949 bytes
     
    User: Justin2
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 157915 bytes
    ->Java cache emptied: 317402 bytes
    ->FireFox cache emptied: 33491060 bytes
    ->Flash cache emptied: 17490 bytes
     
    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY.000
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY.001
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY.002
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY.003
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY.004
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY.005
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
     
    User: LocalService.NT AUTHORITY.006
    ->Temp folder emptied: 989880 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
     
    User: NetworkService
    ->Temp folder emptied: 989880 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
     
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 518248 bytes
    %systemroot%\System32 .tmp files removed: 27872582 bytes
    %systemroot%\System32\dllcache .tmp files removed: 31611904 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 127473030 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 39608671 bytes
     
    Total Files Cleaned = 580.00 mb
     
     
    OTL by OldTimer - Version 3.1.37.3 log created on 03272010_225406

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Perflib_Perfdata_a98.dat not found!
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF4E5B.tmp moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2kb2uh0s.default\Cache\_CACHE_001_ moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2kb2uh0s.default\Cache\_CACHE_002_ moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2kb2uh0s.default\Cache\_CACHE_003_ moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2kb2uh0s.default\Cache\_CACHE_MAP_ moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2kb2uh0s.default\urlclassifier3.sqlite moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\2kb2uh0s.default\XUL.mfl moved successfully.
    File move failed. C:\WINDOWS\temp\av1.tmp scheduled to be moved on reboot.
    C:\WINDOWS\temp\iswift.dat moved successfully.
    C:\WINDOWS\temp\sfdb.dat moved successfully.
    File\Folder C:\WINDOWS\temp\ZLT019d9.TMP not found!

    Registry entries deleted on Reboot...

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: Antispyware XP
    « Reply #16 on: March 28, 2010, 02:30:51 PM »
    Please download and save HelpAsst_mebroot_fix.exe
    • Double click to run the tool.
    • When complete, run mbr -f then reboot.
    • After reboot, provide the log for me.
    ~Dr Jay

    rstoddard


      Re: Antispyware XP
      « Reply #17 on: March 28, 2010, 08:11:39 PM »
      Hello

      I have done as you instructed, but I cannot find a log. Was it supposed to appear in my desktop?

      Dr Jay

      Re: Antispyware XP
      « Reply #18 on: March 28, 2010, 09:33:21 PM »
      Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
      • Double-click mbr.exe to start the program.
      • When done scanning, it will save a log on the Desktop called mbr.log.
      • Please post the contents of that log in your next reply.
      ~Dr Jay

      rstoddard


        Re: Antispyware XP
        « Reply #19 on: March 29, 2010, 09:06:32 PM »
        O.K., this is what it produced:

        Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

        device: opened successfully
        user: MBR read successfully
        kernel: MBR read successfully
        user & kernel MBR OK
        copy of MBR has been found in sector 0x01749DA10
        malicious code @ sector 0x01749DA13 !
        PE file found in sector at 0x01749DA29 !

        Dr Jay

        Re: Antispyware XP
        « Reply #20 on: March 29, 2010, 09:19:27 PM »
        Go here, and download SWReg:

        http://www.xs4all.nl/~fstaal01/downloads/swreg.exe

        When installed, go to Start | Run and type the following. You may want to copy/paste, just to make sure:

        swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f

        ============


        Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press Enter])
        Enter the following into the black box, pressing Enter after each line:

        Code:
        cd desktop

        mbr.exe -f

        exit

        Post a log (MBR.log).
        ~Dr Jay

        rstoddard


          Re: Antispyware XP
          « Reply #21 on: March 30, 2010, 07:23:36 PM »
          Here's the log:

          Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

          device: opened successfully
          user: MBR read successfully
          kernel: MBR read successfully
          user & kernel MBR OK
          copy of MBR has been found in sector 0x01749DA10
          malicious code @ sector 0x01749DA13 !
          PE file found in sector at 0x01749DA29 !

          Dr Jay

          Re: Antispyware XP
          « Reply #22 on: March 30, 2010, 08:24:30 PM »
          Do you have an XP cd?
          ~Dr Jay

          rstoddard


            Re: Antispyware XP
            « Reply #23 on: March 31, 2010, 07:27:56 PM »
            Yes, I do.

            Dr Jay

            Re: Antispyware XP
            « Reply #24 on: March 31, 2010, 09:50:04 PM »
            Please reboot your computer into the setup disc, and while in setup, press "R" for the Recovery Console.

            Once in the RC, type in "fixmbr" and hit Enter.

            Type 'y' if asked to, and allow it to do its job.

            Once it's done that and shows the prompt for another command, type "exit".

            This will reboot your machine again; allow it to boot normally this time.
            ~Dr Jay

            rstoddard


              Re: Antispyware XP
              « Reply #25 on: April 02, 2010, 10:31:53 PM »
              Please excuse the delay. I had to work.

              When I enter the recovery console, I am asked:

              "Which Windows installation would you like to log into? 1=J:\I386, 2=J:\MiniNT"

              Which one should I choose? ???

              Dr Jay

              Re: Antispyware XP
              « Reply #26 on: April 02, 2010, 10:43:20 PM »
              Try option 1.
              ~Dr Jay

              rstoddard


                Re: Antispyware XP
                « Reply #27 on: April 03, 2010, 11:48:59 AM »
                O.K., I have completed what you instructed.

                Next step, please.

                Dr Jay

                Re: Antispyware XP
                « Reply #28 on: April 03, 2010, 12:02:03 PM »
                Now, boot back into XP. Re-run the MBR tool and post a log.
                ~Dr Jay

                rstoddard


                  Re: Antispyware XP
                  « Reply #29 on: April 04, 2010, 10:12:24 AM »
                  O.K., here it is:

                  Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                  device: opened successfully
                  user: MBR read successfully
                  kernel: MBR read successfully
                  user & kernel MBR OK
                  copy of MBR has been found in sector 0x01749DA10
                  malicious code @ sector 0x01749DA13 !
                  PE file found in sector at 0x01749DA29 !
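An added example, not from the thread or from GMER: a small Python parser for the mbr.log format posted in Replies #19, #21 and #29, with its input constructed from those posts. It shows why "user & kernel MBR OK" alone is not a clean bill of health (it only says sector 0 reads the same from user and kernel mode) and why comparing the pre- and post-fixmbr logs reports no change: fixmbr rewrites the boot sector, not the sectors where the detector found the stashed MBR copy and the PE image. The verdict labels and the `assess` rules are this example's own assumptions.

```python
import re

# Constructed sample: the mbr.log lines posted in the thread (identical before
# and after "mbr.exe -f" and "fixmbr"), assembled here as test input.
MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01749DA10
malicious code @ sector 0x01749DA13 !
PE file found in sector at 0x01749DA29 !
"""

# One pattern per indicator line; each captures the hex sector the tool reports.
PATTERNS = {
    "mbr_copy": re.compile(r"copy of MBR has been found in sector (0x[0-9A-Fa-f]+)"),
    "malicious_code": re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)"),
    "pe_file": re.compile(r"PE file found in sector at (0x[0-9A-Fa-f]+)"),
}


def parse_mbr_log(text):
    """Return mbr_ok (user/kernel views of sector 0 agree) plus each indicator's sector or None."""
    result = {"mbr_ok": "user & kernel MBR OK" in text}
    for name, pattern in PATTERNS.items():
        match = pattern.search(text)
        result[name] = int(match.group(1), 16) if match else None
    return result


def assess(findings):
    """Verdict rules (this example's assumption): code or a PE image found in sectors
    outside the partition layout means a rootkit body is still on disk, whatever
    sector 0 looks like; a stashed MBR copy alone is worth a closer look."""
    if findings["malicious_code"] is not None or findings["pe_file"] is not None:
        return "infected"
    if findings["mbr_copy"] is not None:
        return "suspicious"
    return "clean" if findings["mbr_ok"] else "inconclusive"


def remediation_changed(before_log, after_log):
    """True when any reported sector differs between two logs, i.e. the fix touched something."""
    before, after = parse_mbr_log(before_log), parse_mbr_log(after_log)
    return any(before[k] != after[k] for k in PATTERNS)
```

Running `remediation_changed(MBR_LOG, MBR_LOG)` reproduces the thread's situation: the post-fixmbr log carries the same three sectors, so the disk still needs the out-of-MBR sectors cleaned.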