
    Computer Virus - help needed please!

    I'm after some help please!
    I'm trying to fix my dad's netbook. It's running XP, Service Pack 3.
    We have recently had the Windows 2010 virus and removed it.
    Now though, on start-up my antivirus is disabled. I have to open MSE and start it manually.
    Also, in Internet Explorer, in Tools, Internet Options, Security, all my settings are on Custom. I have to go in and restore to default.
    This appears to work, but every now and again web pages redirect to pages offering antivirus packs etc.
    This happens every time I boot up. And now it seems the system may be insecure, as it doesn't always boot up.
    Any advice???
    I have run Spybot, Malwarebytes and have MSE running. I have run scans in safe and normal mode, but whatever it is, I cannot shift it!!
    Many thanks if you are able to offer advice.

    11 Comments

    format c:


    maybe try a restore
    Edited by: "davver99" 27th Mar 2011

    Original Poster

    Can you tell me how I do this please!

    Start in safe mode with networking: F8 on start-up. Keep on hitting F8 until you get the option to start in safe mode with networking.

    Run Malwarebytes and clean any infected files.

    Then download ComboFix and run it after Malwarebytes.

    Let it clean out the registry, restart in normal mode, and hopefully you should be sorted.

    Let me know if it works.


    Edited by: "shedboy66" 27th Mar 2011

    If in doubt there's always a how-to on YouTube.

    Original Poster

    shedboy, I'm trying your suggestion!!!
    I ran ComboFix in safe mode; it says it detects a rootkit and needs to reboot. However, when it reboots nothing loads up!!!
    Any advice?

    Original Poster

    Progress!! Completed 3 stages so far, whoop!
    Hopefully on my way to clearing this thing before it goes out the window!

    Original Poster

    ComboFix 11-03-26.02 - sid 27/03/2011 20:52:45.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.616 [GMT 1:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\NetworkService\Local Settings\Application Data\ttm.exe
    C:\ksdfghk.Bin
    c:\ksdfghk.bin\config.bin
    c:\ksdfghk.bin\ksdfghk.Bin.exe
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\windows\system32\Thumbs.db
    .
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-27 20:09 . 2011-03-27 20:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl5015cd83.sys
    2011-03-27 19:05 . 2011-03-27 19:05 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl62c02861.sys
    2011-03-27 19:02 . 2011-03-27 19:02 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKslb669e428.sys
    2011-03-27 18:55 . 2011-03-27 18:55 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsld9dc4360.sys
    2011-03-27 17:58 . 2011-03-27 17:58 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsld0db18f0.sys
    2011-03-27 17:55 . 2011-03-27 17:55 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsld7b635b6.sys
    2011-03-27 16:48 . 2011-03-27 16:48 -------- d-----w- c:\documents and settings\sid\Application Data\DriverCure
    2011-03-27 16:48 . 2011-03-27 16:48 -------- d-----w- c:\documents and settings\sid\Application Data\ParetoLogic
    2011-03-27 16:47 . 2011-03-27 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2011-03-27 16:02 . 2011-03-27 20:09 -------- d-----w- c:\windows\system32\CatRoot2
    2011-03-27 15:09 . 2011-03-27 15:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl8099200c.sys
    2011-03-26 20:07 . 2011-03-23 10:11 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\mpengine.dll
    2011-03-26 20:07 . 2011-02-02 18:11 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-03-26 19:02 . 2011-03-26 19:02 -------- d-----w- c:\program files\Microsoft Security Client
    2011-03-26 17:47 . 2011-03-27 15:04 -------- d-----w- c:\documents and settings\sid\Application Data\gsp3odhbhvdts2exdxzozq3zuwhxbcz2
    2011-03-26 17:47 . 2011-03-26 17:49 -------- d-----w- c:\documents and settings\sid\Application Data\Hoycy
    2011-03-22 20:00 . 2011-03-22 20:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-03-22 19:17 . 2011-03-26 14:01 -------- d-----w- c:\program files\tmprer
    2011-03-13 19:10 . 2011-03-13 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-03-13 19:10 . 2011-03-13 19:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-13 18:16 . 2011-03-13 18:16 -------- d--h--w- c:\windows\PIF
    2011-03-13 18:12 . 2011-03-13 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-03-13 17:20 . 2011-03-13 17:21 -------- d-----w- c:\documents and settings\Administrator
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2009-08-11 13:03 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2009-08-11 13:03 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2009-08-11 13:13 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-08-11 13:13 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2009-08-11 13:03 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2009-08-11 13:03 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2009-08-11 13:03 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-07-27 397312]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
    "AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
    "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
    "LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    c:\documents and settings\sid\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-8-11 376832]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R1 MpKsl5015cd83;MpKsl5015cd83;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl5015cd83.sys [27/03/2011 21:09 28752]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [28/04/2009 02:59 38912]
    R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [20/08/2009 13:24 1015424]
    S1 piiwijgq;piiwijgq;\??\c:\windows\system32\drivers\piiwijgq.sys --> c:\windows\system32\drivers\piiwijgq.sys [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/08/2009 20:00 1684736]
    S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS --> c:\windows\system32\drivers\AmUStor.SYS [?]
    S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [28/04/2009 06:47 39040]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL5015CD83
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-27 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
    .
    2011-03-27 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://wanadoo.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btse [snipped by DBA for length]
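    The ComboFix log above is what the rest of the thread relies on, so here is an added example (not part of the thread, and not a ComboFix tool) that pulls the defender-relevant indicators out of such a log: the disabled antivirus line, the TDL4 bootkit line, the firewall being off, and service/driver entries whose image file is missing on disk. The sample text is a constructed excerpt modelled on the pasted log, and the severity labels are this example's own choice.

```python
import re

# Constructed excerpt modelled on the ComboFix log in the thread (sample input, not a real run).
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [28/04/2009 02:59 38912]
S1 piiwijgq;piiwijgq;\??\c:\windows\system32\drivers\piiwijgq.sys --> c:\windows\system32\drivers\piiwijgq.sys [?]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS --> c:\windows\system32\drivers\AmUStor.SYS [?]
"""

# ComboFix service/driver lines: <R|S><start type> <name>;<display name>;<image path> [timestamp size | ?]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")


def triage(log_text):
    """Return a list of (severity, finding) tuples extracted from a ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^AV: (.+?) \*Disabled", line)
        if m:
            findings.append(("high", "antivirus disabled: " + m.group(1)))
        m = re.search(r"Bootkit (\S+) was found", line)
        if m:
            findings.append(("critical", "MBR bootkit reported: " + m.group(1)))
        if line.startswith('"EnableFirewall"= 0'):
            findings.append(("medium", "Windows Firewall standard profile is off"))
        m = SERVICE_RE.match(line)
        if m and m.group(5).endswith("[?]"):
            # "[?]" means ComboFix could not find the image file: a leftover or hidden driver entry.
            _, start, name, display, _ = m.groups()
            # A boot/system-start driver whose display name merely repeats a random-looking
            # service name is the usual footprint of a rootkit loader; rate it higher.
            nondescript = display.strip().lower() == name.strip().lower()
            severity = "high" if start in "01" and nondescript else "low"
            findings.append((severity, f"driver image missing: {name} (start type {start})"))
    return findings


if __name__ == "__main__":
    for severity, text in triage(SAMPLE_LOG):
        print(f"[{severity:8}] {text}")
```

    Run it against a saved ComboFix.txt by passing the file contents to triage(); the sample reproduces the four kinds of line the thread's log shows.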

    Original Poster

    Any ideas now anyone???
    Cheers!!

    It's normally the rootkit infection that keeps reloading everything you clean out with Malwarebytes,
    so hopefully, if this has been carried out, with crossed fingers there'll be no more problems.
    The proof will be whether the redirects start up again or not.

    Original Poster

    Hopefully!
    Saw this on the scan results:

    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    Could it be this? I don't know what it all means!!!

    Prolly should ask for help at a specialist forum in case you get stuck (like now), e.g. this problem looks similar to yours and wasn't exactly straightforward:
    forums.techguy.org/vir…tml