
Infected with Google redirect malware


This topic is locked
18 replies to this topic

#1 lambdrew

Posted 07 April 2009 - 12:38 AM

Hello,

I’m grappling with a malware issue and though I think I’ve made progress I want to be certain that I’m absolutely clean.

I began noticing the following strange behavior on April 4th:
1. Clicking on Google or Firefox search results redirects to apparently random ad sites. (The status bar at the bottom of the browser repeatedly referred to js.doubleclick.net.)
2. Popular malware removal programs were almost invariably unsuccessful because they either failed to download (bogus broken link errors), failed to install, failed to start, or failed to update virus definitions.
3. Failures in at least one of these cases rendered the machine unable to boot and I had to uninstall via safe mode.
4. Ctrl+Alt+Delete déjà-vu. On initial login the normal steps are:
a) View “Welcome to Windows…Press Ctrl+Alt+Delete to Begin” screen and press Ctrl+Alt+Delete
b) View “Unauthorized Use Prohibited…” notice and press “Ok”
c) View Login screen and login

What I suddenly began seeing however was:
a) View “Welcome to Windows…press Ctrl+Alt+Delete to begin” screen and press Ctrl+Alt+Delete
b) Very briefly the “Unauthorized Use Prohibited…” notice appears and then disappears to be replaced by the initial “Welcome to Windows” screen again
c) On the second Ctrl+Alt+Delete try the login proceeds normally.

When multiple malware removal tools failed to address the problem I began googling for reports of similar problems and came across topic # 212026. Because ComboFix was successful in this case I hastily downloaded and executed it with the XP Bootdisk…not realizing that this might be somewhat stupid.

In any event, ComboFix did in fact quarantine what appears to be a rootkit and the symptoms are vastly improved (from above):
1. Redirects are fixed
2. Malware removal tools which previously failed (e.g. Malwarebytes) now will install and run
3. However a crash of Spyware Doctor again forced me to reboot in safe mode and uninstall
4. I have continued to observe the Ctrl+Alt+Delete déjà-vu thing

This last symptom may in fact be harmless but any weirdness surrounding login behavior concerns me. I should also mention that a quick scan of Malwarebytes finds 5 threats (all registry related)
• Adware.PopCap (1)
• Disabled.SecurityCenter (1)
• Trojan.DNSChanger (3)

However, I’ve opted not to change anything until I posted a request since I know that there is still stuff quarantined from ComboFix.

I’m sorry—I know I’m doing this backwards and that I should have posted the request before taking action with ComboFix. But for what it’s worth I’m including results from DDS belatedly run after ComboFix. I’m hoping you can advise me on subsequent steps I still might need to take. I can also provide my ComboFix log, but the forum guidelines expressly forbid posting it without first being requested, so I’m holding off.

Thanks very much,

Andrew




DDS (Ver_09-03-16.01) - NTFSx86
Run by AL3468 at 19:31:17.56 on 2009-04-06
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3003 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
FW: McAfee Host Intrusion Prevention Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\apps\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CINGVPN\VPN Client\cvpnd.exe
C:\PROGRAM FILES\DRU\bin\DRUService.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\apps\apache\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\WINDOWS\system32\pstartSr.exe
C:\WINDOWS\system32\rcmdsvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\apps\apache\bin\ApacheMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\al3468\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.cnn.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SBCAssess] "c:\program files\compapps\sbcassess\SBCAssess.exe" 5
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Dell QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\apps\apache\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
uPolicies-explorer: Btn_Media = 2 (0x2)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\al3468\applic~1\mozilla\firefox\profiles\lkd4hzvx.default\
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-4-29 3840]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2008-2-12 220096]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-4 11608]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-4 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-4 185089]
R2 Apache2.2;Apache2.2;c:\apps\apache\bin\httpd.exe [2008-10-10 24636]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-4 55640]
R2 DRUAgent;DRUAgent;c:\program files\dru\bin\DRUService.exe [2008-4-29 139264]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2007-10-17 1455424]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-1-24 54608]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2008-2-12 367168]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2008-2-12 145984]
R2 Remote Command Server;Remote Command Server;c:\windows\system32\rcmdsvc.exe [2004-9-24 41472]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2007-9-20 42056]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2008-4-29 100104]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2008-4-29 30856]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2008-4-29 27976]
R3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2008-4-29 46400]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-4-29 205608]
S2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [2008-12-4 611360]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-1-24 144704]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2007-9-20 42056]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-4-29 72936]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-4-29 33960]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-4-29 15744]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-04-06 19:29 39,304 a------- c:\windows\system32\api_hook_list.dat
2009-04-06 19:29 75,072 a------- c:\windows\system32\HIPIS0e0015b.dll
2009-04-05 23:40 161,792 a------- c:\windows\SWREG.exe
2009-04-05 23:40 98,816 a------- c:\windows\sed.exe
2009-04-05 16:13 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-05 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-05 14:59 <DIR> --d----- c:\program files\Panda Security
2009-04-05 14:36 <DIR> --d----- c:\documents and settings\al3468\.housecall6.6
2009-04-04 17:23 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-04 17:23 <DIR> --d----- c:\program files\Avira
2009-04-04 17:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-04 16:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-04 16:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-04 16:08 558 a------- c:\windows\system32\Shortcut to msconfig.exe.lnk
2009-04-04 16:02 158,208 a------- c:\windows\system32\msconfig.exe
2009-04-04 09:11 <DIR> --d----- c:\program files\MalwarebytesAnti-Malware
2009-04-03 16:32 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-04-03 12:04 <DIR> --d----- c:\docume~1\al3468\applic~1\webex
2009-04-03 12:04 51,304 a------- c:\windows\system32\drivers\atnt40k.sys
2009-04-03 12:03 202,832 a------- c:\windows\system32\atasnt40.dll
2009-04-03 09:36 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-03 09:36 <DIR> --d----- c:\program files\Lavasoft
2009-04-03 07:40 39,008 a---h--- c:\windows\system32\mlfcache.dat
2009-04-03 07:39 905,728 a------- c:\windows\system32\Pano12.dll
2009-04-03 07:39 224,016 a------- c:\windows\system32\Tabctl32.ocx
2009-04-03 07:39 <DIR> --d----- c:\program files\PTAsmblr
2009-04-03 07:39 <DIR> --d----- c:\docume~1\al3468\applic~1\PTAssembler
2009-04-03 06:13 11,776 a------- c:\windows\system32\drivers\afc.sys
2009-04-03 06:13 303,104 a------- c:\windows\system32\MediaImpression Slideshow.scr
2009-04-03 06:12 <DIR> --d----- c:\windows\system32\MediaImpression Slideshow
2009-04-01 11:29 <DIR> --d-h--- C:\ProgramData
2009-03-09 20:42 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-09 20:42 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-03-09 20:42 159,232 a------- c:\windows\system32\ptpusd.dll
2009-03-09 20:42 15,104 a------- c:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================

2009-04-06 16:29 191,074 a------- c:\windows\system32\nvModes.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 22:58 247,104 a------- c:\windows\system32\KevlarSigs.dll
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys

============= FINISH: 19:31:48.93 ===============

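The triage in this thread rests on comparing DDS logs taken at different points in the cleanup (the 6 April log above and the 18 April log that follows). The script below is an added example, not part of this thread and not part of the DDS tool: it parses the SERVICES / DRIVERS block of two DDS logs and reports entries that appeared, disappeared, or changed start state, display name, path, date or size. The line shape it parses, `Rn name;display;path [yyyy-m-d size]`, is an assumption taken from the logs posted here, and the embedded samples are subsets of lines copied from those two logs.

```python
"""Diff the SERVICES / DRIVERS block of two DDS logs.

Added example for this thread; not part of the DDS tool. The line shape
`Rn name;display;path [yyyy-m-d size]` is assumed from the posted logs.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"            # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+"                  # image path, may contain spaces
    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)
FIELDS = ("state", "display", "path", "date", "size")


@dataclass(frozen=True)
class Entry:
    state: str
    display: str
    path: str
    date: str
    size: int


def parse_services(text):
    """Return {service_name_lower: Entry} for the SERVICES / DRIVERS block."""
    entries, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if "SERVICES / DRIVERS" in line:
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("====="):     # the next section header ends the block
            break
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            entries[d["name"].lower()] = Entry(
                d["state"], d["display"], d["path"], d["date"], int(d["size"]))
    return entries


def diff_services(old, new):
    """Return (added, removed, changed); changed is [(name, [field, ...])]."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = []
    for name in sorted(set(old) & set(new)):
        a, b = old[name], new[name]
        fields = [f for f in FIELDS if getattr(a, f) != getattr(b, f)]
        if fields:
            changed.append((name, fields))
    return added, removed, changed


def report(old_text, new_text):
    """One human-readable line per finding."""
    old, new = parse_services(old_text), parse_services(new_text)
    added, removed, changed = diff_services(old, new)
    lines = [f"added:   {n}  {new[n].path}" for n in added]
    lines += [f"removed: {n}  {old[n].path}" for n in removed]
    for name, fields in changed:
        before = ", ".join(f"{f}={getattr(old[name], f)}" for f in fields)
        after = ", ".join(f"{f}={getattr(new[name], f)}" for f in fields)
        lines.append(f"changed: {name}  [{before}] -> [{after}]")
    return lines


# Subsets of the two logs posted in this thread (6 April and 18 April 2009).
LOG_APR06 = r"""
============= SERVICES / DRIVERS ===============

R2 Remote Command Server;Remote Command Server;c:\windows\system32\rcmdsvc.exe [2004-9-24 41472]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2007-9-20 42056]
R3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2008-4-29 46400]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-4-29 205608]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================
"""

LOG_APR18 = r"""
============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-29 342960]
R2 Remote Command Server;Remote Command Server;c:\windows\system32\rcmdsvc.exe [2004-9-24 41472]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-4-7 68416]
S3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2007-9-20 44680]
S3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-4-7 34408]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-6 38496]

=============== Created Last 30 ================
"""

if __name__ == "__main__":
    for line in report(LOG_APR06, LOG_APR18):
        print(line)
```

Run stand-alone it lists the two services that appeared between the logs, the one that disappeared, and the three whose start state, size or date moved. The script only surfaces differences; deciding which of them are a vendor update and which need a closer look is still the helper's job, as it is in the thread.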


#2 Orange Blossom

Bleepin Investigator, Moderator

Posted 18 April 2009 - 03:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


#3 lambdrew (Topic Starter)

Posted 18 April 2009 - 09:37 PM

Hello,

Here is a current DDS log:





DDS (Ver_09-03-16.01) - NTFSx86
Run by AL3468 at 19:20:10.07 on 2009-04-18
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3056 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
FW: McAfee Host Intrusion Prevention Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\apps\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CINGVPN\VPN Client\cvpnd.exe
C:\PROGRAM FILES\DRU\bin\DRUService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Prot_srv.exe
C:\apps\apache\bin\httpd.exe
C:\WINDOWS\system32\pstartSr.exe
C:\WINDOWS\system32\rcmdsvc.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\apps\apache\bin\ApacheMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\al3468\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.cnn.com/
uDefault_Page_URL = hxxp://my-cingular.sbms.sbc.com/mycingular/index.jsp
mDefault_Page_URL = hxxp://my-cingular.sbms.sbc.com/mycingular/index.jsp
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SBCAssess] "c:\program files\compapps\sbcassess\SBCAssess.exe" 5
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Pointsec Tray] c:\program files\pointsec\pointsec for pc\P95Tray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Dell QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\apps\apache\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\qteam-~1.lnk - c:\program files\q team-link messenger\jre1.5.0_12\bin\javaw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
uPolicies-explorer: Btn_Media = 2 (0x2)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\al3468\applic~1\mozilla\firefox\profiles\lkd4hzvx.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-4-29 3840]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-29 342960]
R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2008-2-12 220096]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-4 11608]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-4 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-4 185089]
R2 Apache2.2;Apache2.2;c:\apps\apache\bin\httpd.exe [2008-10-10 24636]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-4 55640]
R2 DRUAgent;DRUAgent;c:\program files\dru\bin\DRUService.exe [2008-4-29 139264]
R2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2008-2-12 367168]
R2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2008-2-12 145984]
R2 Remote Command Server;Remote Command Server;c:\windows\system32\rcmdsvc.exe [2004-9-24 41472]
S2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [2008-12-4 611360]
S2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2009-2-23 1471808]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-1-24 144704]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-1-24 54608]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-4-7 68416]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2007-9-20 44680]
S3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2007-9-20 44680]
S3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2008-4-29 110384]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2008-4-29 38200]
S3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2008-4-29 35584]
S3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-4-7 34408]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-6 38496]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-4-29 72936]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-4-29 33960]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-4-29 15744]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-04-15 12:35 <DIR> --d----- c:\temp\Jad
2009-04-15 11:52 <DIR> --d----- c:\temp\NumberManagementServices
2009-04-07 11:06 68,416 a------- c:\windows\system32\mfevtps.exe
2009-04-06 19:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 19:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 23:40 161,792 a------- c:\windows\SWREG.exe
2009-04-05 23:40 98,816 a------- c:\windows\sed.exe
2009-04-05 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-05 14:59 <DIR> --d----- c:\program files\Panda Security
2009-04-05 14:36 <DIR> --d----- c:\documents and settings\al3468\.housecall6.6
2009-04-04 17:23 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-04 17:23 <DIR> --d----- c:\program files\Avira
2009-04-04 17:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-04 16:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-04 16:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-04 16:08 558 a------- c:\windows\system32\Shortcut to msconfig.exe.lnk
2009-04-04 16:02 158,208 a------- c:\windows\system32\msconfig.exe
2009-04-04 09:11 <DIR> --d----- c:\program files\MalwarebytesAnti-Malware
2009-04-03 16:32 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-04-03 12:04 <DIR> --d----- c:\docume~1\al3468\applic~1\webex
2009-04-03 12:04 51,304 a------- c:\windows\system32\drivers\atnt40k.sys
2009-04-03 12:03 202,832 a------- c:\windows\system32\atasnt40.dll
2009-04-03 09:36 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-03 09:36 <DIR> --d----- c:\program files\Lavasoft
2009-04-03 07:40 39,008 a---h--- c:\windows\system32\mlfcache.dat
2009-04-03 07:39 905,728 a------- c:\windows\system32\Pano12.dll
2009-04-03 07:39 224,016 a------- c:\windows\system32\Tabctl32.ocx
2009-04-03 07:39 <DIR> --d----- c:\program files\PTAsmblr
2009-04-03 07:39 <DIR> --d----- c:\docume~1\al3468\applic~1\PTAssembler
2009-04-03 07:19 <DIR> --d----- c:\program files\autostitch
2009-04-03 06:13 11,776 a------- c:\windows\system32\drivers\afc.sys
2009-04-03 06:13 303,104 a------- c:\windows\system32\MediaImpression Slideshow.scr
2009-04-03 06:12 <DIR> --d----- c:\windows\system32\MediaImpression Slideshow
2009-04-01 11:29 <DIR> --d-h--- C:\ProgramData
2009-03-20 11:50 3,358,720 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-04-18 19:15 191,074 a------- c:\windows\system32\nvModes.dat
2009-04-09 01:17 247,104 a------- c:\windows\system32\KevlarSigs.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 03:01 728,576 a------- c:\windows\system32\lsasrv.dll
2009-02-09 03:01 617,984 a------- c:\windows\system32\advapi32.dll
2009-02-09 03:01 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 03:01 715,264 a------- c:\windows\system32\ntdll.dll
2009-02-06 03:29 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:22 110,592 a------- c:\windows\system32\services.exe
2009-02-06 02:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 02:49 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 13:08 55,808 a------- c:\windows\system32\secur32.dll

============= FINISH: 19:20:34.50 ===============
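As an added illustration (not part of the DDS tool or anyone's post here), the following parses lines in the DDS `SERVICES / DRIVERS` format shown above and reports which security vendors have components installed and running, which is how a dual real-time antivirus install such as the Avira plus McAfee combination in this log becomes visible at a glance. The vendor fingerprint table and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the DDS "SERVICES / DRIVERS" line format:
# <start type> <service name>;<display name>;<image path> [<date> <size>]
SAMPLE = r"""
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-29 342960]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-4 11608]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-4 185089]
R2 Apache2.2;Apache2.2;c:\apps\apache\bin\httpd.exe [2008-10-10 24636]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-1-24 144704]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-6 38496]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)

# Illustrative vendor fingerprints (assumption: short, not an exhaustive AV list).
# Avira's kernel drivers carry the avgio/avgntflt names; "mfe" prefixes McAfee drivers.
VENDORS = {
    "McAfee": ("mcafee", "mfe"),
    "Avira": ("avira", "avgio", "avgntflt"),
    "Malwarebytes": ("malwarebytes", "mbam"),
}


def parse_services(text):
    """Return one dict per well-formed service/driver line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["running"] = d["start"].startswith("R")  # DDS: R = running, S = stopped
            entries.append(d)
    return entries


def vendors_present(entries):
    """Map vendor -> sorted service names whose name, display name or path matches."""
    found = defaultdict(set)
    for e in entries:
        hay = " ".join((e["name"], e["display"], e["path"])).lower()
        for vendor, needles in VENDORS.items():
            if any(n in hay for n in needles):
                found[vendor].add(e["name"])
    return {v: sorted(s) for v, s in found.items()}


def running_vendors(entries):
    """Vendors with at least one running (R*) component; two or more real-time
    scanners at once is the conflict a helper looks for first in such a log."""
    return sorted(vendors_present([e for e in entries if e["running"]]))
```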

#4 Blade81 (Malware Response Team)

Posted 19 April 2009 - 07:35 AM

Hi

You seem to have both Avira AntiVir Personal - Free Antivirus (outdated) and McAfee VirusScan Enterprise installed. Decide which one to keep.

Please post contents of ComboFix log back here.

Microsoft Windows Insider MVP 2016-2017
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 lambdrew (Topic Starter)

Posted 20 April 2009 - 12:30 AM

Hello,

Avira AntiVir has been uninstalled and I have attached the ComboFix log.

Thanks much,
Andrew

#6 Blade81 (Malware Response Team)

Posted 20 April 2009 - 11:03 AM

Hi Andrew

Uninstall old Adobe Reader versions and get the latest one here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!

After that, please run MBAM and let it quarantine its findings. Post back the log it creates together with a fresh dds.txt log. How's the system running?



#7 lambdrew (Topic Starter)

Posted 21 April 2009 - 09:36 AM

Hi,

Thanks for helping on this. I ran MBAM and it did quarantine some items which appear in the attached log.

It also immediately deleted two items:
- One under C:\Qoobox (ComboFix quarantine)
- The other I'm afraid I can't remember

I expected both of these to show up in the MBAM log though I don't see either.

Regarding system behavior, since running ComboFix the machine has performed normally. The only strange activity I continue to see is the need to press Ctrl+Alt+Delete twice on first login after startup.

#8 Blade81 (Malware Response Team)

Posted 21 April 2009 - 11:50 AM

Hi

Uninstall these vulnerable Javas:
J2SE Development Kit 5.0 Update 16
J2SE Development Kit 5.0 Update 17
J2SE Runtime Environment 5.0 Update 16
J2SE Runtime Environment 5.0 Update 17
Java 2 Runtime Environment, SE v1.4.2_12
Java 2 SDK, SE v1.4.2_12


The only strange activity I continue to see is the need to hit Press Ctrl+Alt+Delete twice on first login after startup.

When did this thing begin to happen?



#9 lambdrew (Topic Starter)

Posted 22 April 2009 - 10:31 AM

Hello,

I removed the Java 1.4 package as well as the older of the two Java 5 packages; unfortunately I have to keep one for ongoing development projects that don't support Java 6.


The double Ctrl+Alt+Delete thing:

On initial login the expected steps are:
1) View “Welcome to Windows…Press Ctrl+Alt+Delete to Begin” screen
2) Press Ctrl+Alt+Delete
3) View “Unauthorized Use Prohibited…” notice
4) Press “Ok”
5) View Login screen and login

What I suddenly began seeing however was:
1) View “Welcome to Windows…press Ctrl+Alt+Delete to begin” screen
2) *Immediately* press Ctrl+Alt+Delete
3) Very briefly the “Unauthorized Use Prohibited…” notice appears and then disappears to be replaced by the initial “Welcome to Windows” screen again
4) Again hit Ctrl+Alt+Delete
5) Then everything proceeds normally

So it's step #3 where things get weird. I noticed this for the very first time the same day I realized I was infected. In my attempts to disinfect I was restarting my computer over and over again. I found that if I was impatient (i.e. I hit Ctrl+Alt+Delete *immediately* when the box appeared) I would have to do the steps twice. If I was patient (i.e. I waited 5 seconds before hitting Ctrl+Alt+Delete) everything behaved normally. I should also note that the strange behavior never happens in safe mode no matter how fast I jump on Ctrl+Alt+Delete. The behavior I'm describing happens very consistently.

It is possible that this is unrelated to the infection; perhaps I only noticed it then because I was restarting my computer many, many times and (naturally) doing so with increasing impatience.

On an unrelated note, I ran a full Kaspersky scan and came up clean.

Thanks,
Andrew

#10 Blade81 (Malware Response Team)

Posted 22 April 2009 - 12:01 PM

Hi again,

Could you check if event viewer has any related events at the same moment you do a login? Please look here for instructions how to access Event viewer and how to view the event details.



#11 lambdrew (Topic Starter)

Posted 23 April 2009 - 04:59 PM

I really didn't find anything useful. The only error occurred (I think) after login:

Event Type: Error
Event Source: NetBT
Event Category: None
Event ID: 4307
Date: 2009-04-23
Time: 14:37
User: N/A
Computer: M980119KFLRH1
Description:
Initialization failed because the transport refused to open initial Addresses.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 58 00 ......X.
0008: 00 00 00 00 d3 10 00 c0 ....Ó..À
0010: 01 00 00 00 07 02 00 c0 .......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........



Also:

McAfee threw up an alert this morning during an automated scan:

4/23/2009 8:54:31 AM Deleted CINGULARUS\AL3468 C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\al3468\Local Settings\Application Data\Google\Toolbar History\urls\00000002 Exploit-ObscuredHtml (Trojan)

#12 Blade81 (Malware Response Team)

Posted 24 April 2009 - 10:33 AM

Hi

That looks like an older item there.


Let's see what Virustotal says about these two files:
c:\windows\system32\api_hook_list.dat
c:\windows\system32\HIPIS0e011a2.dll

Upload those and post back the results, please.



#13 lambdrew (Topic Starter)

Posted 27 April 2009 - 09:37 AM

***** api_hook_list.dat *****
MD5: 1abb68744347b68b5686713e0bc01357
First received: -
Date: 04.27.2009 16:17:33 (CET) [<1D]
Results: 0/40
Permalink: analisis/4d0115476a5e72191a26945107010522


***** HIPIS0e011a2.dll *****
MD5: c7e82385094e32c0c06bd0ab43731a36
First received: -
Date: 04.27.2009 16:22:09 (CET) [<1D]
Results: 0/40
Permalink: analisis/c2bd0cd7d1a2395a04ac74c198e93740



I'm not sure what info might be useful so I've also attached the full results.

#14 Blade81 (Malware Response Team)

Posted 27 April 2009 - 12:42 PM

Hi

Looks like the files are ok. In earlier ComboFix log there were some group policy related registry entries listed. Is the system part of some network?



#15 lambdrew (Topic Starter)

Posted 28 April 2009 - 03:01 PM

I do use this notebook on a company network though the ~\group policy\... entries are not anything I recognize. I'm definitely willing to mess with them if you think they might be worth looking at.



