
Unknown Infection


This topic is locked
2 replies to this topic

#1 shaunee


Posted 22 April 2009 - 03:03 PM

My computer has recently been infected with these symptoms, with my attachments in brackets:
1. Cannot update Ad-Aware AE definition file, neither automatically nor manually - browser fails to connect to download site, but connects fine to Lavasoft (AA_download_error.JPG)
2. Cannot do MS Update (MS_update_error.JPG)
3. Yahoo Search and some Google Search results are redirected (results are good, but clicking on them goes to wrong websites)

I have taken the following steps in attempts to identify and remove the infection(s), but above symptoms persisted after each step:
1. Ran Symantec AntiVirus manual scans with latest defs, which detected 1 threat on Apr. 17 (Symantec_history.JPG)
2. Ran Ad-Aware SE Plus with Mar. 30 defs, with no findings (latest defs for SE version cuz SE discontinued Apr. 1)
3. Ran Ad-Aware AE with 0146.0000 defs - no findings
4. Restored my Windows XP to Mar. 23
5. Ran Dr. Web Cure It with Apr. 21 defs, found and cured ~6 threats
6. Tested for Conficker Worm, indicating that my computer doesn't have it (Conficker_test.JPG)
7. Ran Kaspersky scan - no findings (Kaspersky_scan.JPG)
8. Installed and tried to run Spybot - S&D: cannot update defs, Spybot scan doesn't launch (Resident is in tray) but "SpybotSD.exe" shows up in Windows Task Manager Processes list
9. Ran HijackThis (hijackthis.log)
10. Ran DDS (Attach.txt)

C: is my computer's hard drive, E: is an external hard drive connected via USB 2.0. I've always had Ad-Aware Watch, Symantec Auto-Protect, and Windows Firewall (with exceptions for Ad-Aware) running. Any help would be appreciated.
Thanks,
Shaun
*P.S. - UPLOAD not working on Firefox 3.0.8, so switching to IE 7.0


DDS (Ver_09-03-16.01) - NTFSx86
Run by Shaun Luong at 12:29:58.23 on 04/22/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.510.51 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\System Tools\Symantec AntiVirus\DefWatch.exe
C:\Media Tools\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\slserv.exe
C:\System Tools\Symantec AntiVirus\Rtvscan.exe
C:\Office Tools\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\SYSTEM~2\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\System Tools\Matrix Screen Locker\matrix.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Media Tools\Mozilla Firefox\firefox.exe
C:\System Tools\Spybot - S&D\TeaTimer.exe
C:\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\System Tools\Spybot - S&D\SpybotSD.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = proxy.crc.ca:3128
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\media tools\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\system tools\spybot - s&d\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\system tools\spybot - s&d\TeaTimer.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\ATIPTAXX.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\system~2\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\office tools\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\shaunl~1\startm~1\programs\startup\matrix~1.lnk - c:\system tools\matrix screen locker\matrix.exe
StartupFolder: c:\docume~1\shaunl~1\startm~1\programs\startup\memeoa~1.lnk - c:\program files\memeo\autobackup\MemeoLauncher.exe
StartupFolder: c:\docume~1\shaunl~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{90110409-6000-11d3-8cfe-0150048383c9}\outicon.exe
StartupFolder: c:\docume~1\shaunl~1\startm~1\programs\startup\tvshow~1.lnk - e:\TV Shows
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\office~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\office~1\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\system tools\spybot - s&d\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230582395562
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230582377406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.67,85.255.112.170
TCP: {C6258337-8052-4781-826A-B4BCB3D11619} = 85.255.112.67,85.255.112.170
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaunl~1\applic~1\mozilla\firefox\profiles\ij8u3uss.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxps://maps.aeroplan.com/en/#3
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\shaun luong\application data\mozilla\firefox\profiles\ij8u3uss.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\shaun luong\application data\mozilla\firefox\profiles\ij8u3uss.default\extensions\{f02289b7-b23a-49b1-a7da-b60880e69629}\components\Engine.dll
FF - component: c:\media tools\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\media tools\divx\divx content uploader\npUpload.dll
FF - plugin: c:\media tools\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\media tools\divx\divx web player\npdivx32.dll
FF - plugin: c:\media tools\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\media tools\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\media tools\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\media tools\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\media tools\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\media tools\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\media tools\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\media tools\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\media tools\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\media tools\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\media tools\vlc player\npvlc.dll
FF - plugin: c:\office tools\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - plugin: c:\photo tools\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-20 64160]
R1 SAVRT;SAVRT;c:\system tools\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 SAVRTPEL;SAVRTPEL;c:\system tools\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090421.006\naveng.sys [2009-4-21 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090421.006\navex15.sys [2009-4-21 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]

=============== Created Last 30 ================

2009-04-22 12:02 <DIR> -cd----- C:\HijackThis
2009-04-22 11:48 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-21 13:32 <DIR> -cd----- c:\documents and settings\shaun luong\DoctorWeb
2009-04-21 10:54 15,688 ac------ c:\windows\system32\lsdelete.exe
2009-04-20 22:35 64,160 ac------ c:\windows\system32\drivers\Lbd.sys
2009-04-20 22:34 <DIR> -cd----- c:\program files\Lavasoft
2009-04-20 22:23 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-17 00:10 0 ac--h--- c:\windows\BIT258.tmp
2009-04-16 22:56 93,504 ac---r-- c:\windows\QTW16DEL.EXE
2009-04-16 22:56 190 ac------ c:\windows\QTW.INI
2009-04-16 22:56 2,037,248 ac---r-- c:\windows\QTINSTAL.EXE
2009-04-16 22:55 60 ac------ c:\windows\RESULT.QTW
2009-04-15 14:00 0 ac--h--- c:\windows\BIT1BF.tmp
2009-04-15 12:42 0 ac--h--- c:\windows\BIT1B8.tmp
2009-04-15 12:34 0 ac--h--- c:\windows\BIT1B5.tmp
2009-04-08 20:23 <DIR> -cd----- c:\program files\TomTom International B.V
2009-03-31 22:31 <DIR> -cd----- c:\program files\common files\xing shared
2009-03-31 22:24 499,712 ac------ c:\windows\system32\msvcp71.dll
2009-03-31 21:55 <DIR> -cd----- c:\windows\system32\KB905474
2009-03-31 21:10 <DIR> -cd----- c:\program files\common files\DivX Shared
2009-03-31 13:41 27,496 ac------ c:\windows\system32\mucltui.dll.mui
2009-03-31 13:41 268,648 ac------ c:\windows\system32\mucltui.dll

==================== Find3M ====================

2009-04-19 20:40 195,042 ac------ c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-21 08:06 989,696 ac------ c:\windows\system32\kernel32(2).dll
2009-03-02 18:18 826,368 ac------ c:\windows\system32\wininet(2).dll
2009-02-24 13:34 90,112 ac------ c:\windows\system32\dpl100.dll
2009-02-24 13:34 823,296 ac------ c:\windows\system32\divx_xx0c.dll
2009-02-24 13:34 823,296 ac------ c:\windows\system32\divx_xx07.dll
2009-02-24 13:34 815,104 ac------ c:\windows\system32\divx_xx0a.dll
2009-02-24 13:34 802,816 ac------ c:\windows\system32\divx_xx11.dll
2009-02-24 13:34 684,032 ac------ c:\windows\system32\DivX.dll
2009-02-20 12:09 1,160,192 ac------ c:\windows\system32\urlmon(2).dll
2009-02-20 12:09 105,984 ac------ c:\windows\system32\url(2).dll
2009-02-20 12:09 268,288 ac------ c:\windows\system32\iertutil(2).dll
2009-02-09 06:10 729,088 ac------ c:\windows\system32\lsasrv(2).dll
2009-02-09 06:10 714,752 ac------ c:\windows\system32\ntdll(2).dll
2009-02-09 06:10 617,472 ac------ c:\windows\system32\advapi32(2).dll
2009-02-09 06:10 401,408 ac------ c:\windows\system32\rpcss(2).dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 05:11 110,592 ac------ c:\windows\system32\services(2).exe
2009-02-03 13:59 56,832 ac------ c:\windows\system32\secur32(2).dll
2008-05-14 17:12 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051420080515\index.dat
2009-01-18 17:26 16,384 ac-sh--- c:\windows\temp\cookies\index.dat
2009-01-18 17:26 16,384 ac-sh--- c:\windows\temp\history\history.ie5\index.dat
2009-01-18 17:26 32,768 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 12:31:02.93 ===============
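In a DDS log, the `TCP: NameServer` and per-interface `TCP: {GUID}` lines show which resolvers the machine is actually using, the `ProxyServer` line shows where IE sends its traffic, and Firefox's `keyword.URL` shows where address-bar searches go; when search results redirect and update sites cannot be reached, comparing those values against what the network and the user expect is the first check a responder makes. The following is an added example, not part of the thread: a small parser that pulls those settings out of the DDS output above and flags anything outside an expected set. The expected resolver and search-host lists are assumed placeholders, not values from the thread.

```python
import re
from urllib.parse import urlparse

# Lines copied from the DDS "Pseudo HJT Report" and FIREFOX sections in the thread above.
DDS_LOG = """\
uInternet Settings,ProxyServer = proxy.crc.ca:3128
uInternet Settings,ProxyOverride = <local>
TCP: NameServer = 85.255.112.67,85.255.112.170
TCP: {C6258337-8052-4781-826A-B4BCB3D11619} = 85.255.112.67,85.255.112.170
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&ei=utf-8&yahoo_domain=search.yahoo.com&p=
"""

# Assumptions (placeholder values, not from the thread): what the network and the
# user are expected to use. Replace with the real ISP/corporate resolvers and proxy.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
EXPECTED_PROXIES = {"proxy.crc.ca:3128"}
EXPECTED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com"}

NS_RE = re.compile(r"^TCP: (NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
KEYWORD_RE = re.compile(r"^FF - prefs\.js: keyword\.URL - (\S+)$")

def parse_network_settings(log):
    """Pull resolvers (per interface), the IE proxy and Firefox keyword.URL out of DDS output."""
    s = {"resolvers": {}, "proxy": None, "keyword_url": None}
    for line in log.splitlines():
        if m := NS_RE.match(line):
            s["resolvers"][m.group(1)] = [ip.strip() for ip in m.group(2).split(",")]
        elif m := PROXY_RE.match(line):
            s["proxy"] = m.group(1).strip()
        elif m := KEYWORD_RE.match(line):
            s["keyword_url"] = m.group(1)
    return s

def flag_unexpected(s):
    """Return (kind, where, value) triples for settings outside the expected sets."""
    findings = []
    for iface, ips in s["resolvers"].items():
        findings += [("resolver", iface, ip) for ip in ips if ip not in EXPECTED_RESOLVERS]
    if s["proxy"] and s["proxy"] not in EXPECTED_PROXIES:
        findings.append(("proxy", "IE", s["proxy"]))
    if s["keyword_url"]:
        # DDS defangs URLs as hxxp://; urlparse still yields the host part.
        host = urlparse(s["keyword_url"]).netloc
        if host not in EXPECTED_SEARCH_HOSTS:
            findings.append(("search", "Firefox keyword.URL", host))
    return findings
```

Running `flag_unexpected(parse_network_settings(DDS_LOG))` on the lines above reports both resolver addresses on both interfaces and the Firefox search host, while the proxy matches the expected entry and is not reported.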

#2 shaunee (Topic Starter)

Posted 27 April 2009 - 12:01 AM

Well, on the advice of my ISP, I ran Windows Live OneCare safety scanner, and it got rid of the infection! I still don't know what the infection was, but all the above symptoms are gone, and so far, no side effects. I uninstalled Ad-Aware since I have decided to use Spybot instead. It's weird that none of my other scanners got rid of the infection, but a free one from MS did.

#3 KoanYorel (Staff Emeritus)

Posted 03 May 2009 - 11:45 PM

Thanks for informing us.
Good Luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
