Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Results Hijacked -- AVG Claims No Viruses


  • This topic is locked This topic is locked
22 replies to this topic

#1 zman25

zman25

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 07 October 2009 - 06:39 PM

Hello to all-

First, let me thank everyone who volunteers their time to help everyone with computer problems. It's awesome to see people helping strangers without hope of financial gain. Thanks so much to all.

I'm stumped, so I'm turning to the experts for help. Since Sunday, my Google results (I'm using IE v. 7.0.5730.11) appear normal, but the links redirect me to a different website. The redirect site has changed: I've gotten reliablewindow.com, z43523673.cn, tulsamusic.com, and web-cincinnati.com. Often, there is a "Not Found" message. Another time (when I searched for "dell") there was a scammy ad for a MacBook deal.

Other details:
(1) The problem is intermittent. I just did three or four google searches (espn, target, amazon), and the correct page loaded (espn.com, target.com, amazon.com) when I clicked on a link. Then, on the next search (dell), the MacBook deal site came up when I clicked on the result link for dell.com.
(2) The problem occurs in Yahoo, also.

I've tried the following steps to cure the problem:
(1) AVG Free, which is installed and supposedly always running in the background: no malware found.
(2) TrendMicro Free Online Scan: no malware found.
(3) CWShredder: no malware found.
(4) AdAware: the program claimed that it was already scanning and refused to start a new scan. AdAware also could not update its malware profile.
(5) Safe Mode: I could not start the computer in safe mode--it kept looping back to the DOS prompt until I chose "Normal Startup." I'm not sure if I've ever had to start this machine in safe mode, and I've had problems with this computer associated with shut down/standby, so this is very possibly not the result of the malware.

I'm terribly sorry that I can't offer any more clues, but I'm happy to test out anything that may provide helpful information.

Here is the DDS log:


DDS (Ver_09-09-29.01) - NTFSx86
Run by C at 18:00:24.23 on Wed 10/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.477 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRAY.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mspaint.exe
C:\Documents and Settings\C\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,Ir32_c.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Thunder Browser Helper: {63b2d652-ead9-4d6e-93ed-2cc51d22cf02} - c:\windows\system32\XunLeiBHO_001.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mExplorerRun: [AAAA] c:\windows\system32\hf1001.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/stanford/support/plugins/ebraryRdr.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167672898468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167673156905
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: __c00B8E8C - c:\windows\system32\__c00B8E8C.dat
SEH: N/A: {3fdeb171-8f86-0005-0001-69b8db553683} - c:\windows\system32\sysff11.dll
SEH: N/A: {3fdeb171-8f86-0002-0001-69b8db553683} - c:\windows\system32\systemtl2jp.dll
SEH: N/A: {3fdeb171-8f86-1107-0001-69b8db553683} - c:\windows\system32\sysjpred.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-28 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-28 27784]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 297752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-5-11 106808]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070208.017\naveng.sys [2007-2-8 80472]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070208.017\navex15.sys [2007-2-8 852600]
S2 download02;Remote Access;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S2 Wingms;Wingms;c:\windows\system32\msn.exe -u --> c:\windows\system32\msn.exe -u [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 usbmouseb;usbmouseb;\??\c:\windows\system32\drivers\msn.sys --> c:\windows\system32\drivers\msn.sys [?]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

=============== Created Last 30 ================


==================== Find3M ====================

2009-08-23 20:24 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 20:24 11,952 a------- c:\windows\system32\avgrsstx.dll

============= FINISH: 18:02:46.48 ===============

Thanks so much!

Attached Files



BC AdBot (Login to Remove)

 


#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:11:43 PM

Posted 24 October 2009 - 08:00 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 zman25

zman25
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 25 October 2009 - 01:09 PM

Thanks for your response. My situation has not changed. I must emphasize that the problem is intermittent -- sometimes, the first search result from Google/Yahoo will take me to the correct site, but the second search result will redirect to some bogus site. I am keeping this machine turned off while waiting to receive some help, so very little should have changed. I did run AVG again, and it is still not finding any problems.

Please see my first post in this thread for a somewhat detailed description. Let me know if there are any questions I can answer to help assess the situation.

Here is a new DDS log. I've also attached a zip file with the new attach.txt file. Thanks!


DDS (Ver_09-10-24.04) - NTFSx86
Run by C at 13:00:59.92 on Sun 10/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.551 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\C\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,Ir32_c.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Thunder Browser Helper: {63b2d652-ead9-4d6e-93ed-2cc51d22cf02} - c:\windows\system32\XunLeiBHO_001.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mExplorerRun: [AAAA] c:\windows\system32\hf1001.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/stanford/support/plugins/ebraryRdr.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167672898468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167673156905
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: __c00B8E8C - c:\windows\system32\__c00B8E8C.dat
SEH: N/A: {3fdeb171-8f86-0005-0001-69b8db553683} - c:\windows\system32\sysff11.dll
SEH: N/A: {3fdeb171-8f86-0002-0001-69b8db553683} - c:\windows\system32\systemtl2jp.dll
SEH: N/A: {3fdeb171-8f86-1107-0001-69b8db553683} - c:\windows\system32\sysjpred.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-28 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 297752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-5-11 106808]
S2 download02;Remote Access;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S2 Wingms;Wingms;c:\windows\system32\msn.exe -u --> c:\windows\system32\msn.exe -u [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 usbmouseb;usbmouseb;\??\c:\windows\system32\drivers\msn.sys --> c:\windows\system32\drivers\msn.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-08-24 01:24:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 13:02:54.87 ===============

Attached Files



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:43 AM

Posted 26 October 2009 - 06:11 AM

Hello zman25,
Hello ,
And :( to the Bleeping Computer Malware Removal Forum
, My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay
.


ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
In your next reply, please include the following:
  • RootRepeal.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 zman25

zman25
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 26 October 2009 - 07:31 PM

Thanks so much for volunteering to help out! Here is the Root Repeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/26 19:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2653000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B9F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF9B4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070511.019\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86725268

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1400) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 2320) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 2680) Address: 0x10000000 Size: 28672

==EOF==

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:43 AM

Posted 27 October 2009 - 04:37 AM

Hi again, it seems you have a new variant of the TDSS rootkit. Lets see if we can confirm this. Since this is a relative new infection, the cleaning process may take some time.

COMBOFIX
---------------
Please download ComboFix from one of these locations:Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply, please include the following:
  • Combofix.txt
  • GMER log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 zman25

zman25
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 27 October 2009 - 10:06 PM

Elise-

Here are the logs you requested:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-27 22:04:24
Windows 5.1.2600 Service Pack 2
Running: we8y3q1p.exe; Driver: C:\DOCUME~1\C\LOCALS~1\Temp\fxtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT 862BDB40 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\C\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat EF786C8A

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

Attached Files



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:43 AM

Posted 28 October 2009 - 06:16 AM

Hello zman25,

Good job, the rootkit is gone :( But we have still quite a bit of cleanup to do here. Please let me know after performing the following steps, how everything is running. Still having redirects and other problems?

Click Start > Run, and type notepad in the box that opens. Press enter.
Copy/paste the text in the codebox below in Notepad and save it as export.bat to your desktop.
@echo off
regedit /e "export.txt" "HKey_Local_Machine\System\CurrentControlSet\Services\download02"
start export.txt
Exit Notepad and doubleclick export.bat to run it. A command window will flash briefly and a Notepad window will open. Please copy the text in your next reply. If the text file is empty, please let me know.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


In your next reply, please include the following:
  • export.txt
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 zman25

zman25
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 28 October 2009 - 09:50 PM

Thanks so much for the help thus far. I wish the people in my firm's IT department knew as much as you!

Here is export.txt:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\download02]
"Type"=dword:00000120
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Remote Access"
"ObjectName"="LocalSystem"
"Description"="Portable Number Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\download02\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4c,00,6b,00,\
61,00,37,00,37,00,30,00,5f,00,31,00,36,00,31,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\download02\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\download02\Enum]
"0"="Root\\LEGACY_DOWNLOAD02\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001




Here is the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3050
Windows 5.1.2600 Service Pack 2

10/28/2009 9:42:03 PM
mbam-log-2009-10-28 (21-42-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 161602
Time elapsed: 52 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\smss.TMP (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:43 AM

Posted 29 October 2009 - 03:06 AM

Hi again :(

Thanks so much for the help thus far. I wish the people in my firm's IT department knew as much as you!

Well, they are paid to know....

To doublecheck thins here, I want to look up the filename I translated from the hex-value you posted first. Otherwise we may end up deleting a perfectly legit service and thats not what we want :(

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    lka0_161.dll
    lka*_161.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 zman25

zman25
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 29 October 2009 - 08:22 PM

The IT department would still be asking me to try CTRL+ALT+DEL. You guys are great.

Here is the log you requested:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:17 on 29/10/2009 by C (Administrator - Elevation successful)

========== filefind ==========

Searching for "lka0_161.dll"
No files found.

Searching for "lka*_161.dll"
No files found.

-=End Of File=-

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:43 AM

Posted 30 October 2009 - 02:44 AM

Hello zman25,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
KillAll::

Driver::
download02

NetSvc::
download02

DDS::
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 zman25

zman25
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 PM

Posted 30 October 2009 - 09:13 PM

ComboFix 09-10-27.03 - C 10/30/2009 20:56.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.520 [GMT -5:00]
Running from: c:\documents and settings\C\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\C\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOWNLOAD02
-------\Service_download02


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-29 01:46 . 2009-10-29 01:46 -------- d-----w- c:\documents and settings\C\Application Data\Malwarebytes
2009-10-29 01:46 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 01:46 . 2009-10-29 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-29 01:46 . 2009-10-29 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 01:46 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 15:17 . 2008-08-14 13:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-05 19:00 . 2007-02-21 00:30 -------- d--h--w- c:\documents and settings\C\Application Data\Move Networks
2009-08-24 01:24 . 2009-01-30 01:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-24 01:24 . 2008-11-28 21:39 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 01:24 . 2008-11-28 21:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2005-12-19 1347584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-29 413696]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-25 2025752]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-6-2 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 01:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"cisvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"LiveUpdate"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA SPORTS\\2006 FIFA World Cup ™\\FIFAWC06.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/28/2008 4:39 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 8:02 PM 297752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2007 1:39 PM 106808]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
a
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 21:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(176)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1856)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\bcmwltry.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\combofix\CF12894.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-31 21:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-31 02:11
ComboFix2.txt 2009-10-28 01:59

Pre-Run: 40,570,613,760 bytes free
Post-Run: 40,609,521,664 bytes free

- - End Of File - - 0905421F50E01E6D28FCC7AAA53B4E23

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:43 AM

Posted 31 October 2009 - 03:13 AM

Hello zman25,

Looking good so far!

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Symantec. In this case, I would recommend to remove AVG, since its an outdated version and since Symantec is a paid product.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • ESET online scan results
  • A new DDS log
  • A description of any remaining problem

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:43 AM

Posted 03 November 2009 - 04:32 AM

Hi again, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users