
Google search is redirected to "Gala Search Directory"


  • This topic is locked
3 replies to this topic

#1 Pruco

Pruco

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 10 December 2009 - 02:23 PM

I don't seem to be having any serious issues yet, but I obviously have some sort of infection. Any information you could give me about what it is and what I should do about it would be very helpful.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael at 11:59:23.81 on Thu 12/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.130 [GMT -7:00]

AV: Additional Guard *On-access scanning enabled* (Updated) {FAAC0546-66E4-4A84-BF26-38C715DAC7AF}
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Additional Guard *enabled* {33A7E8AE-A38E-45E6-9078-A9A0FD7E95A1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.1.0.19\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {27B829AC-FFA4-4CD5-8C68-71A98D75030C} - No File
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\958jgqw5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - search
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1101000.013\SymDS.sys [2009-12-10 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1101000.013\SymEFA.sys [2009-12-10 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20091013.001\BHDrvx86.sys [2009-12-10 508976]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1101000.013\cchpx86.sys [2009-12-10 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1101000.013\Ironx86.sys [2009-12-10 114736]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.1.0.19\ccSvcHst.exe [2009-12-10 126392]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20090911.001\IDSxpx86.sys [2009-12-10 329080]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20091210.003\naveng.sys [2009-12-10 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\virusdefs\20091210.003\navex15.sys [2009-12-10 1323568]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
R4 kl1;Kl1;\??\c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
R4 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys --> c:\windows\system32\drivers\klbg.sys [?]
R4 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]

=============== Created Last 30 ================

2009-12-10 18:32:48 0 d-----w- c:\docume~1\michael\applic~1\Tific
2009-12-10 17:42:53 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-10 17:42:53 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-10 17:42:53 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-10 17:42:53 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-10 17:42:52 0 d-----w- c:\program files\Symantec
2009-12-10 17:42:52 0 d-----w- c:\program files\common files\Symantec Shared
2009-12-10 17:41:08 0 d-----w- c:\windows\system32\drivers\NAV
2009-12-10 17:41:04 0 d-----w- c:\program files\Norton AntiVirus
2009-12-10 17:41:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-12-10 17:40:51 0 d-----w- c:\program files\NortonInstaller
2009-12-10 17:40:51 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-12-10 17:26:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-12-10 17:13:20 0 d-----w- c:\docume~1\michael\applic~1\Simply Super Software
2009-12-10 17:09:49 0 d-----w- c:\windows\pss
2009-12-10 16:21:15 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-12-10 16:21:15 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-12-10 16:21:15 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-12-10 16:21:15 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-12-10 16:21:15 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-12-10 16:21:14 0 d-----w- c:\program files\Trojan Remover
2009-12-10 16:21:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-11-30 03:10:41 0 d-sh--w- c:\docume~1\michael\applic~1\Additional Guard
2009-11-30 03:10:40 0 d-sh--w- c:\docume~1\alluse~1\applic~1\WIHBYNAG
2009-11-30 03:09:47 0 d-sh--w- c:\docume~1\alluse~1\applic~1\0611d92
2009-11-25 23:08:39 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-25 23:08:34 0 d-----w- c:\program files\Avira
2009-11-17 04:15:04 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2009-11-17 04:14:58 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-11-17 04:14:19 0 d-----w- c:\docume~1\michael\applic~1\TuneUp Software
2009-11-17 04:13:45 0 d-----w- c:\program files\TuneUp Utilities 2010
2009-11-17 04:13:11 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-11-17 04:12:43 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-13 03:56:55 0 d-----w- c:\program files\ACW

==================== Find3M ====================

2009-11-10 00:38:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2001-03-30 20:19:42 32768 --sha-r- c:\windows\system32\scancodesmo.dll

============= FINISH: 12:00:16.20 ===============


#2 Pruco

Pruco
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:43 PM

Posted 17 December 2009 - 04:35 PM

I downloaded Malwarebytes Anti-Malware and ran it as per the instructions on this site, but it did not remove Additional Guard from my computer. I'm not quite sure if this is the proper place to request help, but I would really appreciate it if someone could please instruct me on what to do next.

Thank you,

Mike (pruco)

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:43 PM

Posted 21 December 2009 - 11:08 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply, or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:43 PM

Posted 26 December 2009 - 09:40 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message, please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



