hxxp://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=90685&view=by_date_ascending&page=1
I am performing tech support on my wife's laptop. Saturday Nov. 28 she apparently got infected by a drive-by malware attack. She got some popup warning about a virus infection. She doesn't think she clicked on anything, but she has been having browser hijacks taking her to random sites ever since, both with Mozilla and IE. I see Microsoft just released a bunch of security patches. A little late for us.
Anyway, McAfee was running when it got infected. I since uninstalled McAfee, installed Norton Internet Security 2010, SUPERAntiSpyware, Malwarebytes and MRT, and ran online scans from F-Secure and Trend Micro. Occasionally something will turn up, but the redirects keep coming back. Norton has quarantined atapi.sys (Backdoor.Tidserv!inf) a couple of times today. GMER also previously identified c:\WINDOWS\system32\drivers\atapi.sys as having a suspicious modification.
I tried all the usual suggestions, but since the scans aren't finding much and there is some indication of suspicious activity, it has been suggested that we have a TDL3 rootkit.
Unfortunately, I don't think the laptop (Toshiba Satellite M1215 S3094) came with Windows install discs.
Here is the output from DDS:
DDS (Ver_09-12-01.01) - NTFSx86
Run by MA at 22:20:05.84 on Thu 12/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.900 [GMT -5:00]
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Utilities 14\nu.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\MySoftware\McAfee\McafeeRootkitDetective\Rootkit_Detective.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\MySoftware\DDS\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NortonUtilities] c:\program files\norton utilities 14\nu.exe /H
uRun: [AOL Fast Start] "c:\program files\america online 9.0\AOL.EXE" -b
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162772332838
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260405740656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\ma\applic~1\mozilla\firefox\profiles\vaiioodi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1101000.013\SymDS.sys [2009-12-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1101000.013\SymEFA.sys [2009-12-7 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20091104.001\BHDrvx86.sys [2009-11-4 524848]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1101000.013\cchpx86.sys [2009-12-7 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1101000.013\Ironx86.sys [2009-12-7 114736]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-12-7 126392]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.1.246\ccSvcHst.exe [2009-11-28 126392]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-8-13 6016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-7 102448]
R3 f7aACF;f7aACF;c:\windows\system32\f7aACF.sys [2009-12-10 54624]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20091111.001\IDSXpx86.sys [2009-12-7 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20091210.023\NAVENG.SYS [2009-12-10 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20091210.023\NAVEX15.SYS [2009-12-10 1323568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S?4 EraserSvc10923;Symantec Eraser Service;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2009-12-7 126392]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ma\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\ma\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 NIKIBP;NIKIBP;c:\docume~1\ma\locals~1\temp\nikibp.exe --> c:\docume~1\ma\locals~1\temp\NIKIBP.exe [?]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2009-3-19 91392]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]
S4 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.1.246\SymcPCCULaunchSvc.exe [2009-11-28 123248]
=============== Created Last 30 ================
2009-12-11 03:04:50 54624 ----a-w- c:\windows\system32\f7aACF.sys
2009-12-11 03:04:32 2335270 ----a-w- c:\windows\system32\d1bACE.mht
2009-12-10 12:20:22 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-10 12:02:05 219 ----a-w- c:\windows\system32\MRT.INI
2009-12-10 04:47:10 0 d-----w- c:\windows\system32\CatRoot2
2009-12-10 03:51:26 0 d-----w- c:\program files\Microsoft Easy Assist
2009-12-10 03:51:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Applications
2009-12-09 04:11:04 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-09 04:11:04 0 d-----w- c:\documents and settings\ma\log
2009-12-09 02:49:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-09 02:49:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-08 03:32:01 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-08 03:32:01 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-08 03:32:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-08 03:32:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-08 03:32:01 0 d-----w- c:\program files\Symantec
2009-12-08 03:30:31 0 d-----w- c:\windows\system32\drivers\NIS
2009-12-08 03:30:28 0 d-----w- c:\program files\Norton Internet Security
2009-12-08 02:04:12 0 d-----w- c:\program files\Trend Micro
2009-12-06 19:47:17 5771264 ----a-w- c:\documents and settings\ma\s-1-5-21-1516350078-377577214-2716412152-1005.rrr
2009-12-06 17:37:06 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2009-12-06 17:37:06 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2009-12-06 17:37:05 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2009-12-06 17:37:02 0 d-----w- c:\program files\Norton Utilities 14
2009-12-02 01:13:00 0 d-----w- C:\My Music
2009-12-01 16:48:31 0 dc----w- c:\windows\system32\dllcache\cache
2009-12-01 16:38:38 98816 ----a-w- c:\windows\sed.exe
2009-12-01 16:38:38 161792 ----a-w- c:\windows\SWREG.exe
2009-11-29 05:47:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-29 05:47:04 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-29 05:46:54 0 d-----w- c:\windows\system32\drivers\NortonPCCheckup
2009-11-29 05:46:16 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-11-29 04:15:13 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-29 04:15:13 0 d-----w- c:\docume~1\ma\applic~1\SUPERAntiSpyware.com
2009-11-29 00:05:37 262144 ---ha-w- c:\documents and settings\ma\ntuser.dat.LOG1
2009-11-29 00:05:37 0 ---ha-w- c:\documents and settings\ma\ntuser.dat.LOG2
2009-11-28 18:57:51 0 d-----w- c:\program files\common files\Symantec Shared
2009-11-28 18:51:38 0 d-----w- c:\docume~1\ma\applic~1\Tific
2009-11-28 18:51:14 0 d-----w- c:\program files\Norton PC Checkup
2009-11-28 18:51:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-11-28 18:50:34 0 d-----w- c:\program files\NortonInstaller
2009-11-28 18:50:34 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-11-28 17:39:32 0 d-sh--w- c:\documents and settings\ma\IECompatCache
2009-11-28 17:38:50 0 d-sh--w- c:\documents and settings\ma\PrivacIE
2009-11-28 17:34:40 0 d-sh--w- c:\documents and settings\ma\IETldCache
2009-11-28 17:26:58 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-28 17:26:36 0 d-----w- c:\windows\ie8updates
2009-11-28 17:25:04 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-28 17:25:03 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-28 17:21:56 0 dc-h--w- c:\windows\ie8
2009-11-28 15:11:58 0 d-----w- c:\docume~1\ma\applic~1\Malwarebytes
2009-11-28 15:11:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 15:11:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 15:11:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 15:11:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-28 13:03:40 0 d-----w- c:\windows\system32\wbem\Repository
==================== Find3M ====================
2009-12-10 17:17:06 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 16:38:02 48248 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
============= FINISH: 22:21:50.25 ===============
I will attach the attach.txt and the RootRepeal log. The forum instructions said to attach these, but the attach file said not to. I won't have access to the laptop during the day, so I will attach them. Sorry if that is a problem.
Thanks in advance for any help you can provide.
Uncle Willie
Edited by Orange Blossom, 11 December 2009 - 08:08 PM.
Deactivate link. ~ OB
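The post above is a textbook TDL3 picture: Norton and GMER both point at atapi.sys, yet the obvious signal in the DDS log is elsewhere, in the SERVICES / DRIVERS section (a six-character driver `f7aACF.sys` dropped in the system32 root the night of the scan, and a missing `NIKIBP.exe` registered from Temp) and in Find3M (atapi.sys with a modification time of the scan day). The script below is an added example, not part of the original post and not code from DDS, GMER or Norton. It parses the line formats DDS prints and applies a few triage heuristics to them; the sample lines fed to it are copied from the log above, while the `DDS_RUN_DATE` constant, the `BOOT_DRIVERS` list and the heuristics themselves are this example's assumptions. Heuristics give candidates, not verdicts: the F-Secure online-scanner minifilter is flagged too because it also lived in Temp and has since been cleaned up, and it is the `f7aACF` and `NIKIBP` entries that deserve the follow-up. The other caveat the code encodes is that an infector that patches a stock driver in place leaves the file size unchanged (96512 bytes is the normal XP SP3 atapi.sys size), so the check that settles the atapi.sys question is a hash comparison against a copy from trusted install media, not a size check.

```python
"""Triage the SERVICES / DRIVERS and Find3M sections of a DDS log.

Added example; not part of the original post and not code from the DDS tool.
"""
import re
from datetime import date
from typing import Dict, List, Optional

# Date the log was taken, from the DDS header "Run by MA at ... on Thu 12/10/2009".
DDS_RUN_DATE = date(2009, 12, 10)

# Boot-start storage drivers that the Tidserv/TDL3 family is known to patch in
# place (file size unchanged). Which names to watch is this example's assumption.
BOOT_DRIVERS = {"atapi.sys", "iastor.sys"}

# Sample lines copied from the DDS output in the post.
SERVICE_LINES = r"""
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1101000.013\SymDS.sys [2009-12-7 328752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R3 f7aACF;f7aACF;c:\windows\system32\f7aACF.sys [2009-12-10 54624]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ma\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\ma\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 NIKIBP;NIKIBP;\??\c:\docume~1\ma\locals~1\temp\nikibp.exe --> c:\docume~1\ma\locals~1\temp\NIKIBP.exe [?]
S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [2009-3-19 91392]
"""
FIND3M_LINES = r"""
2009-12-10 17:17:06 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
"""

# "R3 name;display;path [yyyy-m-d size]"  or  "S3 name;display;\??\path --> path [?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\?*\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)\s\[(?P<bracket>[^\]]*)\]$")
# "yyyy-mm-dd hh:mm:ss size attrs path"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) \S+ (.+)$")


def parse_service_line(line: str) -> Optional[dict]:
    """Return the fields of one SERVICES / DRIVERS line, or None if it is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    # "registered --> resolved [?]" means DDS could not find the file on disk.
    path = m["rest"].split(" --> ")[-1].strip()
    bracket = m["bracket"].strip()
    created = None
    if bracket != "?":
        y, mo, d = (int(x) for x in bracket.split()[0].split("-"))
        created = date(y, mo, d)
    return {"state": m["state"], "name": m["name"], "display": m["display"],
            "path": path, "present": bracket != "?", "created": created}


def triage_service(entry: dict) -> List[str]:
    """Heuristic reasons an entry deserves a look; empty list means nothing stood out."""
    reasons: List[str] = []
    p = entry["path"].lower()
    directory, _, filename = p.rpartition("\\")
    if not entry["present"]:
        reasons.append("registered file is missing on disk")
    if "\\temp\\" in p:
        reasons.append("loads from a temp directory")
    if filename.endswith(".sys") and directory.endswith("\\system32"):
        reasons.append("kernel driver dropped in system32 root, not system32\\drivers")
    if (entry["created"] is not None and entry["display"] == entry["name"]
            and (DDS_RUN_DATE - entry["created"]).days <= 1):
        reasons.append("created within a day of the scan and has no descriptive display name")
    return reasons


def triage_file_line(line: str, max_age_days: int = 30) -> Optional[dict]:
    """Flag a Find3M / Created line that shows a boot-start driver modified recently."""
    m = FILE_RE.match(line)
    if not m:
        return None
    modified = date.fromisoformat(m.group(1))
    path = m.group(3)
    filename = path.lower().rpartition("\\")[2]
    reasons: List[str] = []
    if filename in BOOT_DRIVERS and (DDS_RUN_DATE - modified).days <= max_age_days:
        # An in-place patch keeps the stock size, so size proves nothing; hash it
        # against a copy from trusted install media instead.
        reasons.append(f"boot-start driver modified on {modified}; verify hash, not size")
    return {"path": path, "modified": modified, "size": int(m.group(2)), "reasons": reasons}


def triage_log(service_text: str, file_text: str) -> Dict[str, List[str]]:
    """Map service name or file path to the reasons it was flagged (flagged items only)."""
    flagged: Dict[str, List[str]] = {}
    for line in service_text.strip().splitlines():
        entry = parse_service_line(line.strip())
        reasons = triage_service(entry) if entry else []
        if reasons:
            flagged[entry["name"]] = reasons
    for line in file_text.strip().splitlines():
        entry = triage_file_line(line.strip())
        if entry and entry["reasons"]:
            flagged[entry["path"]] = entry["reasons"]
    return flagged


if __name__ == "__main__":
    for item, why in triage_log(SERVICE_LINES, FIND3M_LINES).items():
        print(f"{item}: {'; '.join(why)}")
```

Run against the seven service lines and three Find3M lines copied from the post, it flags `f7aACF` (system32-root driver, created the day of the scan, no display name), `NIKIBP` and the F-Secure minifilter (both registered from Temp and missing on disk), and `atapi.sys` (boot-start driver touched on the scan day), and stays quiet on the Symantec, SUPERAntiSpyware, Toshiba and Creative drivers. Hashes and signatures are what settle each case; the script only decides where to look first.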