Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser redirects (IE and FF) from search results, seemingly started with removal of 'Security Tool'


  • This topic is locked This topic is locked
15 replies to this topic

#1 malwarewritersbegone

malwarewritersbegone

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 30 December 2009 - 05:31 AM

Browser redirects (IE and FF) from search results, seemingly started with removal of 'Security Tool'. I think I got rid of Security Tool but not sure if done correctly.

I also had a weird thing when moving emails within Outlook Express where most of them disappeared, BUT they are still in online email and I have not started OE since for fear of loosing emails; not sure if related or not.

Pretty much what I explain in opening, I also sometimes see when I try to browse back from one of the redirected pages, thinking it will go to the search results page that it goes to some other page as well, maybe that as the last redirected-to page?
concerned
Anyway. There does not seem to be a common page that I get redirected to like I see in some posts, seems random and sometimes (very very rarely and seems more at the first selected pages) it will go to the page it is supposed to.

Please help, we have done regular financial transactions online (not since noticing this, or the 'Security Tool') and I am very concerned.

Thank you.

I was directed to post the following 'DDS.txt' file and I have also attached 'attach.txt' and 'ark.txt' files as instructed:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Jennifer at 21:27:17.04 on Tue 12/29/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2015.1110 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Jennifer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.lenovo.com/us/en/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Shell=Explorer.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] c:\progra~1\micros~4\wcescomm.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MWLExe] c:\program files\mcafee\mwl\MWLGui.exe /Start
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [eligmini] c:\program files\fisher-price\easy-link internet launch pad\Easy-Link internet launch pad.exe 0
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\jennifer\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\NkbMonitor.exe.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Desktop Search.lnk.disabled
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\xiesr325.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\xiesr325.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-12-13 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-13 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-13 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-13 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-13 360584]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 31192]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-8-16 214664]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-22 285392]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-22 2303680]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-22 5832712]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-28 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-16 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-8-16 144704]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-5 24652]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-13 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-12-13 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-12-13 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-12-13 25736]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-8-16 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-8-16 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-8-16 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-8-16 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-8-16 40552]
S2 gupdate1ca7097194595a6;Google Update Service (gupdate1ca7097194595a6);c:\program files\google\update\GoogleUpdate.exe [2009-11-28 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-13 30104]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 110651]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-12-21 18560]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-10-18 30192]
S3 palmmdm;Palm Modem;c:\windows\system32\drivers\palmmdm.sys [2007-9-20 9728]
S3 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\RioUSB.sys [2007-2-19 10020]
S3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2008-9-1 494976]

=============== Created Last 30 ================

2009-12-23 08:48:27 0 d-----w- c:\docume~1\jennifer\applic~1\Uniblue
2009-12-22 11:25:25 0 d-----w- c:\docume~1\jennifer\applic~1\Malwarebytes
2009-12-22 11:25:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 11:25:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-22 11:25:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 11:25:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 15:07:22 0 d--h--w- C:\$AVG
2009-12-13 15:06:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-13 15:06:14 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-13 15:06:08 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-12-13 15:05:43 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-12-13 15:05:42 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-13 15:05:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-13 15:05:40 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-13 15:05:09 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-13 15:05:08 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-13 15:05:08 0 d-----w- c:\program files\AVG
2009-12-13 15:04:15 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-09 11:00:22 54156 ---ha-w- c:\windows\QTFont.qfn
2009-12-09 11:00:22 1409 ----a-w- c:\windows\QTFont.for
2009-12-01 10:09:04 1076 ----a-w- c:\windows\wininit.ini
2009-12-01 02:22:11 0 d-----w- C:\770454d4ad788a6f73d00fca796a5500

==================== Find3M ====================

2009-12-27 13:44:54 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-12-02 07:37:37 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-02 07:37:37 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-01 03:54:48 5348836 ----a-w- c:\windows\system32\drivers\LightLogger.log
2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-06-18 04:55:04 88 --sh--r- c:\windows\system32\462294F1BE.sys
2009-06-18 04:55:05 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:30:46.10 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:58 AM

Posted 09 January 2010 - 07:51 AM

Hello and welcome to Bleeping Computer! :(

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 malwarewritersbegone

malwarewritersbegone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 10 January 2010 - 09:32 AM

Thank you very much for the reply. I have been anxiously awaiting it but I completely understand that you probably have a huge workload. Thank you again. The reply page would not allow me to upload my 7zip'd file so I have attached the Attach and DDS .txt files individually; please let me know if I need to do something different there.

As for problem description, it hasn't really changed, we just don't use the computer since this has happened, but I have re-posted below, for convenience:

In the initial post I did not really mention any actions we had performed to this point. They are:

McMcAfee was the active program at the time of the infection
Ran Gooredfix.exe (came across this in my initial post searches, thinking this was the Google redirect virus)
Run McAfee Scans
Run AVG Scans
Run Spybot Scans
Run Crapcleaner Scans

I think tat's it. ....

INITIAL STATEMENT OF PROBLEM:

Browser redirects (IE and FF) from search results, seemingly started with removal of 'Security Tool'. I think I got rid of Security Tool but not sure if done correctly.

I also had a weird thing when moving emails within Outlook Express where most of them disappeared, BUT they are still in online email and I have not started OE since for fear of loosing emails; not sure if related or not.

Pretty much what I explain in opening, I also sometimes see when I try to browse back from one of the redirected pages, thinking it will go to the search results page that it goes to some other page as well, maybe that as the last redirected-to page?
concerned
Anyway. There does not seem to be a common page that I get redirected to like I see in some posts, seems random and sometimes (very very rarely and seems more at the first selected pages) it will go to the page it is supposed to.

Please help, we have done regular financial transactions online (not since noticing this, or the 'Security Tool') and I am very concerned.

Thank you.

Attached Files



#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:58 PM

Posted 11 January 2010 - 12:34 AM

Hello,

My name is Syler and I will be helping you to solve your Malware issues.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or AVG.


  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back with the Gmer log.

Thanks

unite.jpg


#5 malwarewritersbegone

malwarewritersbegone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 12 January 2010 - 08:08 AM

Apologies Syler,

It's coming, scan took longer than I hoped this morning, assume it will be done when I get home.

Thank you again.

#6 malwarewritersbegone

malwarewritersbegone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 12 January 2010 - 07:55 PM

Hello Syler,

Here is the log created by Gmer. I think it was done as there was no notifier box but the folder activity at the bottom had stopped flashing by. The computer really seemed to slow down after it was done; took a very long time to save due to taking what seemed like a couple minutes just for a few clicks to execute ... just info.

Also, is there an antivirus you prefer or that you know is popular in the computer society? As you know I use McAfee and dabbled in AVG. Wondering primarily between the following just due to familiarity:

McAfee
AVG
AVG Free Version

Thanks again, here's the log ...




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-12 19:20:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jennifer\LOCALS~1\Temp\afqyyuow.sys


---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A9E2618

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAED7A78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAED7A738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAED7A74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAED7A7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAED7A710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAED7A724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAED7A79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAED7A776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAED7A762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAED7A7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAED7A7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAED7A7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{BA3BADF2-98D1-5396-1511-F1D768CA74BA}\InprocServer32@ C:\Program Files\Common Files\System\ado\msadox.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{BA3BADF2-98D1-5396-1511-F1D768CA74BA}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{BA3BADF2-98D1-5396-1511-F1D768CA74BA}\ProgID@ ADOX.Catalog.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{BA3BADF2-98D1-5396-1511-F1D768CA74BA}\VersionIndependentProgID@ ADOX.Catalog.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment

---- EOF - GMER 1.0.15 ----

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:58 PM

Posted 12 January 2010 - 08:35 PM

Hello,

It's not good news your logs show you have a Rootkit infection, so you should be aware of the following information.


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

unite.jpg


#8 malwarewritersbegone

malwarewritersbegone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 12 January 2010 - 08:59 PM

We do/have used the computer very regularly for banking, etc (sensitive info stuff). It has, but for a few momentary connections, been disconnected from the internet. We will take the precautions you mention.

I hear you on the 'no guarantee' of cleaning.

We have not been good at backing up files in 'Our Documents'. Can I still back all of them up prior to the format/reload and then get them back without bringing back this problem? Really concerned for photos, cannot lose them. If no guarantee with that, would running the ComboFix first improve those chances?

Also, our computer is a Lenovo and did not come with a reload disk, it has the built in partition? I guess, where you interrupt start up and reload from that. Will that wipe it out the same?

Thank you Syler.

#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:58 PM

Posted 13 January 2010 - 09:37 PM

If you are backing up your personal data then that will be fine. I found an article that explains the process of doing a format and
reload, using the recovery partition on a Lenovo, so it will fully wipe it.

Let me know if theirs anything else you need to know.

http://www-307.ibm.com/pc/support/site.wss...cid=MIGR-4UFUYK

unite.jpg


#10 malwarewritersbegone

malwarewritersbegone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 13 January 2010 - 11:08 PM

Thank you again Syler,

Since you offered, I had some questions that came up in my mind today:

(1) Could this have affected any flash drives that have been connected via USB?

(2) Could this have affected my pocket PC?

(3) We use a wireless router and have one laptop that uses it wirelessly, the router is normally connected via ethernet to the infected computer. Could the router and /or laptop have been infected? If so, what to do about router and could I possibly get you to look at scans of the laptop to ensure it is not infected also? If so, would I use the same sequence of postings as initially in terms of scan logs?

(4) With respect to the virus, would hacker require realtime information intercept to get account information that is not explicitly in any files we might have, i.e. we do not have any files that contain account info such as a Word or Excel file listing, so is account info kept in some system files as a result of using online account access that these hackers can get?

(5) Is there a typical means through which these viruses infect, i.e. to know what to stay away from in the future?

(6) I, maybe recklessly, had the following on the computer, and was nervous from the start but felt comfortable after a lot of reading .... LightLogger keylogger, Refog keylogger, and Activity Monitor .... could those have introduced this or been part of the problem?

(7) Was the 'Security Tool' that I mentioned in my initial post related to this and if so, would the time we first saw that coincide with the time when the Rootkit would have begun being active? Great if so, because we essentially unplugged when the Security Tool thing came up(except for as I mention some momentary connections).

(8) If I understand correctly, sounds like all of our Word files, Excel files, photos, music, etc, can be backed up at this time and recovered after the reload w/o bringing the Rootkit back?


I know I asked a lot of stuff there, and if you can answer, great. If not, I understand and appreciate all you have done.

Mike

#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:58 PM

Posted 15 January 2010 - 12:11 AM

Hello Mike,

(1) Could this have affected any flash drives that have been connected via USB?
(2) Could this have affected my pocket PC?

No the rootkit won't have affected any of these.

(3) We use a wireless router and have one laptop that uses it wirelessly, the router is normally connected via ethernet to the infected computer. Could the router and /or laptop have been infected? If so, what to do about router and could I possibly get you to look at scans of the laptop to ensure it is not infected also? If so, would I use the same sequence of postings as initially in terms of scan logs?

I don't see any signs of that here and it's unlikely, if your not having any problems with your other machine then I think it would be fine. you can get it checked but you will need to start a new topic.

(4) With respect to the virus, would hacker require realtime information intercept to get account information that is not explicitly in any files we might have, i.e. we do not have any files that contain account info such as a Word or Excel file listing, so is account info kept in some system files as a result of using online account access that these hackers can get?

The hackers would be able to get realtime information so it doesn't matter if you store the information on your machine.

(5) Is there a typical means through which these viruses infect, i.e. to know what to stay away from in the future?

You can get infected a number of ways these days, I see that you have a P2P program installed this is a very comon way of getting infected, I would stay away from them. Just keep your machine updated do regular malware scans, you can find some other good tips here.

(6) I, maybe recklessly, had the following on the computer, and was nervous from the start but felt comfortable after a lot of reading .... LightLogger keylogger, Refog keylogger, and Activity Monitor .... could those have introduced this or been part of the problem?

No they are not a problem.

(7) Was the 'Security Tool' that I mentioned in my initial post related to this and if so, would the time we first saw that coincide with the time when the Rootkit would have begun being active? Great if so, because we essentially unplugged when the Security Tool thing came up(except for as I mention some momentary connections).

I can say exactly when the rootkit got on to your system, it was probably there before you saw Security Tool but for how long I can't say.

(8) If I understand correctly, sounds like all of our Word files, Excel files, photos, music, etc, can be backed up at this time and recovered after the reload w/o bringing the Rootkit back?

Yes

unite.jpg


#12 malwarewritersbegone

malwarewritersbegone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 15 January 2010 - 08:43 AM

Thank you again Syler,

(1) I had not thought the backup thing through entirely and I forgot about the entire 'Documents and Settings' as opposed to just the 'My Documents'. I am guessing I should stay away from an 'across the board' with 'Docs and Settings', maybe just manually grabbing things like Outlook database and similar as needed? Is that a fair statement? Or should all of those be safe, meaning I could just grab the entire 'C:\Documents and Settings\<user>' folder for each user?

(2) Is there a partitioning scheme or extra hard drive utilization that might help with this stuff in the future? In general and particularly for the P2P? It is pcAnywhere my wife uses for work. I am going to strongly suggest not doing it anymore, but she might really be pressured to. But it flat out will not happen if it cannot be done safely.

Sorry, I really think these are the last questions, I hope anyway. I plan to format and reload this weekend.

Thank you again,
Mike

Edited by malwarewritersbegone, 15 January 2010 - 09:06 AM.


#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:58 PM

Posted 16 January 2010 - 04:00 AM

Hi,

1. I wouldn't backup the entire <user> folders, just selectively take what you need as long as it you personal data like docs, photos, music, mail backups
etc then it should be ok.


2. BitTorrent is the P2P I was refering to, pcAnywhere is fine to use. Partitioning or getting a new HD will not make you any securer, it will just give
you some where to regularly back up your data so you wont have to do all this if you ever need to reinstall again.


Good luck with the reload :(

unite.jpg


#14 malwarewritersbegone

malwarewritersbegone
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 16 January 2010 - 07:30 AM

Forgot about BitTorrent. Her company did have something going on though and it took a couple months to take care of it for some reason. If she connects to them during some sort of infection, can it infect us or not likely?

I will let you know how it goes so you can close this topic, unless you have to now.

Thank you again,
Mike

#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:58 PM

Posted 17 January 2010 - 07:51 AM

Hi,

It you give access to your machine with an infected machine over PCAnywhere then yes their is a chance that you could get infected, so if you know
their is a chance that the machine you are giving access to is infected then it might be wiser not too.

Syler

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users