
Cleaning Up After Desktop Security 2010 "Removal"


This topic is locked
19 replies to this topic

#1 mobathome
  • Members
  • 10 posts

Posted 15 May 2010 - 09:36 PM

On about 5/3/10 early morning, I was browsing around using Firefox 3.6.3 with Google toolbar on my IBM/Lenovo T43 with Windows XP Pro SP3 when I responded to a pop-up window by clicking "OK". Then I became aware that an application that called itself Desktop Security 2010 was installed and running. It quickly put windows up with messages about malware and viruses being present. So I hit the power button. After a few hours of reading, on an apparently unaffected other computer, what I could find understandable about such malware, such as a page at http://www.2-spyware.com/remove-desktop-security-2010.html, I rebooted in safe mode without networking and ran Symantec Antivirus 10.1.5.5000, scan engine 101.1.0.75, with the most recent virus definition file I had, maybe downloaded the previous day, but it didn't complain about the Desktop Security 2010 that was clearly installed; it did quarantine taskmgr.dll as infected with Suspicious.Vundo 2 and a jar_cache809027123305560346.tmp. I spent more hours exploring the registry for run keys and found that startup entries had been put in HKCU/Software/Microsoft/Windows/run. I also found files like those mentioned in the above web page in C:\Documents and Settings\Ours\Local Settings\Temp and in C:\Documents and Settings\Ours\Application Data\Temp. I killed cftmon.exe because I had no reason to believe it would have been started. Even though the registry keys and files were in different locations than what was said in the web page, I transferred HiJackThis and Malwarebytes' Anti-Malware to my laptop using a USB drive. I ran HiJackThis and deleted the keys it pointed out, including the randomly-named key. Then I ran Anti-Malware and let it delete the infection files it found. Finally, I went back and removed run keys that shouldn't have been there according to the web page, moved the remaining parts of Desktop Security 2010 I could find by date to a single directory, and used Symantec to manually quarantine them.
One was an AdobeARM log that dated from the infection and described installing unusual software; I later mistakenly deleted that file. When I restarted my laptop in normal mode, everything seemed fine for a while, and then pop-ups started to happen. I turned off my computer again and rebooted in safe mode. I removed HiJackThis and tried to install a newer version from Trend Micro that used a .msi and a .exe file, but I was told that the administrator had set policies to prevent this installation. I got the same message when I logged in as administrator. I followed MS instructions on overwriting permissions to their original state, but that didn't help. By then I had also downloaded Anti-Malware 1.46 and installed it from a .exe, but a deep scan did not reveal any infections. The HiJackThis .exe I had downloaded complained about two hosts file lines by SpySweeper and nothing else. Not finding anything about them by googling, I left them alone. Just now, looking at the malware files I had set aside, Symantec Antivirus, updated to definition file 5/14/2010 rev. 5, stepped in with an Auto-Protect Results window announcing it had just deleted one of the files: kbmk.exe with Risk "Packed.Vuntid!gen1". At this time, matters seem quiet after having turned on the full Windows Firewall and backed up to USB what files I didn't have copies for elsewhere. Am I now OK? Here are the files I'm supposed to include:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:20:06.06 on Sat 05/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1249 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LibXBar: {a458bc41-ce38-4cc9-8182-1739f99b4718} - mscoree.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [<NO NAME>]
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gammat~1.lnk - c:\program files\magictune premium\GammaTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\itunes.lnk - c:\windows\installer\{996a2faa-7514-4628-9d12-a8fc34a0016e}\iTunesIco.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\xwinse~1.lnk - c:\cygwin\bin\run.exe
uPolicies-system: SB_NoDispScrSavPage = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - hxxp://www.blackberry.com/DST2007/patch/desktop/DSTUpdateLoaderUSB.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182533227762
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://avmonbur/sav10install/webinst.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli pwdmon ACGina ACGina c:\program files\thinkvantage fingerprint software\psqlpwd.dll ACGina
Hosts: 1 UseCustom # Webroot SpySweeper entry
Hosts: 1 UseDefs # Webroot SpySweeper entry

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\b44ar0hv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-4-25 24304]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-10-9 20520]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2006-3-18 14848]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-4-25 132456]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-1-30 53248]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-4 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100514.005\naveng.sys [2010-5-15 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100514.005\navex15.sys [2010-5-15 1347504]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2006-3-18 6528]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S2 AsUsbDrvXp;AsUsbDrvXp;c:\windows\system32\drivers\AsUsbDrvXP.sys [2006-4-13 12288]
S2 gupdate1c9b2b8301c483a;Google Update Service (gupdate1c9b2b8301c483a);c:\program files\google\update\GoogleUpdate.exe [2009-4-1 133104]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1980-1-1 14336]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-05-15 21:05:14 0 d-----w- c:\docume~1\admini~1\applic~1\Avaya
2010-05-15 21:02:23 0 d-----w- c:\docume~1\admini~1\applic~1\Intel
2010-05-15 11:55:52 0 d-----w- c:\program files\msn gaming zone
2010-05-14 15:46:32 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-05-12 20:23:57 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-08 21:47:55 3153920 ----a-w- c:\documents and settings\administrator\secsetup.db
2010-05-08 21:26:24 3153920 ----a-w- c:\documents and settings\administrator\secsetup.sdb
2010-05-05 08:54:53 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-05-04 19:45:37 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-04 02:28:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 02:28:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 02:28:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-04 02:28:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 01:58:34 24304 ------w- c:\windows\system32\drivers\DOZEHDD.SYS
2010-04-26 01:46:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-04-26 01:45:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-04-26 01:45:39 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-04-26 01:44:56 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-03 05:20:00 196608 ------w- c:\windows\PWMBTHLP.EXE
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-16 04:50:23 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2007-04-11 12:37:20 16 --sh--r- c:\windows\MSCIOTL.SYS
2008-05-13 14:16:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat
2009-12-21 12:20:52 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-21 12:20:52 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-21 12:20:52 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:22:30.32 ===============



#2 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 May 2010 - 05:33 AM

Hi mobathome,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I'm surprised you have no complaint about Google search redirection, as there is still a rootkit on your computer that redirects the searches.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  2. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Close all the open windows.
    • Double-click TDLfix.exe to run the tool.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      mbr

      A log file will open, please post the content of it to your reply.



#3 mobathome
  • Topic Starter
  • Members
  • 10 posts

Posted 17 May 2010 - 09:38 AM

Hi farbar,

I appreciate and gratefully accept your offer of help. I will refrain from making changes to my infected computer. Should I disable Symantec Antivirus Auto-Protect for now? It deleted two infected files automatically so far. You may need to know I have run SuperAntispyware since posting, and it deleted tracking cookies and Synkronizer (but I don't use it).

I plan on transferring mbr and TDLfix onto an uninfected computer and then transferring them to my laptop via USB. Is it worth the effort or am I being unnecessarily paranoid?

I do have Google search redirection (workaround: copy the URLs directly into the search bar). I didn't mention it because I didn't experience it until after I posted my message. I also can't get to the Windows Update page.

Below is the log.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9B8EE4]<<
kernel: MBR read successfully
user & kernel MBR OK

Cheers,
mobathome

#4 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 May 2010 - 09:53 AM

As long as Norton doesn't interfere with our tools it could be enabled. Just when running the tools it could be temporarily disabled.
  1. Double-click TDLFix.exe to run it and type the following in the command window and press Enter:

    disk

    The tool reboots the computer immediately and runs briefly after the reboot. Please wait until it is done.

  2. After the tool has finished, run it again and this time type mbr and press Enter. Please post the log.


#5 mobathome
  • Topic Starter
  • Members
  • 10 posts

Posted 17 May 2010 - 11:09 AM

Here's the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS tmpdisk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

BTW, on reboot, Symantec announced:

Scan type: Auto-Protect Scan
Event: Risk Found!
Risk: Backdoor.Tidserv!inf
File: C:\WINDOWS\system32\drivers\disk.sys
Location: C:\WINDOWS\system32\drivers
Computer: OURLAPTOP
User: OURLAPTOP\Owner
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Monday, May 17, 2010 11:59:58 AM

Does this count as interference enough for me to turn auto-protect on/off around what you ask me to do?

Cheers,
mobathome

#6 Farbar
    Just Curious
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 May 2010 - 11:59 AM

But to take Symantec seriously we will take a look again.
  1. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      CODE
      :filefind
      disk.sys*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  2. Please reboot the computer once (to make sure the rootkit is again active if it is not removed).
    Then run TDLfix again with mbr command and post the log.


#7 mobathome
  • Topic Starter
  • Members
  • 10 posts

Posted 17 May 2010 - 12:46 PM

1. SystemLook.log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 13:15 on 17/05/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "disk.sys*"
C:\backup\disk.sys --a--- 36352 bytes [15:54 17/05/2010] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\$NtServicePackUninstall$\disk.sys --a--c 36352 bytes [13:55 13/05/2008] [12:00 04/08/2004] 00CA44E4534865F8A3B64F7C0984BFF0
C:\WINDOWS\ServicePackFiles\i386\disk.sys ------ 36352 bytes [18:40 13/04/2008] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\drivers\disk.sys --a--- 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] (Unable to calculate MD5)

-=End Of File=-

2. mbr.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8B8EE4]<<
kernel: MBR read successfully
user & kernel MBR OK

3. Along with the ending of the SystemLook, Symantec complained again as before. Also, an Auto-Protect window informed me it had partially repaired twice in a row a "disk.sys" found in C:\Windows\System32\drivers.

#8 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 17 May 2010 - 01:09 PM

The rootkit is back. I don't know if it is locked by Symantec or there is something else going on preventing its removal.

Go to start > Run copy/paste the following line in the run box and click OK.

cmd /c cacls C:\WINDOWS\system32\drivers\disk.sys >log.txt&start log.txt

A text file (log.txt) will be open. Please post its content to your reply.

#9 mobathome

mobathome
  • Topic Starter


Posted 17 May 2010 - 01:17 PM

The output:

C:\WINDOWS\system32\drivers\disk.sys BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F



#10 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 17 May 2010 - 01:25 PM

The permissions are what they should be. Yet the file is locked and I'm not sure whether Symantec is locking it or not.

Let's run a scan first.

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#11 mobathome

mobathome
  • Topic Starter


Posted 17 May 2010 - 01:59 PM

The MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4110

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/17/2010 2:46:33 PM
mbam-log-2010-05-17 (14-46-33).txt

Scan type: Quick scan
Objects scanned: 138027
Time elapsed: 15 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RB3FD0Q3\packupdate_build107_302[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.


#12 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 17 May 2010 - 02:23 PM

Let's try this once more.
  1. Right-click TDLfix.exe and select delete to delete it. Then download the latest version from http://download.bleepingcomputer.com/farbar/TDLfix.exe.

  2. Disable Symantec auto-protect. Make sure it will not run after reboot.

  3. Run TDLfix.exe, type disk and press Enter. Let it do the job after reboot.

  4. Reboot once manually; we want to make sure the rootkit is active if it is not removed.

  5. Run TDLfix again, type mbr and press Enter. Post the log please.



#13 mobathome

mobathome
  • Topic Starter


Posted 17 May 2010 - 03:09 PM

TDLfix mbr log follows. I will be gone for two hours. I'm sorry.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


#14 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 17 May 2010 - 03:42 PM

Please take your time and thanks for letting me know.

The rootkit is now gone for sure.
  1. Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c dir /a/s "c:\*. *exe" >log.txt&start log.txt

    A text file (log.txt) will be open. Please post its content to your reply.

  2. For my own curiosity please do the following:

    Run SystemLook. Copy the content of the following codebox into the main textfield and click Look:

    QUOTE
    :filefind
    disk.sys*


  3. Please also check the Windows update to see if it works now.


#15 mobathome

mobathome
  • Topic Starter


Posted 17 May 2010 - 06:38 PM

Thank you so much ;),

1. The directory output is attached because it's 11126 lines.

2. The SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:39 on 17/05/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "disk.sys*"
C:\backup\disk.sys --a--- 36352 bytes [15:54 17/05/2010] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\vir\disk.sys.old --a--- 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 1B3617D5D5FCC4EBF1857EB99E27D1EC
C:\WINDOWS\$NtServicePackUninstall$\disk.sys --a--c 36352 bytes [13:55 13/05/2008] [12:00 04/08/2004] 00CA44E4534865F8A3B64F7C0984BFF0
C:\WINDOWS\ServicePackFiles\i386\disk.sys ------ 36352 bytes [18:40 13/04/2008] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\dllcache\disk.sys --a--- 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\drivers\disk.sys --a--- 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25

-=End Of File=-

3. The Microsoft Update:

It still takes me to a sign-up page, probably on the MS web site, although it's a system I've used for years. Should I worry or just sign-up again? I may lose (have already lost?) the history of updates I've received.

Cheers,
mobathome
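The two SystemLook logs in this thread are compared by eye: the live C:\WINDOWS\system32\drivers\disk.sys either has no readable MD5 (first log) or the same MD5 as the pristine copies in ServicePackFiles\i386 and system32\dllcache (second log). As an added example, not part of the thread and not SystemLook's or TDLfix's own code, the Python below parses ":filefind" output and returns that verdict automatically; the embedded sample log is constructed, reusing the hash values from the thread.

```python
import re

# One SystemLook ":filefind" result line looks like:
#   <path> <attrs> <size> bytes [<stamp>] [<stamp>] <MD5 or "(Unable to calculate MD5)">
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-\w]{6}) (?P<size>\d+) bytes "
    r"\[(?P<ts_a>[^\]]+)\] \[(?P<ts_b>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$")

# Windows XP keeps pristine driver copies here; they serve as the reference.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
LIVE_DIR = "\\system32\\drivers\\"

# Constructed sample log (hash values taken from the thread's own logs).
SAMPLE_CLEAN = r"""Searching for "disk.sys*"
C:\WINDOWS\ServicePackFiles\i386\disk.sys ------ 36352 bytes [18:40 13/04/2008] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\dllcache\disk.sys --a--- 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\drivers\disk.sys --a--- 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
"""
# Same log, but the live copy's MD5 could not be read (as in the first log above).
SAMPLE_LOCKED = SAMPLE_CLEAN.rsplit(" ", 1)[0] + " (Unable to calculate MD5)\n"

def parse_filefind(text):
    """Return one dict per result line; headers and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = None if d["md5"].startswith("(") else d["md5"].upper()
        entries.append(d)
    return entries

def assess_driver(entries, name="disk.sys"):
    """Verdict for the live driver vs. the protected copies of the same name."""
    same = [e for e in entries if e["path"].lower().endswith("\\" + name)]
    refs = {e["md5"] for e in same if e["md5"]
            and any(d in e["path"].lower() for d in REFERENCE_DIRS)}
    live = [e for e in same if LIVE_DIR in e["path"].lower()]
    if not live:
        return "missing"        # driver absent from the live directory
    if len(refs) != 1:
        return "no-reference" if not refs else "reference-conflict"
    if live[0]["md5"] is None:
        return "unreadable"     # locked or hooked file: worth a closer look
    return "clean" if live[0]["md5"] in refs else "mismatch"
```

A "mismatch" or "unreadable" verdict on a driver that the protected copies agree on is the condition that justified re-running the fix in this thread.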
