Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect virus


  • This topic is locked This topic is locked
11 replies to this topic

#1 clarkie013

clarkie013

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Halifax, NS, Canada
  • Local time:08:27 PM

Posted 16 May 2010 - 12:41 PM

My computer is showing symptoms of the google redirect virus.
Also the "Antivirus Software Alert."

I ran

Defogger
DDs
GMER

Here are the log files.


DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 18/09/2008 2:24:37 AM
System Uptime: 16/05/2010 10:23:25 AM (1 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel Pentium III Xeon processor | uFC-PGA Socket | 1582/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 51 GiB total, 30.826 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 95.739 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {53D29EF7-377C-4D14-864B-EB3A85769359}
Description: AuthenTec Inc. AES1610
Device ID: USB\VID_08FF&PID_1600\5&207CC5DF&0&2
Manufacturer: AuthenTec, Inc.
Name: AuthenTec Inc. AES1610
PNP Device ID: USB\VID_08FF&PID_1600\5&207CC5DF&0&2
Service: ATSWPDRV

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Premiere Elements 7.0
Adobe Premiere Elements 7.0 Templates
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Bonjour
Camera Assistant Software for Toshiba
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.7
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Google Earth
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® Graphics Media Accelerator Driver
Intel® Network Connections Drivers
Intel« Matrix Storage Manager
iTunes
Java™ 6 Update 17
Java™ 6 Update 6
Java™ 6 Update 7
Kids Imaging Studio
L&H TTS3000 Espa˝ol
L&H TTS3000 Franšais
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Expression Web Service Pack 1 (SP1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
muvee autoProducer 3.5 magicMoments
Presto! BizCard Component for Windows CE
QuickTime
RealPlayer
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.05
Seagate Crystal Reports for ESRI
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SmartSound Quicktracks for Premiere Elements
Sonic Audio module
Sonic Copy Module
Sonic DLA
Sonic Express Labeler
Sonic RecordNow Data
Spelling Dictionaries Support For Adobe Reader 9
SUPERAntiSpyware Free Edition
Symantec AntiVirus
TOSHIBA Backup Utility V2.0.3
TOSHIBA Controls
TOSHIBA Cooling Performance Diagnostic Tool
TOSHIBA HDD Protection
TOSHIBA Mobile Extension3
TOSHIBA PC Diagnostic Tool
TOSHIBA PC Health Monitor
TOSHIBA SD Memory Boot Utility
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
Toshiba Tbiosdrv Driver
TOSHIBA Utilities
TOSHIBA Wireless Key Logon
TrueSuite Access Manager
Uninstall for TOSHIBA Mobile Extension3
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Script Editor Help (KB957253)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Driver Package - PASCO Scientific (PASCO) USB (01/17/2004 1.9.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Wireless Hotkey

==== Event Viewer Messages From Past Week ========

16/05/2010 10:19:41 AM, error: DCOM [10000] - Unable to start a DCOM Server: {D40DAF26-8F39-4430-97B9-D3E1A42426C8}. The error: "%2" Happened while starting this command: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE" -Embedding
11/05/2010 9:19:21 PM, error: Service Control Manager [7034] - The TOSHIBA Optical Disc Drive Service service terminated unexpectedly. It has done this 1 time(s).
10/05/2010 8:26:58 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
10/05/2010 11:49:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
10/05/2010 11:45:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/05/2010 11:45:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SASDIFSV SASKUTIL SAVRT SAVRTPEL SYMTDI TMEI3E
10/05/2010 11:44:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================


DDS Log


DDS (Ver_10-03-17.01) - NTFSx86
Run by HrsbUser at 11:41:14.67 on 16/05/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1913.1155 [GMT -3:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\TAMSvr.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TrueSuite Access Manager\FpNotifier.exe
C:\Program Files\TrueSuite Access Manager\usbnotify.exe
C:\Program Files\TrueSuite Access Manager\PwdBank.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kids Imaging Studio\Photags AutoDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\download\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sympatico.msn.ca/
uInternet Connection Wizard,ShellNext = hxxp://www.irfanview.net/faq.htm
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)" -"http://www.miniclip.com/games/sewer-run/en/"
mRun: [FingerPrintNotifer] c:\program files\truesuite access manager\FpNotifier.exe
mRun: [UsbMonitor] c:\program files\truesuite access manager\usbnotify.exe
mRun: [PwdBank] c:\program files\truesuite access manager\PwdBank.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photag~1.lnk - c:\program files\kids imaging studio\Photags AutoDetect.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235141374234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235141367062
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: TosBtNP - TosBtNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AlfaFF;AlfaFF;c:\windows\system32\drivers\AlfaFF.sys [2008-3-14 42608]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-12 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 68168]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-9-18 5888]
R2 Authentec memory manager;Authentec memory manager service;system32\TAMSvr.exe --> system32\TAMSvr.exe [?]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-11-11 151552]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2008-9-18 126976]
R2 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2008-6-23 628072]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2008-5-1 4992]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-18 238736]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-5-30 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100515.004\naveng.sys [2010-5-16 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100515.004\navex15.sys [2010-5-16 1347504]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [2008-5-30 46108]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2010-05-16 14:39:21 0 ----a-w- c:\documents and settings\hrsbuser\defogger_reenable
2010-05-16 14:37:34 0 d-----w- C:\download
2010-05-12 02:21:30 0 d-----w- c:\docume~1\hrsbuser\applic~1\Malwarebytes
2010-05-12 00:51:25 0 d-----w- c:\program files\Enigma Software Group
2010-05-12 00:51:04 0 d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-05-12 00:03:50 173 ----a-w- c:\windows\system32\MRT.INI
2010-05-11 02:28:30 17 ----a-w- C:\stinger1010854.opt
2010-05-10 22:51:48 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-10 22:51:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-07 01:00:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 01:00:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 01:00:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 01:00:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-06 22:24:58 0 d--h--w- c:\windows\PIF
2010-05-06 22:22:59 92208 ----a-w- c:\windows\system\WING.DLL
2010-05-06 22:22:59 345600 ----a-r- c:\windows\system\QTIM32.DLL
2010-05-06 22:22:59 12800 ----a-w- c:\windows\system\WING32.DLL
2010-05-06 22:03:26 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-30 01:48:45 0 d-----w- c:\program files\iPod
2010-04-30 01:48:36 0 d-----w- c:\program files\iTunes
2010-04-30 01:45:52 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-04-08 16:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 16:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 11:42:17.70 ===============



GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-16 13:56:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HrsbUser\LOCALS~1\Temp\fgtdapob.sys


---- System - GMER 1.0.15 ----

SSDT 8582B630 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\drivers\tos_sps32.sys section is writeable [0xB9CD6480, 0x3C939, 0xE8000020]
.dsrt C:\WINDOWS\system32\drivers\tos_sps32.sys unknown last section [0xB9D17900, 0x3CA, 0x48000040]
.rsrc C:\WINDOWS\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0xBA326394]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[392] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[724] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[724] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[724] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1532] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\System32\svchost.exe[1532] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02B8000A
.text C:\WINDOWS\System32\svchost.exe[1532] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02B7000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 895F0EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\cdrom.sys suspicious modification
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----




BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:27 AM

Posted 18 May 2010 - 03:28 AM

Hi clarkie013,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  3. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. please post the content to your reply.


#3 clarkie013

clarkie013
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Halifax, NS, Canada
  • Local time:08:27 PM

Posted 18 May 2010 - 06:52 PM

Thanks for the help.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4113

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

18/05/2010 8:38:43 PM
mbam-log-2010-05-18 (20-38-43).txt

Scan type: Quick scan
Objects scanned: 129334
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x895EBEE4]<<
kernel: MBR read successfully
user & kernel MBR OK




#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:27 AM

Posted 19 May 2010 - 12:57 AM

  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes, it is normal.

  2. Important: Disable Symantec auto-protect and make sure to configure it to be disabled after reboot otherwise it will interfere with the next fix.

  3. Close all the open windows.
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      cdrom
    • The application shall restart the computer immediately and runs after restart.
    • Tell me if the computer rebooted and ran to completion. You may enable Symantec now.

  4. Reboot once manually run TDLfix.exe, type the following in the open window and press enter:

    mbr

    A log file opens up. please post the content to your reply.


#5 clarkie013

clarkie013
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Halifax, NS, Canada
  • Local time:08:27 PM

Posted 19 May 2010 - 05:29 PM

Hello, did as requested and computer booted ok, no probles,

Here is the log file.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x898A9EE4]<<
kernel: MBR read successfully
user & kernel MBR OK

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:27 AM

Posted 19 May 2010 - 05:57 PM

We have to do this again, but you should make sure Symantec auto-protection is turned off and it will not run at start up when TDLfix reboots otherwise symantec locks up the rootkit file and the tool is not able to replace it.

Please right-click TDLfix and delete it. Then download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

Disable and make sure Symantec is not running at startup after reboot.

Do step 3 and 4 again and post the result.

Edited by farbar, 19 May 2010 - 06:04 PM.


#7 clarkie013

clarkie013
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Halifax, NS, Canada
  • Local time:08:27 PM

Posted 19 May 2010 - 09:08 PM

Is this better?

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys iaStor.sys
kernel: MBR read successfully
user & kernel MBR OK



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:27 AM

Posted 20 May 2010 - 01:15 AM

It looks good, the rootkit is taken care of. thumbup2.gif
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  3. Please run TDLfix once more, type mbr and press Enter. Post the log for a final review.

  4. Tel me also how is your computer running.




#9 clarkie013

clarkie013
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Halifax, NS, Canada
  • Local time:08:27 PM

Posted 20 May 2010 - 06:22 PM

Hello

Here is the latest log file

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys iaStor.sys
kernel: MBR read successfully
user & kernel MBR OK

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:27 AM

Posted 20 May 2010 - 06:34 PM

It looks good. thumbup2.gif
  1. Run TDLfix, type del and press Enter.

    Also remove any tool or log we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.


Happy Surfing. smile.gif

#11 clarkie013

clarkie013
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Halifax, NS, Canada
  • Local time:08:27 PM

Posted 20 May 2010 - 07:13 PM

Thank You! thumbup.gif

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:27 AM

Posted 21 May 2010 - 02:55 AM

You are most welcome. smile.gif

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users