Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Difficulty with redirects, services


  • This topic is locked This topic is locked
8 replies to this topic

#1 nikolairiot

nikolairiot

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 03 June 2010 - 01:09 PM

To make a long story short: my work computer was infected some months back, and IT was able to remove 95% of the infection. There were still the occasional search redirect through googleads, but it was nothing major and so was considered acceptable. Unfortunately, it has recently gotten much worse, and several problems have appeared that normal virus scans do not appear to be handling correctly. Specifically:

1) The number of redirects has gone up dramatically, and are going through a number of other random sites instead of googleads.
2) There appears to be a problem with Windows services not starting automatically, despite being marked as such according to services.msc. Among others, I need to manually start "Themes" to restore the Windows XP theme and "DHCP Client" to connect to our network. Additionally, the service "WebClient" appears to be permanently stuck in "stopping" mode, as least according to services.msc. There is also a popup notice from msconfig concerning changes made to system startup - I assume this is related.
3) The CPU on occasion will lock up completely, forcing a manual restart of the computer. I have tried to shut it down normally when this happens, but even sitting through each End Program prompt one by one it still gets stuck at the "logging off" stage.

Symantec does not appear to be catching anything that would be causing this, and I'm not seeing anything in the hosts file that would explain the redirect. Attached find the scan results from DDS. Due to the issue with the CPU locking up, I've been unable to run a full gmer scan, so the attached is a partial result containing what I've visibly seen it produce by the point it can reach. Thank you again for your time and help, and I hope to hear back from you soon.


DDS (Ver_10-03-17.01) - NTFSx86
Run by BCILAB at 20:42:29.00 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2664 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Dell\PanelMgr\SSMMgr.exe
C:\WINDOWS\twain_32\Dell\Dell2335\Scan2Pc.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online News Screensaver\onsagent.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BCILAB\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://mail.google.com/a/goldmail.etsu.edu...27cf47b41d78ed8
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Online News Screensaver] c:\program files\online news screensaver\onsagent.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WordQ carat flag] c:\program files\wordq2\WordQcrs.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Dell PanelMgr] c:\windows\dell\panelmgr\SSMMgr.exe /autorun
mRun: [2335dn Scan2PC] "c:\windows\twain_32\dell\dell2335\Scan2Pc.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wordqcrs.lnk - c:\program files\wordq2\WordQcrs.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192205007500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://etsubdca.etsu.edu:9099/forms90/jinitiator/jinit.exe
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bcilab\applic~1\mozilla\firefox\profiles\ut5kgdmu.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2007-10-11 21504]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-5-27 911680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-5-27 2480048]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-18 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-18 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-18 2477304]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-5-27 160704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100602.002\NAVENG.SYS [2010-6-2 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100602.002\NAVEX15.SYS [2010-6-2 1347504]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-21 23888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec antivirus\smclu\setup\smcinst.exe --> c:\program files\symantec antivirus\smclu\setup\smcinst.exe [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]

============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2010-05-27 18:07:05 160704 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-05-27 18:07:02 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-05-27 18:06:59 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-05-27 18:06:56 166272 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-05-26 21:24:48 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-21 19:54:13 8192 --sha-w- c:\windows\Thumbs.db

==================== Find3M ====================

2010-04-19 22:47:24 1032 ----a-w- C:\b.dat
2010-04-19 22:47:24 1032 ----a-w- C:\a.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 15:13:49 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-09 15:09:38 625032 ----a-w- c:\windows\system32\SymNeti.dll
2010-03-09 15:09:38 242056 ----a-w- c:\windows\system32\SymRedir.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-04-01 19:18:56 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2008-04-01 19:16:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 20:43:40.29 ===============

Attached File  ark.txt   6.41KB   5 downloadsAttached File  Attach.txt   27.76KB   7 downloads

Edited by nikolairiot, 03 June 2010 - 01:27 PM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 05 June 2010 - 09:42 PM

Hi and welcome. smile.gif

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log please refer to this page and in step #6 and Step #7 and Step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 nikolairiot

nikolairiot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 07 June 2010 - 05:17 PM

Hello. The problems remain the same - the computer still has issues with automatic services not starting, redirects while browsing, and repeated hanging/freezing of the CPU. Some additional information:

1) I have had one boot-up where nearly all services did start: the "WebClient" service was listed as "Started" instead of "Stopping" and most other automatics were started. The exception were "Themes", "Symantec Management Client", and "Security Center" (although I understand the later closes itself if not needed).
2) The CPU hanging/freezing appears to be due to Symantec - on one occasion I was able to temporarily resolve the issue by force closing the related .exes (I had Task Manager already up at the time). Unfortunately, this only worked once - during the next hang, the Task Manager hung/froze trying to close smc.exe, and I was forced to hard restart.
3) I have received memory reference errors from svchost.exe. I am not sure what this is relevant to.

Logs follow - they largely have not changed. I am still unable to run a complete gmer scan due to the issue with CPU hanging/freezing. It theoretically could complete, but a) by the time it reached C:\Program Files (about 5.5 hours in) it was scanning at one file a second, and I am not capable of monitoring it for the time it requires; and cool.gif attempts to run it overnight have failed, as the computer will inevitably be frozen/shut down by morning (not sure why the shut down occurs, just that it does). The attached shows the entries in GMER at the time I had stopped it (was scanning C:\Program Files\EndNote, for reference.

Thank you for your time, and I hope to hear back from you soon.




DDS (Ver_10-03-17.01) - NTFSx86
Run by BCILAB at 13:38:41.01 on Mon 06/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2694 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\Dell\PanelMgr\SSMMgr.exe
C:\WINDOWS\twain_32\Dell\Dell2335\Scan2Pc.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online News Screensaver\onsagent.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Documents and Settings\BCILAB\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://mail.google.com/a/goldmail.etsu.edu...27cf47b41d78ed8
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Online News Screensaver] c:\program files\online news screensaver\onsagent.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WordQ carat flag] c:\program files\wordq2\WordQcrs.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Dell PanelMgr] c:\windows\dell\panelmgr\SSMMgr.exe /autorun
mRun: [2335dn Scan2PC] "c:\windows\twain_32\dell\dell2335\Scan2Pc.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wordqcrs.lnk - c:\program files\wordq2\WordQcrs.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192205007500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} - hxxp://etsubdca.etsu.edu:9099/forms90/jinitiator/jinit.exe
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bcilab\applic~1\mozilla\firefox\profiles\ut5kgdmu.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2007-10-11 21504]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-5-27 911680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-5-27 2480048]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-18 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-18 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-18 2477304]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-5-27 160704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-2 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100604.006\NAVENG.SYS [2010-6-4 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100604.006\NAVEX15.SYS [2010-6-4 1347504]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-21 23888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec antivirus\smclu\setup\smcinst.exe --> c:\program files\symantec antivirus\smclu\setup\smcinst.exe [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2001-8-23 14336]

============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2010-05-27 18:07:05 160704 ----a-w- c:\windows\system32\drivers\afcdp.sys
2010-05-27 18:07:02 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-05-27 18:06:59 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-05-27 18:06:56 166272 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-05-26 21:24:48 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-21 19:54:13 8192 --sha-w- c:\windows\Thumbs.db

==================== Find3M ====================

2010-04-19 22:47:24 1032 ----a-w- C:\b.dat
2010-04-19 22:47:24 1032 ----a-w- C:\a.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-04-01 19:18:56 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2008-04-01 19:16:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 13:39:53.57 ===============

Attached File  Attach.txt   12.27KB   3 downloads
Attached File  ark.txt   6.29KB   4 downloads

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 08 June 2010 - 10:06 PM

Thanks for the description and update.

Let's begin with Combofix here.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 nikolairiot

nikolairiot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 09 June 2010 - 12:01 PM

I'm having some small difficulty. I tried running ComboFix, following your instructions, and it did require I restart my computer due to rootkit activity. I did so, and it ran fine, but two issues occurred:

1) Symantec had understandably reactivated itself when the computer restarted, and it popped up several messages of things it found while ComboFix was scanning. I do not know if this is a problem.
2) When ComboFix went to save the log file, the computer restarted a second time. ComboFix did not start again upon logging in, and no logfile appears to have been saved on the C: drive.

What would you recommend? Should I attempt to run ComboFix again? Is there a better way to keep Symantec from restarting?

P.S. I should also mention that ComboFix did run an update script when I ran it - I do not believe this would be problem, but if it is I can redownload the older version and tell it to not update.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 10 June 2010 - 06:00 PM

Hello.

Delete the copy of Combofix you have. Re-download it again then run it again please.

Then, disable Symantec, when Combofix restarts, please disable Symantec again.

If there's any problems again, let me know.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 nikolairiot

nikolairiot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 15 June 2010 - 02:11 PM

Hello. Sorry for the delay in response, things have been somewhat busy here at work. For better or worse, Combofix has appeared to fix at least some of the problems - I can no longer disable Symantec Antivirus, as real-time protection has been automatically locked on by the network administrator. I do not believe I will be able to convince them to turn it off. Should I run ComboFix regardless?

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 17 June 2010 - 07:36 PM

Do this then...

Make sure Combofix is on your desktop then...
  • Click on your Start Menu, then Run, In the run box type:
    CODE
    "%userprofile%\desktop\combofix.exe" /killall
  • Combofix will now run
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:35 AM

Posted 27 June 2010 - 03:01 PM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users