
Infected with Alureon.H


16 replies to this topic

#1 PadRat

Posted 10 June 2010 - 06:41 AM

Elise,

Here are the files you suggested I post.

Thank you so very much for your help,

PadRat


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jake at 20:40:34.35 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.88 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Jake\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.vectorvest.com/install/vvonlineus/setup.exe
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://video.ufc.com/cabfiles/UFC_DLManager_3_6_0_19.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {A7A6EF43-0FA0-4911-BC67-3F4C55D34DB9} - hxxp://www.audiobookclub.com/software/DownloadManager.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-4-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-4-7 172592]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-4-7 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-4-7 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-4-7 126392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-9 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100422.002\IDSXpx86.sys [2010-4-27 329592]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100427.002\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100427.002\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100427.002\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100427.002\NAVEX15.SYS [?]

=============== Created Last 30 ================

2010-06-10 00:34:59 0 ----a-w- c:\documents and settings\jake\defogger_reenable
2010-06-04 01:33:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 01:33:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 01:03:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-04 01:02:51 0 d-----w- c:\program files\Bonjour
2010-06-04 01:02:15 0 d-----w- c:\program files\iTunes
2010-06-04 01:02:15 0 d-----w- c:\program files\iPod
2010-06-04 00:55:57 0 d-----w- c:\windows\system32\CatRoot_bak
2010-06-04 00:35:43 0 d-----w- c:\docume~1\jake\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-06-03 01:30:22 0 d-----w- c:\docume~1\jake\applic~1\SUPERAntiSpyware.com
2010-06-03 01:29:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-02 01:13:02 0 d-----w- c:\docume~1\jake\applic~1\Malwarebytes
2010-06-02 01:12:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-02 01:12:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 23:21:47 0 d-----w- c:\windows\system32\scripting
2010-06-01 23:21:45 0 d-----w- c:\windows\l2schemas
2010-06-01 23:10:59 0 d-----w- c:\windows\network diagnostic

==================== Find3M ====================

2010-06-04 00:55:41 0 ----a-w- c:\windows\system32\drivers\afd(3).sys
2010-06-04 00:48:00 0 ----a-w- c:\windows\system32\drivers\afd(2).sys
2010-04-27 15:44:37 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 20:42:36.03 ===============

“Research is what I'm doing when I don't know what I'm doing.” Wernher von Braun


#2 Elise

Posted 10 June 2010 - 06:55 AM

Hi Joe,

I think you still know the "drill", but in case you forgot:

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.


I do not see any signs of Alureon, except for the errors in the Event Viewer (which does not mean it isn't there; if this infection is successful, it's virtually undetectable, even GMER often doesn't see it).


First of all, can you please uninstall My Way Search assistant using Add/Remove programs.


Now lets start with the malware at hand.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 PadRat

Posted 10 June 2010 - 11:46 AM

Elise,

I will be happy to do this as soon as I get home from work. Unfortunately that will be about 5:00 EST so you probably won't see my logs until about midnight your time.

Not to worry, a reply tomorrow would be fine , if you have time.

Again, thank you very much,

Joe

#4 Elise

Posted 10 June 2010 - 12:04 PM

Thanks for letting me know Joe.

regards, Elise


#5 PadRat

Posted 10 June 2010 - 06:45 PM

Elise,

Here is the Combofix log. Sorry it took so long, I had to work late.

A couple of interesting things, once again Combofix told me to shut down Norton but I couldn't. There wasn't an icon in the tray and it would not activate from the Start-> Programs menu.

Also, it couldn't install the Recovery Console and then popped up a message that said I had a Rootkit and Combofix needed to reboot my machine, so I did.

Thank you for looking at this.

Joe

ComboFix 10-06-10.03 - Jake 06/10/2010 19:14:05.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.289 [GMT -4:00]
Running from: c:\documents and settings\Jake\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
.

2010-06-10 23:11 . 2010-06-10 23:11 -------- d-----w- c:\windows\LastGood
2010-06-04 01:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 01:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 01:03 . 2010-06-04 01:03 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-04 01:02 . 2010-06-04 01:02 -------- d-----w- c:\program files\Bonjour
2010-06-04 01:02 . 2010-06-04 01:02 -------- d-----w- c:\program files\iTunes
2010-06-04 01:02 . 2010-06-04 01:02 -------- d-----w- c:\program files\iPod
2010-06-01 23:21 . 2010-06-01 23:21 -------- d-----w- c:\windows\system32\scripting
2010-06-01 23:21 . 2010-06-01 23:21 -------- d-----w- c:\windows\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 01:33 . 2010-06-02 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 01:13 . 2009-12-26 05:24 -------- d-----w- c:\program files\Bully Dog Technologies
2010-06-04 01:02 . 2010-05-09 05:33 -------- d-----w- c:\program files\Bonjour(2)
2010-06-04 01:02 . 2010-05-09 05:42 -------- d-----w- c:\program files\iPod(2)
2010-06-04 01:02 . 2010-05-09 05:41 -------- d-----w- c:\program files\iTunes(2)
2010-06-04 01:02 . 2007-09-24 14:34 -------- d-----w- c:\program files\Common Files\Apple
2010-06-04 00:55 . 2004-08-10 18:50 0 ----a-w- c:\windows\system32\drivers\afd(3).sys
2010-06-04 00:54 . 2010-06-03 01:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-04 00:48 . 2004-08-10 18:50 0 ----a-w- c:\windows\system32\drivers\afd(2).sys
2010-06-04 00:42 . 2009-01-06 21:37 -------- d-----w- c:\documents and settings\Jake\Application Data\U3
2010-06-04 00:42 . 2008-12-13 16:25 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-04 00:38 . 2010-02-04 22:12 -------- d-----w- c:\program files\QuickTime
2010-06-04 00:37 . 2009-01-06 22:38 -------- d-----w- c:\program files\Safari
2010-06-04 00:35 . 2010-06-04 00:35 -------- d-----w- c:\documents and settings\Jake\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-06-03 01:30 . 2010-06-03 01:30 -------- d-----w- c:\documents and settings\Jake\Application Data\SUPERAntiSpyware.com
2010-06-02 01:13 . 2010-06-02 01:13 -------- d-----w- c:\documents and settings\Jake\Application Data\Malwarebytes
2010-06-02 01:12 . 2010-06-02 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-01 23:28 . 2004-08-10 19:03 77859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-27 15:44 . 2006-01-01 03:00 104 --sh--r- c:\windows\system32\B71B9B54EB.sys
2010-04-27 15:44 . 2006-01-01 03:00 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-17 21:46 . 2010-04-17 21:46 -------- d-----w- c:\documents and settings\Jake\Application Data\Tific
2010-04-03 05:35 . 2010-04-03 05:35 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-03 05:19 . 2010-04-03 05:19 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-30 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-30 24576]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3 DEMO\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe [4/7/2010 4:50 PM 126392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/9/2008 4:58 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2010 6:34 PM 102448]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\SYMDS.SYS --> c:\windows\system32\drivers\NIS\1106000.020\SYMDS.SYS [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\SYMEFA.SYS --> c:\windows\system32\drivers\NIS\1106000.020\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\ccHPx86.sys --> c:\windows\system32\drivers\NIS\1106000.020\ccHPx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\Ironx86.SYS --> c:\windows\system32\drivers\NIS\1106000.020\Ironx86.SYS [?]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100422.002\IDSXpx86.sys [4/27/2010 11:46 AM 329592]
.
Contents of the 'Scheduled Tasks' folder

2010-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://video.ufc.com/cabfiles/UFC_DLManager_3_6_0_19.cab
DPF: {A7A6EF43-0FA0-4911-BC67-3F4C55D34DB9} - hxxp://www.audiobookclub.com/software/DownloadManager.CAB
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 19:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-06-10 19:31:56
ComboFix-quarantined-files.txt 2010-06-10 23:31

Pre-Run: 12,742,197,248 bytes free
Post-Run: 12,953,157,632 bytes free

- - End Of File - - 1B75CBB766C60EEBD34D41824E5B368E

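The file listings in this thread are where the driver trouble shows before ComboFix names it: the DDS log in post #1 lists zero-byte afd(2).sys and afd(3).sys copies next to the afd.sys that the ComboFix log above then reports as infected, and both logs show hidden, system-attributed .sys files sitting in system32 rather than in system32\drivers. The Python script below is an added example, not a tool from this thread or from BleepingComputer: it parses DDS- and ComboFix-style file entries and flags those patterns for manual review. The sample lines are copied from the two logs above; the heuristics and the names parse_entries, triage and base_driver are this example's own. A hit is a lead to verify (hash or signature-check the original driver against a known-good copy from the same service pack), not a verdict, since hidden .sys files in system32 are often legitimate licensing artifacts.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# File entries as printed by DDS ("Created Last 30" / "Find3M") and ComboFix
# ("Files Created" / "Find3M Report"):
#   DDS:      <mtime hh:mm:ss> <size> <attrs> <path>
#   ComboFix: <mtime hh:mm> . <ctime hh:mm> <size or dashes> <attrs> <path>
# attrs is an 8-character flag string such as "----a-w-" or "--sha-w-"
# (d=directory, s=system, h=hidden, a=archive, r=read-only, w=writable).
ENTRY_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?:\s+\.\s+(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size>\d+|-+)"
    r"\s+(?P<attrs>[-a-z]{8})"
    r"\s+(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)

DRIVER_DIR = "\\system32\\drivers\\"
NUMBERED_COPY = re.compile(r"\((\d+)\)(\.sys)$", re.IGNORECASE)

# Constructed sample: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2010-06-04 01:33:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 00:55:41 0 ----a-w- c:\windows\system32\drivers\afd(3).sys
2010-06-04 00:48:00 0 ----a-w- c:\windows\system32\drivers\afd(2).sys
2010-04-27 15:44:37 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-04 01:03 . 2010-06-04 01:03 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-04 01:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 15:44 . 2006-01-01 03:00 104 --sh--r- c:\windows\system32\B71B9B54EB.sys
"""


@dataclass
class Entry:
    path: str
    size: int    # -1 where the tool printed dashes instead of a size (directories)
    attrs: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0].lower() == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs.lower()

    @property
    def system(self) -> bool:
        return "s" in self.attrs.lower()


def parse_entries(text: str) -> List[Entry]:
    """Return every file/directory entry found in a DDS or ComboFix log excerpt."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, service/registry lines
        size = m.group("size")
        entries.append(Entry(path=m.group("path"),
                             size=int(size) if size.isdigit() else -1,
                             attrs=m.group("attrs")))
    return entries


def base_driver(path: str) -> str:
    """afd(3).sys -> afd.sys: the original that a numbered copy was made from."""
    return NUMBERED_COPY.sub(r"\2", path)


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Heuristic flags (this example's own) for driver anomalies worth a manual look."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.is_dir or not p.endswith(".sys"):
            continue
        in_drivers = DRIVER_DIR in p
        if in_drivers and e.size == 0:
            findings.append((e.path, "zero-byte file in the drivers directory"))
        if NUMBERED_COPY.search(p):
            findings.append((e.path, "numbered copy of a driver; verify " + base_driver(e.path)))
        if not in_drivers and e.hidden and e.system:
            findings.append((e.path, "hidden+system .sys outside the drivers directory"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

Run against the sample it reports both afd copies twice (zero-byte and numbered), each pointing at afd.sys as the file to verify, plus the two hidden .sys files in the system32 root; mbam.sys, mbamswissarmy.sys and the directory entry pass through unflagged.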

#6 PadRat

Posted 10 June 2010 - 06:51 PM

Elise,

Also, I must apologize, but I forgot to install "My Search Assistant" prior to running Combofix.

I did perform the uninstall afterwards.

Joe

#7 Elise

Posted 11 June 2010 - 01:21 AM

Hi Joe,
Not a problem, the MyWay uninstall is unrelated to Combofix, it's just an undesired application.

Combofix did indeed catch Alureon, aka the TDL3 rootkit, so please read the following information first:

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Next a few questions:
  1. How are things running now (I need to double-check that Combofix indeed took out the rootkit, sometimes it mysteriously re-appears, even if Combofix says it's gone)?
  2. Does the internet work normally (this is because Combofix could not download the recovery console)?
  3. Do you have more problems with Norton (if so, an uninstall/reinstall might fix the problem)?

regards, Elise


#8 PadRat

Posted 11 June 2010 - 12:54 PM

Elise,

I will check when I get home. One thing that might help indicate if it is gone, is whether or not I can start his Norton application. It would not start or update prior to removing the Rootkit. I might have to uninstall/reinstall like you suggested. Also, I could run Microsoft One Care to see its results. I'm not sure what to think about OneCare. It seems to find the viruses, but many times can't remove them.

Also, is there a way to install Recovery Console without going through ComboFix? I thought I saw a post about that one time, but when I briefly looked last night, all I found was a message about loading it from CD. I'm not sure we ever got a copy of Windows when I got the computer from Dell several years ago, but I can try to look and see.

Thank you again for all of your wonderful help.

Take care,

Joe

#9 Elise

Posted 11 June 2010 - 01:04 PM

QUOTE
Also, I could run Microsoft One Care to see its results. I'm not sure what to think about OneCare. It seems to find the viruses, but many times can't remove them.
OneCare is not very reliable because it's no longer supported since Microsoft brought out Security Essentials.

We can easily install the Recovery Console, however it's not necessary at this point. If you want to have it installed, just let me know and I'll post the instructions.

Even if you don't have the XP CD, you can still create a bootable CD to access the recovery console.

Please take your time to see how things are running and post back here with the details.

regards, Elise


#10 PadRat

PadRat
  • Topic Starter

  • Members
  • 421 posts
  • Gender:Male
  • Location:LC-39A

Posted 12 June 2010 - 10:43 AM

Elise,

It appears as though the Rootkit is gone. I still couldn't start Norton, but I uninstalled/reinstalled like you suggested and it worked fine.

There doesn't appear to be any web site hijacking and I ran OneCare which said I was clean. If you remember, it said I was infected earlier.

MBAM didn't find any issues, and it's hard for me to judge the CPU speed since it's my son's computer, but it seems like it's pretty good. Certainly boot-up time is fine. :-)

Is there anything else I can do to check to assure it's clean?

Thank you again,

Joe
“Research is what I'm doing when I don't know what I'm doing.” Wernher von Braun

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 12 June 2010 - 10:54 AM

Hi Joe, it's good to hear that.

A few last steps we need to do here...

UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

UPDATE XP
--------------
Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
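An added check for the Java removal step in the post above (example script, not part of the thread or of any tool it names): it lists every Java entry that Add/Remove Programs knows about, read from the same registry Uninstall key that applet uses, so leftover older versions are easy to spot before and after the manual uninstall. It assumes PowerShell 2.0 or later; the Wow6432Node key only exists on 64-bit Windows and is skipped where absent.

```powershell
# Added example, not from the thread: enumerate Java Runtime entries registered
# in Add/Remove Programs so older versions left behind can be identified.
# Assumes PowerShell 2.0+; Wow6432Node is only present on 64-bit Windows.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            # Same names the post tells the user to look for in Add/Remove Programs
            if ($p.DisplayName -match 'Java|J2SE|JRE') {
                New-Object PSObject -Property @{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

# Newest first; an entry whose DisplayVersion does not parse sorts last
$java = @(Get-InstalledJava |
    Sort-Object { try { [version]$_.Version } catch { [version]'0.0' } } -Descending)

if ($java.Count -eq 0) {
    'No Java entries are registered in Add/Remove Programs.'
} else {
    'Java entries found (newest first):'
    $java | Format-Table Name, Version -AutoSize
    if ($java.Count -gt 1) {
        'Older entries that still need to be uninstalled:'
        $java | Select-Object -Skip 1 |
            Format-Table Name, Version, UninstallString -AutoSize -Wrap
    }
}
```

Run it again after the reboot in the post's steps; only the newly installed JRE should remain in the list.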


#12 PadRat

PadRat
  • Topic Starter

  • Members
  • 421 posts
  • Gender:Male
  • Location:LC-39A

Posted 12 June 2010 - 12:54 PM

Ok, thank you. I will work on this later this evening. Getting ready to smoke some ribs for the family.

Joe
“Research is what I'm doing when I don't know what I'm doing.” Wernher von Braun

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 12 June 2010 - 01:08 PM

Enjoy!

Take your time and post back when ready!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#14 PadRat

PadRat
  • Topic Starter

  • Members
  • 421 posts
  • Gender:Male
  • Location:LC-39A

Posted 13 June 2010 - 12:00 AM

Elise,

ESET finished and said "No Threats Found". As you said, if no threats were found, there was no option to push for "List of Found Threats".

One thing though, when ESET was at about 93% complete, Norton popped up and said "Backdoor.Tideser!inf requires manual removal" Risk High.

But when I go to the Symantec website, it says the risk is very low. Should I have shut down Norton before running ESET?

Just curious,

Joe



“Research is what I'm doing when I don't know what I'm doing.” Wernher von Braun

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,833 posts
  • Gender:Female
  • Location:Romania

Posted 13 June 2010 - 01:19 AM

Hi Joe,
Most likely ESET was scanning files in System Restore or the ComboFix quarantine when Norton popped up that warning. It detected that a file infected with Alureon/TDSS was accessed and reacted.

Which means your daughter has a clean computer once again.

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a random named file).
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft

