Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet redirect virus/malware after removal of AntivirusSuite


  • This topic is locked This topic is locked
11 replies to this topic

#1 sraghav1

sraghav1

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 10 June 2010 - 12:19 PM

On 06/04/10, I used Rkill and Malwarebytes to clear out AntivirusSuite infection. Since then, clicking on any google search results redirects me to other pages. Occasionally, a new tab will open up on its own directed to some other website (typically some advertisement or prize site). I re-ran Malwarebytes, and found one additional virus/malware file for AntispywareSoft, which I removed. However, I still have the google re-direct problem. In addition, I have noticed the computer freezing more often and not shutting down properly since this problem developed (I end up having to hold the power button to shut down because the computer freezes when I try to hibernate/shut down). I was directed here from the "Am I Infected" board (link: http://www.bleepingcomputer.com/forums/topic322378.html). I would appreciate any assistance with clearing out this virus. My system is an IBM T41 running windows XP service pack 3 and Symantec Antivirus. Thanks for your help.

link to "Am I Infected" thread: http://www.bleepingcomputer.com/forums/t/322378/internet-search-redirect-virusmalware/

I ran Defogger and dds, and re-ran gmer this morning as specified. DDS.txt file is below; Attach.txt and Ark.txt are attached.

DDS file:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Simil at 10:40:17.48 on Thu 06/10/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.373 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.bigzoo.net
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [tgcmd]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\simil\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [TpShocks] TpShocks.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [QCTray] c:\progra~1\thinkpad\connec~1\QCTray.exe
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [UC_Start] c:\ibmtools\updater\ucstartup.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\thinkpad\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sharebuilder.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C4B977A3-E8A2-37E9-ADCD-2597FAAC61F5} - hxxp://shop.lenovo.com/SEUILibrary/lenovo-portal/cab/autodetect/MachineInfo.cab
DPF: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://xerxes.nas.edu/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: QConGina - QConGina.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\simil\applic~1\mozilla\firefox\profiles\czga4ppf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com/
FF - plugin: c:\documents and settings\simil\application data\mozilla\firefox\profiles\czga4ppf.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\simil\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\simil\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 HSCA32;HSCA32;c:\windows\system32\drivers\HSCA32.sys [2006-3-20 30233]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-1-29 15360]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-3-15 11113]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100604.006\naveng.sys [2010-6-4 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100604.006\navex15.sys [2010-6-4 1347504]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-3-15 216459]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2006-1-9 12288]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2004-2-13 4064]

=============== Created Last 30 ================

2010-06-10 14:39:47 0 -c--a-w- c:\documents and settings\simil\defogger_reenable
2010-06-07 13:44:53 1264 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-07 05:36:49 16384 -c-ha-w- C:\SZKGFS.dat
2010-06-07 05:34:09 0 dc----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-06-07 05:32:39 0 dc----w- c:\program files\common files\iS3
2010-06-07 05:32:37 0 dc----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-06-04 15:20:01 0 dc----w- c:\docume~1\simil\applic~1\Malwarebytes
2010-06-04 14:06:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 14:06:34 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 14:06:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 14:06:33 0 dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 20:00:45 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-05-24 20:00:45 6400 ----a-w- c:\windows\system32\dllcache\enum1394.sys
2010-05-24 20:00:45 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-05-24 20:00:45 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-24 20:00:45 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-05-24 20:00:45 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2010-05-24 20:00:24 17152 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-05-24 20:00:24 17152 ----a-w- c:\windows\system32\dllcache\usbohci.sys

==================== Find3M ====================

2010-05-04 18:06:25 6656 ----a-w- c:\windows\system32\haspvdd.dll
2010-05-04 18:06:25 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2010-05-02 23:57:35 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-02 23:57:31 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2008-10-02 22:45:04 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 10:42:25.91 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:34 AM

Posted 14 June 2010 - 09:09 AM

Hi sraghav1,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

CODE
@echo off
if exist mbr.log del mbr.log
mbr.exe -t
ping 1.1.1.1 -n 1 -w 1000 >nul
start mbr.log

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#3 sraghav1

sraghav1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 15 June 2010 - 08:40 AM

Hi farbar,

I agree with not making any further changes to my system from here on out while making these repairs. I ran the code you suggested, with mbr.log output below. Many thanks for your help with this.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86E79EC5]<<
kernel: MBR read successfully
user & kernel MBR OK



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:34 AM

Posted 15 June 2010 - 08:50 AM

Hi again sraghav1,

We need to take care of the rootkit.
  1. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Disable real-time protection of you security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Close all the open windows.
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      disk
    • The application shall restart the computer immediately and runs after restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Tell me also if the issue is resolved.


#5 sraghav1

sraghav1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 15 June 2010 - 10:35 AM


Hi farbar,

I ran TDLfix.exe as you specified below after disabling my security software, and it rebooted the computer without any problem.

1. Upon logging into Windows, the TDLfix window opened for a few seconds and appeared to run to completion. My symantec security and firewall were initially disabled, but then were automatically re-enabled. Was this supposed to happen?

2. Also, symantec found 1 new virus infection, with info as follows:

Virus name: Backdoor.Tidserv!inf
Filename: C:/Windows/system32/drivers/disk.sys
Action taken: Left alone (quarantine failed)

I'm not sure if this is related to the TDLfix, or something completely different - any thoughts? Do I need to re-scan with symantec?

3. The google search redirect problem does seem to be resolved now. I've tried several searches and am able to click on search results without any problems.

If you have any input on 1 and 2 above, I would appreciate it. Thanks so much for all your help.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:34 AM

Posted 15 June 2010 - 01:10 PM

The tool does nothing to disable or enable Symantec. I think it was not properly disabled in order not to run on reboot.
The second points worries me because if it prevented replacing the patched driver the rootkit will run on the next boot.

We need to check it:

Reboot the computer once manually then run TDLFix again, type mbr and press Enter. Copy and paste the log it creates.

#7 sraghav1

sraghav1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 15 June 2010 - 02:58 PM


Hi farbar,

I rebooted and re-ran TDLfix, this time typing mbr. Log is below. The google search still seems to be functioning properly, with no re-direction. Any thoughts on this virus my symantec is finding? Is this part of the repair? Thanks again for all your help.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,

http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll

atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:34 AM

Posted 15 June 2010 - 03:52 PM

The log is clean and the rootkit is taken care of. Symantec has not interfered with cleaning. And it should not complain any more.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

    Also remove any tool or log we used from your computer.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  3. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  4. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  5. Tell me also how is your computer running.


#9 sraghav1

sraghav1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 16 June 2010 - 09:52 AM


Hi farbar,

I did all that you specified below (ran TDLfix and typed del, downloaded new version of java, downloaded and ran CCleaner, updated and scanned with Malwarebytes). The malwarebytes log is below. In general, the computer is running much better. However, my symantec is still finding this "Backdoor.Tidserv!inf" virus on the computer - is this related to the fix, or is this something else I need to clean out? It does not appear as though symantec is able to clear/quarantine it fully. Thanks for all your help - I really appreciate it.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4202

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/16/2010 12:35:02 AM
mbam-log-2010-06-16 (00-35-02).txt

Scan type: Quick scan
Objects scanned: 137947
Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:34 AM

Posted 16 June 2010 - 12:56 PM

Symantec might find the infection in the System Volume Information folder where the restore points are kept. We always flush the folder at the end.
  1. You may delete any log or tool we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  3. Now run a full scan with Symantec and let me if it found anything. If yes provide me the path to the file it find.


#11 sraghav1

sraghav1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:34 PM

Posted 17 June 2010 - 08:14 AM


Hi farbar,

You were right - symantec was finding the infection in prior restore points. After setting a new restore point and deleting the old ones, a complete scan did not find any infections. If anything new comes up in the next few days, I will post, but I don't anticipate any new problems. Thanks so much for all your help - your service has been invaluable.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:34 AM

Posted 17 June 2010 - 08:23 AM

You are most welcome. smile.gif

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users