Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

google redirects, windows errors, wu interference


  • This topic is locked This topic is locked
15 replies to this topic

#1 matt44

matt44

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 26 November 2010 - 12:00 AM

Hi All,

I have a persistent rootkit that can be temporarily cleaned with TSDSSKiller or Hitman, but it keeps coming back. Thank you in advance for any help. -Matt

Logs attached. Long story begins here:

System: Dell laptop running Windows XP Pro SP3
Problem: Browser redirect rootkit, interference with Windows updates

Getting random redirects and popups from Google. Problem appears in IE and in clean installations of Firefox. Also getting error popups from Windows, such as the following:

"Generic Host Process for Win32 Services has encountered a problem and needs to close... etc" Some technical details of error message are:

szAppName : svchost.exe
szAppVer : 5.1.2600.5512
szModName : ntdll.dll
szModVer : 5.1.2600.5755
offset : 00023845

The rootkit is undetected by AVG, Microsoft Security Essentials, and Malwarebytes. It is detected but not killed by Kaspersky TSDSSKiller and Hitman Pro.

It seems the problems started about two weeks ago when I used an untrusted USB flash drive. At the time I had AVG (free version) which complained about malware on the drive. Unplugged the drive, and saw no obvious problems right away. Shortly therafter the laptop got Thinkpoint. Ran AVG scan, and it seemed to clean up the Thinkpoint OK - have not had any more occurence of thinkpoint.

A day or so after this the redirects started. Ran AVG and it did not detect any problems. Unistalled AVG, installed Microsoft Security Essentials. MSE could not download the definitions - had to download and install manually. When finally able to run MSE it found a few things and cleaned them.

Recent runs of MSE with updated definitions do not turn up anything new. Malwarebytes does not detect problems either.

After reading about some experiences posted by others, I tried TDSSKiller from Kaspersky. It can detect and clean, but the rootkit comes back in short order.

A scan with TDSSKiller turns up: Rootkit.Win32.TDSS.tdl4

Next up tried Hitman (free version). A scan with Hitman Pro 3.5.7 - Build 117 returns results like this:

Possible variant of the TDL3 (alias Alureon) rootkit detected
Master Boot Record (Sector 0) Rootkit
C:$MBR
11.tmp Malware
C:\WINDOWS\Temp\
F.tmp Malware
C:\WINDOWS\Temp\

These above scans are in normal mode, not safe mode, by-the-way.

Both TDSSKiller and Hitman will clean the objects, and there is temporary success. However, the problems (browser redirects, update interference) return after a short while. Immediately after reboot things are good - browser works fine. But after a few minutes, the problem magically returns.

Maybe this can be fixed by repairing the Master Boot Record?? But unfortunately I think I lost the Windows Install disk...

Thanks again!

Attached Files



BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:15 AM

Posted 03 December 2010 - 03:17 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:

cXfZ4wS.png


#3 matt44

matt44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 03 December 2010 - 11:32 PM

Hi Georgi,

Thanks for your help! I am still having problems.

The browser redirects stopped after I changed the admin password to my wireless router. Maybe just coincidence, I don't know. After changed password, a scan with Hitman picked up and cleaned a trojan. New scans with Hitman, TDSSKiller, and MSE do not detect any threats. However, I think there is still something really wrong. The machine is now quite slow, and the mouse cursor will frequently freeze for several seconds. This is a new problem that started after the browser redirects stopped.

I ran a new DDS scan which is pasted in here.

GMER crashed every time I tried to run it. This is also a new problem, since it ran fine back when I made original post. I ran Defogger first, then I tried: wireless on, wireless disabled, antivirus (MSE) on, antivirus off, normal mode, safe mode, etc. It hanged every time and the laptop had to be hard-rebooted. I was using the randomly-named gmer exe downloaded from gmer.net.

That's the story for now, thanks again for your help! -Matt

Contents of DDS.txt here:


DDS (Ver_10-11-27.01) - NTFSx86
Run by Matt at 19:00:26.96 on Fri 12/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.514 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\JHSecure\VPN Client\cvpnd.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {6442c3a3-1145-4534-ab11-ffe09b97f700} - c:\windows\system32\opnlMfDw.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {495DEA80-49C2-4891-94CD-C2016615D16F} - hxxp://www.catalogds.com/dtd/pvcadview.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5387/mcfscan.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
AppInit_DLLs: wxvault.dll yorbyx.dll ohdkhq.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\bjd6bce0.default\
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\bjd6bce0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-1 135664]
S2 IpripEapHost;RIP Listener IpripEapHost;c:\windows\system32\acordx50v.exe srv --> c:\windows\system32\ACORDX50v.exe srv [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-4 280344]

=============== Created Last 30 ================

2010-12-03 22:58:52 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{56434a0e-b62a-460c-8968-413a5146729e}\mpengine.dll
2010-11-26 04:10:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-11-25 00:03:32 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-25 00:03:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-24 23:59:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-11-19 07:15:53 -------- d-----w- C:\MembraneAlife
2010-11-18 18:21:42 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-18 04:57:42 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-18 03:54:49 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-06 16:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 16:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

============= FINISH: 19:02:23.37 ===============

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:15 PM

Posted 04 December 2010 - 07:45 AM

Hello matt44

Welcome to BleepingComputer :)
==========================

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 matt44

matt44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 04 December 2010 - 08:45 PM

Hi kahdah,

C:\ComboFix.txt is attached.

Thanks for your help! -Matt

Attached Files



#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:15 PM

Posted 04 December 2010 - 09:04 PM

You are welcome :)

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
==========
* Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan inside archives.
  • Click Scan
  • Wait for the scan to finish
  • Click on the option that says Export to text file.
  • Save it to your desktop and post the contents here in your next reply.
  • Once the log is saved click the option to delete quarantined threats and Uninstall application on close.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 matt44

matt44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 04 December 2010 - 11:31 PM

Malwarebytes log is posted below (no infections found). I could not get ESET to run. IE kept hanging when trying to get the ActiveX to start. Tried several security settings (enable download signed activeX, and so on) but nothing worked.

Thanks again - Matt

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5246

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/4/2010 10:23:22 PM
mbam-log-2010-12-04 (22-23-22).txt

Scan type: Quick scan
Objects scanned: 169905
Time elapsed: 11 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:15 PM

Posted 05 December 2010 - 06:19 PM

Ok do the following instead:
Please click here to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect,delete if disinfection fails.
  • Then click on Start Scan.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight of of the items found by using ctrl + a on your keyboard to select all or use your mouse to select all then right click and choose copy.
  • This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 matt44

matt44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 06 December 2010 - 09:39 AM

Autoscan: completed 4 hours ago (events: 4, objects: 1526905, time: 05:18:14)
12/6/2010 12:03:20 AM Task started
12/6/2010 5:14:24 AM Detected: HEUR:Exploit.Script.Generic C:\WINDOWS\system32\123.js
12/6/2010 5:14:24 AM Detected: HEUR:Exploit.Script.Generic C:\WINDOWS\system32\535.js
12/6/2010 5:21:35 AM Task completed

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:15 PM

Posted 06 December 2010 - 02:18 PM

Anymore redirects?

Please run dds once more and post the dds.txt that opens and let me know of any remaining issues.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 matt44

matt44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 06 December 2010 - 10:31 PM

The redirects have stopped. There are still occasional mouse-freezes, but the computer is working better after combofix. DDS below. Thanks again for your help!

PS - do you think the 2 items found by kaspersky scan are false alarms or real threats?


DDS (Ver_10-11-27.01) - NTFSx86
Run by Matt at 22:21:18.15 on Mon 12/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.527 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\JHSecure\VPN Client\cvpnd.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {495DEA80-49C2-4891-94CD-C2016615D16F} - hxxp://www.catalogds.com/dtd/pvcadview.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5387/mcfscan.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
AppInit_DLLs: c:\windows\system32\wxvault.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\bjd6bce0.default\
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\bjd6bce0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-1 135664]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-10-4 280344]

=============== Created Last 30 ================

2010-12-06 14:13:14 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{f325f739-139a-48a4-a7d1-d4138c1da6dc}\mpengine.dll
2010-12-05 00:29:10 -------- d-sha-r- C:\cmdcons
2010-12-05 00:23:39 98816 ----a-w- c:\windows\sed.exe
2010-12-05 00:23:39 89088 ----a-w- c:\windows\MBR.exe
2010-12-05 00:23:39 256512 ----a-w- c:\windows\PEV.exe
2010-12-05 00:23:39 161792 ----a-w- c:\windows\SWREG.exe
2010-12-05 00:23:16 -------- d-----w- C:\ComboFix
2010-12-04 23:14:11 -------- d-----w- c:\windows\setup.pss
2010-12-04 23:13:39 -------- d-----w- c:\windows\setupupd
2010-11-26 04:10:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-11-25 00:03:32 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-25 00:03:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-24 23:59:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-11-19 07:15:53 -------- d-----w- C:\MembraneAlife
2010-11-18 18:21:42 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-18 04:57:42 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-18 03:54:49 -------- d-----w- c:\program files\Microsoft Security Essentials

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

============= FINISH: 22:21:39.95 ===============

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:15 PM

Posted 07 December 2010 - 07:12 AM

No they were real.
They are gone now though.

There are still occasional mouse-freezes

Try doing this.
Go to Start >Run type in cmd then hit ok.
THen type in this chkdsk /r /f then hit enter.
Type in Y at the prompt and then restart the computer.
Let it run through this check and then let me know how it goes.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 matt44

matt44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 08 December 2010 - 01:48 PM

Results from chkdsk /r /f below. Intermittent mouse-freezes persist, but maybe it is just MSE slowing things down... Had similar hiccups with AVG.

Cleaning up minor inconsistencies on the drive.
Cleaning up 1755 unused index entries from index $SII of file 0x9.
Cleaning up 1755 unused index entries from index $SDH of file 0x9.
Cleaning up 1755 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.

78091964 KB total disk space.
56903884 KB in 269096 files.
100532 KB in 22376 indexes.
0 KB in bad sectors.
470792 KB in use by the system.
65536 KB occupied by the log file.
20616756 KB available on disk.

4096 bytes in each allocation unit.
19522991 total allocation units on disk.
5154189 allocation units available on disk.

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:15 PM

Posted 08 December 2010 - 02:01 PM

Could be, your logs are clean of any malware.
Please do the following to remove what we have used and to update your system.
==============

=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.
======Next======
  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.
===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE) then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.

Delete\uninstall anything else that we have used that is leftover.

=============
After that your all set.


===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article Some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

How did I get infected in the first place? Also this one by Tony Klein.

If your computer is slow Things you can do if your computer is slow.

PC Safety and Security - What Do I Need? Security suggestions and general hints and tips for PC security.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent etc...



===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware
superantispyware

===Free antivirus links===

This is antivirus and antispyware.
Microsoft Security Essentials
This is free antispyware protection and Antivirus protection.
AVG free
This is just antivirus protection.
Antivir
This is antivirus and antispyware protection.
Avast
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 matt44

matt44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 10 December 2010 - 09:53 PM

OK, I cleaned up and updated Java. As for the cursor freezes, on a hunch from Task Manager I disabled Java Quick Start, which seemed to be pulling heavy resources during freezes. For the moment, this "fix" has worked but I don't know why, or whether it is a good idea to disable Java Quick Start.

Thank you for all your help! The computer is working much better now.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users