Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirection of Searchs and $1000 Walmart Popup


  • This topic is locked This topic is locked
23 replies to this topic

#1 ran72

ran72

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 10 December 2010 - 02:33 PM

My computer had the Microsoft Security Essentials Alert and HDD Plus malware and I followed your instructions on how to remove it but I still have problems with a redirection of my Google Searches, I cannot click on any external links within IE and follow them. I also get popups saying a won a $1000 Walmart card and other winning ads. Sometimes I can't even open up IE. I also keep getting a Generic host Process for Win32 Services has encounterd a problem and needs to closes pop-up as well. this usually happens after i try using IE and it locks up on me. Below is the results I have from DDS:


DDS (Ver_10-12-05.01) - NTFSx86
Run by Randy Russow at 12:19:26.20 on Fri 12/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2312 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\SolidWorks 2008\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
C:\DOCUME~1\RANDYR~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\Windows Desktop Search\windowssearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Randy Russow\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.devicetech.net/
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\randyr~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks 2008\solidworks\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga311s~1.lnk - c:\program files\netgear ga311 adapter\GA311.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks 2006\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxp://components.metastream.com/MTSInstallers/MetaStream3.cab
DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} - hxxp://destaco.partcommunity.com/PARTcommunity/portal/all/cnsViewer3D/cnsweb3d.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206135433125
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://monstersales.webex.com/client/T26L/webex/ieatgpc.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\randyr~1\applic~1\mozilla\firefox\profiles\vl8d8emm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.devicetech.net/|http://www.foxnews.com/|http://www.cnn.com/
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\randy russow\application data\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared
FF - Extension: XULRunner: {CC9C78E0-5876-4DB9-834D-4F0E6908B256} - c:\documents and settings\randy russow\local settings\application data\{CC9C78E0-5876-4DB9-834D-4F0E6908B256}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\randyr~1\applic~1\mozilla\firefox\profiles\vl8d8emm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\docume~1\randyr~1\applic~1\mozilla\firefox\profiles\vl8d8emm.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\randy russow\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-22 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-22 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-22 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-22 243024]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-23 308136]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-12-8 5241448]
S2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-12-25 8440]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-8-15 11237]
S3 GzOFBus;CASIO C721 USB Composite device driver;c:\windows\system32\drivers\GzOFBus.sys [2008-12-16 33408]
S3 GzOFMdm;CASIO C721 CDMA USB Modem;c:\windows\system32\drivers\GzOFMdm.sys [2008-12-16 54400]
S3 GzOFVsp;CASIO C721 USB Virtual Serial Port Driver;c:\windows\system32\drivers\GzOFVsp.sys [2008-12-16 54400]

=============== Created Last 30 ================

2010-12-10 17:47:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-10 17:47:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-10 16:24:08 -------- d-----w- c:\docume~1\randyr~1\locals~1\applic~1\AVG Security Toolbar
2010-12-10 13:52:34 -------- d-----w- c:\program files\common files\Java(2)
2010-12-08 20:33:37 0 ----a-w- c:\windows\Lxewubinago.bin
2010-12-08 20:33:36 -------- d-----w- c:\docume~1\randyr~1\locals~1\applic~1\{CC9C78E0-5876-4DB9-834D-4F0E6908B256}
2010-12-07 21:04:08 -------- d-----w- c:\docume~1\randyr~1\applic~1\CHMC
2010-12-07 20:59:25 -------- d-----w- c:\program files\CHMC
2010-12-01 17:43:32 -------- d-----w- c:\program files\viewsonic
2010-11-29 13:55:45 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-11-29 13:55:40 53248 ----a-r- c:\docume~1\randyr~1\applic~1\microsoft\installer\{a93762e6-8ea6-4e7f-9557-64e51aa3ab84}\ARPPRODUCTICON.exe
2010-11-29 13:55:34 -------- d-----w- c:\program files\CASIO
2010-11-12 13:19:32 -------- d-sh--w- C:\found.000

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-b

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B149555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b14f7b0]; MOV EAX, [0x8b14f82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B162AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x8B1C19E8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B1C1D98]
\Driver\atapi[0x8B1CC100] -> IRP_MJ_CREATE -> 0x8B149555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP4T0L0-b -> \??\IDE#DiskST3160815AS_____________________________3.AAD___#5&1327b7ae&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B14939B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:21:31.96 ===============

I just looked within my computer management on the Windows XP and my main C: drive is not shown there. I can see it thru explorer but not under the Disk Management tab of the Computer Management. Wondering if it still has anything to do with the HDD Plus malware or the Microsoft Security Essentials alert.

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 10 December 2010 - 08:56 PM.


BC AdBot (Login to Remove)

 


#2 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 13 December 2010 - 11:19 AM

Some more problems I just found. My Media player cannot play because it does not see the audio card. i have run that seperate software and it plays sounds from that control panel but nowhere else can i see evidence that I have an audio card.

#3 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:46 PM

Posted 17 December 2010 - 05:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#4 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 20 December 2010 - 09:40 AM

Good morning, Sorry for the delay was not on the computer for the whole weekend. Below is the new DDS logfile. I have attached the new DDS file but my system crashed when I was running the GMER program so I will not be able to post this file.

Sorry about posting twice, had issues with internet connection. Reposted full text below with comments.

Attached Files


Edited by ran72, 20 December 2010 - 09:55 AM.


#5 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 20 December 2010 - 09:51 AM

Good morning, Sorry for the delay was not on the computer for the whole weekend. Below is the new DDS logfile. I have attached the new DDS file but my system crashed when I was running the GMER program so I will not be able to post this file.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Randy Russow at 7:48:05.28 on Mon 12/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2421 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks 2008\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\DOCUME~1\RANDYR~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Randy Russow\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.devicetech.net/
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\randyr~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks 2008\solidworks\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga311s~1.lnk - c:\program files\netgear ga311 adapter\GA311.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks 2006\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxp://components.metastream.com/MTSInstallers/MetaStream3.cab
DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} - hxxp://destaco.partcommunity.com/PARTcommunity/portal/all/cnsViewer3D/cnsweb3d.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206135433125
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www2.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://monstersales.webex.com/client/T26L/webex/ieatgpc.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\randyr~1\applic~1\mozilla\firefox\profiles\vl8d8emm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.devicetech.net/|http://www.foxnews.com/|http://www.cnn.com/
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\randy russow\application data\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared
FF - Ext: XULRunner: {CC9C78E0-5876-4DB9-834D-4F0E6908B256} - c:\documents and settings\randy russow\local settings\application data\{CC9C78E0-5876-4DB9-834D-4F0E6908B256}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\randy russow\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-22 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-22 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-22 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-22 243024]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-23 308136]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-12-8 5241448]
S2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-12-25 8440]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-8-15 11237]
S3 GzOFBus;CASIO C721 USB Composite device driver;c:\windows\system32\drivers\GzOFBus.sys [2008-12-16 33408]
S3 GzOFMdm;CASIO C721 CDMA USB Modem;c:\windows\system32\drivers\GzOFMdm.sys [2008-12-16 54400]
S3 GzOFVsp;CASIO C721 USB Virtual Serial Port Driver;c:\windows\system32\drivers\GzOFVsp.sys [2008-12-16 54400]

=============== Created Last 30 ================

2010-12-10 17:47:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-10 17:47:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-10 16:24:08 -------- d-----w- c:\docume~1\randyr~1\locals~1\applic~1\AVG Security Toolbar
2010-12-10 13:52:34 -------- d-----w- c:\program files\common files\Java(2)
2010-12-08 20:33:37 0 ----a-w- c:\windows\Lxewubinago.bin
2010-12-08 20:33:36 -------- d-----w- c:\docume~1\randyr~1\locals~1\applic~1\{CC9C78E0-5876-4DB9-834D-4F0E6908B256}
2010-12-07 21:04:08 -------- d-----w- c:\docume~1\randyr~1\applic~1\CHMC
2010-12-07 20:59:25 -------- d-----w- c:\program files\CHMC
2010-12-01 17:43:32 -------- d-----w- c:\program files\viewsonic
2010-11-29 13:55:45 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-11-29 13:55:40 53248 ----a-r- c:\docume~1\randyr~1\applic~1\microsoft\installer\{a93762e6-8ea6-4e7f-9557-64e51aa3ab84}\ARPPRODUCTICON.exe
2010-11-29 13:55:34 -------- d-----w- c:\program files\CASIO

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-b

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B1A4555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b1aa7b0]; MOV EAX, [0x8b1aa82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B1EBAB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x8B1EF338]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B1DAB00]
\Driver\atapi[0x8B18F6E8] -> IRP_MJ_CREATE -> 0x8B1A4555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP4T0L0-b -> \??\IDE#DiskST3160815AS_____________________________3.AAD___#5&1327b7ae&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B1A439B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 7:50:05.33 ===============

Just some other notes on what i have been seeing over the days that I have been using the computer after my initial post:
Generic Host Process for Win 32 Services keeps shutting down or being closed by windows.
My windows bezels keep being changed from my default color to old windows gray and the settings have not changed. If I restart it disappears.
My audio card will not work and is not listed under the computer management but I can run the software that controls it and hear sounds there.
My C drive is not listed under computer management but I can still see and access it from windows explorer.
I tried to start in safe mode and computer would crash doing this.

Thanks for your help and will await instructions on the next step.

Randy

#6 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:46 PM

Posted 20 December 2010 - 02:27 PM

Hi,

My name is Casey and I will be helping you with your malware problems.

As you may have noticed, I am currently in training which means that all of my responses will first be verified by a malware removal coach. As such, there may be a little delay in my responses to you. On the plus side, there will be two sets of eyes looking over your logs.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "track this topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#7 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 20 December 2010 - 03:17 PM

Thanks Casey, glad to hear your on the case. I will await your instructions on what to do next to get rid of the pesky problem.

Randy

#8 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:46 PM

Posted 22 December 2010 - 03:10 PM

Hi,

Backdoor Trojan (TDL3) warning


I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. In addition to the backdoor Trojan that has been identified, your computer is afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, equally we cannnot repair the damages it may possibly have caused to vital system files.

Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you should decide to carry on then please follow the instructions below:



:step1:Uninstall Viewpoint

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

From Add/Remove programs please uninstall the following (if they are present): Viewpoint, Viewpoint Manager, Viewpoint Media Player. Help on uninstalling programs can be found here


:step2:Uninstall AVG

We need to uninstall AVG due to the way it interferes with the running of ComboFix. Anti-virus products are notorious for leaving left overs when uninstalled and even these will cause ComboFix to fail. I therefore recommend that you uninstall AVG using AppRemover, or if you use the Add/Remove programs feature in Windows then run AppRemover afterwards to clean up any remnants.

Download and run AppRemover.
http://www.appremover.com/

I understand that this may feel uncomfortable to you, however, we will install AVG (or another anti-virus product) again after we have finished the clean-up.


:step3:Disable TeaTimer

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy


:step4:Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.


Once you have followed the steps, please let me know how your PC is running. Are you still experiencing redirects?


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#9 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 22 December 2010 - 05:55 PM

i followed your steps and attached the report from the Combofix program.

So far I have not witnessed any redirects and my audio is working from my windows media player. I still do not see my c drive listed under computer management.

Let me know the next step.

Attached Files



#10 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 23 December 2010 - 07:39 AM

I restarted my system this morning and the computer booted up with the problems again.
First my bezel had changed back to windows classic and gray color.
Also it was stating that it couldnt connect to network connections but if I searched thru networks places I could connect to them
I did a google search and I was redirected after I clicked on a link from the results

I then shut the machine off and restarted again and bezel was back to its normal set color. THe Generic Host Process for Win32 Servies crashed and the alert popped up. My google searches are still redirected.

Let me know what my next step should be from here.

Thanks
Randy

#11 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:46 PM

Posted 24 December 2010 - 06:53 AM

Hi,

Unfortunately, ComboFix was not able to automatically remove the main infection on your PC. So we'll try another tool.

  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
    • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
    • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply

Please let me know how your PC is running after running TDSSKiller.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#12 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 27 December 2010 - 09:28 AM

I have run the TDSKiller and it found a file and I cured it. Reboot was successful and no redirects are happening right now. Also, my C drive is now listed under the computer management window. Let me know what the next step is.

Merry Christmas to you and your family as well.


Randy

Attached Files



#13 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:46 PM

Posted 28 December 2010 - 06:13 AM

Hi ran72,

Please download MBRCheck to your desktop.
Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
It will open a black window, please do not fix anything (if it gives you an option).
Exit that window and it will produce a log (MBRCheck_date_time).
Please post that log when you reply.

Could you also now re-run ComboFix for me (as instructed earlier) and post the resultant log.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#14 ran72

ran72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 28 December 2010 - 10:19 AM

I was able to run the two programs with no faults. I attached both log files.

Thanks for all your help and will be waiting for your next instruction

Randy

Attached Files



#15 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:46 PM

Posted 28 December 2010 - 07:29 PM

Hi,

Good :thumbup2: The logs show that your main infection has been removed. We now have some leftovers that need cleaning though.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so that they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text below into it:
http://www.bleepingcomputer.com/forums/topic366208.html

Collect::
c:\windows\Lxewubinago.bin
c:\documents and settings\Randy Russow\Local Settings\Application Data\{CC9C78E0-5876-4DB9-834D-4F0E6908B256}

Suspect::
c:\windows\Tasks\User_Feed_Synchronization-{B74ECBCA-AD5D-4952-AB6E-58179B2A0728}.job

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Note: Combofix might upload a few suspicious files. Please allow this!!

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Please also let me know how your PC is running.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users