Google keeps redirecting


  • This topic is locked
12 replies to this topic

#1 Jimē

  • Members
  • 6 posts

Posted 25 February 2011 - 01:26 PM

On Feb 18 I copied a driver disc and Avira warned that a suspicious file was included. Since the driver disc came from a computer manufacturer I assumed it was a false positive and copied the disc. My mistake. I have since gotten several notifications from Avira removing files. Usually Avira gives notifications in the early afternoon. Maybe that is when Avira is updated and finds the files; I do not know.
Avira lists TR/Kazy.13260.psa, TR/Trash.Gen.Trojan, TR/Agent.205824.H, TR/Dldr.li.ma.2.A.2, TR/Downloader.Gen, TR/Keygen.AY, TR/Dropper.Gen. These were detected and quarantined starting Feb. 18.
Malwarebytes found one on Feb 21, 3 files infected: C:\Program Files\Mozilla Firefox\rasadhlp.dll (Spyware.Passwords) -> Delete on reboot. Rebooted and the Google redirect went away. Malwarebytes has not found any since that date, running it daily.
After Malwarebytes removed it I did not have the problem for a while; now today it is back.
Configured Windows Firewall today (it was off). Avira is up to date, Malwarebytes was not. Updated Malwarebytes just now; will restart and rescan with Malwarebytes. Also, CPU is at 100% now, with just a few applications open (Outlook, ACT, a database, and Firefox). svchost.exe is at 500,000 plus memory usage and its CPU swings between 40% and 85%, constantly changing.
If you need anything else please let me know, and thanks in advance.


DDS.txt

DDS (Ver_10-12-12.02) - NTFSx86
Run by jim at 12:24:44.52 on Fri 02/25/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2251 [GMT -5:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\MSACCESS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\jim\My Documents\downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:55677
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uWinlogon: Shell=explorer.exe,c:\documents and settings\jim\application data\dwm.exe
uWindows: load=c:\docume~1\jim\locals~1\temp\csrss.exe
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [conhost] c:\documents and settings\jim\application data\microsoft\conhost.exe
mRunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
mRunOnce: [Installing-ie8] c:\docume~1\jim\locals~1\temp\IE8-WindowsXP-x86-ENU[1].exe /passive
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://75.150.203.85/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\1t1wf2kn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\1t1wf2kn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\1t1wf2kn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-1 11608]
R1 Mtxparmx;Mtxparmx;c:\windows\system32\drivers\mtxparmx.sys [2008-3-19 5504]
R1 oxmep;OXPCI support driver;c:\windows\system32\drivers\oxmep.sys [2008-12-29 4224]
R1 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [2008-12-29 16384]
R1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [2008-12-29 50944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-1 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-1 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-1 61960]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R3 MTXPAR;MTXPAR;c:\windows\system32\drivers\MTXPARM.sys [2008-3-19 1484416]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [2008-12-29 4992]
S1 nbsvsgoq;nbsvsgoq;\??\c:\windows\system32\drivers\nbsvsgoq.sys --> c:\windows\system32\drivers\nbsvsgoq.sys [?]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-1-20 81920]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-17 135664]
S4 Matrox Centering Service;Matrox Centering Service;c:\program files\matrox graphics inc\powerdesk\services\Matrox.PowerDesk.Services.exe [2007-9-11 500992]
S4 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\matrox graphics inc\powerdesk se\Matrox.Pdesk.ServicesHost.exe [2007-9-11 177408]
S4 MtxDrvService;MtxDrvService;c:\windows\system32\MtxDrvService.exe [2008-3-19 155648]

=============== Created Last 30 ================

2011-02-21 15:56:08 -------- d-----w- c:\docume~1\jim\applic~1\Windows Search
2011-02-21 15:01:55 -------- d-----w- c:\docume~1\jim\locals~1\applic~1\Opera
2011-02-21 14:34:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-21 14:34:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-21 14:34:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-21 14:34:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-18 21:49:43 -------- d-----w- c:\docume~1\jim\applic~1\Avira
2011-02-18 20:57:14 63488 ----a-w- c:\program files\outlook express\rasadhlp.dll
2011-02-11 22:06:20 -------- d-----w- c:\windows\system32\FxsTmp
2011-02-11 22:06:13 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-02-11 22:06:13 31744 ----a-w- c:\windows\system32\dllcache\fxsroute.dll
2011-02-11 22:06:13 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-02-11 22:06:13 132608 ----a-w- c:\windows\system32\dllcache\fxsclntr.dll
2011-02-11 22:06:13 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-02-11 22:06:13 11264 ----a-w- c:\windows\system32\dllcache\fxssend.exe
2011-02-11 22:06:13 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-02-11 22:06:13 111104 ----a-w- c:\windows\system32\dllcache\fxscfgwz.dll
2011-01-27 18:54:09 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-27 18:52:04 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-01-27 18:48:52 -------- d-----w- c:\docume~1\jim\applic~1\Windows Desktop Search

==================== Find3M ====================

2011-02-25 17:04:49 848 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ------w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
2010-12-10 23:29:30 64864 ----a-w- c:\windows\system32\sqlctr90.dll
2010-12-10 23:29:30 2248032 ----a-w- c:\windows\system32\sqlncli.dll
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250310AS rev.3.AHA -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-5

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF09439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8af0f7b8]; MOV EAX, [0x8af0f834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B026AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x8B081F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B07DD98]
\Driver\atapi[0x8B020AE8] -> IRP_MJ_CREATE -> 0x8AF09439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-5 -> \??\IDE#DiskST3250310AS_____________________________3.AHA___#5239305937523650202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AF0927F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:26:25.17 ===============


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 February 2011 - 03:55 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#3 Jimē
  • Topic Starter

  • Members
  • 6 posts

Posted 25 February 2011 - 04:58 PM

Hi Noviciate,

The combo file is below. I realized I forgot to change the name of the Combo program before I saved it to my desktop. Not sure if that causes any problems or not.
Yaaay! No redirects on Firefox. I can now access Windows updates.
Let me know if there is anything else you recommend. Looks good so far.
Thanks,
Jim

ComboFix 11-02-24.05 - jim 02/25/2011 16:29:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3144 [GMT -5:00]
Running from: c:\documents and settings\jim\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jim\g2mdlhlpx.exe
c:\documents and settings\jim\GoToAssistDownloadHelper.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\inf\pok.pnf
c:\windows\system32\wdg.dll

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-01-25 to 2011-02-25 )))))))))))))))))))))))))))))))
.

2011-02-25 18:46 . 2011-02-25 18:48 -------- dc-h--w- c:\windows\ie8
2011-02-21 15:56 . 2011-02-21 15:56 -------- d-----w- c:\documents and settings\jim\Application Data\Windows Search
2011-02-21 15:01 . 2011-02-21 15:01 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Opera
2011-02-21 15:01 . 2011-02-25 19:27 -------- d-----w- c:\program files\Opera
2011-02-21 14:34 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-21 14:34 . 2011-02-21 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-21 14:34 . 2011-02-25 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-21 14:34 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-18 21:49 . 2011-02-18 21:49 -------- d-----w- c:\documents and settings\jim\Application Data\Avira
2011-02-11 22:06 . 2011-02-11 22:06 -------- d-----w- c:\windows\system32\FxsTmp
2011-02-11 22:06 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-02-11 22:06 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\dllcache\fxsroute.dll
2011-02-11 22:06 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-02-11 22:06 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\dllcache\fxsclntr.dll
2011-02-11 22:06 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-02-11 22:06 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\dllcache\fxssend.exe
2011-02-11 22:06 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-02-11 22:06 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\dllcache\fxscfgwz.dll
2011-01-27 21:11 . 2011-01-27 21:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-27 18:54 . 2010-12-20 23:59 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-27 18:52 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-01-27 18:48 . 2011-01-27 18:48 -------- d-----w- c:\documents and settings\jim\Application Data\Windows Desktop Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-25 21:13 . 2010-03-17 11:58 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-13 13:40 . 2009-04-01 21:06 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-13 13:40 . 2009-04-01 21:06 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-10 23:29 . 2010-12-10 23:29 64864 ----a-w- c:\windows\system32\sqlctr90.dll
2010-12-10 23:29 . 2010-12-10 23:29 2248032 ----a-w- c:\windows\system32\sqlncli.dll
2010-12-09 15:15 . 2004-08-04 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-10 15:04 . 2009-12-10 15:04 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-12-10 15:04 . 2009-12-10 15:04 107936 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-3-20 49254]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck xmnt2002 /bat=c:\windows\TEMP\PQ_BATCH.PQB /win=c:\windows /dbg=c:\WINDOWS\TEMP\PQ_DEBUG.TXT /ver=262144 /prd=PartitionMagic\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"PSI_SVC_2"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 Mtxparmx;Mtxparmx;c:\windows\system32\drivers\mtxparmx.sys [3/19/2008 3:21 PM 5504]
R1 oxmep;OXPCI support driver;c:\windows\system32\drivers\oxmep.sys [12/29/2008 2:49 PM 4224]
R1 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [12/29/2008 2:49 PM 16384]
R1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [12/29/2008 2:49 PM 50944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/1/2009 4:06 PM 135336]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
R3 MTXPAR;MTXPAR;c:\windows\system32\drivers\MTXPARM.sys [3/19/2008 3:06 PM 1484416]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [12/29/2008 2:49 PM 4992]
S1 nbsvsgoq;nbsvsgoq;\??\c:\windows\system32\drivers\nbsvsgoq.sys --> c:\windows\system32\drivers\nbsvsgoq.sys [?]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [1/20/2010 8:23 PM 81920]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/17/2010 2:20 PM 135664]
S4 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [9/11/2007 1:17 PM 500992]
S4 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [9/11/2007 1:16 PM 177408]
S4 MtxDrvService;MtxDrvService;c:\windows\system32\MtxDrvService.exe [3/19/2008 3:06 PM 155648]
.
Contents of the 'Scheduled Tasks' folder

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 19:20]

2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-17 19:20]

2011-02-24 c:\windows\Tasks\SyncToy.job
- c:\documents and settings\jim\Start Menu\Programs\Utilities\SyncToy.lnk [2008-03-13 05:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
FF - ProfilePath - c:\documents and settings\jim\Application Data\Mozilla\Firefox\Profiles\1t1wf2kn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 0
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-25 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-02-25 16:42:12
ComboFix-quarantined-files.txt 2011-02-25 21:41

Pre-Run: 194,173,616,128 bytes free
Post-Run: 194,769,575,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

- - End Of File - - D23CFCACE37B6CB3AA2894154FEAB7FB

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 February 2011 - 05:50 PM

I realized I forgot to change the name of the Combo program before I saved it to my desktop. Not sure if that causes any problems or not.

Yaaay! No redirects on Firefox. I can now access Windows updates.

Doesn't look like it caused any problems to me.


Time for a second opinion on the system, just to seek out any leftovers and then a quick clean-up and you're done.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
I'd like an update on how your system is behaving and a fresh DDS log as well.

So long, and thanks for all the fish.

#5 Jimē
  • Topic Starter

  • Members
  • 6 posts

Posted 26 February 2011 - 04:34 PM

Hi,

ESET results:
C:\System Volume Information\_restore{ED4A9D9D-13B4-4706-80D3-8821A659CBA6}\RP1067\A0099768.exe Win32/Adware.ADON application

Avira just notified of 6 more threats found and removed 4:39 PM EST

Jim

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 26 February 2011 - 05:24 PM

Avira just notified of 6 more threats found and removed 4:39 PM EST

Jim

Any idea what they were?

So long, and thanks for all the fish.

#7 Jimē
  • Topic Starter

  • Members
  • 6 posts

Posted 26 February 2011 - 09:18 PM

Hi,

tr trash gen
tr kazy 13020 psa
tr crypt xpack gen3
tr kazy 13020 34

thanks

Jim

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 February 2011 - 02:31 PM

Good evening. :)

Could you tell me what the file names were that were detected?

So long, and thanks for all the fish.

#9 Jimē
  • Topic Starter

  • Members
  • 6 posts

Posted 27 February 2011 - 02:59 PM

Hi Noviciate,
tr trash gen
tr kazy 13020 psa
tr crypt xpack gen3
tr kazy 13020 34

then in today's scan it listed a malicious pattern of the HTML/Malicious.ActiveX.Gen HTML script virus

How do I run the DDS.txt? I was doing a lot of different things Friday and I cannot remember how to do that particular scan.

I am not currently being redirected when I click on a Google link, and svchost.exe looks normal at 15,648K

thanks again

Jim

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 February 2011 - 03:35 PM

tr trash gen
tr kazy 13020 psa
tr crypt xpack gen3
tr kazy 13020 34

What you have listed are the names of the infections that the anti-virus program detected, not the filenames. If we take the ESET result:

C:\System Volume Information\_restore{ED4A9D9D-13B4-4706-80D3-8821A659CBA6}\RP1067\A0099768.exe Win32/Adware.ADON application

The blue part is the file name and the green is the infection name. What I would like from you is the file names that your AV detects as being malicious.

So long, and thanks for all the fish.
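The distinction drawn above between the file path and the detection name, together with the loading points in the DDS log from post #1, is the kind of thing a helper checks by hand; the script below does both mechanically. It is an added example, not code from this thread or from DDS, ComboFix, ESET or Avira: the sample lines are copied from the logs posted here, and treating ESET's "a variant of" wording as an optional prefix is an assumption about that scanner's naming rather than something the thread shows.

```python
"""Triage helpers for the two log formats discussed in this thread (added example;
not part of DDS, ComboFix, ESET or Avira)."""
import re
from typing import Dict, List, NamedTuple, Optional


class EsetHit(NamedTuple):
    path: str    # the detected file (what the helper asked for)
    threat: str  # the detection / infection name
    kind: str    # trailing object type such as "application", if present


# "<path> [a variant of] <Family/Name.Variant> [<type>]". The path may contain
# spaces, so it is matched non-greedily up to the first token containing "/",
# which never occurs in a Windows path. Treating "a variant of" as an optional
# prefix is an assumption about ESET naming, not something shown in this thread.
_ESET_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:a variant of\s+)?"
    r"(?P<threat>[A-Za-z0-9]+/[A-Za-z0-9._-]+)(?:\s+(?P<kind>.*))?$"
)

# System binary names that the DDS log in this thread shows running from a user
# profile (csrss.exe in %TEMP%, conhost.exe and dwm.exe under Application Data).
_SYSTEM_NAMES = {"csrss.exe", "conhost.exe", "dwm.exe", "svchost.exe", "lsass.exe"}
_LEGIT_DIR = re.compile(r"^[a-z]:\\windows(\\system32)?$")
_EXE_PATH = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)


def parse_eset_line(line: str) -> Optional[EsetHit]:
    """Split one ESET result line into file path, threat name and object type."""
    m = _ESET_RE.match(line.strip())
    if not m:
        return None
    return EsetHit(m.group("path"), m.group("threat"), m.group("kind") or "")


def _masquerading(value: str) -> List[str]:
    """Flag executables carrying a system-binary name outside c:\\windows[\\system32]."""
    reasons = []
    for path in _EXE_PATH.findall(value):
        directory, _, name = path.lower().rpartition("\\")
        if name in _SYSTEM_NAMES and not _LEGIT_DIR.match(directory):
            reasons.append(f"system binary name {name} running from {directory}")
    return reasons


def check_hjt_entry(entry: str) -> List[str]:
    """Return the reasons one DDS pseudo-HJT loading point deserves a closer look."""
    reasons: List[str] = []
    lower = entry.lower()
    if "proxyserver" in lower:
        m = re.search(r"(127\.0\.0\.1|localhost):(\d+)", lower)
        if m:  # browser pointed at a local listener: a classic redirect mechanism
            reasons.append(f"browser proxied through a local listener on port {m.group(2)}")
    if re.match(r"[um]winlogon: shell=", lower):
        shell = entry.split("=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            reasons.append(f"Winlogon Shell starts more than explorer.exe: {shell}")
    if re.match(r"[um]windows: (load|run)=", lower):
        reasons.append("legacy win.ini load=/run= autostart is set (normally empty)")
    reasons.extend(_masquerading(entry))
    return reasons


def triage_dds(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged pseudo-HJT line to its reasons; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        reasons = check_hjt_entry(line)
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample: loading points copied from the DDS log posted in this
# thread, plus benign entries that must not be flagged.
DDS_SAMPLE = [
    "uStart Page = hxxp://www.google.com/",
    "uInternet Settings,ProxyServer = http=127.0.0.1:55677",
    r"uWinlogon: Shell=explorer.exe,c:\documents and settings\jim\application data\dwm.exe",
    r"uWindows: load=c:\docume~1\jim\locals~1\temp\csrss.exe",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r"mRun: [conhost] c:\documents and settings\jim\application data\microsoft\conhost.exe",
]
# The single ESET hit posted in this thread.
ESET_SAMPLE = (r"C:\System Volume Information\_restore{ED4A9D9D-13B4-4706-80D3-8821A659CBA6}"
               r"\RP1067\A0099768.exe Win32/Adware.ADON application")

if __name__ == "__main__":
    hit = parse_eset_line(ESET_SAMPLE)
    print(f"file:   {hit.path}\nthreat: {hit.threat}")
    for line, reasons in triage_dds(DDS_SAMPLE).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the full "Pseudo HJT Report" section of a DDS log, the script flags exactly the proxy, Winlogon Shell, win.ini load= and profile-resident conhost.exe entries that ComboFix's TDL4 clean-up in post #3 made disappear from the Supplementary Scan.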

#11 Jimē
  • Topic Starter

  • Members
  • 6 posts

Posted 27 February 2011 - 04:19 PM

When I get to Administration > Quarantine in Avira, I can see part of the file name, and when I right-click on it my only option is to send it to Avira; I cannot copy it with right-click.

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 February 2011 - 05:37 PM

Then can you write it down and then post it in a reply?

So long, and thanks for all the fish.

#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 March 2011 - 06:59 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.