Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Results Being Re-directed


  • This topic is locked This topic is locked
8 replies to this topic

#1 montana_jas

montana_jas

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 20 April 2011 - 12:42 AM

Hello,

I have a Sony Vaio desktop computer running Windows XP SP3 that has recently (3 days ago) started having trouble with search engines. We can successfully go to sites when we type in the actually web address and we can successfully search for things using Google, Yahoo, etc. However, when we try to follow a search result link we are redirected to any number of random ad sites. It's very annoying and definitely not healthy. AVG has popped up saying that it has detected problems with a couple of the sites we're redirected to. Malwarebytes found 2 infected files and took care of them. Spybot found one problem and successfully dealt with it. An AVG scan comes up clean. The problem remains. Requested logs are below. Thank you for your time.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Clark Canyon at 23:14:57.23 on Tue 04/19/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.106 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Clark Canyon\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.3rivers.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [HTpatch] c:\windows\htpatch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [SetDefaultMidi] MIDIDEF.EXE
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246370214359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\clarkc~1\applic~1\mozilla\firefox\profiles\fg197aig.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1259218265&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fbl132w.blu132.mail.live.com%2Fmail%2FInboxLight.aspx%3FFolderID%3D00000000-0000-0000-0000-000000000001%26n%3D1024162087&lc=1033&id=64855&mkt=en-us
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\documents and settings\clark canyon\application data\mozilla\firefox\profiles\fg197aig.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\program files\common files\parallelgraphics\cortona\npCortona.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 135664]
.
=============== Created Last 30 ================
.
2011-04-14 23:38:26 602112 ----a-w- c:\windows\system32\SET277.tmp
2011-04-14 23:38:25 55296 ----a-w- c:\windows\system32\SET276.tmp
2011-04-14 23:38:23 916480 ----a-w- c:\windows\system32\SET270.tmp
2011-04-14 23:38:20 1991680 ----a-w- c:\windows\system32\SET27B.tmp
2011-04-14 23:38:20 1210880 ----a-w- c:\windows\system32\SET271.tmp
2011-04-14 23:38:19 5962240 ----a-w- c:\windows\system32\SET275.tmp
2011-04-14 23:38:17 11080704 ----a-w- c:\windows\system32\SET27D.tmp
2011-04-08 21:54:27 -------- d-----w- c:\program files\iPod
2011-04-08 21:53:57 -------- d-----w- c:\program files\iTunes
2011-04-08 21:39:12 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120023A rev.3.31 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F27ECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xf0e78879; SUB DWORD [EBP-0x4], 0xf0e78135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x82F73AB8]
3 CLASSPNP[0xF8615FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000060[0x82FDBE98]
5 ACPI[0xF856C620] -> nt!IofCallDriver[0x804E13B9] -> [0x82F72D98]
[0x82F89BB8] -> IRP_MJ_CREATE -> 0x82F27ECC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3120023A______________________________3.31____#4b33314138313034202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F27AF1
user & kernel MBR OK
sectors 234441646 (+141): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:16:57.73 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 20 April 2011 - 04:15 AM

:welcome: to BC!

Something I should point out, regarding CCleaner,Glary Utilities, TuneUp Utilities and similar products

It's not recommended to use of registry cleaners. These often cause more problems than they fix. One of the Experts here at Geekstogo, miekiemoes has an excellent writeup here
Another excellent article by Bill Castner is located here.

-----

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#3 montana_jas

montana_jas
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 20 April 2011 - 09:03 PM

Thanks for the information about registry cleaners.

After finagling to remove AVG so ComboFix would run, it finally succeeded. The couple search result links that I tried worked out so maybe that did it. The log file is below. Let me know what you think. Thanks again for your help!


ComboFix 11-04-20.01 - Clark Canyon 04/20/2011 19:32:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.308 [GMT -6:00]
Running from: c:\documents and settings\Clark Canyon\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Clark Canyon\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
H:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 01:02 . 2011-04-21 01:19 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-14 23:38 . 2011-02-22 23:06 602112 ----a-w- c:\windows\system32\SET277.tmp
2011-04-14 23:38 . 2011-02-22 23:06 55296 ----a-w- c:\windows\system32\SET276.tmp
2011-04-14 23:38 . 2011-02-22 23:06 916480 ----a-w- c:\windows\system32\SET270.tmp
2011-04-14 23:38 . 2011-02-22 23:06 1210880 ----a-w- c:\windows\system32\SET271.tmp
2011-04-14 23:38 . 2011-02-22 23:06 1991680 ----a-w- c:\windows\system32\SET27B.tmp
2011-04-14 23:38 . 2011-02-22 23:06 5962240 ----a-w- c:\windows\system32\SET275.tmp
2011-04-14 23:38 . 2011-02-22 23:06 11080704 ----a-w- c:\windows\system32\SET27D.tmp
2011-04-08 21:54 . 2011-04-08 21:54 -------- d-----w- c:\program files\iPod
2011-04-08 21:53 . 2011-04-08 21:56 -------- d-----w- c:\program files\iTunes
2011-04-08 21:39 . 2011-04-08 21:39 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2002-12-05 02:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2002-12-05 01:15 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-12-05 01:15 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2002-12-05 01:15 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2002-12-05 01:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-12-05 01:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-12-05 01:15 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-06-30 22:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2002-12-05 01:14 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2002-12-05 01:15 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-12-05 01:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2002-12-05 01:15 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2002-12-05 01:15 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2002-12-05 02:21 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2002-12-05 02:21 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2002-12-05 01:15 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2002-11-07 4243456]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 87751]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-03-01 61440]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-08-09 86016]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2010 8:04 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 02:04]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 02:04]
.
2009-07-05 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]
.
2009-07-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]
.
2009-07-20 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.3rivers.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Clark Canyon\Application Data\Mozilla\Firefox\Profiles\fg197aig.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1259218265&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fbl132w.blu132.mail.live.com%2Fmail%2FInboxLight.aspx%3FFolderID%3D00000000-0000-0000-0000-000000000001%26n%3D1024162087&lc=1033&id=64855&mkt=en-us
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-20 19:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d???????0G?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-20 19:43:33
ComboFix-quarantined-files.txt 2011-04-21 01:43
.
Pre-Run: 13,102,002,176 bytes free
Post-Run: 13,243,879,424 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 65269AE5B10AFB8CD19DFF5C953AC2B1

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 21 April 2011 - 04:04 AM

Lets' move on then

It looks as you've CCleaner installed

Something I should point out, regarding CCleaner,Glary Utilities, TuneUp Utilities and similar products

It's not recommended to use of registry cleaners. These often cause more problems than they fix. One of the Experts here at Geekstogo, miekiemoes has an excellent writeup here
Another excellent article by Bill Castner is located here.

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\SET277.tmp
c:\windows\system32\SET276.tmp
c:\windows\system32\SET270.tmp
c:\windows\system32\SET271.tmp
c:\windows\system32\SET27B.tmp
c:\windows\system32\SET275.tmp
c:\windows\system32\SET27D.tmp

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 2.
Security Check:

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 3.
CKScanner:

Download CKScanner from here

Important : Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Step 4.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of checkup.txt from step 2.
  • The content of CKFiles.txt from step 3.
  • How is your computer running after those steps?

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#5 montana_jas

montana_jas
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 21 April 2011 - 10:40 AM

1.
ComboFix 11-04-20.04 - Clark Canyon 04/21/2011 8:41.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.285 [GMT -6:00]
Running from: c:\documents and settings\Clark Canyon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Clark Canyon\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\SET270.tmp"
"c:\windows\system32\SET271.tmp"
"c:\windows\system32\SET275.tmp"
"c:\windows\system32\SET276.tmp"
"c:\windows\system32\SET277.tmp"
"c:\windows\system32\SET27B.tmp"
"c:\windows\system32\SET27D.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\SET270.tmp
c:\windows\system32\SET271.tmp
c:\windows\system32\SET275.tmp
c:\windows\system32\SET276.tmp
c:\windows\system32\SET277.tmp
c:\windows\system32\SET27B.tmp
c:\windows\system32\SET27D.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 02:55 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-21 02:55 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-21 02:55 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-21 02:55 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-21 02:55 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-21 02:55 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-21 02:55 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-21 02:55 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-21 02:54 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-21 02:54 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-21 02:54 . 2011-04-21 02:54 -------- d-----w- c:\program files\AVAST Software
2011-04-21 02:54 . 2011-04-21 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-21 01:02 . 2011-04-21 01:19 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-08 21:54 . 2011-04-08 21:54 -------- d-----w- c:\program files\iPod
2011-04-08 21:53 . 2011-04-08 21:56 -------- d-----w- c:\program files\iTunes
2011-04-08 21:39 . 2011-04-08 21:39 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2002-12-05 02:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2002-12-05 01:15 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-12-05 01:15 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2002-12-05 01:15 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2002-12-05 01:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-12-05 01:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-12-05 01:15 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-06-30 22:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2002-12-05 01:14 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2002-12-05 01:15 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-12-05 01:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2002-12-05 01:15 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2002-12-05 01:15 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2002-12-05 02:21 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2002-12-05 02:21 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2002-11-07 4243456]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 87751]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-03-01 61440]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-08-09 86016]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/20/2011 8:55 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/20/2011 8:55 PM 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/20/2011 8:55 PM 19544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2010 8:04 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 02:04]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 02:04]
.
2009-07-05 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]
.
2009-07-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]
.
2009-07-20 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.3rivers.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Clark Canyon\Application Data\Mozilla\Firefox\Profiles\fg197aig.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1259218265&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fbl132w.blu132.mail.live.com%2Fmail%2FInboxLight.aspx%3FFolderID%3D00000000-0000-0000-0000-000000000001%26n%3D1024162087&lc=1033&id=64855&mkt=en-us
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: 20-20 3D Viewer: 2020Player@2020Technologies.com - %profile%\extensions\2020Player@2020Technologies.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 08:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d???????0G?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2656)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-04-21 09:01:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-21 15:01
ComboFix2.txt 2011-04-21 01:43
.
Pre-Run: 13,432,684,544 bytes free
Post-Run: 13,471,322,112 bytes free
.
- - End Of File - - A843E8937858847814F628DE0ADFAD4B


2.
Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner (remove only)
Java™ 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader 9.4.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.18) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````


3.
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----


4. Out of 4 or 5 searches that I ran using Google & Yahoo in IE and Mozilla, none of the results that I clicked directed me to a strange place. They all went to the site they were supposed to go to. So it appears that things are working correctly.

I do have one question, should we be concerned that info on our system was accessed or that passwords we entered in the infected browsers have been stolen?

Also, Avast found something during a scan last night but I did not fix it because I wasn't sure if that would change something you were already working on.

Thanks for you help!

Edited by montana_jas, 21 April 2011 - 10:41 AM.


#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 23 April 2011 - 09:32 AM

I do have one question, should we be concerned that info on our system was accessed or that passwords we entered in the infected browsers have been stolen?

If this is a concern for you, I'll recommend you to change passwords and information as needed to keep the information safe.

Also, Avast found something during a scan last night but I did not fix it because I wasn't sure if that would change something you were already working on.

Let avast remove what if finds. It would be helpful if you posted the log though.

Let's run a couple of final scans for leftovers before we do some housekeeping.

Step 1.
Clean temp locations:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


  • The content of the report from MBAM from Step 2.
  • The content of the report from ESET Online Scanner from Step 3.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#7 montana_jas

montana_jas
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:13 AM

Posted 23 April 2011 - 12:31 PM

Hello,

Thanks for the reply. Here are the logs for everything.

The Avast scan gives me this info on the threat it found:
File Name: C:\System Volume Information\_restore{39B55467-8C7E-46C6-B32A-C58455643C25}\RP700\A0134475.sys
Severity: High
Status: Threat:Win32:Alureon-FZ
The file was successfully moved to the chest.

MBAM log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6425

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/23/2011 9:41:41 AM
mbam-log-2011-04-23 (09-41-41).txt

Scan type: Quick scan
Objects scanned: 168782
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Scanner log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=83133442b68a524ca34d2ccc2b72ba4d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-23 05:23:50
# local_time=2011-04-23 11:23:50 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 15145487 15145487 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=84310
# found=4
# cleaned=4
# scan_time=2880
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{39B55467-8C7E-46C6-B32A-C58455643C25}\RP693\A0133694.dll a variant of Win32/Kryptik.MKB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Drivers\Audio2\COMMON\CtSpkHlp.dll probably a variant of Win32/Spy.Agent.CVQMXMH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\ctspkhlp.dll probably a variant of Win32/Spy.Agent.CVQMXMH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 23 April 2011 - 02:01 PM

What the tools found were already quarantined objects or objects in system restore. We'll clean those out here.


Hey there, montana_jas !

OK! Well done, your log is clean again! :thumbsup:

Time for some housekeeping.

Step 1.
Clean up:

We need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    Posted Image

Second:
  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that is left over after you ran OTC.



Step 2.
Prevention:

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vunerable to attack.

Please go to the link below to download an update.

http://www.adobe.com/products/acrobat/readstep2.html

Remove the older versions and install the latest,

----

Upgrading Java:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 25 .
  • Click the JDK 6 Update 25 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation ( jre-6u25-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u25-windows-i586.exe and select "Run as an Administrator.")


Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vunerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.


Third:
Now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next lets look at Firewalls. These help to prevent unauthorized access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls
Fifth:
Nearly done! If you like to use chat, MSN and Yahoo have vunerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#9 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:13 AM

Posted 26 April 2011 - 04:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users