Infected by Fake AV Redirect 10


  • This topic is locked
14 replies to this topic

#1 Perturbed

  • Members
  • 7 posts

Posted 01 June 2011 - 03:50 PM

I'm using Norton Internet Security version 18.6.0.29.

Virtually every time I click on a link provided by Google, I get redirected to a site advertising poker or whatever. This has happened many, many times over the last few days. I tried Bing and it happened there as well. I have not had this problem with any other links.

Only once did Norton do anything about it; that being to block a redirect and state that it was "Fake App Attack: Fake AV Redirect 10". Norton did not do anything about removing the threat and stated that no further action was to be taken.

I ran a full system scan twice using Norton: once in regular mode and once in "Safe Mode with Networking". Neither scan turned up anything other than cookies which were removed.

I then ran Norton Power Eraser which did not find anything.

I then ran TDSSKiller.exe as per your article, How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller, which did not find anything.

As per your Prep Guide, I have pasted/attached the following to this post:
- dds.txt
- attach.txt
- ark.txt

I had to run gmer.exe 3 times. The first 2 each ended with a "gmer.exe has encountered a problem and needs to close" message.

Hopefully I didn't miss anything. I would greatly appreciate any assistance you can provide. Please let me know if there's anything else you need.
--------------------
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by Jim at 11:12:13 on 2011-06-01
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.447.94 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\bgsmsnd.exe
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.weatheroffice.gc.ca/forecast/textforecast_e.html?Bulletin=fpcn11.cwto
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: pdfMachine: {56cf4856-ecb4-4e46-a897-a378821f97b9} - c:\windows\system32\spool\drivers\w32x86\3\bgstb.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: pdfMachine: {56cf4856-ecb4-4e46-a897-a378821f97b9} - c:\windows\system32\spool\drivers\w32x86\3\bgstb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [zzzHPSETUP] \\hp514n\e\Setup.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QBCMAgent] c:\program files\intuit\quickbooks client manager\QBCMAgent.exe
mRun: [HKSERV.EXE] c:\program files\sony\hotkey utility\HKserv.exe
mRun: [CARPService] carpserv.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [bgsmsnd.exe] c:\windows\system32\bgsmsnd.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\dospri~1.lnk - c:\doslpt.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\program files\quicken\billmind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~3.lnk - c:\quickbookspro2001\components\qbagent\qbdagent2001.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\quickbookspro2000\components\qbagent\QBDAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~2.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\QWDLLS.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_03-win.cab
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ct - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\caseware 2001\cwproto.dll
Handler: cw - {774E529C-2458-48A2-8F57-3ED3105D8612} - c:\caseware 2001\cwproto.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2006-2-12 17792]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-19 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-19 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-19 802936]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-19 136312]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-19 130008]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2011-1-31 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-1-31 68928]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2008-12-4 18216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-19 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110527.001\IDSXpx86.sys [2011-5-28 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110529.002\NAVENG.SYS [2011-5-29 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110529.002\NAVEX15.SYS [2011-5-29 1542392]
.
=============== Created Last 30 ================
.
2011-05-30 23:48:20 -------- d-----w- c:\documents and settings\jim\local settings\application data\NPE
2011-05-26 15:21:12 274432 --sha-r- c:\windows\system32\dsofile9.dll
2011-05-22 17:42:01 4792320 ----a-w- c:\windows\system32\cdintf450.dll
2011-05-19 14:15:00 331384 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys
2011-05-19 14:14:59 369784 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdi.sys
2011-05-19 14:14:59 296568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symnets.sys
2011-05-19 14:14:58 744568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symefa.sys
2011-05-19 14:14:58 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys
2011-05-19 14:14:58 340088 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symds.sys
2011-05-19 14:14:57 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys
2011-05-19 14:14:57 136312 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys
2011-05-19 14:13:33 -------- d-----w- c:\windows\system32\drivers\nis\1206000.01D
2011-05-18 14:18:15 -------- d-----w- c:\documents and settings\jim\application data\Tific
2011-05-11 18:54:38 -------- d-----w- c:\windows\system32\FxsTmp
2011-05-11 18:52:29 31744 -c--a-w- c:\windows\system32\dllcache\fxsroute.dll
2011-05-11 18:52:29 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-05-11 18:52:29 11264 -c--a-w- c:\windows\system32\dllcache\fxssend.exe
2011-05-11 18:52:29 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-05-11 18:52:20 132608 -c--a-w- c:\windows\system32\dllcache\fxsclntr.dll
2011-05-11 18:52:20 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-05-11 18:52:07 111104 -c--a-w- c:\windows\system32\dllcache\fxscfgwz.dll
2011-05-11 18:52:07 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
.
==================== Find3M ====================
.
2011-05-26 13:43:26 1409 ----a-w- c:\windows\QTFont.for
2011-05-19 14:15:07 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-19 14:15:07 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
============= FINISH: 11:15:09.44 ===============


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 June 2011 - 05:37 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Perturbed
  • Topic Starter

Posted 11 June 2011 - 10:36 AM

Acknowledging as requested.

#4 m0le

Posted 11 June 2011 - 04:25 PM

Please run aswMBR so we can check for rootkit involvement

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 Perturbed

Posted 11 June 2011 - 06:37 PM

aswmbr log as requested:
---------------
aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-11 19:30:52
-----------------------------
19:30:52.088 OS Version: Windows 5.1.2600 Service Pack 2
19:30:52.088 Number of processors: 1 586 0x209
19:30:52.088 ComputerName: SONY UserName: Jim
19:30:55.453 Initialize success
19:32:02.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:32:02.109 Disk 0 Vendor: IC25N040ATMR04-0 MO2OAD1A Size: 38154MB BusType: 3
19:32:02.109 Disk 1 \Device\Harddisk1\DR4 -> \Device\0000007b
19:32:02.109 Disk 1 Vendor: Sony 0000 Size: 38154MB BusType: 0
19:32:02.169 Disk 0 MBR read successfully
19:32:02.169 Disk 0 MBR scan
19:32:02.169 Disk 0 Windows XP default MBR code
19:32:02.219 Disk 0 scanning sectors +78124095
19:32:02.259 Disk 0 scanning C:\WINDOWS\system32\drivers
19:32:20.105 Service scanning
19:32:23.269 Disk 0 trace - called modules:
19:32:23.299 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys aliide.sys PCIIDEX.SYS
19:32:23.299 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f44030]
19:32:23.309 3 CLASSPNP.SYS[f776e05b] -> nt!IofCallDriver -> \Device\00000076[0x84f8d540]
19:32:23.630 5 ACPI.sys[f76c4620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84f8d7f0]
19:32:23.640 Scan finished successfully
19:32:57.358 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jim\Desktop\MBR.dat"
19:32:57.358 The log file has been saved successfully to "C:\Documents and Settings\Jim\Desktop\aswMBR.txt"

#6 m0le

Posted 11 June 2011 - 07:00 PM

Okay, there appears to be no rootkit activity, so please now run ComboFix to remove the fake antivirus.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 Perturbed

Posted 11 June 2011 - 08:35 PM

ComboFix.txt included below as requested. I see it found something.
---------------
ComboFix 11-06-11.01 - Jim 2011/06/11 20:48:52.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.447.215 [GMT -4:00]
Running from: c:\documents and settings\Jim\Desktop\comfix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jim\WINDOWS
.
Infected copy of c:\windows\system32\srsvc.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\srsvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-12 01:01 . 2004-08-04 07:56 170496 ----a-w- c:\windows\system32\srsvc.dll
2011-05-30 23:48 . 2011-05-31 00:04 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\NPE
2011-05-30 23:31 . 2011-05-30 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2011-05-26 15:21 . 2011-05-26 15:21 274432 --sha-r- c:\windows\system32\dsofile9.dll
2011-05-22 17:42 . 2011-03-09 16:42 4792320 ----a-w- c:\windows\system32\cdintf450.dll
2011-05-19 14:13 . 2011-05-19 14:28 -------- d-----w- c:\windows\system32\drivers\NIS\1206000.01D
2011-05-18 14:18 . 2011-05-18 14:18 -------- d-----w- c:\documents and settings\Jim\Application Data\Tific
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-12 01:03 . 2007-11-28 23:25 1409 ----a-w- c:\windows\QTFont.for
2011-05-19 14:15 . 2010-12-15 23:04 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-19 14:15 . 2010-12-15 23:04 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-08-01 77824]
"QBCMAgent"="c:\program files\Intuit\QuickBooks Client Manager\QBCMAgent.exe" [2004-06-25 32768]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-04-01 81920]
"CARPService"="carpserv.exe" [2003-03-18 4608]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-22 323584]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 28672]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-06-13 114688]
"bgsmsnd.exe"="c:\windows\system32\bgsmsnd.exe" [2007-07-10 160136]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-06-06 87336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Jim\Start Menu\Programs\Startup\
DOS Print.lnk - C:\doslpt.bat [2004-7-20 32]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [2002-9-20 36864]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
QuickBooks 2001 Delivery Agent.lnk - c:\quickbookspro2001\Components\QBAgent\qbdagent2001.exe [2004-7-16 204800]
QuickBooks Delivery Agent.lnk - c:\quickbookspro2000\Components\QBAgent\QBDAgent.exe [2005-10-14 118784]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-5-20 967960]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [2002-9-20 36864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\QuickBooks 2009\\QBDBMgrN.exe"=
.
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2006/02/12 4:25 PM 17792]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [2011/05/19 10:14 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [2011/05/19 10:14 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [2011/05/19 10:15 AM 802936]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [2011/05/19 10:14 AM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [2011/05/19 10:14 AM 130008]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [2011/01/31 1:01 PM 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011/01/31 1:01 PM 68928]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [2008/12/04 11:59 AM 18216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011/06/06 12:41 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110603.003\IDSXpx86.sys [2011/06/06 12:48 PM 341944]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\Norton Internet Security - Jim - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\18.6.0.29\navw32.exe [2011-05-19 00:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weatheroffice.gc.ca/forecast/textforecast_e.html?Bulletin=fpcn11.cwto
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-zzzHPSETUP - \\hp514n\e\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-11 21:09
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3209084658-4074332704-2020099617-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\carpserv.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-06-11 21:21:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-12 01:21
.
Pre-Run: 10,629,160,960 bytes free
Post-Run: 11,631,587,328 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 10BDBC619FC7B9789A6AD75B7B73D1E1
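As an added example (not part of the thread, and not code from ComboFix or Bleeping Computer): a small Python triage pass over lines of the kind in the ComboFix log above. It runs on a constructed sample modelled on that log and pulls out the items a responder would check first: the system file that was disinfected, Run values that name a bare executable resolved through the search path or that point at a UNC share, Security Center monitoring switched off, a firewall profile disabled, and the orphan Run entry ComboFix removed. The severity labels are my own assumption; on a machine running a third-party suite such as Norton, the Security Center and firewall entries are usually set by the suite itself, so they are marked "review" rather than treated as malicious.

```python
"""Triage pass over ComboFix-style log lines (added example, not ComboFix's or
Bleeping Computer's code). Returns the items a responder checks first as
structured findings rather than leaving them buried in the log."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the ComboFix output posted in the thread.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\srsvc.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\srsvc.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"CARPService"="carpserv.exe" [2003-03-18 4608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-zzzHPSETUP - \\hp514n\e\Setup.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = act on it; "review" = confirm it is expected on this host
    category: str
    detail: str


KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
DISINFECT_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
ORPHAN_RE = re.compile(r"^HKLM-Run-(\S+) - (.+)$")


def _image_path(rest: str) -> str:
    """Extract the program path from the right-hand side of a Run value, which
    ComboFix prints as '"c:\\dir\\prog.exe" [date size]'."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split(" [", 1)[0]


def _is_unqualified(path: str) -> bool:
    """A bare file name (no directory at all) is resolved through the search
    path at logon, so a same-named file earlier in that path would be loaded."""
    return "\\" not in path and "/" not in path


def triage_combofix(text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""  # lower-cased registry key that the current value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = DISINFECT_RE.match(line)
        if m:  # ComboFix replaced a system file from a clean copy
            findings.append(Finding("high", "patched-system-file", m.group(1)))
            continue
        m = ORPHAN_RE.match(line)
        if m:  # Run value whose target no longer exists; record what it pointed at
            findings.append(Finding("review", "orphan-run-removed", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        leaf = key.rsplit("\\", 1)[-1]
        if key.endswith("\\currentversion\\run"):
            path = _image_path(rest)
            if path.startswith("\\\\"):
                findings.append(Finding("high", "autostart-from-unc", f"{name} -> {path}"))
            elif _is_unqualified(path):
                findings.append(Finding("review", "autostart-unqualified-path", f"{name} -> {path}"))
        elif "security center\\monitoring" in key and name == "DisableMonitoring" and rest.lower() == "dword:00000001":
            # Third-party suites (Norton here) set these themselves; confirm rather than assume malice.
            findings.append(Finding("review", "security-center-monitoring-off", leaf))
        elif "firewallpolicy" in key and name == "EnableFirewall" and rest.startswith("0"):
            findings.append(Finding("review", "windows-firewall-off", leaf))
    return findings


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

Feed it the real ComboFix.txt with `triage_combofix(open(path).read())`; the key-tracking loop means value lines are only interpreted in the context of the bracketed key that precedes them, which is what keeps a `DisableMonitoring` under some unrelated key from being reported.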

#8 m0le

Posted 12 June 2011 - 03:19 AM

An infected system file has been replaced with a clean backup.

Please visit ESET for an online scan

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
If no log is generated that means nothing was found. Please let me know if this happens.

#9 Perturbed

Posted 12 June 2011 - 01:46 PM

The ESET online scan has been run. Result: "No threats found."

#10 m0le

Posted 12 June 2011 - 06:59 PM

Signs are good. How's the machine been running?

#11 Perturbed

Posted 13 June 2011 - 09:02 AM

I have been avoiding clicking on any Google links since I first posted to this forum. I have just now tried a few searches and clicked on a number of Google-provided links and was not redirected.

The computer is running slowly when dealing with accessing or receiving from other computers, but I expect that's Norton's doing. Accessing and running local files happens quickly.

Is the virus that infected my machine the type that gathers information, or is it just the nuisance type?

#12 m0le

Posted 13 June 2011 - 06:06 PM

The infection is TDSS. From the Bleeping Computer TDSS guide

TDSS, or TDL3, is the name of a family of rootkits for the Windows operating system that downloads and executes other malware, delivers advertisements to your computer, and blocks programs from running.


Definitely in the nuisance category. Although it does not steal info itself it can download and execute malware that does. You did not have this type of malware on the machine.


Now we can clear up...

You're clean. Good stuff! :thumbup2:

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Jdk 6 Update 25 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates for any programs that are flagged are carried out as soon as possible.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Perturbed, happy surfing!

Cheers.

m0le

Edited by m0le, 13 June 2011 - 06:07 PM.

m0le is a proud member of UNITE
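A read-only check for the Java clean-up step in the post above, added here as an example; it is not part of m0le's post or of any tool the post names. It assumes PowerShell is available and only reads the standard Add/Remove Programs registry keys, so you can confirm that every old JRE/JDK/J2SE entry is gone before installing the new version.

```powershell
# Added example (not from the original thread). Lists the Java entries that
# Add/Remove Programs knows about, plus the Java Quick Starter service the
# post mentions. Read-only: it uninstalls nothing.

# Standard uninstall keys; the Wow6432Node path only exists on 64-bit Windows,
# so missing paths are silently skipped.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Match the names the post tells you to look for: Java Runtime Environment,
    # JRE, J2SE and JDK entries.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE|JDK' } |
        Select-Object DisplayName, DisplayVersion, UninstallString |
        Sort-Object DisplayVersion
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Output 'No Java entries found in Add/Remove Programs.'
} else {
    $java | Format-Table -AutoSize
    if ($java.Count -gt 1) {
        # More than one entry usually means an older version was left behind,
        # which is exactly what the manual removal step is meant to prevent.
        Write-Warning 'More than one Java entry remains; remove the older ones before installing the new JRE.'
    }
}

# The Java Quick Starter service (JQS.exe) from the note in the post; the
# display-name filter is used here because the service name is an assumption.
$jqs = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java Quick Starter*' }
if ($jqs) {
    Write-Output ("Java Quick Starter service present, status: " + $jqs.Status)
}
```

Run it once after the reboot in the uninstall step: the expected result on a clean machine is a single entry for the newly installed JRE.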

#13 Perturbed

Posted 16 June 2011 - 09:11 AM

I haven't done the clean-up yet, but I will over the weekend.

Thank you for all of your help. You and your team provide an invaluable service.

#14 m0le

Posted 16 June 2011 - 05:57 PM

You are welcome. We are very proud of this site and I am happy to have helped :)
m0le is a proud member of UNITE

#15 m0le

Posted 19 June 2011 - 05:24 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE
