
Internet Explorer Redirects to Ad sites and 100% CPU


9 replies to this topic

#1 Ben Amada

  • Members
  • 5 posts

Posted 27 July 2011 - 06:31 PM

Yesterday on my Windows XP computer, I got infected with XP Security 2012 Antivirus. I removed it (I think) by running FixNCR.reg, RKill and Malwarebytes as described here.

Today when I launch IE, about 20 seconds after the homepage comes up, pop-up browser windows start appearing that are going to various shady looking sites with alert boxes, etc. Usually about this time, the computer becomes very very sluggish. Checking Task Manager, the CPU is up to 100% and the process that is getting it up that high is svchost. If I end the task, then the computer becomes responsive again (i.e. CPU goes down) and the popups I believe even stop appearing. It appears the popups do not show up when using Firefox.

Following instructions in this Bleeping Computer forum post, I ran OTL with the Custom Scan options. Following the instructions in this forum post, I ran DDS. Below I'm pasting the results of DDS -- maybe a rootkit infection? And I'm not sure if I can attach files here, so am posting links to my other results. Thank you in advance.

http://allben.net/misc/scan/attach.txt
http://allben.net/misc/scan/dds.txt
http://allben.net/misc/scan/Extras.txt
http://allben.net/misc/scan/OTL.txt



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by jim at 16:01:43 on 2011-07-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.552 [GMT -7:00]
.
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k termsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\Seiko\slpcap.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CrossLoop\CrossLoopConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\jim\My Documents\Downloads\OTL.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CrossLoop\winvnc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ww2.cox.com/myconnection/arizona/home.cox
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: TranslatorBar 5.2 Toolbar: {23256f20-0d9b-4323-b005-6e5de569c4b7} - c:\program files\translatorbar_5.2\prxtbTra0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TranslatorBar 5.2 Toolbar: {23256f20-0d9b-4323-b005-6e5de569c4b7} - c:\program files\translatorbar_5.2\prxtbTra0.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TranslatorBar 5.2 Toolbar: {23256f20-0d9b-4323-b005-6e5de569c4b7} - c:\program files\translatorbar_5.2\prxtbTra0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF4 Registry Controller] "c:\program files\scansoft\pdf professional 4.0\\RegistryController.exe"
mRun: [<NO NAME>]
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\smartc~1.lnk - c:\windows\seiko\slpcap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{537056b7-32a4-4408-9b54-0341963c7c9c}\IcoUltraMon.ico
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\scansoft\pdf professional 4.0\cnvres_eng.dll /100
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136547234796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137000056474
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://corp.pcslink.com/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab
TCP: DhcpNameServer = 10.25.25.10
TCP: Interfaces\{55C3D402-34F6-4DA8-B911-8D67E8FCAB1E} : DhcpNameServer = 10.25.25.10
Notify: igfxcui - igfxsrvc.dll
Notify: meheoto - c:\documents and settings\networkservice\local settings\application data\meheoto.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: ter1mw32 - ter1mw32.dll
Notify: termsvces - ter1mw32.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jim\application data\mozilla\firefox\profiles\jtad4ydf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.excite.com
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\jtad4ydf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\jtad4ydf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\np32dsw.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPBeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava11.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava12.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava13.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJava32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPJPI141_02.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppdf32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppl3260.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprfxins.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\real\realplayer\browserrecord\firefox\ext
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-6-10 35168]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-10-7 472280]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-13 2214504]
R2 TermServices;Remote Desktop Service;c:\windows\system32\svchost.exe -k termsvc [2004-8-4 14336]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
R3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [2003-11-23 50360]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-10-24 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
.
=============== Created Last 30 ================
.
2011-07-27 16:24:41 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-07-27 16:24:41 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-07-27 16:24:40 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-07-27 16:24:40 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-07-26 22:26:19 35840 ----a-w- c:\windows\system32\ter1mw32.dll
2011-07-26 22:26:19 218624 ----a-w- c:\windows\system32\termlw32.dll
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\jim\local settings\application data\pcse.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\jim\local settings\application data\nsee.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\jim\local settings\application data\dsco.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\jim\local settings\application data\cwqa.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\all users\application data\yafu.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\all users\application data\xdig.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\all users\application data\hdvj.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\all users\application data\etem.exe
2011-07-14 00:49:31 -------- d-----w- c:\documents and settings\jim\local settings\application data\Realtime Soft
2011-07-14 00:46:33 -------- d-----w- c:\documents and settings\jim\application data\Realtime Soft
2011-07-14 00:46:31 -------- d-----w- c:\program files\common files\Realtime Soft
2011-07-14 00:46:30 -------- d-----w- c:\program files\UltraMon
2011-07-14 00:46:30 -------- d-----w- c:\documents and settings\all users\application data\Realtime Soft
2011-07-13 23:51:28 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
.
==================== Find3M ====================
.
2011-07-13 23:50:49 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-07-13 23:50:49 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-07-13 23:50:45 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-08-04 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-60LSA0 rev.07.01D07 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F3F4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f457d0]; MOV EAX, [0x86f4584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F1BAB8]
3 CLASSPNP[0xF75EEFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86F5EDB8]
\Driver\atapi[0x86F83A08] -> IRP_MJ_CREATE -> 0x86F3F4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F3F31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:04:33.58 ===============

Edited by Orange Blossom, 27 July 2011 - 10:44 PM.
Moved to log forum. ~ OB




#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 28 July 2011 - 03:52 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.



#3 Ben Amada

  • Topic Starter
  • Members
  • 5 posts

Posted 28 July 2011 - 05:49 PM

Thanks, I ran aswMBR, and the results are attached. You'll notice in the log that it took a long time to run. The reason is that I left the CPU at 100% while running this -- just in case that might help aswMBR see the running processes.

A couple of other symptoms to describe ... I can kill svchost when it's causing 100% CPU and everything speeds up, but about 15 minutes later, it's back up to 100% CPU. This process repeats.

Earlier today at one point, an XP Antivirus 2012 screen appeared one time out of nowhere, even though I had not seen it since 2 days ago when doing the initial cleanup I described in my original post. It appeared while browsing the web in Firefox.

Ben

EDIT: Looks like I didn't attach the file properly. Attaching now.
EDIT 2: It's such a small TXT file, posting the results below.

aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-28 15:07:07
-----------------------------
15:07:07.264 OS Version: Windows 5.1.2600 Service Pack 3
15:07:07.264 Number of processors: 2 586 0x403
15:07:07.264 ComputerName: GWW-JIM UserName: jim
15:07:10.420 Initialize success
15:10:53.032 AVAST engine defs: 11072801
15:11:04.032 The log file has been saved successfully to "C:\Documents and Settings\jim\Desktop\aswMBR.txt"
15:11:16.423 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
15:11:16.470 Disk 0 Vendor: WDC_WD800JD-60LSA0 07.01D07 Size: 76319MB BusType: 3
15:11:16.501 Device \Driver\atapi -> DriverStartIo 86f0531b
15:11:18.517 Disk 0 MBR read error 0
15:11:18.563 Disk 0 MBR scan
15:11:18.735 Disk 0 unknown MBR code
15:11:18.813 MBR BIOS signature not found 0
15:11:20.860 Disk 0 scanning sectors +156280320
15:11:21.032 Disk 0 scanning C:\WINDOWS\system32\drivers
15:12:40.955 Service scanning
15:12:44.798 Modules scanning
15:13:01.783 Disk 0 trace - called modules:
15:13:02.127 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86f054d0]<<
15:13:02.424 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f8aab8]
15:13:02.470 3 CLASSPNP.SYS[f75eefd7] -> nt!IofCallDriver -> [0x86f2c458]
15:13:02.658 \Driver\atapi[0x86f8b9c8] -> IRP_MJ_CREATE -> 0x86f054d0
15:13:04.220 AVAST engine scan C:\WINDOWS
15:13:22.502 AVAST engine scan C:\WINDOWS\system32
15:18:23.471 File: C:\WINDOWS\system32\ter1mw32.dll **INFECTED** Win32:Malware-gen
15:18:26.284 File: C:\WINDOWS\system32\termlw32.dll **INFECTED** Win32:Malware-gen
15:19:37.221 AVAST engine scan C:\WINDOWS\system32\drivers
15:21:18.175 AVAST engine scan C:\Documents and Settings\jim
15:35:28.660 AVAST engine scan C:\Documents and Settings\All Users
15:40:31.208 Scan finished successfully
15:41:18.648 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jim\Desktop\MBR.dat"
15:41:18.663 The log file has been saved successfully to "C:\Documents and Settings\jim\Desktop\aswMBR.txt"


Edited by Ben Amada, 28 July 2011 - 05:52 PM.
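Added example, not code from this thread or from DDS, aswMBR or any other tool mentioned in it: a small Python triage script that applies three heuristics to the kind of DDS log posted in #1 and then cross-checks what they flag against the "**INFECTED**" verdicts in the aswMBR log posted in #3. The sample lines are copied from those two logs; the heuristics (a winlogon Notify package loaded from a user profile directory, a Notify DLL that also appears in the "Created Last 30" list, and zero-byte .exe files dropped into Application Data) are this example's own assumptions about what is worth a second look, not detection rules belonging to either tool, and the regular expressions assume the log layout shown on this page.

```python
import ntpath
import re

# Constructed sample: representative lines copied from the DDS log in post #1.
DDS_SAMPLE = r"""
Notify: igfxcui - igfxsrvc.dll
Notify: meheoto - c:\documents and settings\networkservice\local settings\application data\meheoto.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: ter1mw32 - ter1mw32.dll
Notify: termsvces - ter1mw32.dll
.
=============== Created Last 30 ================
.
2011-07-27 16:24:41 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-07-26 22:26:19 35840 ----a-w- c:\windows\system32\ter1mw32.dll
2011-07-26 22:26:19 218624 ----a-w- c:\windows\system32\termlw32.dll
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\jim\local settings\application data\pcse.exe
2011-07-26 16:28:03 0 ----a-w- c:\documents and settings\all users\application data\yafu.exe
.
==================== Find3M ====================
"""

# Constructed sample: the verdict lines from the aswMBR log in post #3.
ASWMBR_SAMPLE = r"""
15:18:23.471 File: C:\WINDOWS\system32\ter1mw32.dll **INFECTED** Win32:Malware-gen
15:18:26.284 File: C:\WINDOWS\system32\termlw32.dll **INFECTED** Win32:Malware-gen
15:40:31.208 Scan finished successfully
"""

# Line shapes assumed from the logs on this page (not an official format spec).
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
INFECTED_RE = re.compile(r"^\S+ File: (.+?) \*\*INFECTED\*\* (\S+)$")


def parse_dds(text):
    """Return (notify, created): Notify packages and 'Created Last 30' entries."""
    notify, created = [], []
    in_created = False
    for line in text.splitlines():
        line = line.strip()
        m = NOTIFY_RE.match(line)
        if m:
            notify.append((m.group(1), m.group(2)))
            continue
        if line.startswith("="):  # section banner: track whether we are in Created Last 30
            in_created = "Created Last 30" in line
            continue
        if in_created:
            m = CREATED_RE.match(line)
            if m:
                ts, size, attrs, path = m.groups()
                # DDS prints "--------" instead of a size for directories
                created.append((ts, None if size.startswith("-") else int(size), attrs, path))
    return notify, created


def triage_dds(text):
    """Apply the three heuristics; each finding is (kind, subject, path)."""
    notify, created = parse_dds(text)
    recent_files = {ntpath.basename(p).lower(): p for _, size, _, p in created if size is not None}
    findings = []
    for name, target in notify:
        low = target.lower()
        if "documents and settings" in low:
            # Notification packages normally live in system32, not in a user profile
            findings.append(("notify-in-profile", name, target))
        elif ntpath.basename(low) in recent_files:
            # A freshly created DLL registered as a winlogon Notify package
            findings.append(("notify-recent-dll", name, recent_files[ntpath.basename(low)]))
    for ts, size, _, path in created:
        if size == 0 and path.lower().endswith(".exe") and "application data" in path.lower():
            findings.append(("zero-byte-exe", ts, path))
    return findings


def parse_aswmbr(text):
    """Map lower-cased file paths to the detection name aswMBR reported."""
    verdicts = {}
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            verdicts[m.group(1).lower()] = m.group(2)
    return verdicts


def confirm(findings, verdicts):
    """Attach the AV verdict (or None) to each finding, matched on file name."""
    by_name = {ntpath.basename(p): v for p, v in verdicts.items()}
    return [(kind, subject, path, by_name.get(ntpath.basename(path.lower())))
            for kind, subject, path in findings]


if __name__ == "__main__":
    for kind, subject, path, verdict in confirm(triage_dds(DDS_SAMPLE), parse_aswmbr(ASWMBR_SAMPLE)):
        print(f"{kind:18} {subject:20} {path}  -> {verdict or 'no AV verdict'}")
```

Run against the thread's own lines, the Notify-based heuristics single out meheoto.dll and ter1mw32.dll, and only the latter carries an aswMBR verdict; termlw32.dll is not reached by these heuristics at all because nothing in the DDS extract registers it, which is the usual reason to keep the heuristic layer and the AV scan as separate, complementary signals rather than relying on either alone.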


#4 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 29 July 2011 - 02:16 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.

* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.



#5 Ben Amada

  • Topic Starter
  • Members
  • 5 posts

Posted 29 July 2011 - 07:00 PM

Hello. I ran ComboFix with the Recovery Console option. It completed successfully. It appears the computer is still infected as I still get the 100% CPU and the pop-up ads are still there. And in system32, ter1mw32.dll and termlw32.dll are still there. Perhaps running ComboFix was just to create a log and not do any malware removal?

After running ComboFix, I ran a scan with aswMBR again. Interestingly, I noticed it reports ter1mw32.dll and termlw32.dll as being infected with Win32:Delf-QFH, whereas yesterday, aswMBR reported them as being infected with Win32:Malware-gen.

Below are 2 items -- (1) the ComboFix log and (2) the aswMBR scan results (which I ran again after running ComboFix as noted above). Thanks in advance for any further guidance.


=================================================
COMBO FIX LOG
=================================================

ComboFix 11-07-29.03 - jim 07/29/2011 15:01:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.557 [GMT -7:00]
Running from: f:\bens updates\malware\ben_cb.exe
AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\jim\Application Data\PriceGong
c:\documents and settings\jim\Application Data\PriceGong\Data\1.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\a.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\b.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\c.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\d.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\e.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\f.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\g.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\h.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\i.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\J.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\k.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\l.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\m.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\n.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\o.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\p.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\q.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\r.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\s.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\t.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\u.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\v.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\w.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\x.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\y.xml
c:\documents and settings\jim\Application Data\PriceGong\Data\z.xml
c:\documents and settings\jim\My Documents\Readiris.DUS
c:\documents and settings\jim\WINDOWS
c:\documents and settings\NetworkService\Local Settings\Application Data\meheoto.dll
c:\windows\Google Pack Screensaver Uninstaller.exe
Pass LEGAL for license information. Built Sat Jun 25 23:20 2011c:\documents and settings\jim\My Documents\DPE.DUS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-29 )))))))))))))))))))))))))))))))
.
.
2011-07-27 23:04 . 2011-07-27 23:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-27 16:24 . 2011-07-27 16:24 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-07-27 16:24 . 2011-07-27 16:24 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-07-27 16:24 . 2011-07-27 16:24 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-07-27 16:24 . 2011-07-27 16:24 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-07-26 22:26 . 2011-07-26 22:26 35840 ----a-w- c:\windows\system32\ter1mw32.dll
2011-07-26 22:26 . 2011-07-26 22:26 218624 ----a-w- c:\windows\system32\termlw32.dll
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\jim\Local Settings\Application Data\pcse.exe
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\jim\Local Settings\Application Data\nsee.exe
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\jim\Local Settings\Application Data\dsco.exe
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\jim\Local Settings\Application Data\cwqa.exe
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\All Users\Application Data\yafu.exe
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\All Users\Application Data\xdig.exe
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\All Users\Application Data\hdvj.exe
2011-07-26 16:28 . 2011-07-26 16:28 0 ----a-w- c:\documents and settings\All Users\Application Data\etem.exe
2011-07-14 00:49 . 2011-07-14 00:49 -------- d-----w- c:\documents and settings\jim\Local Settings\Application Data\Realtime Soft
2011-07-14 00:46 . 2011-07-14 00:46 -------- d-----w- c:\documents and settings\jim\Application Data\Realtime Soft
2011-07-14 00:46 . 2011-07-14 00:46 -------- d-----w- c:\program files\Common Files\Realtime Soft
2011-07-14 00:46 . 2011-07-14 00:46 -------- d-----w- c:\program files\UltraMon
2011-07-14 00:46 . 2011-07-14 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2011-07-13 23:51 . 2011-07-13 23:51 -------- d-----w- c:\documents and settings\UpdatusUser
2011-07-13 23:51 . 2011-07-13 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-07-13 23:51 . 2011-07-13 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 02:52 . 2010-06-24 05:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2010-06-24 05:09 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-25 06:09 . 2008-08-26 17:07 4198272 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2008-08-26 17:07 12753664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-05-02 15:31 . 2006-01-06 11:09 692736 ----a-w- c:\windows\system32\inetcomm.dll
2009-10-27 18:12 . 2006-11-10 17:18 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{23256f20-0d9b-4323-b005-6e5de569c4b7}"= "c:\program files\TranslatorBar_5.2\prxtbTra0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{23256f20-0d9b-4323-b005-6e5de569c4b7}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23256f20-0d9b-4323-b005-6e5de569c4b7}]
2011-01-17 14:54 175912 ----a-w- c:\program files\TranslatorBar_5.2\prxtbTra0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{23256f20-0d9b-4323-b005-6e5de569c4b7}"= "c:\program files\TranslatorBar_5.2\prxtbTra0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{23256f20-0d9b-4323-b005-6e5de569c4b7}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{23256F20-0D9B-4323-B005-6E5DE569C4B7}"= "c:\program files\TranslatorBar_5.2\prxtbTra0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{23256f20-0d9b-4323-b005-6e5de569c4b7}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-06 155648]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"AlcWzrd"="ALCWZRD.EXE" [2004-12-10 2749440]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-23 40960]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-25 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\jim\Start Menu\Programs\Startup\
SmartCapture.lnk - c:\windows\Seiko\slpcap.exe [2006-7-11 123917]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
UltraMon.lnk - c:\windows\Installer\{537056B7-32A4-4408-9B54-0341963C7C9C}\IcoUltraMon.ico [2011-7-13 29310]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ter1mw32]
2011-07-26 22:26 35840 ----a-w- c:\windows\system32\ter1mw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsvces]
2011-07-26 22:26 35840 ----a-w- c:\windows\system32\ter1mw32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/10/2008 6:56 PM 35168]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [10/7/2009 9:16 AM 472280]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/13/2011 4:51 PM 2214504]
R2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe -k termsvc [8/4/2004 5:00 AM 14336]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 2:11 AM 17184]
R3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [11/23/2003 4:07 PM 50360]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:20 PM 135664]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/24/2006 11:00 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:20 PM 135664]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termsvc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-07-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-29 20:48]
.
2011-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 20:20]
.
2011-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ww2.cox.com/myconnection/arizona/home.cox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
TCP: DhcpNameServer = 10.25.25.10
FF - ProfilePath - c:\documents and settings\jim\Application Data\Mozilla\Firefox\Profiles\jtad4ydf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.cox.net/
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Google Pack Screensaver - c:\windows\Google Pack Screensaver Uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-29 15:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-60LSA0 rev.07.01D07 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F3231B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\WININET.dll
c:\windows\system32\ter1mw32.dll
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\RunDLL32.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-07-29 16:10:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-29 23:10
.
Pre-Run: 37,930,131,456 bytes free
Post-Run: 39,753,052,160 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 233D8AF829B2BD8782042A5A9F5D232E



============================================================
aswMBR RESULTS - after running ComboFix
============================================================

aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-29 16:34:25
-----------------------------
16:34:25.040 OS Version: Windows 5.1.2600 Service Pack 3
16:34:25.040 Number of processors: 2 586 0x403
16:34:25.040 ComputerName: GWW-JIM UserName: jim
16:34:25.292 Initialize success
16:35:09.139 AVAST engine defs: 11072901
16:35:12.471 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
16:35:12.471 Disk 0 Vendor: WDC_WD800JD-60LSA0 07.01D07 Size: 76319MB BusType: 3
16:35:12.482 Device \Driver\atapi -> DriverStartIo 86f5931b
16:35:13.885 Disk 0 MBR read error 0
16:35:13.896 Disk 0 MBR scan
16:35:13.940 Disk 0 unknown MBR code
16:35:13.940 MBR BIOS signature not found 0
16:35:15.353 Disk 0 scanning sectors +156280320
16:35:15.375 Disk 0 scanning C:\WINDOWS\system32\drivers
16:35:30.082 Service scanning
16:35:30.883 Modules scanning
16:35:33.809 Disk 0 trace - called modules:
16:35:33.820 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86f594d0]<<
16:35:34.094 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f47ab8]
16:35:34.105 3 CLASSPNP.SYS[f75eefd7] -> nt!IofCallDriver -> [0x86ee7420]
16:35:34.115 \Driver\atapi[0x86f81030] -> IRP_MJ_CREATE -> 0x86f594d0
16:35:34.455 AVAST engine scan C:\WINDOWS
16:35:47.158 AVAST engine scan C:\WINDOWS\system32
16:37:20.815 File: C:\WINDOWS\system32\ter1mw32.dll **INFECTED** Win32:Delf-QFH [Trj]
16:37:21.024 File: C:\WINDOWS\system32\termlw32.dll **INFECTED** Win32:Delf-QFH [Trj]
16:37:41.259 AVAST engine scan C:\WINDOWS\system32\drivers
16:37:57.407 AVAST engine scan C:\Documents and Settings\jim
16:44:38.181 AVAST engine scan C:\Documents and Settings\All Users
16:47:37.537 Scan finished successfully
16:48:40.016 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jim\Desktop\MBR.dat"
16:48:40.016 The log file has been saved successfully to "C:\Documents and Settings\jim\Desktop\aswMBR2.txt"

#6 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 30 July 2011 - 02:31 PM

Good evening. :)

You have a couple of entries in your log that point to files on your PC that I would like to have checked - if they are still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

c:\documents and settings\jim\Local Settings\Application Data\nsee.exe
c:\documents and settings\jim\Local Settings\Application Data\dsco.exe
c:\documents and settings\jim\Local Settings\Application Data\cwqa.exe


When all the scans have been completed, for each file in turn, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done.

So long, and thanks for all the fish.


#7 Ben Amada
  • Topic Starter
  • Members
  • 5 posts

Posted 30 July 2011 - 06:06 PM

I found that those 3 EXE files under (jim\Local Settings\Application Data) and 4 other similar EXE files under (all users\Application Data) all are zero (0) byte files. I attached 3 screenshots showing this. As a test, I tried uploading one of them to Jotti, and it came back saying "File is empty (0 bytes)!" as shown in the 3rd attached screenshot.

If you'd like me to do any further scans, please just let me know. Hopefully we have collected enough information now to take action to remove this malware. Thanks--

Attached Files
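The check Noviciate asked for in #6 (are the files still present, and are they hidden?) and Ben's finding in #7 (they are all zero bytes) can be done in one pass without relying on Explorer's hidden-file setting or on uploading anything. The script below is an added example, not something posted in this thread or part of any of the tools it mentions; the paths are the ones listed in the ComboFix log and in Noviciate's request, and the function names are my own. It is written for PowerShell 2.0 (the version available on Windows XP), so it uses .NET for SHA-256 rather than Get-FileHash.

```powershell
# Added example (not from the thread): report presence, size, attributes, creation time
# and SHA-256 for the files flagged in the ComboFix log. Zero-byte files are called out
# instead of hashed, since a scanner has nothing to analyse in an empty file.
# Paths come from the thread; Get-SuspectFileReport and Get-Sha256Hex are names chosen here.
$paths = @(
    'c:\documents and settings\jim\Local Settings\Application Data\pcse.exe',
    'c:\documents and settings\jim\Local Settings\Application Data\nsee.exe',
    'c:\documents and settings\jim\Local Settings\Application Data\dsco.exe',
    'c:\documents and settings\jim\Local Settings\Application Data\cwqa.exe',
    'c:\documents and settings\All Users\Application Data\yafu.exe',
    'c:\documents and settings\All Users\Application Data\xdig.exe',
    'c:\documents and settings\All Users\Application Data\hdvj.exe',
    'c:\documents and settings\All Users\Application Data\etem.exe',
    'c:\windows\system32\ter1mw32.dll',
    'c:\windows\system32\termlw32.dll'
)

function Get-Sha256Hex([string]$file) {
    # .NET SHA-256 over a read-only stream; works on PowerShell 2.0 where Get-FileHash is absent
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-SuspectFileReport([string[]]$files) {
    foreach ($p in $files) {
        # -Force makes Get-Item return hidden and system files regardless of Explorer settings
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item -eq $null) {
            New-Object PSObject -Property @{
                Path = $p; Status = 'missing'; Size = $null
                Attributes = $null; Created = $null; Sha256 = $null
            }
            continue
        }
        if ($item.Length -eq 0) {
            $status = 'empty (0 bytes) - nothing to upload'
            $hash = $null
        } else {
            $status = 'present'
            $hash = Get-Sha256Hex $item.FullName
        }
        New-Object PSObject -Property @{
            Path = $item.FullName; Status = $status; Size = $item.Length
            Attributes = $item.Attributes.ToString(); Created = $item.CreationTime; Sha256 = $hash
        }
    }
}

Get-SuspectFileReport $paths | Format-List Path, Status, Size, Attributes, Created, Sha256
```

Run it from an administrator PowerShell prompt; it only reads the files. For a non-empty file the SHA-256 lets you look the sample up at VirusTotal by hash before deciding whether to upload it. One caveat the thread itself illustrates: this listing goes through the normal Win32 file API, so a kernel-mode rootkit could hide a file from it, which is why the ComboFix/catchme and aswMBR scans above check hidden files and the MBR from a lower layer.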



#8 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 31 July 2011 - 02:57 PM

Good evening. :)

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
c:\windows\system32\ter1mw32.dll
c:\windows\system32\termlw32.dll
c:\documents and settings\jim\local settings\application data\pcse.exe
c:\documents and settings\jim\local settings\application data\nsee.exe
c:\documents and settings\jim\local settings\application data\dsco.exe
c:\documents and settings\jim\local settings\application data\cwqa.exe
c:\documents and settings\all users\application data\yafu.exe
c:\documents and settings\all users\application data\xdig.exe
c:\documents and settings\all users\application data\hdvj.exe
c:\documents and settings\all users\application data\etem.exe


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of ComboFix and let it do its thing.
Let me have the log produced, as before, and a description of how the PC is behaving.

So long, and thanks for all the fish.


#9 Ben Amada
  • Topic Starter
  • Members
  • 5 posts

Posted 01 August 2011 - 07:07 PM

Hi & thanks. I ran ComboFix twice with the same CFScript.txt file. The first time, it ran without reporting anything special, but the 2nd time, it reported finding a problem and even did a reboot, and then continued on with the final steps after the reboot. The log it produced shows a file it found infected that I don't think turned up in previous scan results (system32\imm32.dll). The two DLLs in the system32 folder were still there after running ComboFix.

After this, I'm still getting high CPU on svchost, and the other major symptom is clicking on Google search results in either IE or FF ends up redirecting to other sites. I installed Avast Free and it found some items and removed them, including removing the 2 DLLs in system32. It also did a boot-time scan and found some more items and removed them. After all this, I logged into Windows and Avast kept coming up with messages saying that attempts to go to bad URLs were being made and it was blocking these attempts. The redirect problems continued as well. It also blocked an attempt for a "setup" program in c:\windows\temp\jovdmv\setup.exe from running. This was a new folder/file based on the timestamp. I went into safe mode, and deleted these files and all the files out of the c:\windows\prefetch folder, based on some recommendations I read. Problems still continued though.

I'm going to take the PC into a repair shop I know that has fixed some malware problems in the past. I'll see if they can get this fixed. So for now, I don't think I'll be needing further assistance. I feel like we did make progress, but there's something in there that keeps these problems continuing. Thank you again ... if it's still a problem after the repair shop looks at it, I'll post back here (if this thread is still open) or start a new thread.

#10 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 02 August 2011 - 02:28 PM

Good evening. :)

OK, thanks for letting me know.

So long, and thanks for all the fish.
