Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'Google redirect' virus


  • This topic is locked This topic is locked
38 replies to this topic

#1 allisono

allisono

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 16 September 2011 - 02:56 PM

The main problem appears to be the Google redirect issue; I have not noticed any other problems. Google search is extremely slow, and then when clicking on a Google search result, it redirects to another site (all of them get the "unsafe" red button from TrendMicro). I have run TrendMicro, McAfee, and Microsoft scanner and all have removed a handful of infected files but not resolved the problem.

I have a HijackThis log which I will post below the DDS log. I'm not sure the GMER thing ran correctly because many of the squares were grayed out and couldn't be selected; only Services, Registry, Files, and ADS were scanned. Thank you very much for any help you can offer!

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Allison Otto at 15:22:22 on 2011-09-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.445 [GMT -4:00]
.
AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Allison Otto\My Documents\Downloads\HijackThis.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Allison Otto\My Documents\Downloads\Defogger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [TrendSecure Remote File Lock] c:\program files\trend micro\trendsecure\remotefilelock\FLMain.exe /lock
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237298206750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6F30F92E-647B-4E30-A887-48AAFBD29361} : DhcpNameServer = 192.168.2.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\allison otto\application data\mozilla\firefox\profiles\9tzn4i9r.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WCL2&o=100000082&locale=en_US&apn_uid=40166113-3533-4923-954F-D26DB974CFDB&apn_ptnrs=^AA2&apn_sauid=B4D4D63F-989D-4598-A3A5-6DBD79C88E21&apn_dtid=^YYYYYY^YY^US&&q=
FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll
FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper6.dll
FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll
FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm6.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2011-9-15 36624]
R3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2011-9-15 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-9-16 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2011-9-16 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2011-9-16 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-26 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-26 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-09-16 19:03:03 388096 ----a-r- c:\documents and settings\allison otto\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-16 17:51:03 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan
2011-09-16 17:51:01 -------- d-----w- c:\program files\McAfee Security Scan
2011-09-16 16:19:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-16 16:18:00 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-09-16 16:18:00 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-09-16 16:18:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-09-16 16:18:00 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-16 16:17:59 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-09-16 16:17:59 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-09-16 16:17:59 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-16 16:17:59 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-16 12:27:07 59472 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-09-16 12:27:07 51792 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-09-16 12:27:07 163408 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-16 12:22:46 -------- d-----w- c:\documents and settings\allison otto\local settings\application data\Trend Micro
2011-09-16 03:09:27 661808 ----a-w- c:\windows\system32\UfWSC.cpl
2011-09-16 03:09:14 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-09-16 03:09:14 36624 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2011-09-16 03:09:14 339984 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2011-09-16 03:09:14 262416 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2011-09-16 03:09:14 1405720 ----a-w- c:\windows\system32\drivers\vsapint.sys
2011-09-16 02:34:04 -------- d-----w- c:\windows\system32\log
2011-09-05 17:04:56 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-16 02:22:45 1033728 ----a-w- c:\windows\explorer.exe
2011-09-16 02:22:41 507904 ----a-w- c:\windows\system32\winlogon.exe
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-10 21:06:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-07-10 21:06:05 56 --sh--r- c:\windows\system32\48F3EA03C5.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 15:29:00.79 ===============








HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:51:08 PM, on 9/16/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Allison Otto\My Documents\Downloads\HijackThis.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Allison Otto\My Documents\Downloads\Defogger.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Allison Otto\Desktop\gmer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe /lock
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237298206750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 13966 bytes

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:43 PM

Posted 17 September 2011 - 05:33 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 allisono

allisono
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 19 September 2011 - 08:59 AM

Thank you! I will be able to do this tomorrow (Tuesday) eve. if that's okay and will post the new log then. I so appreciate your help!

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:43 PM

Posted 19 September 2011 - 05:01 PM

:thumbup2:

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 allisono

allisono
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 21 September 2011 - 05:53 AM

I followed the steps - I was not given a choice of where to save ComboFix, so I don't know if that caused a problem. It did run and I was able to follow the steps to download the recovery console, and then the scan began, but when it ended there was nothing on the screen and I wasn't able to find a log file. Also my internet had disconnected. Re-enabling Trend Micro (I hope that's okay once the scan has run) and restarting the computer got the internet working again, but I'm still not sure if the scan finished successfully.

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:43 PM

Posted 21 September 2011 - 04:24 PM

Hi

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


You should be asked where to save the file to now,

Please delete the copy of ComboFix from your desktop,

download a fresh copy, but save it directly to your C:\ Drive, rename it to svchost.exe before saving it,

now make sure all your security programs are disabled, close all other windows as well.

If it wont run in normal mode, try it in safe mode >

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 allisono

allisono
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 22 September 2011 - 02:34 PM

Thank you for the Firefox tip. Here is the ComboFix log:

ComboFix 11-09-22.01 - Allison Otto 09/22/2011 14:36:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.396 [GMT -4:00]
Running from: C:\ComboFix.exe
AV: Trend Micro Internet Security Pro *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ALLISO~1\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Allison Otto\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\kb913800.exe
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-22 to 2011-09-22 )))))))))))))))))))))))))))))))
.
.
2011-09-16 19:03 . 2011-09-16 19:03 388096 ----a-r- c:\documents and settings\Allison Otto\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-16 17:59 . 2011-09-16 17:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-09-16 17:53 . 2011-09-16 17:53 -------- d-----w- c:\program files\Common Files\Adobe
2011-09-16 17:51 . 2011-09-16 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-09-16 17:51 . 2011-09-16 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-09-16 17:51 . 2011-09-16 17:59 -------- d-----w- c:\program files\McAfee Security Scan
2011-09-16 16:24 . 2011-09-16 16:24 -------- d-----w- c:\program files\Apple Software Update
2011-09-16 16:19 . 2011-09-16 16:19 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-16 16:18 . 2011-09-03 06:01 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-16 16:18 . 2011-09-03 06:01 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-09-16 16:18 . 2011-09-03 06:01 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-16 16:18 . 2011-09-03 06:01 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-16 16:17 . 2011-09-03 06:01 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-16 16:17 . 2011-09-03 06:01 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-16 16:17 . 2011-09-02 23:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-16 16:17 . 2011-09-02 23:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-09-16 12:28 . 2011-09-16 12:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2011-09-16 12:27 . 2010-07-19 18:03 59472 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-09-16 12:27 . 2010-07-19 18:03 51792 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-09-16 12:27 . 2010-07-19 18:02 163408 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-09-16 12:22 . 2011-09-16 12:46 -------- d-----w- c:\documents and settings\Allison Otto\Local Settings\Application Data\Trend Micro
2011-09-16 03:09 . 2011-09-16 03:09 661808 ----a-w- c:\windows\system32\UfWSC.cpl
2011-09-16 03:09 . 2011-09-16 03:09 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-09-16 03:09 . 2011-09-16 03:09 339984 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2011-09-16 03:09 . 2011-07-12 10:44 262416 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2011-09-16 03:09 . 2011-07-12 10:43 36624 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2011-09-16 03:09 . 2011-07-12 10:09 1405720 ----a-w- c:\windows\system32\drivers\vsapint.sys
2011-09-16 02:34 . 2011-09-16 02:34 -------- d-----w- c:\windows\system32\log
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2005-08-16 09:18 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-08-16 09:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-09-03 06:01 . 2011-09-16 16:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 01:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-26 39408]
"TrendSecure Remote File Lock"="c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2009-07-25 329040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-26 236544]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-06-15 307200]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2006-06-14 286720]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-06-27 299008]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 106496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-26 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/15/2011 11:09 PM 36624]
R3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/15/2011 11:09 PM 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/16/2011 8:27 AM 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [9/16/2011 8:27 AM 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [9/16/2011 8:27 AM 689416]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2010 7:59 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2010 7:59 AM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 11:58]
.
2011-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 11:58]
.
2011-09-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-08-24 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Allison Otto\Application Data\Mozilla\Firefox\Profiles\9tzn4i9r.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=WCL2&o=100000082&locale=en_US&apn_uid=40166113-3533-4923-954F-D26DB974CFDB&apn_ptnrs=^AA2&apn_sauid=B4D4D63F-989D-4598-A3A5-6DBD79C88E21&apn_dtid=^YYYYYY^YY^US&&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-22 15:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FileLock.dll
c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FileLockUI.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\ALLISO~1\LOCALS~1\Temp\clclean.0001
c:\windows\system32\dlcxcoms.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
.
**************************************************************************
.
Completion time: 2011-09-22 15:29:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-22 19:29
.
Pre-Run: 122,430,091,264 bytes free
Post-Run: 122,542,915,584 bytes free
.
- - End Of File - - 13437C2F65DA12F3873BF70C46BE50ED

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:43 PM

Posted 22 September 2011 - 03:56 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 allisono

allisono
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 22 September 2011 - 09:51 PM

Thanks.

I downloaded and extracted the TDSSKiller, but when I double-clicked on it, nothing happened (I waited several hours). By right-clicking I got the option to "scan for security threats" and did that, and it said no files were infected.

The Malwarebytes log is below. There was nothing to remove because it found no infected files.

I also ran the ESET scanner. The scan completed and it said there were no threats, so there was no list of threats to look at or export.



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7777

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/22/2011 9:42:35 PM
mbam-log-2011-09-22 (21-42-34).txt

Scan type: Quick scan
Objects scanned: 187121
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thank you again for all your help!

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:43 PM

Posted 22 September 2011 - 10:01 PM

I'm a little concerned why TDSSKiller wouldn't run

please try the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Edited by CatByte, 22 September 2011 - 10:01 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 allisono

allisono
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 25 September 2011 - 05:54 AM

For whatever reason something about these programs isn't working for me. I saved aswMBR to my Desktop, and again when I double-click on it, I get a question about whether I want to run this file. I click "run", and then that window disappears and nothing happens. The tool doesn't actually launch, just like with TDSSKiller. Am I doing something wrong?

Thank you.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:43 PM

Posted 25 September 2011 - 08:02 AM

Hi

you are doing nothing wrong, we have cleared some of the infection, but the part remaining is protecting itself by shutting down the tools we need to run to clear it.

Please run the following:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 allisono

allisono
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 27 September 2011 - 04:07 PM

I'm a little worried about what this log looks like, but here it is:


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...


Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f: Access is denied.


...

...

...
Failed to open \\?\c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF10C4.tmp: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF1A76.tmp: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF2AB1.tmp: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


..

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...No reparse points found.


thank you for your continued help!

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:43 PM

Posted 27 September 2011 - 04:36 PM

Hi

Please run the following:
  • please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:


c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f
c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF2AB1.tmp
c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF1A76.tmp
c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF10C4.tmp



  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Once you have done that, please delete the copy of TDSSKiller and aswMBR that you have on your desktop and download fresh copies

then give those programs another try

thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 allisono

allisono
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:43 PM

Posted 28 September 2011 - 04:45 AM

Here is the list of permissions. I am trying the other programs again now.

GrantPerms by Farbar
Ran by Allison Otto at 2011-09-28 05:39:27

===============================================
\\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


ERROR: Parsing the SD of <\\?\c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF2AB1.tmp> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF1A76.tmp> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\Documents and Settings\Allison Otto\Local Settings\Temp\~DF10C4.tmp> failed with: Access is denied.


Operating system error message: Access is denied.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users