
Search redirect/background audio infection.


  • This topic is locked
2 replies to this topic

#1 DCSS

DCSS

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:41 AM

Posted 28 September 2011 - 10:07 AM

Hello. I have a customer's machine that refuses to get clean. I previously ran ComboFix on it and it claimed to be infected with rootkit.zeroaccess, but subsequent scans have found nothing. I've not been able to get GMER to run; it causes an error about another instance of a driver already running.

Here are my DDS logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Mid-Nebraska Insuror at 9:51:19 on 2011-09-28
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3071.2000 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k ftpsvc
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\explorer.exe
C:\Windows\system32\wuauclt.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.lycos.com/iehome.php
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\transa~1.lnk - c:\program files\ams services\transactnow\OALaunch.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: ams360.com\www
Trusted Zone: amsservices.com
Trusted Zone: prevailnetwork.com
Trusted Zone: transactnow.com\ams
Trusted Zone: travelers.com
Trusted Zone: travelerspc.com
Trusted Zone: vertafore.com
Trusted Zone: vertafore.com\www
Trusted Zone: webex.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nationwidenh.webex.com/client/T26L10NSP49EP9/webex/ieatgpc1.cab
TCP: DhcpNameServer = 192.168.7.1
TCP: Interfaces\{03404F29-86A1-40AF-A6DF-327C3621DBDD} : DhcpNameServer = 192.168.7.1
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslb6c8d0f2;MpKslb6c8d0f2;c:\programdata\microsoft\microsoft antimalware\definition updates\{f55258eb-7c43-4a57-b5ca-f9b542cd9206}\MpKslb6c8d0f2.sys [2011-9-28 28752]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe -k ftpsvc [2009-7-13 20992]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-5-14 273960]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-5-14 66592]
RUnknown rootrepeal;rootrepeal; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-23 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-20 1343400]
S3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-7-13 9728]
S4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S4 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-5-14 81920]
S4 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-6-8 116536]
S4 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
.
=============== Created Last 30 ================
.
2011-09-28 14:12:58 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f55258eb-7c43-4a57-b5ca-f9b542cd9206}\MpKslb6c8d0f2.sys
2011-09-28 14:12:57 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f55258eb-7c43-4a57-b5ca-f9b542cd9206}\offreg.dll
2011-09-28 14:12:56 7269712 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f55258eb-7c43-4a57-b5ca-f9b542cd9206}\mpengine.dll
2011-09-27 22:37:06 -------- d-sh--w- C:\$RECYCLE.BIN
2011-09-27 22:36:52 -------- d-----w- c:\users\mid-nebraska insuror\appdata\local\temp
2011-09-27 21:39:42 -------- d-----w- C:\ComboFix
2011-09-27 21:22:28 34816 ----a-w- c:\windows\system32\drivers\gresareha.sys
2011-09-27 20:48:17 -------- d-----w- c:\program files\Glary Utilities
2011-09-27 16:17:41 -------- d-----w- c:\users\mid-nebraska insuror\appdata\local\Norman Malware Cleaner
2011-09-27 15:26:16 71880 ----a-w- c:\windows\system32\PxSecure.dll-509312
2011-09-27 15:24:37 -------- d-----w- c:\program files\Citrix
2011-09-27 15:24:28 -------- d-----w- c:\users\mid-nebraska insuror\appdata\local\Citrix
2011-09-22 18:06:41 49152 ----a-r- c:\users\mid-nebraska insuror\appdata\roaming\microsoft\installer\{7b4174e8-fe92-4269-808a-3b8d116d9538}\NewShortcut8_7B4174E8FE924269808A3B8D116D9538.exe
2011-09-22 18:06:41 49152 ----a-r- c:\users\mid-nebraska insuror\appdata\roaming\microsoft\installer\{7b4174e8-fe92-4269-808a-3b8d116d9538}\NewShortcut7_7B4174E8FE924269808A3B8D116D9538.exe
2011-09-22 18:06:41 49152 ----a-r- c:\users\mid-nebraska insuror\appdata\roaming\microsoft\installer\{7b4174e8-fe92-4269-808a-3b8d116d9538}\NewShortcut5_7B4174E8FE924269808A3B8D116D9538_1.exe
2011-09-22 18:06:41 -------- d-----w- c:\program files\MAPILab Ltd
2011-09-22 18:06:22 -------- d-----w- c:\users\mid-nebraska insuror\appdata\local\Downloaded Installations
2011-09-22 15:09:53 7269712 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-09-20 18:37:22 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6d79477a-4b16-4074-9e9a-6e3f676d214f}\gapaengine.dll
2011-09-20 18:32:49 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-20 18:14:06 -------- d-----w- c:\program files\VS Revo Group
2011-09-20 16:18:16 -------- d-----w- c:\users\mid-nebraska insuror\DoctorWeb
2011-09-20 15:39:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-09-20 15:39:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-09-19 21:45:46 98816 ----a-w- c:\windows\sed.exe
2011-09-19 21:45:46 518144 ----a-w- c:\windows\SWREG.exe
2011-09-19 21:45:46 256000 ----a-w- c:\windows\PEV.exe
2011-09-19 21:45:46 208896 ----a-w- c:\windows\MBR.exe
2011-09-19 21:03:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-09-19 16:25:04 -------- d-----w- c:\users\mid-nebraska insuror\appdata\roaming\GlarySoft
2011-09-16 21:29:30 -------- d-----w- c:\users\mid-nebraska insuror\appdata\roaming\Malwarebytes
2011-09-16 21:29:22 -------- d-----w- c:\programdata\Malwarebytes
2011-09-15 15:37:03 -------- d-----w- c:\program files\Trend Micro
2011-09-13 14:34:47 14744 ----a-w- c:\users\mid-nebraska insuror\appdata\roaming\microsoft\identitycrl\production\ppcrlconfig.dll
2011-09-08 16:40:33 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-09-08 13:23:31 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-08 13:02:45 -------- d-----w- c:\users\mid-nebraska insuror\appdata\local\ElevatedDiagnostics
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-09-27 20:52:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-05 13:13:26 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-07-22 02:49:01 1102848 ----a-w- c:\windows\system32\urlmon(1354).dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet(1394).dll
2011-07-16 04:27:30 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 02:17:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:30:00 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 9:57:25.23 ===============
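
The DDS output above is a fixed text format: banner-delimited sections, `mPolicies-system:` policy lines, and `R#`/`S#` service and driver entries with a `[date size]` stamp. That makes a log like this easy to triage mechanically. The Python below is an added example written for this thread; it is not part of DCSS's post and is not DDS's or BleepingComputer's code. It parses a constructed excerpt modelled on the log above and reports what a responder would look at first: the policy values showing UAC switched off (`EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` are the real values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), and service entries DDS could not classify (`RUnknown`) or could not stamp with a date and size (the `[x]` and `[?]` markers). What those two markers mean internally to DDS is an assumption here; the script only reports that no date/size was captured and leaves the decision to the analyst.

```python
"""Triage helper for DDS logs like the one posted above (added example; not
the poster's or DDS's code). Parses the banner-delimited sections, the
mPolicies-system lines and the service/driver entries, then lists what a
responder would review first."""
import re

# Constructed excerpt modelled on the DDS layout in the thread; paths and
# names are illustrative, not the real log.
SAMPLE_LOG = r"""
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
RUnknown rootrepeal;rootrepeal; [x]
S2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
# "<start-type> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS](?:\d|Unknown))\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
STAMP_RE = re.compile(r"^\d{4}-\d{1,2}-\d{1,2} \d+$")  # e.g. "2011-4-18 165648"

# mPolicies-system keys are the values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
UAC_CHECKS = [
    ("EnableLUA", 0, "UAC is switched off"),
    ("ConsentPromptBehaviorAdmin", 0, "administrators elevate without any prompt"),
    ("PromptOnSecureDesktop", 0, "elevation prompts do not use the secure desktop"),
]


def parse_sections(text):
    """Return {banner title: [content lines]}; DDS uses '.' as a spacer."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def parse_policies(hjt_lines):
    """Map each mPolicies-system key to its decimal value."""
    policies = {}
    for line in hjt_lines:
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def parse_services(service_lines):
    """Split each service/driver line into fields; has_stamp is False when
    DDS wrote a marker such as [x] or [?] instead of a date and size."""
    services = []
    for line in service_lines:
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, stamp = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": path, "stamp": stamp,
                             "has_stamp": bool(STAMP_RE.match(stamp))})
    return services


def findings(text):
    """Items a responder reviews first: UAC policy state and unclassified or
    unstamped services. Reported only, nothing is changed on the host."""
    sections = parse_sections(text)
    notes = []
    policies = parse_policies(sections.get("Pseudo HJT Report", []))
    for key, bad, meaning in UAC_CHECKS:
        if policies.get(key) == bad:
            notes.append(f"{key} = {bad}: {meaning}")
    for svc in parse_services(sections.get("SERVICES / DRIVERS", [])):
        if svc["start"].endswith("Unknown") or not svc["has_stamp"]:
            notes.append(f"{svc['name']} ({svc['start']}) stamped [{svc['stamp']}]: "
                         "verify the image on disk")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_LOG):
        print(note)
```

Run as a script it prints the five findings for the constructed excerpt; pointed at the full log pasted above it would raise the same three UAC notes plus the rootrepeal and CSIScanner entries. A UAC-disabled host is worth calling out in a cleanup thread regardless of the malware question, since it means any process the user runs already has an unprompted path to administrator rights.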

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:41 AM

Posted 03 October 2011 - 08:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511 KB) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives.
  • Then please choose Security level: Recommended and perform the following actions.
  • Click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
===

Please post the logs and let me know what problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:41 AM

Posted 08 October 2011 - 06:34 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
