
Please Help With Google Redirect Virus


  • Please log in to reply
15 replies to this topic

#1 Thanks in advance


Posted 23 January 2012 - 07:33 PM

Apparently my Windows desktop got infected with the Google redirect virus.

This machine is running Windows XP SP3 with AVG (free) antivirus. It's on a home network behind a router with a built-in firewall and is the only machine on the network with this problem. Just a few days prior to the infection becoming known, I deleted my Comodo (free) firewall/malware software.

Another effect of this infection: my AVG 2012 will not perform scans. Once you try to start a scan, the software immediately declares the scan complete.

In response, I tried the following:

I have a second install of XP SP3 running on a separate drive in this machine. I rebooted from that drive and tried running AVG from that system. The scan was halted before being completed (I don't know how, as I was asleep while it scanned).

Then I created a rescue CD using the free download from AVG. The scan found and eliminated some infections, but Google searches were still being redirected.

I tried using a Backdoor.Tidserv removal program from Symantec, as well as TDSSKiller from Kaspersky. Both programs ran scans, but apparently found nothing.

Next, I downloaded Malwarebytes and ran it. It also found some infections (Trojans), and eliminated them.

Finally, I cleared the Hosts file using this utility.

At this point the Google searches are back to normal, and Malwarebytes is no longer blocking any outgoing IPs. But my AVG is still not able to run a scan.

Is it foolish to think that the problem is really solved? Would it be wise for me to take additional steps to clear the infection?

Too, if I transfer files from this machine using a USB drive, will the infection be spread?

Thanks for any and all help.


#2 Broni (BC Advisor)

Posted 23 January 2012 - 08:33 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

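A way to read the "List content of Hosts" output that the MiniToolBox step above asks for, as an added example that is not part of this thread and not one of the tools named in it. It assumes a watch list of search-engine and security-vendor domains (WATCHED_SUFFIXES) and constructs its own sample hosts file; both are assumptions for the example. Thousands of 127.0.0.1 entries for ad domains, as a hosts-based block list produces, are counted as expected blocking; a watched name pointed at a real address (the "Google redirect" pattern) or a security-vendor name pointed at loopback (the "AV cannot update" pattern) is what the script reports.

```python
"""Triage a Windows hosts file for redirect-style tampering (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Assumed watch list: search engines (the redirect symptom) and
# security/update vendors (blackholing them breaks AV updates).
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "avg.com", "malwarebytes.org", "symantec.com", "kaspersky.com",
    "bleepingcomputer.com",
)

# Targets that make a name unreachable rather than redirecting it.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsAudit:
    localhost: int = 0                 # normal localhost mappings
    blocked: int = 0                   # block-list style: name -> blackhole
    redirects: list = field(default_factory=list)           # (line, name, ip)
    blackholed_watched: list = field(default_factory=list)  # (line, name)
    unusual: list = field(default_factory=list)             # (line, name, ip)
    malformed: list = field(default_factory=list)           # (line, raw text)


def _is_watched(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> HostsAudit:
    """Classify every mapping in hosts-file text; '#' comments are ignored."""
    audit = HostsAudit()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            audit.malformed.append((lineno, raw))
            continue
        names = parts[1:]
        if not names:
            audit.malformed.append((lineno, raw))
            continue
        for name in names:
            if name.lower() == "localhost":
                audit.localhost += 1
            elif str(ip) in BLACKHOLE:
                if _is_watched(name):
                    audit.blackholed_watched.append((lineno, name))
                else:
                    audit.blocked += 1
            elif _is_watched(name):
                audit.redirects.append((lineno, name, str(ip)))
            else:
                audit.unusual.append((lineno, name, str(ip)))
    return audit


def verdict(audit: HostsAudit) -> str:
    """One-line reading of the audit, worst finding first."""
    if audit.redirects:
        return "HIJACK: watched domain(s) resolve to a non-loopback address"
    if audit.blackholed_watched:
        return "SUSPICIOUS: security/update domain(s) are blackholed"
    if audit.unusual:
        return "REVIEW: custom mappings present (intranet names are normal)"
    return "CLEAN: only localhost and block-list entries"


# Constructed sample: the first mappings mirror the MVPS-style block list
# seen in the thread; everything after the marker is invented for the test.
SAMPLE_HOSTS = """\
::1 localhost
127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 abcstats.com
# --- constructed suspicious entries (not from the thread) ---
203.0.113.5 www.google.com google.com
127.0.0.1 update.avg.com
192.168.1.50 nas.home
this line has no address
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(verdict(result))
    for lineno, name, ip in result.redirects:
        print(f"  line {lineno}: {name} -> {ip}")
    for lineno, name in result.blackholed_watched:
        print(f"  line {lineno}: {name} blackholed")
    print(f"  {result.blocked} block-list entries, {result.localhost} localhost entries")
```

To use it on a real machine, copy %SystemRoot%\system32\drivers\etc\hosts off the box and pass its text to audit_hosts; a file that is nothing but localhost plus a long 127.0.0.1 block list comes back CLEAN, which is what a legitimate MVPS-style hosts file looks like. Only the standard library is needed.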


#3 Thanks in advance (Topic Starter)

Posted 23 January 2012 - 09:00 PM

Thanks for the quick reply.

==============================================================================

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG 2012
NETGEAR ProSafe Firewall Router
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Java 3D 1.3.1 (OpenGL) Runtime
Java™ 6 Update 24
Out of date Java installed!
Adobe Flash Player 11.1.102.55
Mozilla Firefox (x86 en-US..)
Mozilla Thunderbird (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


==============================================================================

Farbar Service Scanner Version: 18-01-2012 01
Ran by Mark Littrell (administrator) on 23-01-2012 at 17:52:58
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(11) Bridge(10) BridgeMP(9) Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) Tcpip(5)
0x0B0000000600000001000000020000000300000004000000050000000B0000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

==============================================================================

MiniToolBox by Farbar Version: 18-01-2012
Ran by Mark Littrell (administrator) on 23-01-2012 at 17:54:16
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================


::1 localhost

127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 abcstats.com
127.0.0.1 a.abv.bg
127.0.0.1 adserver.abv.bg
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 ca.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 www.accuserveadsystem.com
127.0.0.1 achmedia.com
127.0.0.1 aconti.net
127.0.0.1 secure.aconti.net
127.0.0.1 www.aconti.net
127.0.0.1 am1.activemeter.com

There are 12819 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Disconnected)
NETGEAR FA311 Fast Ethernet Adapter = Local Area Connection 4 (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 4"

set address name="Local Area Connection 4" source=dhcp
set dns name="Local Area Connection 4" source=dhcp register=PRIMARY
set wins name="Local Area Connection 4" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : mklwintel
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR FA311 Fast Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-09-5B-1C-87-37
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.121
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Monday, January 23, 2012 8:56:26 AM
Lease Expires . . . . . . . . . . : Tuesday, January 24, 2012 8:56:26 AM

Server: home-wireless-n
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.224.212, 74.125.224.208, 74.125.224.209, 74.125.224.210
74.125.224.211

Pinging google.com [74.125.224.211] with 32 bytes of data:

Reply from 74.125.224.211: bytes=32 time=18ms TTL=53
Reply from 74.125.224.211: bytes=32 time=15ms TTL=53

Ping statistics for 74.125.224.211:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 18ms, Average = 16ms

Server: home-wireless-n
Address: 192.168.1.1

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 98.139.180.149, 209.191.122.70

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=64ms TTL=49
Reply from 209.191.122.70: bytes=32 time=81ms TTL=49

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 64ms, Maximum = 81ms, Average = 72ms

Server: home-wireless-n
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 09 5b 1c 87 37 ...... NETGEAR FA311 Fast Ethernet Adapter #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.121 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.121 192.168.1.121 20
192.168.1.0 255.255.255.0 192.168.1.121 192.168.1.121 20
192.168.1.121 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.121 192.168.1.121 20
224.0.0.0 240.0.0.0 192.168.1.121 192.168.1.121 20
255.255.255.255 255.255.255.255 192.168.1.121 192.168.1.121 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/21/2012 04:07:26 PM) (Source: Application Error) (User: )
Description: Fault bucket -1495810482.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (01/21/2012 04:07:19 PM) (Source: Application Error) (User: )
Description: Faulting application liss52.exe, version 5.0.2134.1, faulting module msvcrt.dll, version 7.0.2600.5512, fault address 0x00036fa3.
Processing media-specific event for [liss52.exe!ws!]


System errors:
=============
Error: (01/23/2012 11:41:51 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:51 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:51 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:51 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:51 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:51 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:50 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:50 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:50 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (01/23/2012 11:41:50 AM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================
Error: (01/21/2012 04:07:26 PM) (Source: Application Error)(User: )
Description: -1495810482

Error: (01/21/2012 04:07:19 PM) (Source: Application Error)(User: )
Description: liss52.exe5.0.2134.1msvcrt.dll7.0.2600.551200036fa3


=========================== Installed Programs ============================

ABBYY FineReader 5.0 Sprint Plus (Version: 5.0.0.3501)
Acronis True Image Home (Version: 10.0.4942)
Active Disk
Adobe Acrobat 5.0 (Version: 5.0)
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch (Version: 9.5.0)
Adobe Acrobat 9.5.0 - CPSID_83708
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Photoshop Album 2.0 Starter Edition (Version: 2.00.000)
Adobe Photoshop Elements 2.0 (Version: 2.0)
Adobe Presenter 7 (Version: 7.0)
Adobe Presenter 7 (Version: 7.0.5)
Adobe Reader 8.3.1 (Version: 8.3.1)
AFL-SE TWAIN
AnswerWorks 4.0 Runtime - English (Version: 4.0.101)
AnswerWorks 5.0 English Runtime (Version: 5.0.7)
APC PowerChute Personal Edition (Version: 2.0)
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
ATI - Software Uninstall Utility (Version: 6.14.10.1014)
ATI Catalyst Control Center (Version: 1.2.2217.17271)
ATI Display Driver (Version: 8.221-060124a1-030152C-ATI)
Audacity 1.2.4
Autobahn
AutoUpdate (Version: 1.1)
AVG 2012 (Version: 12.0.1901)
AVG 2012 (Version: 12.0.2109)
AVG 2012 (Version: 2012.0.1901)
Bid-O-Matic v2.14.8 (Version: Bid-O-Matic v2.14.8)
BitPim 1.0.6 (Version: 1.0.6)
Bonjour (Version: 3.0.0.10)
Brownstone Equation Editor 5 (Version: 5.2)
Camtasia Studio 7 (Version: 7.1.1)
Canon Camera WIA Driver (Version: 5.6)
Canon EOS Kiss_N REBEL_XT 350D WIA Driver (Version: 5.6)
Cisco Connect (Version: 1.4.12005.2)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Data Lifeguard Tools
Diploma 6
DivX (Version: 6.2.5)
DivX Content Uploader (Version: 1.2.1)
DivX Converter (Version: 6.2)
DivX Player (Version: 6.3)
DivX Web Player (Version: 1.3.1)
DVD Decrypter (Remove Only)
DVD Shrink 3.2
e-Sword (Version: 9.09.0000)
EPSON Copy Utility 3 (Version: 3.1.0.0)
EPSON Perf 4990 Guide
EPSON Scan
Eudora (Version: 7.0)
FlashMenu
Gizmo Project 2.0 (Version: 2.0.1.198)
Google Earth (Version: 6.1.0.5001)
Google Update Helper (Version: 1.3.21.79)
Graphing Calculator Viewer
Hardware Doctor
Highlight Viewer (Windows Live Toolbar) (Version: 03.01.0146)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard (Version: 1.1.1905.1)
Intel® PROSet (Version: 6.05.2001)
InterVideo WinDVD 4
IomegaWare 4.0.2
IP-P2P
iTunes (Version: 10.5.3.3)
Java 3D 1.3.1 (OpenGL) Runtime
Java Auto Updater (Version: 2.0.3.1)
Java™ 6 Update 24 (Version: 6.0.240)
Junk Mail filter update (Version: 14.0.8089.726)
Korean Fonts Support For Adobe Reader 8 (Version: 8.0.0)
LiveMath Maker
LiveReg (Symantec Corporation) (Version: 3.1.0)
Macromedia Shockwave Player
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
Map Button (Windows Live Toolbar) (Version: 03.01.0146)
Mathematica Extras 8.0 (2063897) (Version: 8.0.1)
Mathematica Player (M-WIN-D 7.0.1 1223367) (Version: 7.0.1)
Mathematica Teacher's Edition
MathEQ
MathType 6 (Version: 6.7)
MaxBlast 3
Meeting Manager for Internet Explorer (Version: 1.00.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.1 (Version: 4.10.0851)
Microsoft IntelliType Pro 2.2 (Version: 2.20.447.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional (Version: 10.0.6626.0)
Microsoft Outlook Web Access S/MIME (Version: 6.5.7651.60)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MobileMe Control Panel (Version: 3.1.8.0)
Mozilla Firefox 9.0.1 (x86 en-US) (Version: 9.0.1)
Mozilla Thunderbird 9.0.1 (x86 en-US) (Version: 9.0.1)
MSN Toolbar
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB925672) (Version: 4.20.9839.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NETGEAR ProSafe Firewall Router
Nvu 1.0 (Version: 1.0)
OpenOffice.org Installer 1.0 (Version: 1.0.9221)
PGP 8.0.2
Photo Story 3 for Windows (Version: 3.0.1115.11)
Picasa 3 (Version: 3.8)
Quicken 2010 (Version: 19.1.2.22)
Quicken WillMaker Plus 2005
QuickTime (Version: 7.71.80.42)
Realtek AC'97 Audio (Version: 5.17)
Report Designer 4.0 OCX Viewer(MSI) (Version: 4.0.0.226)
Rhapsody Player Engine (Version: 1.0.636)
Road Runner Install
Safari (Version: 5.34.52.7)
Segoe UI (Version: 14.0.4327.805)
SilverFast AFL-SE
SilverFast Epson-SE TWAIN
SilverFast SE CD Documentation 6.2.0
SiSoftware Sandra 2002 Standard
Smart Menus (Windows Live Toolbar) (Version: 03.01.0146)
Sonic CinePlayer (Version: 2.0.0)
Sonic CinePlayer DVD Pack (Version: 2.3.1)
Sonic DLA (Version: 4.95)
Sonic DVD for Photo Story 3 for Windows
Sonic Express Labeler (Version: 1.0.0)
Sonic MyDVD Studio (Version: 6.1.0)
Sonic Update Manager (Version: 3.0.0)
SpeechRedist (Version: 1.0.0)
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Sun Download Manager 2.0 (web)
TestGen
TI-Black Link
TI-Graph Link 83 Plus
TI-Graph Link 85
TI-Graph Link 89
TI-SmartView™ for the TI-84 Plus Family (Version: 3.2.0.116)
TI Connect 1.6 (Version: 1.6)
TurboTax 2010
TurboTax 2010 wcaiper (Version: 010.000.1691)
TurboTax 2010 WinPerFedFormset (Version: 010.000.5108)
TurboTax 2010 WinPerReleaseEngine (Version: 010.000.0501)
TurboTax 2010 WinPerTaxSupport (Version: 010.000.0219)
TurboTax 2010 wrapper (Version: 010.000.0157)
TurboTax 2011
TurboTax 2011 wcaiper (Version: 011.000.1265)
TurboTax 2011 WinPerFedFormset (Version: 011.000.2443)
TurboTax 2011 WinPerReleaseEngine (Version: 011.000.0388)
TurboTax 2011 WinPerTaxSupport (Version: 011.000.0204)
TurboTax 2011 wrapper (Version: 011.000.0120)
Unreal Tournament 2004
USPS Shipping Assistant (Version: 2.2)
Virtual Earth 3D (Beta) (Version: 3.0.808.29001)
WebEQ Browser Controls (Version: 3.5)
WebEx
WebFldrs XP (Version: 9.50.6513)
WexTech AnswerWorks (Version: 1.00.000)
Wimba Diploma 6
Wimba Diploma 6 (Version: 6.70.0131)
Windows Driver Package - PIE Image 10/22/2002 1.1.1 (Version: 1.1.1)
Windows Genuine Advantage v1.3.0254.0 (Version: 1.3.0254.0)
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8064.206)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Favorites for Windows Live Toolbar (Version: 03.01.0146)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Messenger (Version: 14.0.8089.0726)
Windows Live Photo Gallery (Version: 14.0.8081.709)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Toolbar Extension (Windows Live Toolbar) (Version: 03.01.0146)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8089.0726)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
Wolfram Mathematica 8 (M-WIN-L 8.0.1 2063990) (Version: 8.0.1)

========================= Memory info: ===================================

Percentage of memory in use: 44%
Total physical RAM: 2047.48 MB
Available physical RAM: 1132.86 MB
Total Pagefile: 2665.25 MB
Available Pagefile: 1764.35 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.16 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:111.78 GB) (Free:60.65 GB) NTFS
6 Drive g: () (Fixed) (Total:152.66 GB) (Free:21.6 GB) NTFS
8 Drive i: (WD 320 GB SATA) (Fixed) (Total:298.09 GB) (Free:33.15 GB) NTFS
9 Drive j: (MEMORETTE) (Removable) (Total:0.96 GB) (Free:0.24 GB) FAT

========================= Users: ========================================

User accounts for \\MKLWINTEL

Administrator ASPNET Guest
HelpAssistant Mark SUPPORT_388945a0


**** End of log ****


==============================================================================
I have a few logs from Malwarebytes. They're all here, sequentially:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.23.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mark Littrell :: MKLWINTEL [administrator]

Protection: Enabled

1/22/2012 7:53:42 PM
mbam-log-2012-01-22 (19-53-42).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 522972
Time elapsed: 3 hour(s), 12 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll (Trojan.QHost.BG) -> Delete on reboot.

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\Mark Littrell\Application Data\dplaysvr.exe (Trojan.QHost.Gen) -> Delete on reboot.
C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll (Trojan.QHost.BG) -> Delete on reboot.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.23.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mark Littrell :: MKLWINTEL [administrator]

Protection: Enabled

1/22/2012 11:43:31 PM
mbam-log-2012-01-22 (23-43-31).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190815
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Mark Littrell\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Documents and Settings\Mark Littrell\Application Data\dplaysvr.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.23.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Mark Littrell :: MKLWINTEL [administrator]

Protection: Enabled

1/22/2012 11:56:05 PM
mbam-log-2012-01-22 (23-56-05).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 526287
Time elapsed: 2 hour(s), 51 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


2012/01/22 19:53:20 -0800 MKLWINTEL Mark Littrell MESSAGE Starting protection
2012/01/22 19:53:27 -0800 MKLWINTEL Mark Littrell MESSAGE Protection started successfully
2012/01/22 19:53:30 -0800 MKLWINTEL Mark Littrell MESSAGE Starting IP protection
2012/01/22 19:53:35 -0800 MKLWINTEL Mark Littrell MESSAGE IP Protection started successfully
2012/01/22 21:55:23 -0800 MKLWINTEL Mark Littrell MESSAGE Executing scheduled update: Daily
2012/01/22 21:55:32 -0800 MKLWINTEL Mark Littrell MESSAGE Scheduled update executed successfully: database updated from version v2012.01.23.01 to version v2012.01.23.02
2012/01/22 21:55:32 -0800 MKLWINTEL Mark Littrell MESSAGE Starting database refresh
2012/01/22 21:55:32 -0800 MKLWINTEL Mark Littrell MESSAGE Stopping IP protection
2012/01/22 21:55:32 -0800 MKLWINTEL Mark Littrell MESSAGE IP Protection stopped
2012/01/22 21:55:39 -0800 MKLWINTEL Mark Littrell MESSAGE Database refreshed successfully
2012/01/22 21:55:39 -0800 MKLWINTEL Mark Littrell MESSAGE Starting IP protection
2012/01/22 21:55:44 -0800 MKLWINTEL Mark Littrell MESSAGE IP Protection started successfully
2012/01/22 23:22:02 -0800 MKLWINTEL Mark Littrell DETECTION C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll Trojan.QHost.BG QUARANTINE
2012/01/22 23:22:02 -0800 MKLWINTEL Mark Littrell DETECTION C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll Trojan.QHost.BG DENY
2012/01/22 23:22:02 -0800 MKLWINTEL Mark Littrell ERROR Quarantine failed: DeleteFile failed with error code 5
2012/01/22 23:22:10 -0800 MKLWINTEL Mark Littrell DETECTION C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll Trojan.QHost.BG DENY
2012/01/22 23:22:10 -0800 MKLWINTEL Mark Littrell DETECTION C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll Trojan.QHost.BG DENY
2012/01/22 23:25:11 -0800 MKLWINTEL Mark Littrell MESSAGE Starting protection
2012/01/22 23:25:22 -0800 MKLWINTEL Mark Littrell MESSAGE Protection started successfully
2012/01/22 23:25:26 -0800 MKLWINTEL Mark Littrell MESSAGE Starting IP protection
2012/01/22 23:25:32 -0800 MKLWINTEL Mark Littrell MESSAGE IP Protection started successfully
2012/01/22 23:28:36 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:28:36 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:28:39 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:28:39 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:28:45 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:28:45 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:06 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:06 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:09 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:09 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:15 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:15 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:15 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:15 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:17 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:18 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:23 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:24 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:27 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:27 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:30 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:30 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:35 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:36 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:36 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:39 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:29:45 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:32:52 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:32:52 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:32:55 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:32:55 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:33:01 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:33:01 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:52:38 -0800 MKLWINTEL Mark Littrell MESSAGE Starting protection
2012/01/22 23:52:53 -0800 MKLWINTEL Mark Littrell MESSAGE Protection started successfully
2012/01/22 23:52:58 -0800 MKLWINTEL Mark Littrell MESSAGE Starting IP protection
2012/01/22 23:53:23 -0800 MKLWINTEL Mark Littrell MESSAGE IP Protection started successfully


2012/01/23 07:53:59 -0800 MKLWINTEL Mark Littrell MESSAGE Starting protection
2012/01/23 07:54:15 -0800 MKLWINTEL Mark Littrell MESSAGE Protection started successfully
2012/01/23 07:54:18 -0800 MKLWINTEL Mark Littrell MESSAGE Starting IP protection
2012/01/23 07:54:35 -0800 MKLWINTEL Mark Littrell MESSAGE IP Protection started successfully
2012/01/23 08:57:11 -0800 MKLWINTEL Mark Littrell MESSAGE Starting protection
2012/01/23 08:57:30 -0800 MKLWINTEL Mark Littrell MESSAGE Protection started successfully
2012/01/23 08:57:33 -0800 MKLWINTEL Mark Littrell MESSAGE Starting IP protection
2012/01/23 08:57:36 -0800 MKLWINTEL Mark Littrell MESSAGE IP Protection started successfully


==============================================================================

aswMBR version 0.9.9.1509 Copyright© 2011 AVAST Software
Run date: 2012-01-23 18:40:22
-----------------------------
18:40:22.859 OS Version: Windows 5.1.2600 Service Pack 3
18:40:22.859 Number of processors: 2 586 0x209
18:40:22.859 ComputerName: MKLWINTEL UserName:
18:40:26.312 Initialize success
18:40:37.593 AVAST engine defs: 12012301
18:40:53.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
18:40:53.390 Disk 0 Vendor: WDC_WD1200JB-00DUA3 75.13B75 Size: 114473MB BusType: 3
18:40:53.406 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
18:40:53.406 Disk 1 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 156334MB BusType: 3
18:40:53.406 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP2T0L0-17
18:40:53.406 Disk 2 Vendor: WDC_WD3200JD-00KLB0 08.05J08 Size: 305245MB BusType: 3
18:40:53.421 Disk 3 \Device\Harddisk3\DR3 -> \Device\Ide\IdeDeviceP1T1L0-2d
18:40:53.421 Disk 3 Vendor: IOMEGA_ZIP_750 78.a Size: 305245MB BusType: 2
18:40:53.453 Disk 0 MBR read successfully
18:40:53.453 Disk 0 MBR scan
18:40:53.531 Disk 0 Windows XP default MBR code
18:40:53.531 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114463 MB offset 63
18:40:53.546 Disk 0 scanning sectors +234420480
18:40:53.593 Disk 0 scanning C:\WINDOWS\system32\drivers
18:41:08.390 Service scanning
18:41:09.984 Modules scanning
18:41:16.078 Module: C:\WINDOWS\system32\dla\tfsndres.sys **SUSPICIOUS**
18:41:17.406 Disk 0 trace - called modules:
18:41:17.421 ntoskrnl.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
18:41:17.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae1bab8]
18:41:17.437 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> [0x8adb2d78]
18:41:17.437 5 iomdisk.sys[f771fbc3] -> nt!IofCallDriver -> \Device\00000071[0x8ae3ef18]
18:41:17.453 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8ae36d98]
18:41:18.421 AVAST engine scan C:\WINDOWS
18:41:33.062 AVAST engine scan C:\WINDOWS\system32
18:44:04.000 AVAST engine scan C:\WINDOWS\system32\drivers
18:44:23.187 AVAST engine scan C:\Documents and Settings\Mark Littrell
19:43:09.109 File: C:\Documents and Settings\Mark Littrell\Local Settings\Temp\liss52.exe **INFECTED** Win32:Downloader-MLR [Trj]
19:58:57.765 AVAST engine scan C:\Documents and Settings\All Users
20:09:25.296 Scan finished successfully
==============================================================================

Edited by Thanks in advance, 24 January 2012 - 12:29 AM.
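A small parser for the Malwarebytes protection-log format shown in the post above, added here as an example and not code from the thread or from Malwarebytes. It pulls out the per-file detection actions, the failed quarantine and the repeated outgoing blocks to one address, so a responder can see at a glance that the DLL stayed active after the quarantine attempt; the sample lines are copied from the log above, and the reading of error code 5 as Windows ERROR_ACCESS_DENIED is from the Windows system error codes.

```python
import re
from collections import Counter, defaultdict

# One Malwarebytes protection-log line, in the layout shown in this thread:
#   <date> <time> <utc offset> <host> <user> <LEVEL> <message>
# The user name may contain spaces, so it is matched non-greedily up to the LEVEL token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<host>\S+) "
    r"(?P<user>.+?) (?P<level>MESSAGE|DETECTION|ERROR|IP-BLOCK) (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["level"] == "DETECTION":
        # "<path> <threat> <action>": only the path may contain spaces.
        rec["path"], rec["threat"], rec["action"] = rec["msg"].rsplit(" ", 2)
    elif rec["level"] == "IP-BLOCK":
        # "<ip> (Type: outgoing)"
        rec["ip"], _, direction = rec["msg"].partition(" (Type: ")
        rec["direction"] = direction.rstrip(")")
    return rec

def summarize(lines):
    """Triage summary: actions per detected file, failed quarantines, blocked IPs."""
    actions = defaultdict(Counter)   # (path, threat) -> Counter of actions taken
    failed_quarantines = []          # (path, error text) for each failed quarantine
    ip_blocks = Counter()            # (ip, direction) -> number of blocked connections
    last_quarantined = None
    for rec in filter(None, map(parse_line, lines)):
        if rec["level"] == "DETECTION":
            actions[(rec["path"], rec["threat"])][rec["action"]] += 1
            if rec["action"] == "QUARANTINE":
                last_quarantined = rec["path"]
        elif rec["level"] == "ERROR" and rec["msg"].startswith("Quarantine failed"):
            # Error code 5 is Windows ERROR_ACCESS_DENIED: the file was locked or
            # protected, so it is still on disk and needs an offline or boot-time scan.
            failed_quarantines.append((last_quarantined, rec["msg"]))
        elif rec["level"] == "IP-BLOCK":
            ip_blocks[(rec["ip"], rec["direction"])] += 1
    return {"actions": {k: dict(v) for k, v in actions.items()},
            "failed_quarantines": failed_quarantines,
            "ip_blocks": dict(ip_blocks)}

# Sample input: five lines copied from the protection log posted above.
SAMPLE_LOG = r"""
2012/01/22 23:22:02 -0800 MKLWINTEL Mark Littrell DETECTION C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll Trojan.QHost.BG QUARANTINE
2012/01/22 23:22:02 -0800 MKLWINTEL Mark Littrell ERROR Quarantine failed: DeleteFile failed with error code 5
2012/01/22 23:22:10 -0800 MKLWINTEL Mark Littrell DETECTION C:\Documents and Settings\Mark Littrell\Application Data\dplayx.dll Trojan.QHost.BG DENY
2012/01/22 23:28:36 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
2012/01/22 23:28:39 -0800 MKLWINTEL Mark Littrell IP-BLOCK 94.63.240.165 (Type: outgoing)
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```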


#4 Thanks in advance (Topic Starter)

Posted 24 January 2012 - 05:41 PM

Bump...

#5 Broni (BC Advisor)

Posted 24 January 2012 - 06:26 PM

Open Windows Explorer. Go to Tools > Folder Options > View tab, put a checkmark next to "Show hidden files and folders", and uncheck "Hide protected operating system files".
NOTE. Make sure to reverse the above changes when done with this step.
Upload the following file to http://www.virustotal.com/ for a security check:
- C:\WINDOWS\system32\dla\tfsndres.sys
IMPORTANT! If the file is listed as already analyzed, click on the "Reanalyse file now" button.
Post the scan results.

Go to Start > Run, paste this in:
services.msc
Click OK.

The Services window will open.
Find the Security Center service.
Right-click on it, click "Properties".
Under "Startup type" select "Automatic" from the drop-down menu.
Restart the computer.
Post a new FSS log.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click here.

#6 Thanks in advance (Topic Starter)

Posted 24 January 2012 - 07:03 PM

The scan for that file from VirusTotal:

SHA256: ca8902a716e6e31bd0c669267eebdee02ff8c1e801bd1c7423ad1bd550861270
Detection ratio: 0 / 43
Analysis date: 2012-01-25 00:00:19 UTC ( 1 minute ago )
Antivirus Result Update
AhnLab-V3 - 20120122
AntiVir - 20120123
Antiy-AVL - 20120123
Avast - 20120123
AVG - 20120123
BitDefender - 20120124
ByteHero - 20120123
CAT-QuickHeal - 20120123
ClamAV - 20120123
Commtouch - 20120123
Comodo - 20120123
DrWeb - 20120124
Emsisoft - 20120123
eSafe - 20120123
eTrust-Vet - 20120123
F-Prot - 20120123
F-Secure - 20120123
Fortinet - 20120124
GData - 20120123
Ikarus - 20120123
Jiangmin - 20120123
K7AntiVirus - 20120123
Kaspersky - 20120124
McAfee - 20120123
McAfee-GW-Edition - 20120123
Microsoft - 20120123
NOD32 - 20120123
Norman - 20120123
nProtect - 20120123
Panda - 20120123
PCTools - 20120124
Prevx - 20120125
Rising - 20120118
Sophos - 20120123
SUPERAntiSpyware - 20120123
Symantec - 20120123
TheHacker - 20120123
TrendMicro - 20120123
TrendMicro-HouseCall - 20120124
VBA32 - 20120123
VIPRE - 20120123
ViRobot - 20120123
VirusBuster - 20120123

#7 Thanks in advance (Topic Starter)

Posted 24 January 2012 - 07:12 PM

FSS Log:

Farbar Service Scanner Version: 18-01-2012 01
Ran by Mark Littrell (administrator) on 24-01-2012 at 16:11:55
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(11) Bridge(10) BridgeMP(9) Gpc(4) IPSec(6) irda(3) NetBT(7) PSched(8) Tcpip(5)
0x0B0000000600000001000000020000000300000004000000050000000B0000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

#8 Thanks in advance (Topic Starter)

Posted 24 January 2012 - 07:19 PM

I'm very appreciative of your help so far. Is it likely, do you think, that this infection can be spread by using a thumb drive with the infected machine and others?

#9 Broni (BC Advisor)

Posted 24 January 2012 - 08:15 PM

Yes, some infections can spread through USB flash drives.
What is your concern at this moment?

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If ESET doesn't find any threats, it will NOT produce a log.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click here.

#10 Thanks in advance (Topic Starter)

Posted 24 January 2012 - 08:32 PM

Yes, some infections can spread through USB flash drives.
What is your concern at this moment?


I have three additional machines which have had contact with this machine via a thumb drive. All of them have the same combination of AVG free and Comodo free firewall running but have showed no signs of infection.

I don't want to overreact, but at the same time I am wondering what a wise response would entail.

Scan results coming up...

#11 Broni (BC Advisor)

Posted 24 January 2012 - 09:01 PM

I'd start new topics for each computer and we'll check them out.

For the future....
Install Panda USB Vaccine, or BitDefender’s USB Immunizer on your computer to protect it from any infected USB device.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click here.

#12 Thanks in advance (Topic Starter)

Posted 24 January 2012 - 09:47 PM

I tried TFC but it appears to hang. The first time it looked to have been halted by Malwarebytes. There was no HDD activity for ten minutes, give or take, so I reset and tried again with Malwarebytes off. It appeared to hang again, about 5 minutes with no HDD activity. I reset, tried again with no AVG, no Malwarebytes, and again there was no HDD activity for about 5 minutes.

I'm starting the ESET scan after deleting AVG.

#13 Broni (BC Advisor)

Posted 24 January 2012 - 09:50 PM

Run TFC from safe mode.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click here.

#14 Thanks in advance (Topic Starter)

Posted 25 January 2012 - 01:41 AM

ESET found:

C:\Documents and Settings\Mark Littrell\Local Settings\Application Data\Mozilla\Firefox\Profiles\vwz3xf1s.default\Cache\A\42\F586Bd01 HTML/Iframe.B.Gen virus deleted - quarantined
C:\Documents and Settings\Mark Littrell\Local Settings\Temp\liss52.exe a variant of Win32/Kryptik.ZHN trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\llnmp.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\llnmp.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\pqstv.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\wjojvwap.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

#15 Thanks in advance (Topic Starter)

Posted 25 January 2012 - 02:17 AM

I ran TFC as instructed.

Please recall, this machine has two separate installations of XP. Is it necessary to repeat all or part of the above on the second install?

Edited by Thanks in advance, 25 January 2012 - 02:20 AM.




