
Browser Redirect on search, infomash, search-milk, shoppinghornet, travelbuoy...


  • This topic is locked
37 replies to this topic

#1 Bshaf

Bshaf

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 12 March 2012 - 02:35 PM

Hello and thanks for providing this service. When I search from Google, the browser (Firefox) redirects to one of a random set of websearch sites. Some are infomash.com, search-milk.net, shoppinghornet.com, and travelbuoy.com. I have run hijackthis, spybot, ad-aware, and malwarebytes and the problem persists. My assistant was on the phone for 8 hours total with a support person who couldn't successfully fix it either. I know you can help and can't wait to dig in! I have uninstalled all 3 spyware programs after using them, since I know most of them will clash with one another and I await your instructions.

Thanks


#2 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 12 March 2012 - 05:17 PM

Okay, hold that help. I ran a full AVG scan on my computer and it seems to have finally caught it. Emphasis on seems. It says it was running under WIN/system32/ping.exe. I have done several searches using Google both on the site itself and through the browser searchbar and so far there are no redirects occurring.

I will post back and let you know for sure whether I will need to proceed with posting logs.
Thanks

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:12 AM

Posted 14 March 2012 - 10:00 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

If you still need help please post the result of this scan.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just paste the contents of the DDS.txt log in your next post.
===

We should also check the following.

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#4 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 14 March 2012 - 08:27 PM

Hello nasdaq,

Thanks for your reply. Things have been okay for a few days, but I'm not sure if I got all the gremlins out, so here are the logs you requested. I had to work all day or they would have been posted earlier.

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Florist at 20:54:26 on 2012-03-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.451 [GMT -4:00]
.
AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\Program Files\Iomega\REV System Software\ImIconXp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Teleflora\DovePOS\Server\CMCHost.exe
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Program Files\Teleflora\DovePOS\Server\Teleflora.TFO.POS.Server.App.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Teleflora\DovePOS\Server\Teleflora.TFO.POS.Scheduler.App.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Teleflora\DovePOS\Terminal\DovePOS.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Program Files\AVG Secure Search\vprot.exe
c:\program files\teamviewer\version7\TeamViewer_Desktop.exe
C:\WINDOWS\system32\notepad.exe
D:\Teleflora\My Documents\Downloads\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/?rlz=1V1IPYX
uInternet Connection Wizard,ShellNext = hxxp://help.myteleflora.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110216210521.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
dRun: [Bomgar_Cleanup_ZD10082827033] cmd.exe /C rd /S /Q "c:\documents and settings\all users\application data\bomgar-scc-4f2c585c" & reg delete hkcu\software\microsoft\windows\currentversion\Run /v Bomgar_Cleanup_ZD10082827033 /f
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} - hxxps://altiris.teleflora.com/Altiris/NS/NSCap/Bin/Win32/x86/AeXClientBootstrap.cab
DPF: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A} - hxxp://help.myteleflora.com/support/ecare4/components/CobAgent_4.2.1.319.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{4EC9D712-C5B3-4117-8FD6-3D4DE6E720E2} : NameServer = 4.2.2.2,4.2.2.1
TCP: Interfaces\{4EC9D712-C5B3-4117-8FD6-3D4DE6E720E2} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{FD1BFDBE-B778-41C7-90DA-8870B09D4819} : NameServer = 192.168.1.1
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} -
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\florist\application data\mozilla\firefox\profiles\yizay8dn.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8a97bd47-6a60-4fd8-83c2-24271537b99d%7D&mid=8d9c41bea27547d08f0fd16b5fc7aa13-c52cc2eaf39a669a3130a39f99d1dcb0b664d20d&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2012-03-12%2014%3A08%3A29&sap=ku&q=
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2007-1-5 30968]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-12 88544]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-1-4 47640]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2010-9-17 1248256]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-12 2886528]
R2 Teleflora.TFO.Client.COMMS.CMCHost;Teleflora Dove POS Communications Client;c:\program files\teleflora\dovepos\server\CMCHost.exe [2010-11-5 20480]
R2 Teleflora.TFO.POS.Scheduler.App.SchedulerService;Teleflora Dove POS Scheduler;c:\program files\teleflora\dovepos\server\Teleflora.TFO.POS.Scheduler.App.exe [2010-11-5 36864]
R2 Teleflora.TFO.POS.Server.App.POSWinService;Teleflora Dove POS Server;c:\program files\teleflora\dovepos\server\Teleflora.TFO.POS.Server.App.exe [2010-11-5 32768]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-14 918880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-5 159320]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-5 145936]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe" /servicestart --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [?]
S2 RumorServer;McAfee Peer Distribution Service;"c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe" /rundll=rumorserver.dll;servicehost --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-12 85152]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-11-25 34248]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-3-7 27064]
S3 RTL8192cu;Surf Wireless Micro USB Adapter;c:\windows\system32\drivers\rtl8192cu.sys --> c:\windows\system32\drivers\RTL8192cu.sys [?]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2011-3-15 10112]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 WOIPoller;Teleflora Dove POS Wire Order Interface;c:\program files\teleflora\dovepos\terminal\WOIPoller.exe [2010-11-5 45056]
.
=============== Created Last 30 ================
.
2012-03-14 18:59:31 -------- d-----w- c:\windows\system32\cache
2012-03-12 22:00:03 -------- d-sh--w- C:\found.000
2012-03-12 20:36:24 -------- d--h--w- C:\$AVG
2012-03-12 20:28:41 -------- d-----w- c:\documents and settings\florist\application data\AVG2012
2012-03-12 18:08:30 -------- d-----w- c:\documents and settings\florist\application data\AVG Secure Search
2012-03-12 18:08:28 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-03-12 18:08:21 -------- d-----w- c:\program files\common files\AVG Secure Search
2012-03-12 18:08:19 -------- d-----w- c:\program files\AVG Secure Search
2012-03-12 18:07:45 -------- d-----w- c:\windows\system32\drivers\AVG
2012-03-12 18:07:45 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-03-12 18:07:32 -------- d-----w- c:\program files\AVG
2012-03-12 18:00:28 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-03-12 16:49:45 -------- d-----w- c:\documents and settings\florist\application data\TeamViewer
2012-03-12 16:49:42 -------- d-----w- c:\program files\TeamViewer
2012-03-12 15:57:26 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-12 13:32:54 -------- d-----w- c:\program files\Toolbar Cleaner
2012-03-09 02:06:41 -------- d-----w- c:\documents and settings\florist\application data\Radialpoint
2012-03-09 02:06:01 -------- d-----w- c:\documents and settings\florist\application data\HiWired
2012-03-09 02:06:01 -------- d-----w- c:\documents and settings\all users\application data\Radialpoint
2012-03-09 02:05:56 -------- d-----w- c:\documents and settings\all users\application data\HiWired
2012-03-08 21:35:46 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-03-08 21:31:22 -------- d-----w- c:\documents and settings\florist\application data\GetRightToGo
2012-03-08 20:38:03 -------- d-----w- c:\documents and settings\all users\application data\Log
2012-03-08 19:31:48 105578752 ----a-w- C:\iyogi.reg
2012-03-08 17:30:17 -------- d-----w- c:\documents and settings\florist\local settings\application data\Intuit
2012-03-08 17:23:49 -------- d-----w- c:\program files\Intuit
2012-03-08 17:23:49 -------- d-----w- c:\documents and settings\all users\application data\Nuance
2012-03-08 17:23:49 -------- d-----w- c:\documents and settings\all users\application data\Intuit
2012-03-08 16:28:16 -------- d-----w- c:\documents and settings\florist\application data\ntr
2012-03-08 03:04:43 -------- d-----w- c:\documents and settings\florist\local settings\application data\VS Revo Group
2012-03-08 03:04:31 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-03-08 03:04:29 -------- d-----w- c:\program files\VS Revo Group
2012-03-07 22:38:49 -------- d-----w- c:\program files\Nmap
2012-03-07 22:38:25 -------- d-----w- c:\program files\iYogi
2012-03-07 19:35:50 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2012-03-07 19:35:14 -------- d-----w- C:\Netgear
2012-02-23 19:59:17 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2012-02-23 18:46:23 -------- d-----w- c:\documents and settings\florist\local settings\application data\FileMaker
2012-02-23 18:46:23 -------- d-----w- c:\documents and settings\florist\application data\net.dacons.menucontrol
2012-02-23 18:46:23 -------- d-----w- c:\documents and settings\florist\application data\net.dacons.mail.it
2012-02-23 18:43:20 90112 ----a-w- c:\windows\unvise32.exe
.
==================== Find3M ====================
.
2012-03-12 20:22:22 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-05 03:23:16 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-19 17:19:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:00:36.45 ===============



and Security Check
Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG 2012
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (10.0.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

My antivirus is up to date (the Security Check says it isn't), and Windows Security Center is running; I even opened it from Control Panel while I ran the test. I also noticed the McAfee SaaS in the DDS report; I had to manually remove that because it wasn't in Add/Remove for me to get rid of it.

Thanks for your help,
Beth

Edited by Bshaf, 14 March 2012 - 08:31 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:12 AM

Posted 15 March 2012 - 08:14 AM

I ran a full AVG scan on my computer and it seems to have finally caught it. Emphasis on seems. It says it was running under WIN/system32/ping.exe.

This is associated with a ZeroAccess infection.
I still see some remnant items in your DDS log.

I want to make sure that the rootkit infection has been removed before proceeding with some remedial tools.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.
===

We will deal with the Security log later.

Please post the logs for my review.
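The items nasdaq is reading off these logs (the hard-coded public DNS servers and the keyword.URL override in the post #4 DDS report, the EnableLUA = 0 policy, the Run entry that calls cmd.exe /C rd /S /Q, and the $NtUninstallKB40$ tree with @, U\ and L\ entries that ComboFix later lists under "Other Deletions" in post #10) can be triaged mechanically. The script below is an added example, not code from this thread, from DDS, ComboFix or BleepingComputer: the sample lines are copied from the logs posted here (the keyword.URL line shortened), while the severity levels, the search-host allowlist and the regular expressions are my own assumptions. A keyword.URL that points at a vendor search page, as the AVG Secure Search toolbar sets it here, is not by itself the redirector, so it is reported as something to review rather than as an infection.

```python
"""Triage heuristics for DDS / ComboFix style log lines.

Added example; not part of the BleepingComputer thread or of the DDS and
ComboFix tools.  Sample lines are copied from the logs posted in the thread;
severities, allowlist and patterns are constructed assumptions.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines taken from the DDS "Pseudo HJT Report" (post #4)
# and the ComboFix "Other Deletions" list (post #10), plus one benign driver.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/?rlz=1V1IPYX
mPolicies-system: EnableLUA = 0 (0x0)
dRun: [Bomgar_Cleanup_ZD10082827033] cmd.exe /C rd /S /Q "c:\\documents and settings\\all users\\application data\\bomgar-scc-4f2c585c" & reg delete hkcu\\software\\microsoft\\windows\\currentversion\\Run /v Bomgar_Cleanup_ZD10082827033 /f
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\\{4EC9D712-C5B3-4117-8FD6-3D4DE6E720E2} : NameServer = 4.2.2.2,4.2.2.1
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8a97bd47%7D&q=
c:\\windows\\$NtUninstallKB40$\\2956505104\\@
c:\\windows\\$NtUninstallKB40$\\2956505104\\U\\80000032.@
c:\\windows\\$NtUninstallKB40$\\2956505104\\L\\pnmqzanh
c:\\windows\\system32\\drivers\\avgldx86.sys
"""

# Hosts a Firefox keyword.URL would normally point at (constructed allowlist).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# ZeroAccess-style hiding place: $NtUninstall<KB>$\<digits>\ holding an '@'
# file or U\ / L\ subfolders, the layout ComboFix removed in post #10.
_ZA_DIR = re.compile(r"\\\$ntuninstall[^\\]*\$\\\d+\\(?:@$|u\\|l\\)", re.I)
_NS = re.compile(r"^TCP: .*\bNameServer = (?P<ips>[\d.,]+)$")
_KEYWORD = re.compile(r"^FF - prefs\.js: keyword\.URL - (?P<url>\S+)$")
_RUN_RD = re.compile(r"^[a-z]Run(?:Once)?: \[(?P<name>[^\]]+)\] .*\brd /S /Q\b", re.I)


def defang_to_url(s):
    """DDS writes hxxp:// so pasted logs are not clickable; undo it for parsing."""
    return re.sub(r"^hxxp", "http", s, count=1, flags=re.I)


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    if _ZA_DIR.search(line):
        return ("high", "ZeroAccess-style $NtUninstall*$ payload directory: " + line)
    m = _KEYWORD.match(line)
    if m:
        host = urlparse(defang_to_url(m.group("url"))).hostname or ""
        if host not in KNOWN_SEARCH_HOSTS:
            return ("medium", "Firefox keyword.URL overridden to " + host)
        return None
    m = _NS.match(line)
    if m:
        # Only statically configured public resolvers are reported; DHCP-assigned
        # private addresses are the normal case on a LAN.
        public = [ip for ip in m.group("ips").split(",") if not ip_address(ip).is_private]
        if public:
            return ("low", "interface uses hard-coded public DNS " + ",".join(public))
        return None
    m = _RUN_RD.match(line)
    if m:
        return ("low", "Run key %s performs a recursive delete via cmd.exe" % m.group("name"))
    if line.startswith("mPolicies-system: EnableLUA = 0"):
        return ("low", "UAC disabled by policy (EnableLUA = 0)")
    return None


def triage(text):
    """Triage every line of a pasted log; findings come back sorted high -> low."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (triage_line(l.rstrip()) for l in text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, why in triage(SAMPLE_LOG):
        print("[%s] %s" % (sev.upper(), why))
```

Run against the sample it reports the three $NtUninstallKB40$ entries as high, the isearch.avg.com keyword.URL as medium, and the UAC policy, the Bomgar cleanup Run key and the 4.2.2.x resolvers as low; the DHCP-assigned 10.0.0.1 and the AVG driver produce nothing.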

#6 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 15 March 2012 - 03:50 PM

I will unfortunately be out of town until Monday and unable to get to this until then. Just so you know I didn't quit or anything.

Thanks

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:12 AM

Posted 16 March 2012 - 07:44 AM

I'll be here.

#8 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 19 March 2012 - 11:18 AM

I have downloaded TDSSKiller.exe and have repeatedly tried extracting and running it, but nothing happens. It gives me the "Do you want to run this file" dialogue, and I click Run and then nothing.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:12 AM

Posted 19 March 2012 - 01:20 PM

Try to run this tool.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

#10 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 19 March 2012 - 03:58 PM

Ok, here is the Combofix log:

ComboFix 12-03-18.04 - Florist 03/19/2012 15:45:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1447 [GMT -4:00]
Running from: c:\documents and settings\Florist\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee® Security-as-a-Service Anti-virus *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Florist\GoToAssistDownloadHelper.exe
c:\documents and settings\Florist\Start Menu\Programs\System Check
c:\documents and settings\Florist\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Florist\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\$NtUninstallKB40$
c:\windows\$NtUninstallKB40$\1882944549
c:\windows\$NtUninstallKB40$\2956505104\@
c:\windows\$NtUninstallKB40$\2956505104\bckfg.tmp
c:\windows\$NtUninstallKB40$\2956505104\cfg.ini
c:\windows\$NtUninstallKB40$\2956505104\Desktop.ini
c:\windows\$NtUninstallKB40$\2956505104\keywords
c:\windows\$NtUninstallKB40$\2956505104\kwrd.dll
c:\windows\$NtUninstallKB40$\2956505104\L\pnmqzanh
c:\windows\$NtUninstallKB40$\2956505104\lsflt7.ver
c:\windows\$NtUninstallKB40$\2956505104\oemid
c:\windows\$NtUninstallKB40$\2956505104\U\00000001.@
c:\windows\$NtUninstallKB40$\2956505104\U\00000002.@
c:\windows\$NtUninstallKB40$\2956505104\U\00000004.@
c:\windows\$NtUninstallKB40$\2956505104\U\80000000.@
c:\windows\$NtUninstallKB40$\2956505104\U\80000004.@
c:\windows\$NtUninstallKB40$\2956505104\U\80000032.@
c:\windows\$NtUninstallKB40$\2956505104\version
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\96b9737fdeb51952.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\SET37.tmp
c:\windows\system32\SET3B.tmp
c:\windows\system32\SET3C.tmp
c:\windows\system32\SET43.tmp
E:\AUTORUN.INF
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-02-19 to 2012-03-19 )))))))))))))))))))))))))))))))
.
.
2012-03-12 23:20 . 2012-03-12 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-03-12 22:00 . 2012-03-12 22:00 -------- d-----w- C:\found.000
2012-03-12 20:36 . 2012-03-12 20:36 -------- d-----w- C:\$AVG
2012-03-12 20:28 . 2012-03-12 20:28 -------- d-----w- c:\documents and settings\Florist\Application Data\AVG2012
2012-03-12 18:08 . 2012-03-12 18:08 -------- d-----w- c:\documents and settings\Florist\Application Data\AVG Secure Search
2012-03-12 18:08 . 2012-03-12 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-03-12 18:08 . 2012-03-12 18:08 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2012-03-12 18:08 . 2012-03-14 18:59 -------- d-----w- c:\program files\AVG Secure Search
2012-03-12 18:07 . 2012-03-19 12:40 -------- d-----w- c:\windows\system32\drivers\AVG
2012-03-12 18:07 . 2012-03-12 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-03-12 18:07 . 2012-03-12 18:07 -------- d-----w- c:\program files\AVG
2012-03-12 18:00 . 2012-03-12 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-03-12 16:49 . 2012-03-12 16:49 -------- d-----w- c:\documents and settings\Florist\Application Data\TeamViewer
2012-03-12 16:49 . 2012-03-12 16:49 -------- d-----w- c:\program files\TeamViewer
2012-03-12 15:57 . 2012-03-12 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-12 13:32 . 2012-03-12 13:32 -------- d-----w- c:\program files\Toolbar Cleaner
2012-03-09 02:06 . 2012-03-09 02:06 -------- d-----w- c:\documents and settings\Florist\Application Data\Radialpoint
2012-03-09 02:06 . 2012-03-09 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Radialpoint
2012-03-09 02:06 . 2012-03-09 02:06 -------- d-----w- c:\documents and settings\Florist\Application Data\HiWired
2012-03-09 02:05 . 2012-03-09 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HiWired
2012-03-08 21:35 . 2012-03-09 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-03-08 21:31 . 2012-03-08 21:35 -------- d-----w- c:\documents and settings\Florist\Application Data\GetRightToGo
2012-03-08 20:38 . 2012-03-08 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Log
2012-03-08 19:31 . 2012-03-08 19:31 105578752 ----a-w- C:\iyogi.reg
2012-03-08 17:30 . 2012-03-08 18:57 -------- d-----w- c:\documents and settings\Florist\Local Settings\Application Data\Intuit
2012-03-08 17:23 . 2012-03-08 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2012-03-08 17:23 . 2012-03-08 17:23 -------- d-----w- c:\program files\Intuit
2012-03-08 17:23 . 2012-03-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2012-03-08 16:28 . 2012-03-08 18:01 -------- d-----w- c:\documents and settings\Florist\Application Data\ntr
2012-03-08 03:04 . 2012-03-08 03:04 -------- d-----w- c:\documents and settings\Florist\Local Settings\Application Data\VS Revo Group
2012-03-08 03:04 . 2009-12-30 15:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-03-08 03:04 . 2012-03-08 03:04 -------- d-----w- c:\program files\VS Revo Group
2012-03-07 22:38 . 2012-03-09 02:51 -------- d-----w- c:\program files\Nmap
2012-03-07 22:38 . 2012-03-09 02:45 -------- d-----w- c:\program files\iYogi
2012-03-07 19:35 . 2010-06-07 03:12 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2012-03-07 19:35 . 2012-03-07 19:44 -------- d-----w- C:\Netgear
2012-02-23 19:59 . 2008-03-21 18:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2012-02-23 18:46 . 2012-02-23 18:46 -------- d-----w- c:\documents and settings\Florist\Local Settings\Application Data\FileMaker
2012-02-23 18:46 . 2012-02-23 18:46 -------- d-----w- c:\documents and settings\Florist\Application Data\net.dacons.menucontrol
2012-02-23 18:46 . 2012-02-23 18:46 -------- d-----w- c:\documents and settings\Florist\Application Data\net.dacons.mail.it
2012-02-23 18:43 . 2004-03-29 20:23 90112 ----a-w- c:\windows\unvise32.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 03:23 . 2012-01-05 03:23 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-10-24 18:45 . 2011-10-24 18:45 302904 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-03-13 21:20 . 2012-01-05 00:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-03-14 18:59 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-03-14 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-13 8523776]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-09-27 1443080]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-03-12 939872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Bomgar_Cleanup_ZD10082827033"="rd" [X]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2010-9-17 5961048]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-9-30 1156384]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2010-9-30 1178400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-01-27 17:09 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-12-07 23:21 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe"=
"c:\\Program Files\\Teleflora\\DovePOS\\Server\\CMCHost.exe"=
"c:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Teleflora\\DovePOS\\Server\\Teleflora.TFO.POS.Scheduler.App.exe"=
"c:\\Program Files\\Teleflora\\DovePOS\\Server\\Teleflora.TFO.POS.Server.App.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2011\\QBDBMgrN.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version7\\TeamViewer_Service.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [1/5/2007 2:39 PM 30968]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/12/2010 2:55 PM 88544]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [9/17/2010 6:04 PM 1248256]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [3/12/2012 12:49 PM 2886528]
R2 Teleflora.TFO.Client.COMMS.CMCHost;Teleflora Dove POS Communications Client;c:\program files\Teleflora\DovePOS\Server\CMCHost.exe [11/5/2010 9:20 AM 20480]
R2 Teleflora.TFO.POS.Scheduler.App.SchedulerService;Teleflora Dove POS Scheduler;c:\program files\Teleflora\DovePOS\Server\Teleflora.TFO.POS.Scheduler.App.exe [11/5/2010 9:20 AM 36864]
R2 Teleflora.TFO.POS.Server.App.POSWinService;Teleflora Dove POS Server;c:\program files\Teleflora\DovePOS\Server\Teleflora.TFO.POS.Server.App.exe [11/5/2010 9:21 AM 32768]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [3/14/2012 2:59 PM 918880]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/5/2011 6:34 AM 145936]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart --> c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [?]
S2 RumorServer;McAfee Peer Distribution Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /RunDLL=RumorServer.dll;ServiceHost --> c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/12/2010 2:55 PM 85152]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [3/7/2012 11:04 PM 27064]
S3 RTL8192cu;Surf Wireless Micro USB Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys --> c:\windows\system32\DRIVERS\RTL8192cu.sys [?]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [3/15/2011 1:11 AM 10112]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 WOIPoller;Teleflora Dove POS Wire Order Interface;c:\program files\Teleflora\DovePOS\Terminal\WOIPoller.exe [11/5/2010 9:22 AM 45056]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - revfs
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aswlsvc
quickbooksdb
cis1284
TBPanel
scramby
konfig
HIDSwvd
lxcgcustomerconnect
EPSON_EB_RPCV4_01
DCamUSBGrandTek
GENERICDRV
bglivesvc
tos_sps32
sonypvu1
tme3srv
wg4n
matlabserver
NEOFLTR_600_13319
rdnaoflsvc
se2Eunic
ndiscm
pnrouter
Ncrc710
aexnsclient
FET5X86V
psadd
iirsp
netsvc
PD0620VID
SprintRcAppSvc
w810obex
SE2Dbus
nocashio
filterservice
ONSIO
HSFHWALI
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-14 c:\windows\Tasks\Defragment.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/?rlz=1V1IPYX
uInternet Connection Wizard,ShellNext = hxxp://help.myteleflora.com/
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{4EC9D712-C5B3-4117-8FD6-3D4DE6E720E2}: NameServer = 4.2.2.2,4.2.2.1
TCP: Interfaces\{FD1BFDBE-B778-41C7-90DA-8870B09D4819}: NameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} - hxxps://altiris.teleflora.com/Altiris/NS/NSCap/Bin/Win32/x86/AeXClientBootstrap.cab
DPF: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A} - hxxp://help.myteleflora.com/support/ecare4/components/CobAgent_4.2.1.319.cab
FF - ProfilePath - c:\documents and settings\Florist\Application Data\Mozilla\Firefox\Profiles\yizay8dn.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8a97bd47-6a60-4fd8-83c2-24271537b99d%7D&mid=8d9c41bea27547d08f0fd16b5fc7aa13-c52cc2eaf39a669a3130a39f99d1dcb0b664d20d&ds=AVG&v=10.0.0.7&lang=en&pr=fr&d=2012-03-12%2014%3A08%3A29&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-19 16:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1180)
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(2024)
c:\windows\system32\WININET.dll
c:\program files\TeamViewer\Version7\tv_w32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\Iomega\REV System Software\RevUDF.exe
c:\program files\Iomega\REV System Software\ImIconXp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TeamViewer\Version7\TeamViewer.exe
c:\program files\TeamViewer\Version7\tv_w32.exe
c:\windows\system32\wscntfy.exe
c:\program files\teamviewer\version7\TeamViewer_Desktop.exe
.
**************************************************************************
.
Completion time: 2012-03-19 16:52:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-19 20:51
.
Pre-Run: 49,997,533,184 bytes free
Post-Run: 49,716,215,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=""Microsoft Windows XP Professional" /noexecute=optin /fastdetect"
.
- - End Of File - - A07BF6C7D9B8CB1D58182D58951018C7

#11 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 19 March 2012 - 04:11 PM

On restart, I was able to run TDSSKiller, and it says it found an infection: Device/Harddisk0/DR0 Rootkit.Boot.SST.a. When I try to cure it, it gives me an error, "there is no disk in the drive". I hit cancel and it says it can't cure the MBR, and that if you have installed custom bootloaders, you will need to reinstall them after treatment.

And I attach the zipped log.
Thanks

Attached Files



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:12 AM

Posted 20 March 2012 - 01:17 PM

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed, or until this computer is clean.


===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.
===

When completed please run the TDSSKiller tool and post the log.
===

p.s.

HOW TO: Enable the CD Emulators... Only when all is clear.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.



#13 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 20 March 2012 - 07:21 PM

aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-19 14:23:37
-----------------------------
14:23:37.154 OS Version: Windows 5.1.2600 Service Pack 3
14:23:37.154 Number of processors: 2 586 0x1706
14:23:37.154 ComputerName: 5111000-TSRVR UserName: Florist
14:23:37.951 Initialize success
14:24:21.373 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
14:24:21.373 Disk 0 Vendor: Intel___ 1.0. Size: 152585MB BusType: 8
14:24:21.373 Disk 0 MBR read successfully
14:24:21.373 Disk 0 MBR scan
14:24:21.373 Disk 0 Windows XP default MBR code
14:24:21.373 Disk 0 Partition - 00 0F Extended LBA 82568 MB offset 143380125
14:24:21.373 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 70009 MB offset 63
14:24:21.388 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 70001 MB offset 143380188
14:24:21.388 Disk 0 Partition - 00 05 Extended 12566 MB offset 286744185
14:24:21.404 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12566 MB offset 286744248
14:24:21.404 Disk 0 scanning sectors +312480315
14:24:21.451 Disk 0 scanning C:\WINDOWS\system32\drivers
14:24:24.716 Service scanning
14:24:31.076 Modules scanning
14:24:34.935 Disk 0 trace - called modules:
14:24:34.935 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89bf5fa9]<<
14:24:34.935 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a60c5c0]
14:24:34.935 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x8a00d030]
14:24:34.935 \Driver\iaStor[0x8a5b5b30] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x89bf5fa9
14:24:34.935 Scan finished successfully
14:25:05.388 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Florist\Desktop\MBR.dat"
14:25:05.388 The log file has been saved successfully to "C:\Documents and Settings\Florist\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-20 20:16:20
-----------------------------
20:16:20.921 OS Version: Windows 5.1.2600 Service Pack 3
20:16:20.921 Number of processors: 2 586 0x1706
20:16:20.921 ComputerName: 5111000-TSRVR UserName: Florist
20:16:21.890 Initialize success
20:16:40.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
20:16:40.578 Disk 0 Vendor: Intel___ 1.0. Size: 152585MB BusType: 8
20:16:40.593 Disk 0 MBR read successfully
20:16:40.593 Disk 0 MBR scan
20:16:40.593 Disk 0 Windows XP default MBR code
20:16:40.593 Disk 0 Partition - 00 0F Extended LBA 82568 MB offset 143380125
20:16:40.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 70009 MB offset 63
20:16:40.609 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 70001 MB offset 143380188
20:16:40.609 Disk 0 Partition - 00 05 Extended 12566 MB offset 286744185
20:16:40.625 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12566 MB offset 286744248
20:16:40.640 Disk 0 scanning sectors +312480315
20:16:40.687 Disk 0 scanning C:\WINDOWS\system32\drivers
20:16:44.765 Service scanning
20:16:53.171 Modules scanning
20:16:56.218 Disk 0 trace - called modules:
20:16:56.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89bf0fa9]<<
20:16:56.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a57d030]
20:16:56.234 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x8a57e030]
20:16:56.234 \Driver\iaStor[0x8a576030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x89bf0fa9
20:16:56.234 Scan finished successfully
20:17:07.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Florist\Desktop\MBR.dat"
20:17:07.140 The log file has been saved successfully to "C:\Documents and Settings\Florist\Desktop\aswMBR.txt"


And the zip file is attached. If it means anything, defogger did not ask me to reboot. But it did say it was successful.
Thanks

Attached Files

  • Attached File  MBR.zip   510bytes   0 downloads

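The aswMBR log above reads the first sector of Disk 0 and lists the partition table, and the MBR.dat it saves to the desktop is that raw 512-byte sector. The following is an added example, not aswMBR's, TDSSKiller's or ComboFix's own code: it parses such a dump, prints the entries in the same terms the log uses, hashes the boot-code bytes so they can be compared with a known-good copy, and runs the consistency checks a responder wants before trusting a partition table (exactly one active partition, valid boot flags, no overlaps). The sample MBR is constructed from the partition lines in the log (sector counts back-computed from the MB figures and offsets); its boot code is a placeholder, not the real Windows XP MBR code.

```python
"""Parse a raw 512-byte MBR dump (for example the MBR.dat that aswMBR saves) and
report its partition table in the terms the aswMBR log uses, plus the sanity
checks a responder wants before deciding whether an MBR was tampered with.

Added example, not aswMBR's or ComboFix's code.  The sample MBR is constructed
from the partition lines in the log above; sector counts are back-computed from
the MB figures and offsets, and the boot code is a placeholder, not the real
Windows XP MBR code.
"""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts at byte 446 of the sector
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Partition type ids that appear in the aswMBR log above; others are printed as hex.
TYPE_NAMES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0F: "Extended LBA"}


def build_entry(active, ptype, lba_start, sectors):
    """One 16-byte table entry; CHS fields are zeroed since LBA is what tools use."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR matching the layout aswMBR reported (placeholder boot code)."""
    boot_code = b"\xeb\xfe" + b"\x90" * 444                  # jmp $ + NOPs, NOT real XP code
    table = (build_entry(True, 0x07, 63, 143380062)          # Partition 1 (C:), 70009 MB
             + build_entry(False, 0x0F, 143380125, 169100190)  # extended container, 82568 MB
             + b"\0" * (ENTRY_SIZE * 2))                     # two unused slots
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the used partition entries as dicts; raises on an obviously bad dump."""
    if len(mbr) < SECTOR:
        raise ValueError("dump is shorter than one sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        flag, _, ptype, _, lba, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue                                         # empty slot
        parts.append({"slot": slot + 1, "flag": flag, "active": flag == 0x80,
                      "type": ptype, "name": TYPE_NAMES.get(ptype, "0x%02X" % ptype),
                      "lba": lba, "sectors": sectors,
                      "mb": sectors * SECTOR // (1024 * 1024)})
    return parts


def format_like_aswmbr(p):
    """Render one entry the way the aswMBR log does (minus its filesystem column)."""
    return "Partition %d %02X%s %02X %s %d MB offset %d" % (
        p["slot"], p["flag"], " (A)" if p["active"] else "",
        p["type"], p["name"], p["mb"], p["lba"])


def boot_code_digest(mbr):
    """SHA-256 of the 446 boot-code bytes, for comparison with a known-good MBR."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()


def check_mbr(mbr):
    """Consistency checks; an empty list means nothing obviously wrong."""
    findings = []
    parts = parse_mbr(mbr)
    if not any(mbr[:TABLE_OFFSET]):
        findings.append("boot code is all zeros")
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p["flag"] not in (0x00, 0x80):
            findings.append("slot %d has invalid boot flag 0x%02X" % (p["slot"], p["flag"]))
        if p["lba"] == 0:
            findings.append("slot %d starts at sector 0, inside the MBR itself" % p["slot"])
    ordered = sorted(parts, key=lambda p: p["lba"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["lba"] + prev["sectors"] > cur["lba"]:
            findings.append("slots %d and %d overlap" % (prev["slot"], cur["slot"]))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path to an MBR.dat to inspect a real dump; otherwise the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    for p in parse_mbr(data):
        print(format_like_aswmbr(p))
    print("boot code sha256:", boot_code_digest(data))
    for f in check_mbr(data) or ["no findings"]:
        print("check:", f)
```

Run it with the path to the saved MBR.dat to see the same partition lines aswMBR prints; the boot-code digest is only meaningful against a dump from a known-clean machine with the same Windows version, since the boot code differs between Windows releases.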

#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:12 AM

Posted 21 March 2012 - 08:36 AM

Now run the aswMBR.exe tool. Select the FixMBR button.

Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.

When you see the message restart the computer normally.

Run aswMBR.exe normally this time and post the log.

Let me know what problem persists.

#15 Bshaf

Bshaf
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 22 March 2012 - 03:26 PM

I am trying to run aswMBR.exe and it is giving me the same "do you want to run this program" prompt; I click Run, then nothing again. I have restarted, used Defogger, and disabled antivirus, with the same result. And the browser is now redirecting again too. AVG is bringing up over 30 viruses, so it says. It says they are fixed, then they come back. So frustrating.
Thanks



