
Infected with Google redirect (and random ads open)


This topic is locked
35 replies to this topic

#1 SafeDragon

  • Members
  • 58 posts

Posted 13 April 2012 - 04:16 AM

Hi, I have some kind of redirect bug that pops open random ads (cosmetics, health, etc.) including the infamous "happili". I'm also wondering what else might be buried deep, since that one seems to have slipped through!
(the best free software to protect myself in the future would be great, too!)

I have an HP Pavilion a1220n desktop with Windows XP running Service Pack 3. It's a Pentium 4 at 2.93 GHz, 504 MB RAM, and ~200 GB HDD.

I've run DDS and GMER, and am attaching the logs as instructed in the Prep Guide.

I'm grateful for any help I can get :)
Thanks!

[here is the DDS log:]
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by HP_Owner at 19:44:57 on 2012-04-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.107 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Owner\My Documents\Webbles\Programs\TaskBar Shuffle\taskbarshuffle.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - SidebarAutoLaunch Class
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [PCDrProfiler]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\hp_owner\start menu\programs\startup\pager.gif
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\taskba~1.lnk - c:\documents and settings\hp_owner\my documents\webbles\programs\taskbar shuffle\taskbarshuffle.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} - hxxp://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinst.cab&ptx=mratdl
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} - hxxps://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E2B6DEC-A8B1-40B9-A2A5-9C4A286AA8F7} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B79CD0E0-7DB7-4724-A9D0-ED3179536593} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: Fly - smart.dll
Notify: igfxcui - igfxdev.dll
Notify: Love - LoveFly.dll
AppInit_DLLs:
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\4n78aj6f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-1-24 100560]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 253600]
S3 PTAPCBUS;Pantech Android USB Composite Device (PTAPC);c:\windows\system32\drivers\PTAPCBUS.sys [2011-11-16 84608]
S3 PTAPCMDM;Pantech Android USB Modem Drivers (PTAPC);c:\windows\system32\drivers\PTAPCMDM.sys [2011-11-16 168704]
S3 PTAPCVSP;Pantech Android USB Serial Port (PTAPC);c:\windows\system32\drivers\PTAPCVSP.sys [2011-11-16 168704]
.
=============== Created Last 30 ================
.
2012-04-12 02:20:05 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-12 01:15:04 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-09 01:07:40 -------- d-----w- c:\program files\NCH Software
2012-04-09 01:07:36 -------- d-----w- c:\documents and settings\hp_owner\application data\NCH Software
2012-03-17 10:03:31 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-17 10:03:31 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-04-12 23:35:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-18 08:42:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-18 08:42:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2005-07-14 19:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-02-28 20:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.
============= FINISH: 19:46:32.96 ===============



#2 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 13 April 2012 - 04:59 AM

Hello sclossick! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:




We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:


Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply



Regards,
Georgi



#3 SafeDragon

  • Topic Starter
  • Members
  • 58 posts

Posted 13 April 2012 - 05:12 PM

Hi, I'm replying from a secondary computer because after I ran Combofix, and it generated its log, I was not allowed to connect to the internet (for example, any page I opened, like Google, said that the server could not be found) and also the resolution of my screen has been downgraded to 800x600.

Is it safe to put a flashdrive in the computer you're helping me clean and transfer the log file onto it so I can put it on this secondary computer and post it here?

Thanks :)

#4 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 13 April 2012 - 07:23 PM

Hi SafeDragon,


I am sorry to hear about your troubles with Combofix.

In order to protect a clean computer from getting infected, use Panda USB vaccine.

  • Please download Panda USB Vaccine and save it to your desktop.
  • Unzip the file to your desktop.
  • A folder will appear with the name, USBVaccine.
  • Double click on USBVaccine.exe to start the program, install and run it.
  • Click the button to vaccinate your computer.
  • Insert a USB drive. When the name of the drive appears in the dialog box, click the button to vaccinate your USB drive(s).
  • Click the red arrow to exit the program.
  • Keep in mind that USB drives that have been vaccinated cannot be reversed except with a format.

Now please copy/paste the ComboFix log file in your next reply



Regards,
Georgi

Edited by B-boy/StyLe/, 13 April 2012 - 08:43 PM.



#5 SafeDragon

  • Topic Starter
  • Members
  • 58 posts

Posted 13 April 2012 - 09:27 PM

Okay, I got Panda Vaccine, vaccinated my little "porting" drive and have brought over the ComboFix log. I'm also attaching a .PNG, if I may, of a screenshot I grabbed today before the scans that caught Happili red-handed :D

[ComboFix Log:]
ComboFix 12-04-13.01 - HP_Owner 04/13/2012 14:21:00.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.318 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
.
ADS - system32: deleted 7228 bytes in 5 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\7E95B6FD.TMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Owner\Application Data\FFSJ
c:\documents and settings\HP_Owner\Application Data\FFSJ\FFSJ.cfg
c:\documents and settings\HP_Owner\g2mdlhlpx.exe
c:\documents and settings\HP_Owner\WINDOWS
c:\windows\$NtUninstallKB29699$\252368179
c:\windows\$NtUninstallKB29699$\2788872761\@
c:\windows\$NtUninstallKB29699$\2788872761\cfg.ini
c:\windows\$NtUninstallKB29699$\2788872761\Desktop.ini
c:\windows\$NtUninstallKB29699$\2788872761\L\wenmukca
c:\windows\$NtUninstallKB29699$\2788872761\oemid
c:\windows\$NtUninstallKB29699$\2788872761\U\00000001.@
c:\windows\$NtUninstallKB29699$\2788872761\U\00000002.@
c:\windows\$NtUninstallKB29699$\2788872761\U\00000004.@
c:\windows\$NtUninstallKB29699$\2788872761\U\80000000.@
c:\windows\$NtUninstallKB29699$\2788872761\U\80000004.@
c:\windows\$NtUninstallKB29699$\2788872761\U\80000032.@
c:\windows\$NtUninstallKB29699$\2788872761\version
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\iun6002.exe
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\disk.dll
c:\windows\system32\drivers\core.cache(2)(2).dsk
c:\windows\system32\npfmntor.dll
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_slip
-------\Service_slip
.
.
((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
.
.
2012-04-13 21:05 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-12 02:20 . 2012-04-12 23:35 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-09 01:07 . 2012-04-09 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-04-09 01:07 . 2012-04-11 07:21 -------- d-----w- c:\program files\NCH Software
2012-04-09 01:07 . 2012-04-09 01:10 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\NCH Software
2012-03-17 10:03 . 2012-03-17 10:03 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 10:03 . 2012-03-17 10:03 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 23:35 . 2011-08-19 13:18 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 19:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-18 08:42 . 2012-02-18 08:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-18 08:42 . 2010-04-25 22:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-17 10:03 . 2011-11-09 02:21 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-05-04 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
pager.gif [2006-3-31 466292]
taskbarshuffle.lnk - c:\documents and settings\HP_Owner\My Documents\Webbles\Programs\TaskBar Shuffle\taskbarshuffle.exe [2009-12-12 818176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-9-9 221247]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-30 21:29 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
"IDriverT"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NCH Swift Sound\\WavePad\\wavepad.exe"=
"c:\\Program Files\\FlashGet\\fbgtcre-sys.exe"=
"c:\\Program Files\\Netscape\\Navigator 9\\navigator.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SmartCam\\SmartCam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [1/24/2009 12:52 AM 100560]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 7:20 PM 253600]
S3 PTAPCBUS;Pantech Android USB Composite Device (PTAPC);c:\windows\system32\drivers\PTAPCBUS.sys [11/16/2011 2:48 AM 84608]
S3 PTAPCMDM;Pantech Android USB Modem Drivers (PTAPC);c:\windows\system32\drivers\PTAPCMDM.sys [11/16/2011 2:48 AM 168704]
S3 PTAPCVSP;Pantech Android USB Serial Port (PTAPC);c:\windows\system32\drivers\PTAPCVSP.sys [11/16/2011 2:48 AM 168704]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/1/2006 6:05 AM 611064]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
slip
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 23:35]
.
2012-04-11 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Software\Switch\switch.exe [2012-04-09 01:07]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} - hxxp://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinst.cab&ptx=mratdl
DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} - hxxps://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4n78aj6f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-FlashGet - c:\program files\FlashGet\FlashGet.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
AddRemove-Game Maker - c:\program files\Game_Maker\DeIsL1.isu
AddRemove-Replay_720 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-13 14:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB29699$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,35,ec,46,d4,02,c1,49,b8,18,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,35,ec,46,d4,02,c1,49,b8,18,a0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1428)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SOUNDMAN.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2012-04-13 14:53:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-13 21:52
.
Pre-Run: 27,979,374,592 bytes free
Post-Run: 29,293,543,424 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 515F5B84320783C7459BE1F56EE39D5E


#6 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:08 PM

Posted 14 April 2012 - 05:52 AM

Hi SafeDragon,



We need to execute a CFScript to clean some remnants.

Please do this:


1. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

2. Copy/paste the text in the codebox below into it:

NetSvc::
slip
Folder::
c:\windows\$NtUninstallKB29699$

3. Save this as CFScript.txt to your flash drive and then transfer it to the infected PC. Save it in the same place as ComboFix.exe.

4. Close any open browsers.

5. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

6. Referring to the picture below, drag CFScript into ComboFix.exe

Posted Image


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also reply back to let me know how things are going. Still no internet ?


Regards,
Georgi



#7 SafeDragon

SafeDragon
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 14 April 2012 - 03:52 PM

Hi, since my desktop had been turned to 16-bit and 800x600, I had to open a folder and navigate to the Desktop inside that, in order to drop the CFScript.txt onto the ComboFix.exe icon.

It then started the ComboFix scan process, looking exactly as it did when I first ran it (saying the scan shouldn't take more than ten minutes, etc.). This time, however, when it finished, I happened to still be looking at the screen when this box popped up (which I must have missed the first time):

"You are infected with RootKit.ZeroAccess!
It has inserted itself into the tcp/ip stack.
This is a particularly difficult infection.
If for any reason that you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it [which I did try].
If it's not fixed, run ComboFix one more time."

It only had an "okay" button, then went away before I clicked it, and ComboFix rebooted the PC by itself.

Then ComboFix (once PC rebooted) ran a window called "AutoScan" and counted through sections (e.g. 48, etc.) and when it finished, it rebooted the PC again.

Finally, after rebooting, it opened a window saying "ComboFix - Find3M, Preparing Log Report." and after a few minutes, it created the log, which I will paste below.

And, yes, the internet is working again on the ailing PC, which is where I'm posting this from - yay!

[ComboFix Log (#2):]
ComboFix 12-04-13.01 - HP_Owner 04/14/2012 13:09:12.2.1 - x86
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB29699$
c:\windows\$NtUninstallKB29699$\2575803827
c:\windows\$NtUninstallKB29699$\2788872761\U\00000001.$
c:\windows\$NtUninstallKB29699$\2788872761\U\00000002.$
c:\windows\$NtUninstallKB29699$\2788872761\U\00000004.$
c:\windows\$NtUninstallKB29699$\2788872761\U\80000000.$
c:\windows\$NtUninstallKB29699$\2788872761\U\80000004.$
c:\windows\$NtUninstallKB29699$\2788872761\U\80000032.$
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-14 20:22 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-04-14 20:22 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2012-04-13 21:05 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-12 02:20 . 2012-04-12 23:35 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-09 01:07 . 2012-04-09 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2012-04-09 01:07 . 2012-04-11 07:21 -------- d-----w- c:\program files\NCH Software
2012-04-09 01:07 . 2012-04-09 01:10 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\NCH Software
2012-03-17 10:03 . 2012-03-17 10:03 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-17 10:03 . 2012-03-17 10:03 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 23:35 . 2011-08-19 13:18 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-04 19:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:10 . 2004-08-04 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 12:17 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-18 08:42 . 2012-02-18 08:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-18 08:42 . 2010-04-25 22:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-03-17 10:03 . 2011-11-09 02:21 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-13_21.48.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-14 20:24 . 2012-04-14 20:24 16384 c:\windows\Temp\Perflib_Perfdata_e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-05-04 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
pager.gif [2006-3-31 466292]
taskbarshuffle.lnk - c:\documents and settings\HP_Owner\My Documents\Webbles\Programs\TaskBar Shuffle\taskbarshuffle.exe [2009-12-12 818176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-9-9 221247]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-08-30 21:29 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
"IDriverT"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NCH Swift Sound\\WavePad\\wavepad.exe"=
"c:\\Program Files\\FlashGet\\fbgtcre-sys.exe"=
"c:\\Program Files\\Netscape\\Navigator 9\\navigator.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SmartCam\\SmartCam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [1/24/2009 12:52 AM 100560]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 7:20 PM 253600]
S3 PTAPCBUS;Pantech Android USB Composite Device (PTAPC);c:\windows\system32\drivers\PTAPCBUS.sys [11/16/2011 2:48 AM 84608]
S3 PTAPCMDM;Pantech Android USB Modem Drivers (PTAPC);c:\windows\system32\drivers\PTAPCMDM.sys [11/16/2011 2:48 AM 168704]
S3 PTAPCVSP;Pantech Android USB Serial Port (PTAPC);c:\windows\system32\drivers\PTAPCVSP.sys [11/16/2011 2:48 AM 168704]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/1/2006 6:05 AM 611064]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 23:35]
.
2012-04-11 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Software\Switch\switch.exe [2012-04-09 01:07]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} - hxxp://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinst.cab&ptx=mratdl
DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} - hxxps://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\4n78aj6f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-14 13:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,35,ec,46,d4,02,c1,49,b8,18,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,35,ec,46,d4,02,c1,49,b8,18,a0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3944)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\SOUNDMAN.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2012-04-14 13:30:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-14 20:30
ComboFix2.txt 2012-04-13 21:53
.
Pre-Run: 29,388,746,752 bytes free
Post-Run: 29,381,246,976 bytes free
.
- - End Of File - - EC63517697B8D3E780B07228EBAA7AD0
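As an added example, not code from the thread or from ComboFix's authors: a small Python parser for the line layouts ComboFix uses in its "Files Created", "Find3M Report" and "SnapShot" sections (date . date size attributes path, with the creation stamp or the attribute field absent in some sections), followed by a triage pass that turns the entries into a review list. The sample lines are constructed in that layout (the KB number 12345 in the $NtUninstall folder name is a placeholder), and the three triage rules (recently created driver, hidden+system file under system32, file inside a $NtUninstall...$ folder, the last mirroring what the CFScript and the OTL custom scan in this thread single out) are this example's own assumptions, producing candidates for a human to look at, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample lines in the layouts ComboFix uses for its
# "Files Created", "Find3M Report" and "SnapShot" sections.  Not a real log;
# the KB number in the $NtUninstall...$ folder name is a placeholder.
SAMPLE_LOG = """\
((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))
.
2012-04-14 20:22 . 2008-04-13 19:21 162816 ----a-w- c:\\windows\\system32\\drivers\\netbt.sys
2012-04-09 01:07 . 2012-04-09 01:10 -------- d-----w- c:\\program files\\NCH Software
2005-06-26 22:32 616448 --sha-r- c:\\windows\\system32\\cygwin1.dll
2012-04-10 03:15 . 2012-04-10 03:15 49152 --sha-r- c:\\windows\\$NtUninstallKB12345$\\U\\80000032.$
+ 2012-04-14 20:24 . 2012-04-14 20:24 16384 c:\\windows\\Temp\\Perflib_Perfdata_e8.dat
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
ENTRY_RE = re.compile(
    rf"^(?:\+ )?"                      # "+" prefixes additions in a SnapShot diff
    rf"(?:(?P<created>{TS}) \. )?"     # creation stamp; Find3M lines omit it
    rf"(?P<modified>{TS}) "
    rf"(?P<size>\d+|-{{8}}) "          # directories show "--------" instead of a size
    rf"(?:(?P<attrs>[a-z-]{{8}}) )?"   # attribute field; SnapShot lines omit it
    rf"(?P<path>[a-zA-Z]:\\.*)$"
)
# A path component of the form $NtUninstall...$ (hotfix uninstall folder names).
UNINSTALL_DIR_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE)


@dataclass
class Entry:
    created: Optional[str]
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # letters seen in the field: d=dir, s=system, h=hidden, a=archive, r/w
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_entries(text: str) -> List[Entry]:
    """Return one Entry per file line; banners, '.' spacers and other text are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"] or "", m["path"]))
    return entries


def triage(entries: List[Entry], run_time: datetime, recent_days: int = 30) -> List[str]:
    """Review list, not a verdict: the rules below are this example's own assumptions."""
    findings = []
    cutoff = run_time - timedelta(days=recent_days)
    for e in entries:
        low = e.path.lower()
        if (e.created is not None
                and datetime.strptime(e.created, "%Y-%m-%d %H:%M") >= cutoff
                and "\\drivers\\" in low):
            findings.append(f"{e.path}: driver created in the last {recent_days} days")
        if not e.is_dir and "s" in e.attrs and "h" in e.attrs and "\\system32\\" in low:
            findings.append(f"{e.path}: hidden+system file in system32 ({e.attrs})")
        if UNINSTALL_DIR_RE.search(e.path):
            findings.append(f"{e.path}: lives inside a $NtUninstall...$ folder")
    return findings


def run_sample() -> List[str]:
    """Parse the constructed sample as of a fixed run time and return the review list."""
    return triage(parse_entries(SAMPLE_LOG), datetime(2012, 4, 14, 13, 9))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Feeding a whole ComboFix.txt through parse_entries works the same way because every non-matching line (section banners, registry dumps, process lists) is simply skipped; the attribute letters are matched by presence rather than position, so the parser does not depend on the exact column layout of the field.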

#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:08 PM

Posted 14 April 2012 - 04:20 PM

Hi SafeDragon,


Did you try to change the resolution using the display properties?
If no joy you should probably reinstall the video driver.
What video card do you have?
If you don't know what video card you have, run this => start => run => type in dxdiag
Go to display, and tell me the exact model, so I can find you the appropriate driver.



Regards,
Georgi



#9 SafeDragon

SafeDragon
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 14 April 2012 - 04:30 PM

Yes, I have been able to change my display properties back to normal.

What is my next step? (PC feels more responsive already!)

:)

#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:08 PM

Posted 14 April 2012 - 05:15 PM

Hi,



Great work.
Please carefully follow my next set of steps:



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Posted Image

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.




Please download aswMBR.exe to your desktop.

  • Double click the aswMBR.exe icon to run it.
  • The program will offer to download the latest antivirus definitions from Avast servers. Click YES to agree.
  • When it's done, in the AV Scan drop-down options choose C:\
    Posted Image
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Note - do NOT attempt any Fix or FixMBR yet.




  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top. Posted Image
    - Under File Scans, change File age to 90
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Posted Image textbox.
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %PROGRAMFILES%\*.*
    %systemroot%\system32\config\systemprofile\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
    %windir%\temp*.*
    %windir%\system32\*.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC_32\*.* /S /MD5
    %systemroot%\assembly\GAC_MSIL\*.* /S /MD5
    /md5start
    smss.exe
    winlogon.exe
    services.exe
    lsass.exe
    svchost.exe
    explorer.exe
    netbt.sys
    ipsec.sys
    hlp.dat
    /md5stop
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



#11 SafeDragon

SafeDragon
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 14 April 2012 - 05:39 PM

Wow, okay, that's a lot, but I love how specific and in-depth it is (as well as easy to understand!) which really helps me feel like the PC is getting a good scrubbing :)

I imagine this'll take a bit of time, but I will definitely post the results today, no matter how late it gets!

Thank you!

#12 SafeDragon

SafeDragon
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 14 April 2012 - 07:01 PM

Hi, sorry, the Avast-style scan crashed in the middle.

I have attached pictures to show the errors, and the TDSS info.

Should I restart aswMBR?

Thanks!




#13 SafeDragon

SafeDragon
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 15 April 2012 - 12:56 AM

Sorry to post twice in a row, but I discovered that my display drivers were disabled (I ran dxdiag, with the result in an attached screenshot).

Here is the GPU info:
Intel 82915G/GV/910GL Express Chipset Family

I tried aswMBR again, but it froze again during the engine scan (I saw the word Microsoft I think, and "unPNP"), but I couldn't get a screenshot.

Thank you :)




#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:08 PM

Posted 15 April 2012 - 02:15 AM

Hi SafeDragon,


Please download and install the following driver
http://downloadmirror.intel.com/12536/a08/win2k_xp142550.exe

Let me know if this resolves the issue.

About aswMBR please go ahead and open C:\Windows\Minidump\, copy the *.dmp files to your Desktop, zip them (right-click > Send to > compressed folder) and attach the zip file to your post or upload it here => http://www.filedropper.com/ and post the download link in your next reply. I want to send the files to the developer so he can fix that in the next version.


Now try this for me:

  • Double click the aswMBR.exe icon to run it.
  • The program will offer to download the latest antivirus definitions from Avast servers. Click No.
  • When it's done, in the AV Scan drop-down options choose none.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


Note - do NOT attempt any Fix or FixMBR yet.

If it crashes again, skip that part and proceed with OTL.



Regards,
Georgi

Edited by B-boy/StyLe/, 15 April 2012 - 02:16 AM.



#15 SafeDragon

SafeDragon
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 15 April 2012 - 05:07 PM

Hi!

Unfortunately the PC wouldn't let me install the driver that you gave me, but the HP website had one that did go all the way to the end of the install process (including reboot) and now the display and display software are back to their original state.

I am now proceeding to the next steps you have outlined, but I wanted to let you know that was working, and go ahead and attach the "*.dmp" files.

I also have a copy of a log I made during the second time aswMBR ran, in case it crashed again (it did), and will paste the contents below in case they can be of use. I believe aswMBR also created a small DAT file called "MBR", which I can supply if you think it's useful.

Thank you :)

[Minidump zip:]
http://www.filedropper.com/minidump_1

[aswMBR log:]
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-14 20:07:04
-----------------------------
20:07:04.578 OS Version: Windows 5.1.2600 Service Pack 3
20:07:04.578 Number of processors: 1 586 0x401
20:07:04.578 ComputerName: YOUR-27E1513D96 UserName: HP_Owner
20:07:05.515 Initialize success
20:07:51.468 AVAST engine defs: 12041401
20:08:24.406 The log file has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-14 20:07:04
-----------------------------
20:07:04.578 OS Version: Windows 5.1.2600 Service Pack 3
20:07:04.578 Number of processors: 1 586 0x401
20:07:04.578 ComputerName: YOUR-27E1513D96 UserName: HP_Owner
20:07:05.515 Initialize success
20:07:51.468 AVAST engine defs: 12041401
20:08:24.406 The log file has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\aswMBR.txt"
20:08:46.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
20:08:46.937 Disk 0 Vendor: Maxtor_6L200M0 BANC1G10 Size: 190782MB BusType: 3
20:08:47.015 Disk 0 MBR read successfully
20:08:47.031 Disk 0 MBR scan
20:08:47.875 Disk 0 unknown MBR code
20:08:47.921 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 7692 MB offset 63
20:08:48.937 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 183086 MB offset 15755040
20:08:49.546 Disk 0 scanning sectors +390715920
20:08:50.046 Disk 0 scanning C:\WINDOWS\system32\drivers
20:09:20.687 Service scanning
20:09:51.906 Modules scanning
20:10:14.062 Disk 0 trace - called modules:
20:10:14.203 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
20:10:14.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82d6e920]
20:10:14.312 3 CLASSPNP.SYS[f84d3fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x82d752f0]
20:10:15.734 AVAST engine scan C:\
20:25:54.937 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\MBR.dat"
20:25:55.015 The log file has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\aswMBR.txt"
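As an added example, not code from the thread or from aswMBR's developer: a Python reader for the timestamped line format aswMBR writes, which pulls the "Disk N Partition M ..." records out of the log above into structured form and runs a few sanity checks on them (exactly one partition carries the active flag, partitions do not overlap given their offsets and MB sizes, and any "unknown MBR code" message is surfaced for follow-up against the MBR.dat dump the tool saves). The sample lines reproduce the relevant lines of the log in the post above; the checks and the 2048-sectors-per-MB approximation are this example's own assumptions, and the result is a review list for the analyst, not a decision to run FixMBR.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample in the layout aswMBR writes (timestamp, then message); these lines
# reproduce the partition and MBR lines from the log posted in this thread.
SAMPLE_LOG = """\
20:08:47.015 Disk 0 MBR read successfully
20:08:47.031 Disk 0 MBR scan
20:08:47.875 Disk 0 unknown MBR code
20:08:47.921 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 7692 MB offset 63
20:08:48.937 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 183086 MB offset 15755040
20:10:15.734 AVAST engine scan C:\\
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) (?P<msg>.*)$")
PART_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<num>\d+) "
    r"(?P<boot>[0-9A-F]{2})(?P<active> \(A\))? "   # boot indicator byte; "(A)" marks the active entry
    r"(?P<type>[0-9A-F]{2}) (?P<desc>.+?) "          # partition type byte and its description
    r"(?P<mb>\d+) MB offset (?P<offset>\d+)$"        # size in MB, start offset in 512-byte sectors
)
SECTORS_PER_MB = 2048  # 1 MiB / 512 bytes (assumption: 512-byte sectors)


@dataclass
class Partition:
    disk: int
    num: int
    boot: str
    active: bool
    type_id: str
    desc: str
    size_mb: int
    offset: int

    @property
    def end_sector(self) -> int:
        # Sizes are reported rounded to whole MB, so this is an approximation.
        return self.offset + self.size_mb * SECTORS_PER_MB


def parse_aswmbr(text: str) -> Tuple[List[Partition], List[str]]:
    """Split the log into partition records and the remaining messages."""
    parts, messages = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PART_RE.match(m["msg"])
        if p:
            parts.append(Partition(int(p["disk"]), int(p["num"]), p["boot"],
                                   p["active"] is not None, p["type"], p["desc"],
                                   int(p["mb"]), int(p["offset"])))
        else:
            messages.append(m["msg"])
    return parts, messages


def check_layout(parts: List[Partition], messages: List[str]) -> List[str]:
    """Sanity checks on the partition layout; output is a review list, not a verdict."""
    findings = []
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partition(s); a standard MBR marks exactly one")
    ordered = sorted(parts, key=lambda p: p.offset)
    for a, b in zip(ordered, ordered[1:]):
        if a.end_sector > b.offset:
            findings.append(f"partition {a.num} (ends ~{a.end_sector}) overlaps "
                            f"partition {b.num} (offset {b.offset})")
    for msg in messages:
        if "unknown MBR code" in msg:
            findings.append(f"{msg}: boot code not recognised by the tool; "
                            f"review the saved MBR.dat before considering any FixMBR")
    return findings


def run_sample() -> Tuple[List[Partition], List[str]]:
    """Parse the sample log and return its partitions together with the review list."""
    parts, messages = parse_aswmbr(SAMPLE_LOG)
    return parts, check_layout(parts, messages)


if __name__ == "__main__":
    partitions, review = run_sample()
    for p in partitions:
        print(f"disk {p.disk} part {p.num} type {p.type_id} {p.desc} active={p.active} "
              f"sectors {p.offset}..~{p.end_sector}")
    for item in review:
        print(item)
```

On the sample the layout checks pass (one active partition, the recovery and NTFS partitions do not overlap), so the only item returned is the "unknown MBR code" line, which is exactly the point in this thread where the helper's instruction not to run Fix or FixMBR yet applies.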



