
sporadic redirects by Google Redirect virus


This topic is locked
14 replies to this topic

#1 perplexedone


  • Members
  • 12 posts

Posted 09 July 2012 - 07:49 PM

Hi Bleeping Computer volunteers,

My computer has been infected before by the Google Redirect but I reformatted my PC to get rid of it. That was a while back. Recently I have been getting sporadic redirects when I click on legitimate links I searched on Google. These redirects are to spammy and shady spyware websites.

Please help me.

Posted below is the dds.txt.log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by X at 17:28:12 on 2012-07-09
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1505 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://secure.inetglobal.com/public/login.php
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
uRun: [Akamai NetSession Interface] "c:\documents and settings\x\local settings\application data\akamai\netsession_win.exe"
uRun: [Google Update] "c:\documents and settings\x\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
uPolicies-explorer: <NO NAME> =
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: ryerson.ca\vapps
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D8650CEC-C74B-49A5-97D2-8DA578C6336C} : DhcpNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\x\application data\mozilla\firefox\profiles\dup75rpy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\x\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-31 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-31 353688]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-31 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-31 44808]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-5 136176]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2012-6-19 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2012-6-19 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2012-6-19 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2012-6-19 25088]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [2012-6-19 25728]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-5 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.scr=AutoCADLTScriptFile
.
=============== Created Last 30 ================
.
2012-07-05 19:52:12 309320 ----a-w- c:\windows\system32\drivers\Trufos.sys
2012-07-04 14:05:32 -------- d-----w- c:\documents and settings\x\application data\Malwarebytes
2012-07-04 14:05:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-04 14:05:25 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-04 14:05:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-30 14:50:34 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-30 14:50:34 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-21 18:16:14 9984 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-06-21 14:40:44 -------- d-----w- c:\program files\Unlockroot
2012-06-19 23:41:02 -------- d-----w- c:\program files\PdaNet for Android
2012-06-19 19:44:13 25728 ----a-w- c:\windows\system32\drivers\lgandadb.sys
2012-06-19 19:44:13 25088 ----a-w- c:\windows\system32\drivers\lgandmodem.sys
2012-06-19 19:44:13 20736 ----a-w- c:\windows\system32\drivers\lganddiag.sys
2012-06-19 19:44:13 20096 ----a-w- c:\windows\system32\drivers\lgandgps.sys
2012-06-19 19:44:13 14336 ----a-w- c:\windows\system32\drivers\lgandbus.sys
2012-06-19 19:44:13 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2012-06-19 12:08:26 -------- d-----w- c:\documents and settings\x\.android
2012-06-19 12:07:01 -------- d-----w- c:\program files\Android
2012-06-19 11:57:58 -------- d-----w- c:\program files\LG Electronics
2012-06-17 04:33:14 -------- d-----w- c:\program files\Super Mouse Auto Clicker
.
==================== Find3M ====================
.
2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 17:28:34.51 ===============


#2 D-FRED-BROWN


    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 12 July 2012 - 03:47 PM

Hello perplexedone and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

#3 perplexedone

  • Topic Starter

  • Members
  • 12 posts

Posted 12 July 2012 - 08:07 PM

Hi D-Fred-Brown,

Thanks for your help.

Here is the Combofix.txt

ComboFix 12-07-12.02 - X 07/12/2012 20:50:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1558 [GMT -5:00]
Running from: c:\documents and settings\X\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-13 to 2012-07-13 )))))))))))))))))))))))))))))))
.
.
2012-07-10 16:50 . 2012-07-10 16:50 163644 ----a-w- c:\windows\system32\drivers\SECDRV.SYS
2012-07-05 19:52 . 2012-07-05 19:52 309320 ----a-w- c:\windows\system32\drivers\Trufos.sys
2012-07-05 15:37 . 2012-07-05 15:37 -------- d-----w- c:\documents and settings\Administrator
2012-07-04 14:05 . 2012-07-04 14:05 -------- d-----w- c:\documents and settings\X\Application Data\Malwarebytes
2012-07-04 14:05 . 2012-07-04 14:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-04 14:05 . 2012-07-04 14:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-04 14:05 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 14:50 . 2012-06-30 14:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-30 14:50 . 2012-06-30 14:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-21 18:16 . 2005-12-21 01:11 9984 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-06-21 14:40 . 2012-06-21 14:42 -------- d-----w- c:\program files\Unlockroot
2012-06-19 23:41 . 2012-06-24 18:26 -------- d-----w- c:\program files\PdaNet for Android
2012-06-19 19:44 . 2012-03-02 21:02 25728 ----a-w- c:\windows\system32\drivers\lgandadb.sys
2012-06-19 19:44 . 2012-03-02 21:02 25088 ----a-w- c:\windows\system32\drivers\lgandmodem.sys
2012-06-19 19:44 . 2012-03-02 21:02 20736 ----a-w- c:\windows\system32\drivers\lganddiag.sys
2012-06-19 19:44 . 2012-03-02 21:02 20096 ----a-w- c:\windows\system32\drivers\lgandgps.sys
2012-06-19 19:44 . 2012-03-02 21:02 14336 ----a-w- c:\windows\system32\drivers\lgandbus.sys
2012-06-19 19:44 . 2012-03-02 12:03 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2012-06-19 12:08 . 2012-06-19 19:45 -------- d-----w- c:\documents and settings\X\.android
2012-06-19 12:07 . 2012-06-20 19:48 -------- d-----w- c:\program files\Android
2012-06-19 11:57 . 2012-06-19 19:44 -------- d-----w- c:\program files\LG Electronics
2012-06-17 04:33 . 2012-06-17 05:09 -------- d-----w- c:\program files\Super Mouse Auto Clicker
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 21:42 . 2010-05-12 21:42 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-12 22:22 . 2010-05-12 22:22 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 21:43 . 2010-05-12 21:43 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 21:42 . 2010-05-12 21:42 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 21:42 . 2010-05-12 21:42 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 21:41 . 2010-05-12 21:41 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 21:42 . 2010-05-12 21:42 31160 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 21:42 . 2010-05-12 21:42 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 18:55 . 2010-04-14 18:55 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 21:43 . 2010-05-12 21:43 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-06-30 14:50 . 2012-01-31 17:00 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-01 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-16 137752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2010-08-20 11:03 33120 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 4:22 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2012 9:24 AM 136176]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [6/19/2012 2:44 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [6/19/2012 2:44 PM 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [6/19/2012 2:44 PM 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [6/19/2012 2:44 PM 25088]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [6/19/2012 2:44 PM 25728]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2012 9:24 AM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 9:59 PM 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 30114172
*NewlyCreated* - WS2IFSL
*Deregistered* - 30114172
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-05 14:24]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-05 14:24]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-796845957-725345543-1003Core.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-05-02 02:23]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-796845957-725345543-1003UA.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-05-02 02:23]
.
.
------- Supplementary Scan -------
.
uStart Page = https://secure.inetglobal.com/public/login.php
uInternet Settings,ProxyOverride = <local>
Trusted Zone: ryerson.ca\vapps
FF - ProfilePath - c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\dup75rpy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\X\Local Settings\Application Data\Akamai\netsession_win.exe
SafeBoot-23663778.sys
SafeBoot-77115041.sys
MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-12 20:55
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(2876)
c:\windows\system32\msi.dll
.
Completion time: 2012-07-12 20:56:04
ComboFix-quarantined-files.txt 2012-07-13 01:56
.
Pre-Run: 153,880,399,872 bytes free
Post-Run: 154,844,872,704 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 650834AADFD097281D57E7AA809E7EF0

#4 perplexedone

  • Topic Starter

  • Members
  • 12 posts

Posted 12 July 2012 - 08:08 PM

And here is the checkup.txt


Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 20
Java version out of Date!
Adobe Flash Player 11.1.102.55
Mozilla Firefox (13.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 15% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

#5 perplexedone

  • Topic Starter

  • Members
  • 12 posts

Posted 12 July 2012 - 08:10 PM

Hi D-Fred-Brown,

Additional details: My computer seemed to stop the redirects sometime after I posted the thread. It seems to be ok for now. Is this some latent form of the redirect virus?

Edited by perplexedone, 12 July 2012 - 08:11 PM.


#6 D-FRED-BROWN


    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 12 July 2012 - 10:19 PM

Additional details: My computer seemed to stop the redirects sometime after I posted the thread. It seems to be ok for now. Is this some latent form of the redirect virus?

That is good news! However, we still have some more to clean up, as well as a final antivirus scan to make sure there isn't anything we may have missed. I'll let you know when you're in the clear. :thumbup2:

As for what you specifically had, it's tough to tell... My guess is that you only had a few traces of something that was mostly eliminated. There doesn't appear to be much left of it.

------

Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::
30114172

File::
C:\Windows\System32\Drivers\30114172.sys

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)

Edited by D-FRED-BROWN, 12 July 2012 - 10:23 PM.
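The CFScript above targets a driver whose service name is nothing but a run of digits (30114172), and the earlier ComboFix log shows the same pattern in the SafeBoot-23663778.sys and SafeBoot-77115041.sys orphans; such names carry no vendor identity and are a standard red flag when triaging these logs. As an added example (not code from DDS, ComboFix or either participant in this thread), here is a small Python triage script that parses the three log line formats quoted in the thread, flags numeric-named drivers, and renders them into a CFScript in the same layout the helper used. The regular expressions are written from the quoted log lines; SAMPLE_LOG is constructed (the DDS line naming 30114172 is invented for illustration, since the thread's DDS run did not list that driver), and the path C:\Windows\System32\Drivers\<name>.sys used by build_cfscript is an assumption copied from the helper's own script.

```python
"""Heuristic triage of DDS / ComboFix log lines: flag kernel drivers whose
service name is a bare run of digits (e.g. 30114172) and emit a CFScript.
Example code written for this thread; it is not part of DDS or ComboFix."""
import re
from dataclasses import dataclass
from typing import List

# DDS "SERVICES / DRIVERS" line, as quoted in the thread:
#   R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-31 721000]
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)
# ComboFix "Other Services/Drivers In Memory" line:  *NewlyCreated* - 30114172
CF_MEMORY_RE = re.compile(r"^\*(?P<event>NewlyCreated|Deregistered)\*\s+-\s+(?P<name>\S+)$")
# ComboFix "ORPHANS REMOVED" SafeBoot line:  SafeBoot-23663778.sys
CF_SAFEBOOT_RE = re.compile(r"^SafeBoot-(?P<name>\S+)$")
# A service/driver name that is only 6+ digits, optionally with a .sys suffix.
NUMERIC_NAME_RE = re.compile(r"^\d{6,}(?:\.sys)?$", re.IGNORECASE)

# Constructed sample: the avast/SAS lines and the ComboFix lines mirror the
# thread's logs; the DDS line for 30114172 is invented for illustration.
SAMPLE_LOG = r"""
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-31 721000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 30114172;30114172;c:\windows\system32\drivers\30114172.sys [2012-7-5 12345]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - 30114172
*NewlyCreated* - WS2IFSL
*Deregistered* - 30114172
- - - - ORPHANS REMOVED - - - -
SafeBoot-23663778.sys
SafeBoot-77115041.sys
"""


@dataclass(frozen=True)
class Finding:
    source: str  # which log section the line came from
    name: str    # service / driver name exactly as it appears in the log
    line: str    # the raw log line, kept for the analyst's reference


def is_numeric_name(name: str) -> bool:
    """True for names such as '30114172' or '23663778.sys', False for 'aswSnx'."""
    return NUMERIC_NAME_RE.match(name.strip()) is not None


def scan_log(text: str) -> List[Finding]:
    """Walk DDS or ComboFix output and return every numeric-named driver entry."""
    findings: List[Finding] = []
    parsers = (
        ("dds-service", DDS_SERVICE_RE),
        ("combofix-memory", CF_MEMORY_RE),
        ("combofix-safeboot", CF_SAFEBOOT_RE),
    )
    for raw in text.splitlines():
        line = raw.strip()
        for source, rx in parsers:
            m = rx.match(line)
            if m and is_numeric_name(m.group("name")):
                findings.append(Finding(source, m.group("name"), line))
                break  # one parser per line is enough
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render a ComboFix CFScript in the layout used in this thread.
    Assumption: a driver named N lives at C:\\Windows\\System32\\Drivers\\N.sys,
    which is where the thread's 30114172 driver was."""
    names = set()
    for f in findings:
        n = f.name.lower()
        names.add(n[:-4] if n.endswith(".sys") else n)
    ordered = sorted(names)
    drivers = "\n".join(ordered)
    files = "\n".join("C:\\Windows\\System32\\Drivers\\%s.sys" % n for n in ordered)
    return "KILLALL::\n\nDriver::\n%s\n\nFile::\n%s\n\nReboot::\n" % (drivers, files)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print("[%s] %s: %s" % (f.source, f.name, f.line))
    print(build_cfscript(hits))
```

Run it as-is to see the five flagged entries and the generated script; in practice you would paste a real dds.txt or ComboFix.txt into scan_log and review the findings by hand before acting on any of them, since a numeric name is a heuristic, not proof.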


#7 perplexedone

  • Topic Starter

  • Members
  • 12 posts

Posted 13 July 2012 - 09:33 AM

Whoo, that's good to hear that it's just remnants of infection and nothing too serious.

Anyway, here is the Combofix.txt below



ComboFix 12-07-13.02 - X 07/13/2012 10:08:12.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1535 [GMT -5:00]
Running from: c:\documents and settings\X\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\X\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\System32\Drivers\30114172.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_30114172
.
.
((((((((((((((((((((((((( Files Created from 2012-06-13 to 2012-07-13 )))))))))))))))))))))))))))))))
.
.
2012-07-13 02:13 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-13 02:13 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-13 02:13 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-13 02:13 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-13 02:13 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-13 02:13 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-07-13 02:13 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-07-13 02:13 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-07-13 02:13 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-07-13 02:13 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-10 16:50 . 2012-07-10 16:50 163644 ----a-w- c:\windows\system32\drivers\SECDRV.SYS
2012-07-05 19:52 . 2012-07-05 19:52 309320 ----a-w- c:\windows\system32\drivers\Trufos.sys
2012-07-05 15:37 . 2012-07-05 15:37 -------- d-----w- c:\documents and settings\Administrator
2012-07-04 14:05 . 2012-07-04 14:05 -------- d-----w- c:\documents and settings\X\Application Data\Malwarebytes
2012-07-04 14:05 . 2012-07-04 14:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-04 14:05 . 2012-07-04 14:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-04 14:05 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-30 14:50 . 2012-06-30 14:50 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-30 14:50 . 2012-06-30 14:50 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-21 18:16 . 2005-12-21 01:11 9984 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-06-21 14:40 . 2012-06-21 14:42 -------- d-----w- c:\program files\Unlockroot
2012-06-19 23:41 . 2012-06-24 18:26 -------- d-----w- c:\program files\PdaNet for Android
2012-06-19 19:44 . 2012-03-02 21:02 25728 ----a-w- c:\windows\system32\drivers\lgandadb.sys
2012-06-19 19:44 . 2012-03-02 21:02 25088 ----a-w- c:\windows\system32\drivers\lgandmodem.sys
2012-06-19 19:44 . 2012-03-02 21:02 20736 ----a-w- c:\windows\system32\drivers\lganddiag.sys
2012-06-19 19:44 . 2012-03-02 21:02 20096 ----a-w- c:\windows\system32\drivers\lgandgps.sys
2012-06-19 19:44 . 2012-03-02 21:02 14336 ----a-w- c:\windows\system32\drivers\lgandbus.sys
2012-06-19 19:44 . 2012-03-02 12:03 1419232 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2012-06-19 12:08 . 2012-06-19 19:45 -------- d-----w- c:\documents and settings\X\.android
2012-06-19 12:07 . 2012-06-20 19:48 -------- d-----w- c:\program files\Android
2012-06-19 11:57 . 2012-06-19 19:44 -------- d-----w- c:\program files\LG Electronics
2012-06-17 04:33 . 2012-06-17 05:09 -------- d-----w- c:\program files\Super Mouse Auto Clicker
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 21:42 . 2010-05-12 21:42 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-12 22:22 . 2010-05-12 22:22 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 21:43 . 2010-05-12 21:43 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 21:42 . 2010-05-12 21:42 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 21:42 . 2010-05-12 21:42 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 21:41 . 2010-05-12 21:41 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 21:42 . 2010-05-12 21:42 31160 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 21:42 . 2010-05-12 21:42 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 18:55 . 2010-04-14 18:55 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 21:43 . 2010-05-12 21:43 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-06-30 14:50 . 2012-01-31 17:00 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-01 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-07-13_01.55.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-13 15:16 . 2012-07-13 15:16 16384 c:\windows\temp\Perflib_Perfdata_64c.dat
+ 2001-08-18 11:00 . 2012-07-13 15:01 75416 c:\windows\system32\perfc009.dat
- 2001-08-18 11:00 . 2012-07-13 01:48 75416 c:\windows\system32\perfc009.dat
+ 2001-08-18 11:00 . 2012-07-13 15:01 455504 c:\windows\system32\perfh009.dat
- 2001-08-18 11:00 . 2012-07-13 01:48 455504 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-16 137752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2010-08-20 11:03 33120 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/12/2012 9:13 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/12/2012 9:13 PM 314456]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 4:22 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/12/2012 9:13 PM 20568]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2012 9:24 AM 136176]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [6/19/2012 2:44 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [6/19/2012 2:44 PM 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [6/19/2012 2:44 PM 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [6/19/2012 2:44 PM 25088]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [6/19/2012 2:44 PM 25728]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/5/2012 9:24 AM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 9:59 PM 113120]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-05 14:24]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-05 14:24]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-796845957-725345543-1003Core.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-05-02 02:23]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-796845957-725345543-1003UA.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-05-02 02:23]
.
.
------- Supplementary Scan -------
.
uStart Page = https://secure.inetglobal.com/public/login.php
uInternet Settings,ProxyOverride = <local>
Trusted Zone: ryerson.ca\vapps
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\dup75rpy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-13 10:17
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-07-13 10:19:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-13 15:19
ComboFix2.txt 2012-07-13 01:56
.
Pre-Run: 154,364,104,704 bytes free
Post-Run: 154,381,045,760 bytes free
.
- - End Of File - - 6DB05F4E8816D9B2757E67E36D3244B6

#8 D-FRED-BROWN
    Resident Bracketologist
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 13 July 2012 - 01:45 PM

Looking good. :thumbup2:

Please run this online scan to verify there aren't any possible remaining traces left:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#9 perplexedone
  • Topic Starter
  • Members
  • 12 posts

Posted 13 July 2012 - 07:40 PM

Thanks again D-Fred-Brown,

Here is the ESET scan log.


thanks.



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=36882
# version=7
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ea93b367aff6ac40b0599512c961eb96
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-13 11:45:09
# local_time=2012-07-13 06:45:09 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=52707
# found=3
# cleaned=0
# scan_time=2803
C:\Documents and Settings\X\Local Settings\Application Data\{AADFA74A-AA0C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\X\My Documents\Downloads\unlockroot23-eng.exe a variant of Win32/Packed.VProtect.C application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Unlockroot\unlockroot.exe a variant of Win32/Packed.VProtect.C application (unable to clean) 00000000000000000000000000000000 I

#10 D-FRED-BROWN
    Resident Bracketologist
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 14 July 2012 - 12:01 PM

Go ahead and run the scan again, but this time, leave Remove found threats and Scan unwanted applications both Checked.

#11 perplexedone
  • Topic Starter
  • Members
  • 12 posts

Posted 14 July 2012 - 05:34 PM

Here is the log for the second scan. I didn't delete the quarantined files. Note: 2 of the 4 malicious items are the program (UnRootme) I used to unroot my Android. Has this program been known to be malicious? Because it did unroot my phone.

Thanks.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=36882
# version=7
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ea93b367aff6ac40b0599512c961eb96
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-13 11:45:09
# local_time=2012-07-13 06:45:09 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=52707
# found=3
# cleaned=0
# scan_time=2803
C:\Documents and Settings\X\Local Settings\Application Data\{AADFA74A-AA0C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\X\My Documents\Downloads\unlockroot23-eng.exe a variant of Win32/Packed.VProtect.C application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Unlockroot\unlockroot.exe a variant of Win32/Packed.VProtect.C application (unable to clean) 00000000000000000000000000000000 I
# version=7
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ea93b367aff6ac40b0599512c961eb96
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-14 10:19:25
# local_time=2012-07-14 05:19:25 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=52316
# found=4
# cleaned=4
# scan_time=2692
C:\Documents and Settings\X\Local Settings\Application Data\{AADFA74A-AA0C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\X\My Documents\Downloads\unlockroot23-eng.exe a variant of Win32/Packed.VProtect.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Unlockroot\unlockroot.exe a variant of Win32/Packed.VProtect.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{502C8386-670B-4185-843F-69B0CA1D00BC}\RP129\A0025740.exe a variant of Win32/Packed.VProtect.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
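
As an added example (not part of this thread and not ESET's own code), a small Python parser for the log.txt format posted above. ESET appends each run to the same file, so the parser splits the runs at their "# version=" headers and summarizes why the first run left every item "unable to clean" (Remove found threats unticked) while the second run quarantined them. The sample log is constructed from lines in the posts above; the detection-line layout is inferred from those lines, not from ESET documentation.

```python
import re

# Constructed sample in the ESET Online Scanner log.txt format seen in this thread:
# two runs appended to one file, each beginning with a "# version=" header line.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# found=2
# cleaned=0
C:\Documents and Settings\X\Local Settings\Application Data\{AADFA74A-AA0C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Unlockroot\unlockroot.exe a variant of Win32/Packed.VProtect.C application (unable to clean) 00000000000000000000000000000000 I
# version=7
# remove_checked=true
# found=2
# cleaned=2
C:\Documents and Settings\X\Local Settings\Application Data\{AADFA74A-AA0C-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Unlockroot\unlockroot.exe a variant of Win32/Packed.VProtect.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# One detection line: <path> <threat name> (<action>) <32-hex hash> <status flag>.
# Windows paths never contain "/", while ESET names do (JS/..., Win32/...), so the
# non-greedy path stops at the first token carrying a slash (or "a variant of").
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:a variant of )?\S+/\S+.*?) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>[A-Z])$"
)

def parse_eset_log(text):
    """Split an appended log.txt into runs: {'settings': {...}, 'detections': [...]}."""
    runs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# version="):     # header of a new run
            runs.append({"settings": {}, "detections": []})
        if not runs:
            continue                          # installer chatter before the first run
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            runs[-1]["settings"][key] = value.strip('"')
        elif (m := DETECTION_RE.match(line)):
            runs[-1]["detections"].append(m.groupdict())
    return runs

def unresolved(run):
    """Detections not removed: flag 'C' marks a cleaned item, anything else is still present."""
    return [d for d in run["detections"] if d["flag"] != "C"]

def summarize(text):
    """Per run: (remove_checked, found, cleaned, detections still unresolved)."""
    return [(run["settings"].get("remove_checked") == "true", int(run["settings"].get("found", 0)),
             int(run["settings"].get("cleaned", 0)), len(unresolved(run)))
            for run in parse_eset_log(text)]
```

Running `summarize(SAMPLE_LOG)` returns `[(False, 2, 0, 2), (True, 2, 2, 0)]`: the first run only reported, the second run (Remove found threats ticked) quarantined both items.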

#12 D-FRED-BROWN
    Resident Bracketologist
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 14 July 2012 - 07:04 PM

Note: 2 of the 4 malicious items are the program (UnRootme) I used to unroot my Android. Has this program been known to be malicious? Because it did unroot my phone.

I can't seem to dig up much information about it, but that doesn't mean that it's suspicious.

I own an Android phone myself, but know very little about "rooting" :blush:. I'll link you to some articles that also mention rooting software; perhaps you might want to use one of these in the future, as they appear to be reputable.
I hope that helps.



Now that your system is clean, let's update some of your programs. Program updates are a crucial measure to ensure your computer is safer from malware.

----------Step 1----------------
Before anything else, please set a new restore point. In case anything bad should happen, you'll be able to revert back to this current state.
  • Instructions are provided here by Microsoft.

----------Step 2----------------
Please consider updating to the latest Windows Service Pack.
  • Windows Service Pack 3 (SP3) contains critical security updates released since SP1 and SP2 plus support for new types of hardware and emerging hardware standards.
  • Please visit: Windows Update to download the latest Service Pack.
  • NOTE: you will have to install SP2 and a number of other updates before SP3. However, all of this will leave you much safer than before.

----------Step 3----------------
You are using Internet Explorer version 7. The latest version is 8. Using an outdated version of a web browser leaves you extremely vulnerable to malware!

----------Step 4----------------
Java is out of date and older versions contain vulnerabilities. Please update to the newest version.
  • Download the newest version from here http://java.com/en/download/index.jsp.
  • It's important to remove older versions of Java since it does not do so automatically, and old versions still leave you vulnerable.
  • Go to Start > Control Panel and open Add or Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment).
  • They will have this icon next to them: [Java icon image]
  • Select each in turn and click Remove.
  • Once old versions are gone, please install the newest version.

----------Step 5----------------
Please let me know how the updates go, as failed updates may indicate additional malware.

#13 perplexedone
  • Topic Starter
  • Members
  • 12 posts

Posted 14 July 2012 - 10:18 PM

Really? Well, if you got into it, I'm sure you would be an expert in no time.

Thank you so much for helping me. One more thing: if I don't use IE almost at all, should I still update it? (I'm a Firefox user through and through.)

#14 D-FRED-BROWN
    Resident Bracketologist
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 15 July 2012 - 12:03 PM

Really? Well, if you got into it, I'm sure you would be an expert in no time.

Cheers. :) I'll have to look into it one of these days!

Thank you so much for helping me. One more thing: if I don't use IE almost at all, should I still update it? (I'm a Firefox user through and through.)

My pleasure! Yes, I recommend that you still update it. Just because you don't use IE doesn't mean that it can't be used by malware. As long as it's out-of-date, you're at a pretty substantial risk.

#15 D-FRED-BROWN
    Resident Bracketologist
  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 01 August 2012 - 02:04 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
