Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Trojan.Agent t1w.OurMimeFilter


  • This topic is locked This topic is locked
12 replies to this topic

#1 DarrylB

DarrylB

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:40 AM

Posted 20 July 2013 - 01:53 AM

WinXP SP3 has been working fine for years. A few days ago Norton Internet Security disappeared from the system tray and I could not find any Norton/Symantec processes running in Task Manager. I could not launch NIS from the desktop icon or via All Programs. Suspicious that some form of malware attack was ongoing I've done the following:

  • attempted to uninstall NIS in add/remove progams and received a message that it was already uninstalled
  • downloaded and ran the Norton removal tool (apparently successfully) and then reinstalled NIS (again, successfully)
  • did a full system scan with NIS and 7 cookies were found and removed
  • ran chkdsk c: /r and no problems found with the hard drive
  • downloaded and ran Malwarebytes AntiMalware and it found 6 problems; the log is attached and refers to Trojan.Agent and t1w.OurMimeFilter. I selected the option to fix/remove the 6 problems.

I've downloaded and run dds.com as instructed and have included the dds.txt contents below. I've attached the attach.txt and the mbam log files.

 

Thank you for your assistance.

 

Darryl

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by MDG User at 0:22:42 on 2013-07-20
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1534.618 [GMT -6:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Argentum Backup\ab.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\OrganizeMY Electronic Filing Cabinet For Dummies\eOrgOE.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.scotiaitrade.com/pages/home/main.shtml
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: <No Name>: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\20.4.0.40\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\20.4.0.40\ips\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - <orphaned>
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.4.0.40\CoIEPlg.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.4.0.40\CoIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Argentum Backup] "c:\program files\argentum backup\ab.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [] c:\program files\internet explorer\iexplore.exe  http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.26&build=Symantec&a=00000082.0000001e.0000004a&b=00000082.00000049.000000b9&c=00000082.000000d4.00000264
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [WUSB54Gv2] c:\program files\linksys wireless-g usb wireless network monitor\InvokeSvc3.exe
mRun: [D-Link D-Link DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe
mRun: [WZCSLDR2] c:\program files\d-link\dwa-125 reva\WZCSLDR2.exe
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\organi~1.lnk - c:\windows\installer\{62ba23c9-51f0-4e55-8cd4-1c548a2e644a}\NewShortcut1_2C368C89F05449A7AF2E7CFBC2032958.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38071.6953356481
DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://globaltec.webex.com/client/T25L/support/ieatgpc.cab
TCP: NameServer = 64.59.135.145 64.59.128.114 192.168.1.1
TCP: Interfaces\{83A5A323-99C3-447C-B0AA-CE00F12FA93A} : DHCPNameServer = 64.59.135.145 64.59.128.114 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages =  msv1_0 relog_ap
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.72\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1404000.028\symds.sys [2013-6-17 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1404000.028\symefa.sys [2013-6-17 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\bashdefs\20130715.001\BHDrvx86.sys [2013-7-19 1002072]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1404000.028\ccsetx86.sys [2013-6-17 134744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1404000.028\ironx86.sys [2013-6-17 175264]
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [2011-7-6 29411]
R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2011-7-6 53248]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\ipsdefs\20130719.002\IDSXpx86.sys [2013-7-19 373728]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\virusdefs\20130719.020\NAVENG.SYS [2013-7-19 93272]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\virusdefs\20130719.020\NAVEX15.SYS [2013-7-19 1611992]
R3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2011-7-6 829152]
S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2011-7-6 126976]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-5-27 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2006-5-27 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2006-5-27 39552]
.
=============== Created Last 30 ================
.
2013-07-20 05:38:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-20 05:38:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-20 03:14:13 -------- d-----w- c:\program files\CCleaner
2013-07-19 21:14:04 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-07-19 21:14:04 -------- d-----w- c:\program files\Symantec
2013-07-19 21:12:45 -------- d-----w- c:\program files\Norton Internet Security
2013-07-19 02:33:17 -------- d-----w- c:\documents and settings\mdg user\application data\Malwarebytes
2013-07-19 02:33:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
.
==================== Find3M  ====================
.
2013-07-20 03:54:28 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-20 03:54:28 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-08 05:55:44 385024 ----a-w- c:\windows\system32\html.iec
2013-06-07 21:56:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-23 05:25:28 934488 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symefa.sys
2013-05-21 05:02:00 367704 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symds.sys
2013-05-16 20:00:58 4840960 ----a-w- c:\windows\system32\cdintf450.dll
2013-05-16 05:02:14 603224 ----a-r- c:\windows\system32\drivers\nis\1404000.028\srtsp.sys
2013-05-09 06:28:02 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30:20 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-25 00:43:56 396760 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symtdi.sys
2013-04-25 00:43:56 352344 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symtdiv.sys
2013-04-25 00:43:56 339544 ----a-r- c:\windows\system32\drivers\nis\1404000.028\symnets.sys
.
============= FINISH:  0:26:05.04 ===============
 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 AM

Posted 22 July 2013 - 12:37 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 DarrylB

DarrylB
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:40 AM

Posted 22 July 2013 - 08:29 AM

Thank you Marius for your time and efforts.

 

Here is the result of the GMER scan:

 

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-22 07:26:26
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160815A rev.3.AAD 149.05GB
Running: qk4qt40w.exe; Driver: C:\DOCUME~1\MDGUSE~1\LOCALS~1\Temp\pxdyapog.sys

---- System - GMER 2.1 ----

SSDT            89EC89D0                                      ZwAlertResumeThread
SSDT            89F58CB0                                      ZwAlertThread
SSDT            89F526E0                                      ZwAllocateVirtualMemory
SSDT            8A14FD58                                      ZwAssignProcessToJobObject
SSDT            8A160B58                                      ZwConnectPort
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwCreateKey [0xB112BED0]
SSDT            89ED8828                                      ZwCreateMutant
SSDT            89E90DC8                                      ZwCreateSymbolicLinkObject
SSDT            8A0D2360                                      ZwCreateThread
SSDT            8A14FE38                                      ZwDebugActiveProcess
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwDeleteKey [0xB112C150]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwDeleteValueKey [0xB112C810]
SSDT            89EDE7C0                                      ZwDuplicateObject
SSDT            89F1F210                                      ZwFreeVirtualMemory
SSDT            89ED88F8                                      ZwImpersonateAnonymousToken
SSDT            89EC88F0                                      ZwImpersonateThread
SSDT            8A086278                                      ZwLoadDriver
SSDT            8A0CE760                                      ZwMapViewOfSection
SSDT            89ED8438                                      ZwOpenEvent
SSDT            89F5E120                                      ZwOpenProcess
SSDT            89FED0F0                                      ZwOpenProcessToken
SSDT            89ED8278                                      ZwOpenSection
SSDT            89ECDB88                                      ZwOpenThread
SSDT            8A14FC68                                      ZwProtectVirtualMemory
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwRenameKey [0xB112CD70]
SSDT            89F58D90                                      ZwResumeThread
SSDT            89EBC918                                      ZwSetContextThread
SSDT            89EC8C68                                      ZwSetInformationProcess
SSDT            89B46EC0                                      ZwSetSystemInformation
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS  ZwSetValueKey [0xB112CA90]
SSDT            89ED8358                                      ZwSuspendProcess
SSDT            8A014178                                      ZwSuspendThread
SSDT            8A1F8778                                      ZwTerminateProcess
SSDT            8A014238                                      ZwTerminateThread
SSDT            89F211A0                                      ZwUnmapViewOfSection
SSDT            89B7C308                                      ZwWriteVirtualMemory

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                      SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\Tcp                     SYMTDI.SYS
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1        snapman.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                     SYMTDI.SYS
AttachedDevice  \Driver\Tcpip \Device\RawIp                   SYMTDI.SYS

---- Disk sectors - GMER 2.1 ----

Disk            \Device\Harddisk0\DR0                         unknown MBR code

---- EOF - GMER 2.1 ----



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 AM

Posted 22 July 2013 - 11:49 PM

Add-/remove programms

Click on start-->control panel.

Vista/7: Open Programs and Features
XP: Open add/remove programs

Search for and remove the following programs

Ask Toolbar
Ask Toolbar Updater

 



Close the window.

 

 

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

 


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 DarrylB

DarrylB
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:40 AM

Posted 23 July 2013 - 01:07 AM

Ask Toolbar and Updater both uninstalled.

 

Combofix ran and here is the report:

 

 

ComboFix 13-07-22.01 - MDG User 22/07/2013  23:26:27.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1534.958 [GMT -6:00]
Running from: c:\documents and settings\MDG User\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\MDG User\Desktop\Setup.exe
c:\windows\Installer\{62BA23C9-51F0-4E55-8CD4-1C548A2E644A}\NewShortcut1_2C368C89F05449A7AF2E7CFBC2032958.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\Email.exe
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET73.tmp
c:\windows\system32\SET7B.tmp
c:\windows\system32\SET7D.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-23 to 2013-07-23  )))))))))))))))))))))))))))))))
.
.
2013-07-20 05:38 . 2013-07-20 05:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-20 05:38 . 2013-04-04 20:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-20 03:14 . 2013-07-20 03:14 -------- d-----w- c:\program files\CCleaner
2013-07-19 21:14 . 2013-07-19 21:14 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-07-19 21:14 . 2013-07-19 21:14 -------- d-----w- c:\program files\Symantec
2013-07-19 21:12 . 2013-07-19 21:12 -------- d-----w- c:\program files\Norton Internet Security
2013-07-19 02:33 . 2013-07-19 02:33 -------- d-----w- c:\documents and settings\MDG User\Application Data\Malwarebytes
2013-07-19 02:33 . 2013-07-19 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-20 03:54 . 2012-04-28 17:35 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-20 03:54 . 2011-06-02 15:08 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 05:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2004-08-24 02:32 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2002-08-29 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2002-08-29 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2002-08-29 12:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-23 05:25 . 2013-06-17 14:16 934488 ----a-r- c:\windows\system32\drivers\NIS\1404000.028\symefa.sys
2013-05-21 05:02 . 2013-06-17 14:16 367704 ----a-r- c:\windows\system32\drivers\NIS\1404000.028\symds.sys
2013-05-16 20:00 . 2011-06-02 15:50 4840960 ----a-w- c:\windows\system32\cdintf450.dll
2013-05-16 05:02 . 2013-06-17 14:16 603224 ----a-r- c:\windows\system32\drivers\NIS\1404000.028\srtsp.sys
2013-05-09 06:28 . 2006-10-19 03:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2002-08-29 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2002-08-29 01:04 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-25 00:43 . 2013-06-17 14:16 396760 ----a-r- c:\windows\system32\drivers\NIS\1404000.028\symtdi.sys
2013-04-25 00:43 . 2013-06-17 14:16 352344 ----a-r- c:\windows\system32\drivers\NIS\1404000.028\symtdiv.sys
2013-04-25 00:43 . 2013-06-17 14:16 339544 ----a-r- c:\windows\system32\drivers\NIS\1404000.028\symnets.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Argentum Backup"="c:\program files\Argentum Backup\ab.exe" [2006-10-16 2036224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-27 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-04-22 54784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-17 87584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-08 65536]
"WUSB54Gv2"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2010-05-21 1024000]
"WZCSLDR2"="c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe" [2010-04-21 122880]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE -b [1997-7-11 51984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1404000.028\symds.sys [17/06/2013 8:16 AM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1404000.028\symefa.sys [17/06/2013 8:16 AM 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20130715.001\BHDrvx86.sys [19/07/2013 5:59 PM 1002072]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1404000.028\ccsetx86.sys [17/06/2013 8:16 AM 134744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1404000.028\ironx86.sys [17/06/2013 8:16 AM 175264]
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [06/07/2011 11:59 AM 29411]
R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [06/07/2011 11:59 AM 53248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [19/07/2013 11:38 PM 418376]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [19/07/2013 3:12 PM 144368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/07/2013 7:02 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20130719.002\IDSXpx86.sys [19/07/2013 7:03 PM 373728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [19/07/2013 11:38 PM 22856]
S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [06/07/2011 11:59 AM 126976]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [19/07/2013 11:38 PM 701512]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [27/05/2006 4:31 PM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [27/05/2006 4:31 PM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [27/05/2006 4:31 PM 39552]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GTNDIS5
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 17:18 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 03:54]
.
2013-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 16:40]
.
2013-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-27 16:40]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.scotiaitrade.com/pages/home/main.shtml
TCP: DhcpNameServer = 64.59.135.145 64.59.128.114 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\OrganizeMY Outlook Express Connector.lnk - c:\windows\Installer\{62BA23C9-51F0-4E55-8CD4-1C548A2E644A}\NewShortcut1_2C368C89F05449A7AF2E7CFBC2032958.exe
AddRemove-W1Z3F33D-CD0C-4AC4-86B4-X11E5511AA18_is1 - c:\program files\GlobalTec Solutions
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-22 23:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1128164811-3476939672-995284317-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\DISPLAY\Default_Monitor\4&4a12248&0&80861100&00&02\LogConf]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\DISPLAY\GSM4313\4&4a12248&0&80861100&00&02\LogConf]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\DISPLAY\IBM1993\4&4a12248&0&80861100&00&02\LogConf]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\DISPLAY\IN-KCH-8XX-CHIPSETS\4&4a12248&0&80863c61&00&02\LogConf]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\DISPLAY\IN-SB-8XX-PLATFORMS\4&4a12248&0&808639f1&00&02\LogConf]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\DISPLAY\MEL6140\4&4a12248&0&80861100&00&02\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(968)
c:\windows\system32\relog_ap.dll
.
Completion time: 2013-07-23  00:01:58
ComboFix-quarantined-files.txt  2013-07-23 06:01
.
Pre-Run: 134,975,930,368 bytes free
Post-Run: 135,726,592,000 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 7BF99C1CFD44EC1699A9F6E6D73074A6
5F8B5082F3482CC06B72EC5806598AE9
 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 AM

Posted 23 July 2013 - 01:26 AM

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 DarrylB

DarrylB
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:40 AM

Posted 23 July 2013 - 11:32 AM

2 items were found with the ESET scan. Here are the results:

 

C:\System Volume Information\_restore{13A0C9FF-2320-429F-832B-9648861A5A8B}\RP2238\A0419453.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\System Volume Information\_restore{13A0C9FF-2320-429F-832B-9648861A5A8B}\RP2279\A0425232.exe a variant of Win32/Bundled.Toolbar.Ask application

 

 

Darryl



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 AM

Posted 23 July 2013 - 11:43 PM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 DarrylB

DarrylB
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:40 AM

Posted 24 July 2013 - 12:06 AM

Everything is running fine. Both scans complete and included below.

 

# AdwCleaner v2.306 - Logfile created 07/23/2013 at 22:47:45
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : MDG User - FREDCOMPUTER
# Boot Mode : Normal
# Running from : C:\Documents and Settings\MDG User\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\MDG User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gkcgjggoajjmljagopjnpjgbddigbcap
Deleted on reboot : C:\Documents and Settings\MDG User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gkcgjggoajjmljagopjnpjgbddigbcap
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask
Folder Deleted : C:\Documents and Settings\MDG User\Local Settings\Application Data\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\gkcgjggoajjmljagopjnpjgbddigbcap
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\gkcgjggoajjmljagopjnpjgbddigbcap
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\46a1e86e065821dade4276712973d0c6-455821110
Key Deleted : HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Documents and Settings\MDG User\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [3886 octets] - [23/07/2013 22:47:45]

########## EOF - C:\AdwCleaner[S1].txt - [3946 octets] ##########

 

 

 

 Results of screen317's Security Check version 0.99.71 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
 ESET Online Scanner v3  
 Norton Internet Security   
`````````Anti-malware/Other Utilities Check:`````````
 Out of date Spybot installed!
 Spybot - Search & Destroy 1.5.2.20
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Java™ 6 Update 39 
 Java 7 Update 21 
 Java version out of Date!
 Adobe Reader XI 
 Google Chrome 28.0.1500.71 
 Google Chrome 28.0.1500.72 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````
 



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 AM

Posted 24 July 2013 - 12:10 AM

Then you´re all clean now! :)

 

 

Please uninstall  Java™ 6 Update 39

Also, you have to update your Spybot.

 

 

Java runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • when finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions. (if existing)
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

 

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  • In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process
  • If there is still something left please delete it manualy.

 

 

 

 

How to protect yourself

  • System Updates
    Beeing up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | windows 8
  • Protection
    What you need is one (not more) good virus scanner with backgroud protection. Additionally I recommend a special malwarescanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: You get only the full protection if you use the payed versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those really have to have an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These link may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. If you burn it to DVDs from time to time, use a cloud-drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you surfing on the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows says and uncheck adware that will be installed along the software you want.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 DarrylB

DarrylB
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:40 AM

Posted 24 July 2013 - 07:33 AM

All done.

 

Thanks for your help.

 

What was the infection that MBAM found? It appears to be a Trojan that either came with the Ask Toolbar or somehow hooked itself into the toolbar.

 

Darryl



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 AM

Posted 24 July 2013 - 07:57 AM

Trojan.Downloader is just a family of files which are known downloading malware. To tell exactly what infections belong to your special file, we must have analyzed it.

The ask toolbar itself is just some kind of adware.

 

And:

 

You´re welcome! :)


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:40 AM

Posted 24 July 2013 - 07:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users