
Possible Malware..Help Please


  • This topic is locked
16 replies to this topic

#1 splitbowman

  • Members
  • 10 posts

Posted 29 August 2013 - 01:58 PM

When I open the internet I get the security warning telling me that not all information has been sent securely and do I want to open. I also get a pop-up from FoodBuzz. DDS files attached:

 

If any assistance can be provided I'd appreciate it. 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by POS1 at 13:45:44 on 2013-08-29
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2039.210 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Documents and Settings\POS1\Application Data\SearchProtect\bin\cltmng.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\SearchProtect\bin\CltMngSvc.exe
C:\Program Files\FoodBuzz\Update\FoodBuzzUpdate.exe
C:\Program Files\GRBakPro\GRSrv.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\GRBakPro\GRBakPro.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\PCCW\Pccw.Exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\tgswin\winapps\MainMenu.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\dllhost.exe
C:\tgswin\winapps\POSINIT.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = <local>
uURLSearchHooks: MixiDJ V30 Toolbar: {1122b43d-30ee-403f-9bfa-3cc99b0caddd} - c:\program files\mixidj_v30\prxtbMixi.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: MixiDJ V30 Toolbar: {1122b43d-30ee-403f-9bfa-3cc99b0caddd} - c:\program files\mixidj_v30\prxtbMixi.dll
BHO: FoodBuzz: {1C6E034D-B4B6-4D96-94B5-4163A5EB2195} - c:\program files\foodbuzz\extension\adxloader.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - c:\program files\wot\WOT.dll
TB: MixiDJ V30 Toolbar: {1122B43D-30EE-403F-9BFA-3CC99B0CADDD} - c:\program files\mixidj_v30\prxtbMixi.dll
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - c:\program files\wot\WOT.dll
TB: MixiDJ V30 Toolbar: {1122b43d-30ee-403f-9bfa-3cc99b0caddd} - c:\program files\mixidj_v30\prxtbMixi.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [2FFBEEE19924D59FECA65A31887627DC83453CC0._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ConduitFloatingPlugin_fdkednngfjmpnljkolbapdednncafhen] "c:\windows\system32\rundll32.exe" "c:\program files\conduit\ct3298566\plugins\TBVerifier.dll",RunConduitFloatingPlugin fdkednngfjmpnljkolbapdednncafhen
uRun: [SearchProtect] c:\documents and settings\pos1\application data\searchprotect\bin\cltmng.exe
uRun: [BrowserSafeguard] c:\program files\browsersafeguard\Browsersafeguard.exe
uRun: [FoodBuzzUpdate] c:\program files\foodbuzz\update\FoodBuzzUpdate.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SearchProtectAll] c:\program files\searchprotect\bin\cltmng.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 10.1.10.1
TCP: Interfaces\{63A83616-EDC8-4206-9491-03D3BACFA475} : DHCPNameServer = 10.1.10.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs=  
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1    www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 255968]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-5-8 97056]
R2 GRBackProGRSrv.exe;GRBackPro;c:\program files\grbakpro\GRSrv.exe [2008-9-4 69632]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-8-6 799256]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-4-12 167264]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2008-10-3 26304]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\sminst\virtdisk.sys [2008-8-6 57344]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\microsoft point of service\Microsoft.PointOfService.Service.exe [2008-2-29 42056]
.
=============== File Associations ===============
.
ShellExec: pdfvista.exe: Open="c:\program files\pdf complete\pdfvista.exe"
ShellExec: pdfvista.exe: Read="c:\program files\pdf complete\pdfvista.exe"
.
=============== Created Last 30 ================
.
2013-08-28 15:27:17    --------    d-----w-    c:\documents and settings\pos1\application data\PriceGong
2013-08-28 15:09:46    --------    d-----w-    c:\program files\FoodBuzz
2013-08-28 15:09:26    --------    d-----w-    c:\program files\Browsersafeguard
2013-08-28 15:08:58    --------    d-----w-    c:\documents and settings\pos1\local settings\application data\MixiDJ_V30
2013-08-28 15:08:57    --------    d-----w-    c:\program files\MixiDJ_V30
2013-08-28 15:08:40    770384    ----a-w-    c:\windows\system32\msvcr100.dll
2013-08-28 15:08:40    421200    ----a-w-    c:\windows\system32\msvcp100.dll
2013-08-28 15:08:40    --------    d-----w-    c:\program files\SearchProtect
2013-08-28 15:08:32    --------    d-----w-    c:\documents and settings\pos1\application data\SearchProtect
2013-08-28 15:08:31    --------    d-----w-    c:\program files\Conduit
2013-08-28 15:08:31    --------    d-----w-    c:\documents and settings\pos1\local settings\application data\CRE
2013-08-28 15:08:31    --------    d-----w-    c:\documents and settings\pos1\local settings\application data\Conduit
2013-08-15 15:04:25    --------    d-----w-    c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-08-29 18:17:22    60    ----a-w-    c:\windows\wpd99.drv
2013-07-31 20:11:22    810496    ------w-    c:\windows\system32\wmvdmod.dll
2013-07-26 02:47:17    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-07-26 02:47:13    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59    385024    ----a-w-    c:\windows\system32\html.iec
2013-07-24 14:59:14    71048    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-24 14:59:14    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-10 10:37:53    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03:25    2149888    ------w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30    2028544    ------w-    c:\windows\system32\ntkrnlpa.exe
2013-06-25 14:52:16    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-25 14:52:15    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-25 14:52:15    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-25 14:52:15    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-04 07:23:02    562688    ------w-    c:\windows\system32\qedit.dll
2013-06-04 01:40:45    1876736    ------w-    c:\windows\system32\win32k.sys
2012-02-01 19:01:19    5154304    ----a-w-    c:\program files\WindowsDefender.msi
.
============= FINISH: 13:46:17.45 ===============
 



Edited by Noviciate, 29 August 2013 - 03:56 PM.
Log added from attachment.




#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 29 August 2013 - 04:03 PM

Good evening. :)

 

When I open the internet I get the security warning telling me that not all information has been sent securely and do I want to open.

Does this warning have any indication as to what its origin is, and what is it that it is offering to open?


So long, and thanks for all the fish.

 

 


#3 splitbowman

  • Topic Starter
  • Members
  • 10 posts

Posted 29 August 2013 - 04:35 PM

It is an Internet Explorer warning. The warning is as follows:

 

Security Warning

Do you want to view only the webpage that was delivered securely?

 

This webpage contains content that will not be delivered using a secure HTTPS connection,

which could compromise the security of the entire webpage.

 

This warning comes up at any website I open.

 

What I am more concerned with is the small window in the lower right corner that pops up from something called FoodBuzz. It is offering me the chance to purchase different anti-virus software. I just tried to get the FoodBuzz window to pop up, but the internet freezes now and I get: not responding

 

 



#4 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 30 August 2013 - 02:01 PM

Good evening. :)

OK, we'll start with FoodBuzz - you should find an entry for this in your Program list in the Control Panel that you can uninstall. Do so and then take the browser for a spin and see if that solves that bit.


So long, and thanks for all the fish.

 

 


#5 splitbowman

  • Topic Starter
  • Members
  • 10 posts

Posted 30 August 2013 - 03:06 PM

FoodBuzz was in the program list in the Control Panel. Removing it has removed the warning I was receiving, and I am not getting that pop-up. Thanks.



#6 splitbowman

  • Topic Starter
  • Members
  • 10 posts

Posted 30 August 2013 - 03:09 PM

Also... I noticed a new icon in my toolbar. It's called "Browser Safeguard". Any idea what this is or if it's malicious? Thanks



#7 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 31 August 2013 - 02:16 PM

Good evening. :)

 

There is an entry for that in the log that you originally posted, so you've had it for a bit - there is a web page for an app of the same name here. Did you by any chance visit it and download the same?


So long, and thanks for all the fish.
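Noviciate's point above is that the DDS log already recorded Browser Safeguard, and that its creation timestamp sits next to the other additions. The Python script below is an added example, not part of this thread and not part of the DDS tool: it parses the "Created Last 30" block pasted in post #1 (embedded here as a constructed sample copied from that log), groups entries created within a short window of each other, and marks paths that match a hypothetical watchlist built only from the names discussed in this thread. On this log, eleven of the thirteen entries land within 75 seconds of each other on 2013-08-28, which is the shape a bundled installer leaves when it drops several programs in one run.

```python
import re
from datetime import datetime

# Constructed sample input: the "Created Last 30" block from the DDS log in post #1,
# copied verbatim. These are entries from that posted log, not from a live system.
SAMPLE_CREATED_LAST_30 = r"""
2013-08-28 15:27:17    --------    d-----w-    c:\documents and settings\pos1\application data\PriceGong
2013-08-28 15:09:46    --------    d-----w-    c:\program files\FoodBuzz
2013-08-28 15:09:26    --------    d-----w-    c:\program files\Browsersafeguard
2013-08-28 15:08:58    --------    d-----w-    c:\documents and settings\pos1\local settings\application data\MixiDJ_V30
2013-08-28 15:08:57    --------    d-----w-    c:\program files\MixiDJ_V30
2013-08-28 15:08:40    770384    ----a-w-    c:\windows\system32\msvcr100.dll
2013-08-28 15:08:40    421200    ----a-w-    c:\windows\system32\msvcp100.dll
2013-08-28 15:08:40    --------    d-----w-    c:\program files\SearchProtect
2013-08-28 15:08:32    --------    d-----w-    c:\documents and settings\pos1\application data\SearchProtect
2013-08-28 15:08:31    --------    d-----w-    c:\program files\Conduit
2013-08-28 15:08:31    --------    d-----w-    c:\documents and settings\pos1\local settings\application data\CRE
2013-08-28 15:08:31    --------    d-----w-    c:\documents and settings\pos1\local settings\application data\Conduit
2013-08-15 15:04:25    --------    d-----w-    c:\windows\system32\MRT
"""

# Hypothetical watchlist assembled from names that appear in this thread's log.
# A real triage would use a maintained adware/PUP list instead of this short tuple.
WATCHLIST = ("conduit", "searchprotect", "mixidj", "foodbuzz", "browsersafeguard", "pricegong")

# DDS line layout: timestamp, size (or dashes), attribute flags, then the path (may contain spaces).
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_created(text):
    """Parse DDS 'Created Last 30' lines into dicts, returned oldest-first."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, dots and blank lines are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append({"time": ts, "size": m.group(2), "attrs": m.group(3), "path": m.group(4)})
    entries.sort(key=lambda e: e["time"])
    return entries


def cluster_by_time(entries, window_seconds=120):
    """Group consecutive entries whose creation time is within window_seconds of the
    previous entry. Many new directories in one short burst is the fingerprint of a
    bundled installer dropping several programs at once."""
    clusters = []
    for e in entries:
        if clusters and (e["time"] - clusters[-1][-1]["time"]).total_seconds() <= window_seconds:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def flag_watchlist(entries, watchlist=WATCHLIST):
    """Return entries whose path contains any watchlist name (case-insensitive)."""
    return [e for e in entries if any(w in e["path"].lower() for w in watchlist)]


def triage(text, window_seconds=120, watchlist=WATCHLIST):
    """Summarise a 'Created Last 30' block: entry count, bursts, and watchlist hits."""
    entries = parse_created(text)
    clusters = cluster_by_time(entries, window_seconds)
    biggest = max(clusters, key=len) if clusters else []
    span = (biggest[-1]["time"] - biggest[0]["time"]).total_seconds() if biggest else 0
    return {
        "entries": len(entries),
        "clusters": clusters,
        "burst_size": len(biggest),
        "burst_span_seconds": span,
        "burst_start": biggest[0]["time"] if biggest else None,
        "flagged": flag_watchlist(entries, watchlist),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_CREATED_LAST_30)
    print(f"{r['entries']} entries; largest burst: {r['burst_size']} items "
          f"within {r['burst_span_seconds']:.0f}s starting {r['burst_start']}")
    for e in r["flagged"]:
        print("  watchlist hit:", e["time"], e["path"])
```

Run it as a script to print the burst and the watchlist hits. The window and the watchlist are parameters, so the same parser can be pointed at any DDS log; the burst grouping is what tells you that the toolbar, the search hijacker and the pop-up source arrived together rather than as separate user choices.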

 

 


#8 splitbowman

  • Topic Starter
  • Members
  • 10 posts

Posted 02 September 2013 - 08:27 AM

I did find the program in the control panel list. I did not download that program. I did delete the program from the computer.

#9 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 02 September 2013 - 02:42 PM

Good evening. :)

Can you tell me now how the system is behaving?


So long, and thanks for all the fish.

 

 


#10 splitbowman

  • Topic Starter
  • Members
  • 10 posts

Posted 02 September 2013 - 03:12 PM

Most websites appear to be functioning properly. I occasionally receive the warning about how not all information was delivered securely and do I want to display all content. It's somewhat infrequent.

#11 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 02 September 2013 - 03:41 PM

Can you confirm for me which browser you are using and which version it is?


So long, and thanks for all the fish.

 

 


#12 splitbowman

  • Topic Starter
  • Members
  • 10 posts

Posted 02 September 2013 - 03:58 PM

Internet Explorer version 8

#13 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 02 September 2013 - 04:31 PM

Ideally you need to find a new browser as IE8 is no longer supported by Microsoft, which makes for an insecure browsing experience, and XP doesn't have a newer version available to it. If you choose not to however, then the following link should solve your problem: http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/security-warning-do-you-want-to-view-only-the-web/e7526a5f-f953-4235-90c3-004f9b973585

 

Please do consider a newer browser though - Opera, Firefox, Chrome, to name but three are free.


So long, and thanks for all the fish.

 

 


#14 splitbowman

  • Topic Starter
  • Members
  • 10 posts

Posted 03 September 2013 - 10:16 AM

I did make the switch to Chrome.  Thanks for the advice and notice.  So far I am not experiencing any issues on Chrome.



#15 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 03 September 2013 - 01:59 PM

Good evening. :)

Assuming that all is well, I'd say you were done.


So long, and thanks for all the fish.

 

 




