TechSpot

Malware - AVSuite, Virtumonde, Smitfraud + Google Redirects

By shebagrl
Jul 12, 2010
  1. Four days ago, behind a locked wifi network on an XP machine, I was using Firefox normally, Googling away. Within 10 minutes, the fake AV popups started (AVSecuritySuite). I checked and was still firewalled, in addition to running Norton Corporate Edition (virus definitions last updated 3 or 4 days prior). I immediately disconnected from the network and tried to close the programs, but was prevented from even opening msconfig. I rebooted normally and immediately opened msconfig (it seems there's a delay before the malware runs after a reboot). I booted into safe mode and ran a full AV scan, but nothing was found. I ran Spybot, and AVSuite, Virtumonde and Smitfraud were found. I "removed" them through Spybot, then followed Norton's instructions on how to remove lingering elements (disable System Restore, update virus definitions, run a full AV scan, delete the added values in the registry). I have yet to re-enable System Restore because, after those steps, I got Google redirects to ad sites. After a few more scans, some noodling around, and a dozen reboots in and out of safe mode, the redirects have stopped, as have the pop-ups. I'd like to get my system safe enough to re-enable the system restore point. If you could help me, I would really appreciate it.

    I followed your 6 removal instructions and the logs are attached.

    Thanks in advance for your help!
     


  2. Bobbye

    Bobbye, Helper on the Fringe

    Okay, I'll check these logs. In the meantime, please run the following:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install the Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow it.
       Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    Re-enable your Antivirus software.


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  3. Bobbye

    For the record, you didn't find Combofix in the steps! Please run Malwarebytes, which is included in Step 3: you would have found that it removes much of the malware: http://www.techspot.com/vb/topic58138.html

    We don't remove the old restore points until the end of cleaning. Someday, Norton might catch on as to why they shouldn't be disabled at the beginning!

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  4. shebagrl

    shebagrl, TS Rookie, Topic Starter

    I'm sorry, I had attached the wrong log file! I had run ComboFix prior to finding your instructions. Oops!

    I had run MBAM before, but mistook its log file for that of the first ComboFix log when I first created this thread.

    I have rerun MBAM and attached both the old and new logs. The combofix (fresh download) log and eset logs are attached, also. The results of the Eset scan show win32/bagle.gen.zip and a variant of win32/cimag.cw trojan were found.

    Edit: Just a few mins ago, Norton auto-protect came up with a message that a risk was found (Backdoor.Tidserv!inf) but it could not be quarantined or removed. I've copied the information and pasted below:

    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Risk: Backdoor.Tidserv!inf
    File: C:\System Volume Information\_restore{C4F251F9-D782-4487-9D6F-8D3C08306253}\RP2\A0001471.sys
    Location: Unknown Storage
    Computer: COLD_LAMPIN
    User: COLD_LAMPIN\SYSTEM
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Monday, July 12, 2010 4:51:28 PM
     


  5. Bobbye

    The Eset log shows 2 entries; both have already been handled. Qoobox is where Combofix puts the quarantined files, so that entry has been handled. The other is the entry Spybot has quarantined, so go into that program and delete those files.

    Regarding the Norton auto-protect:
    File: C:\System Volume Information\_ is where the system restore points are held. Not to worry - it's not active in the system and will be removed at the end of cleaning. At some point you must have had the TDSS server malware and it was removed.

    The reason you see "Action taken: Clean failed : Quarantine failed : Access denied" is because this is a System Folder and Norton can't remove it. Maybe someone will write their program not to even try to remove it and alarm the user! The only danger it presents is if you did a System Restore and should happen to pick the date the malware got into the restore point.

    Both of the Mbam logs are clean.
    ==================================
    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip
    c:\windows\Hmuvasoyuyebi.dat
    c:\windows\Bdanitubalikoqa.bin
    
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    
    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\ppggwhjei
    c:\documents and settings\shebagrl\Local Settings\Application Data\qrxxbvjmy
    c:\documents and settings\LocalService\UserData
    
    Registry::
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please uninstall these versions of Java in Add/Remove Programs: They are vulnerabilities.
    Java(TM) 6 Update 10
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Install the current version v6u20: Check this site for Java Updates
    =====================
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Please paste the new Combofix report and HijackThis log in your next reply.
     
  6. shebagrl

    OK, I did all of those steps (thanks for the java uninstall tip - I had no idea!)

    Here is the Combofix log:

    ComboFix 10-07-12.02 - shebagrl 07/12/2010 20:55:46.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.387 [GMT -4:00]
    Running from: c:\documents and settings\shebagrl\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\shebagrl\My Documents\Downloads\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip"
    "c:\windows\Bdanitubalikoqa.bin"
    "c:\windows\Hmuvasoyuyebi.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip
    c:\documents and settings\LocalService\UserData
    c:\documents and settings\LocalService\UserData\index.dat
    c:\documents and settings\LocalService\UserData\TGWJXPG1\pmocntr[1].xml
    c:\documents and settings\NetworkService\Local Settings\Application Data\ppggwhjei
    c:\documents and settings\shebagrl\Local Settings\Application Data\qrxxbvjmy
    c:\windows\Bdanitubalikoqa.bin
    c:\windows\Hmuvasoyuyebi.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
    .

    2010-07-10 20:50 . 2010-07-10 20:50 -------- d-----w- c:\program files\ESET
    2010-07-10 14:16 . 2010-07-10 14:16 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-07-10 14:16 . 2010-07-10 14:16 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-07-10 14:16 . 2010-07-10 14:16 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-07-10 14:15 . 2010-06-07 23:57 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-07-10 14:15 . 2010-06-07 23:57 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-07-09 16:35 . 2010-07-09 16:35 -------- d-----w- c:\documents and settings\shebagrl\Application Data\Malwarebytes
    2010-07-09 16:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-09 16:35 . 2010-07-12 16:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-09 16:35 . 2010-07-09 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-09 16:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-08 23:18 . 2010-07-08 23:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-07-08 18:53 . 2010-07-08 18:53 -------- d-----w- c:\documents and settings\shebagrl\Local Settings\Application Data\{2C062FEB-6192-4838-AF45-F5216B3FD845}
    2010-07-01 21:17 . 2010-07-01 21:17 -------- d-----w- c:\program files\iPod
    2010-07-01 21:17 . 2010-07-01 21:18 -------- d-----w- c:\program files\iTunes
    2010-07-01 21:17 . 2010-07-01 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-01 21:10 . 2010-07-01 21:10 -------- d-----w- c:\program files\Bonjour
    2010-07-01 21:05 . 2010-07-01 21:05 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-20 21:26 . 2001-08-18 02:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2010-06-20 21:26 . 2001-08-18 02:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2010-06-20 21:26 . 2001-08-18 02:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2010-06-20 21:26 . 2001-08-18 02:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2010-06-20 21:26 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2010-06-20 21:26 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2010-06-20 21:26 . 2001-08-17 18:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2010-06-20 21:26 . 2001-08-17 18:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2010-06-20 21:26 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2010-06-20 21:26 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101b.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-13 00:52 . 2008-02-11 02:03 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-07-10 14:17 . 2009-05-09 22:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-07-10 14:16 . 2009-08-24 22:52 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-07-09 19:58 . 2008-01-18 18:58 -------- d-----w- c:\program files\Google
    2010-07-09 19:57 . 2008-11-26 17:55 -------- d-----w- c:\program files\Acro Software
    2010-07-09 19:56 . 2008-12-10 17:06 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-07-09 19:56 . 2007-05-10 00:55 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-09 17:18 . 2008-12-10 17:06 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
    2010-07-08 23:19 . 2009-09-24 01:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-08 23:19 . 2007-05-10 00:38 1100 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-07-01 21:27 . 2009-12-30 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-01 21:26 . 2007-11-24 01:47 -------- d-----w- c:\program files\Apple Software Update
    2010-07-01 21:17 . 2007-11-24 01:47 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-01 21:14 . 2008-02-11 00:34 -------- d-----w- c:\program files\QuickTime
    2010-06-08 13:56 . 2010-06-08 13:56 -------- d-----w- c:\program files\TweetDeck
    2010-06-07 23:57 . 2009-09-24 02:18 600680 ----a-w- c:\windows\system32\nvudisp.exe
    2010-06-07 23:57 . 2009-08-17 04:57 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-06-07 23:57 . 2009-08-17 04:57 2186342 ----a-w- c:\windows\system32\nvdata.bin
    2010-06-07 23:57 . 2009-08-17 04:57 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-06-07 23:57 . 2008-08-01 18:48 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
    2010-06-07 23:57 . 2008-08-01 18:48 4554752 ----a-w- c:\windows\system32\nvcuda.dll
    2010-06-07 23:57 . 2008-08-01 18:48 232040 ----a-w- c:\windows\system32\nvcodins.dll
    2010-06-07 23:57 . 2008-08-01 18:48 232040 ----a-w- c:\windows\system32\nvcod.dll
    2010-06-07 23:57 . 2008-08-01 18:48 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-06-07 23:57 . 2008-08-01 18:48 1359872 ----a-w- c:\windows\system32\nvapi.dll
    2010-06-07 23:57 . 2008-08-01 18:48 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2010-06-07 21:34 . 2010-06-07 21:34 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2010-06-07 21:34 . 2010-06-07 21:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2010-06-07 21:34 . 2010-06-07 21:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
    2010-06-07 21:34 . 2010-06-07 21:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-06-07 21:34 . 2010-06-07 21:34 154728 ----a-w- c:\windows\system32\nvsvc32.exe
    2010-06-07 21:34 . 2010-06-07 21:34 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2010-06-02 14:28 . 2010-06-09 16:15 865792 ----a-w- c:\documents and settings\shebagrl\Application Data\Mozilla\Firefox\Profiles\zuwji7ux.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
    2010-05-28 16:58 . 2009-09-24 02:18 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-05-21 19:26 . 2009-12-30 22:53 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-05-20 15:37 . 2010-05-20 15:37 -------- d-----w- c:\documents and settings\shebagrl\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
    2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-18 13:43 . 2009-05-06 17:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-16 13:24 . 2010-05-12 15:31 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-05-02 05:22 . 2004-08-10 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30 . 2004-08-10 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-16 16:09 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-04-16 16:09 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "P17Helper"="P17.dll" [2005-05-04 64512]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-07 13902440]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-07 110696]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    SMCWUSB-G 802.11g Wireless USB Utility.lnk - c:\dell\drivers\SMCWGUTI.exe [2006-1-18 442368]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2006-07-20 00:26 52896 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 17:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-12-12 13:58 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\HKO\\HKODM.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:05 PM 102448]
    R3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2/7/2010 6:20 PM 408064]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 1:40 PM 135664]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

    2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0c1bce8628f0.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 17:40]

    2010-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1425521274-725345543-1003Core1cb0c1bd980f896.job
    - c:\documents and settings\shebagrl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-14 04:47]

    2010-07-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-746137067-1425521274-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-07-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-746137067-1425521274-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gmail.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\shebagrl\Application Data\Mozilla\Firefox\Profiles\zuwji7ux.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\documents and settings\shebagrl\Application Data\Mozilla\Firefox\Profiles\zuwji7ux.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\shebagrl\Application Data\Mozilla\Firefox\Profiles\zuwji7ux.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
    FF - plugin: c:\documents and settings\shebagrl\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - HiddenExtension: XULRunner: {2C062FEB-6192-4838-AF45-F5216B3FD845} - c:\documents and settings\shebagrl\Local Settings\Application Data\{2C062FEB-6192-4838-AF45-F5216B3FD845}\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-12 21:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-07-12 21:02:44
    ComboFix-quarantined-files.txt 2010-07-13 01:02
    ComboFix2.txt 2010-07-12 16:53
    ComboFix3.txt 2010-07-10 20:44

    Pre-Run: 68,535,689,216 bytes free
    Post-Run: 68,529,446,912 bytes free

    - - End Of File - - 6E29AD84441742061157B7AB3DF97A46
     
  7. shebagrl

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:15:57 PM, on 7/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\DELL\drivers\SMCWGUTI.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\shebagrl\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: SMCWUSB-G 802.11g Wireless USB Utility.lnk = C:\DELL\drivers\SMCWGUTI.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193511158446
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7472 bytes
     
  8. shebagrl

    shebagrl TS Rookie Topic Starter

    Thanks so much for the help so far! I reran spybot to see if I could remove that one entry, but it came up clear -- seems that whatever was noted in that log is what is already removed/quarantined, too.

    So far, everything seems to be running smoothly, but I would love to make sure everything is ok before I re-enable the system restore point.

    I really appreciate your help -- I don't know what I would've done without this forum! (Well, I know what I would've done, but it wouldn't have been pretty lol) :)
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Spybot has already "removed" the entry by putting it in Quarantine. You need to delete the contents of the quarantine folder. The logs look okay to me.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
    Keep up the good work- here are some tips for you:

    Please follow these simple steps to keep your computer clean and secure:

    Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP > SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through configuring Security Settings, managing ActiveX controls and other safety features.

    Do regular Maintenance
    • Remove Temporary Internet Files regularly:
      • ATF Cleaner by Atribune
      OR
      • TFC
    • Disable and Enable System Restore:
      • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.

    Have layered Security:
    • Antivirus Software (only one): Both of the following programs are free and known to be good:
      • Avira Free
      • Avast Home
    • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      • Comodo
      • Zone Alarm
    • Antispyware: I recommend all of the following:
      • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
      • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
      • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      • Google Toolbar: Get the free Google toolbar to help stop pop-up windows.

    Let me know if you need more help.
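The HOSTS-file mechanism described in the tips above, as an added example that is not part of this thread or of the MVPS project: a small Python audit that separates entries which send a name to the local machine (the blocklist technique the post describes, 127.0.0.1 or the equivalent 0.0.0.0 / ::1) from entries that send a name to some other address, which a blocklist never needs and which is worth a second look after an infection involving redirects. The sample file content is constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS content (not from the thread). A blocklist-style
# file maps unwanted hosts to the local machine; the last two entries send
# legitimate names to other addresses, which a blocklist never needs.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-adnetwork.test   # blocked: resolves to this PC
127.0.0.1       tracker.example.test
0.0.0.0         banner.example.test
203.0.113.7     www.google.com               # legitimate name sent elsewhere
198.51.100.9    update.microsoft.com
"""

# Addresses that point a name back at the local machine (blocking it).
BLOCK_TARGETS = {ipaddress.ip_address("127.0.0.1"),
                 ipaddress.ip_address("0.0.0.0"),
                 ipaddress.ip_address("::1")}

def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for name in fields[1:]:
            yield addr, name.lower()

def audit_hosts(text):
    """Return (blocked_names, [(name, address)]) where the second list holds
    entries that send a name to an address other than the local machine."""
    blocked, redirected = [], []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the default entries every HOSTS file carries
        if addr in BLOCK_TARGETS:
            blocked.append(name)
        else:
            redirected.append((name, str(addr)))
    return blocked, redirected

if __name__ == "__main__":
    blocked, redirected = audit_hosts(SAMPLE_HOSTS)
    print(len(blocked), "names blocked; entries to review:", redirected)
```

On a real XP machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; the same two functions apply to its contents.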
     
  10. shebagrl

    shebagrl TS Rookie Topic Starter

    THANK YOU SO MUCH! Your help has gone above and beyond exceeding my expectations -- I am so thankful for finding TechSpot and for your help. It's official...I love you, man. :grinthumb

    I got all the last steps done and will definitely take your advice on the additional precautions to take. One question -- would you suggest the a/v programs and firewall in addition to the Norton I have and the Windows firewall? I just want to make sure before I get them.

    Thanks again!
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome. Glad to help.

    You should have only 1 antivirus program and 1 software firewall. If Norton has both of these, do not add another of either.

    As far as firewalls go, the Windows firewall only listens at incoming ports. I think it's better to have a bi-directional firewall, which listens at outgoing ports also. There are 2 recommendations for these above. My better recommendation would be to remove Norton and its bloat, and add one of the free antivirus programs and one of the free bidirectional firewalls. Links are in my post above. Since Norton is a paid program, you might want to wait until the end of the subscription to replace it.
     
Topic Status:
Not open for further replies.
