Tech Support Forum

Registered · 6 Posts · Discussion Starter · #1
Hello good people,

Problem was first noticed in IE7 when links found via Google ended up going to various other unexpected sites. Initially, a bunch of pop-ups claiming Antivirus System Pro would solve all my problems showed up. It also seemed to disable my Shaw Secure (similar to F-Secure) AV. Various Windows Update alerts were popping up and changing, and there was so much activity on the screen I had to do a hard boot. My first attempt at fixing this was to download and run Malwarebytes Anti-Malware. This seemed to get rid of the Antivirus System Pro pop-ups; however, the IE7 Google redirection still occurs.
I ran Spybot Search & Destroy and deleted what it recommended. Also removed P2P sharing stuff like Limewire.

However, the redirection is still occurring in IE. FF works fine.
I have my windows disks.

Here is my DDS output and also attached GMER files.
Thanks, Sam.

DDS (Ver_09-11-24.02) - NTFSx86
Run by Owner at 13:19:12.35 on 25/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.766.227 [GMT -8:00]

AV: Shaw Secure 8.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hp 1000 firmware] c:\program files\hp laserjet 1000\fwdl.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [F-Secure Manager] "c:\program files\shaw secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\shaw secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [News Service] "c:\program files\shaw secure\fsgui\ispnews.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview5\NkvMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winfax~2.lnk - c:\windows\system32\wfxsnt40.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winfax~1.lnk - c:\program files\symantec\winfax\wfxctl32.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\shaw secure\fsps\program\fslsp.dll
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.photolab.ca/en/Photo/ImageUploader3.cab
DPF: {ABAB45AD-4D69-4C01-A4A4-DD105F1EAE61} - hxxp://citymap.city.nanaimo.bc.ca/activeX/Toolbars.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab
DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\6gfeih7b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.ftp - proxy
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-10-31 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2006-11-16 79904]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\shaw secure\hips\drivers\fshs.sys [2008-10-16 66720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-18 54752]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [2006-1-6 227200]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\shaw secure\anti-virus\minifilter\fsgk.sys [2006-11-16 101496]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\shaw secure\orsp client\fsorsp.exe [2008-10-16 55904]
S2 gupdate1c98c0d8544a204;Google Update Service (gupdate1c98c0d8544a204);c:\program files\google\update\GoogleUpdate.exe [2009-2-10 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\shaw secure\anti-virus\win2k\fsfilter.sys [2006-11-16 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\shaw secure\anti-virus\win2k\fsrec.sys [2006-11-16 25184]

=============== Created Last 30 ================

2009-11-25 03:42:54 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-11-25 03:42:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 03:42:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 03:42:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-25 03:42:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2008-09-11 10:06:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 13:21:58.81 ===============
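The DDS log above lists network.proxy.* entries from the Firefox profile: a host named "proxy" on port 8080 for every scheme, and network.proxy.type set to 4. In Firefox, type 0 is no proxy, 1 is manual configuration, 2 is a PAC script, 4 is auto-detect (WPAD) and 5 is the system proxy settings; with type 4 the manual host entries are stored in prefs.js but not used. The script below is an added example, not part of the thread or of the DDS tool: it parses the "FF - prefs.js" lines from a DDS log and states what the proxy settings actually make the browser do. SAMPLE_DDS is a constructed copy of a few of those lines (the hostname "proxy" and port 8080 are taken from the log); the function names are my own.

```python
import re

# Meaning of Firefox's network.proxy.type values (Mozilla's pref enum).
PROXY_TYPES = {
    0: "direct (no proxy)",
    1: "manual proxy configuration (uses the network.proxy.<scheme> entries)",
    2: "PAC script (network.proxy.autoconfig_url)",
    4: "auto-detect via WPAD (manual entries stored but ignored)",
    5: "use system proxy settings",
}
MANUAL_SCHEMES = ("http", "ssl", "ftp", "socks", "gopher")

# Constructed sample in the format DDS uses for the Firefox profile section.
SAMPLE_DDS = """\
FF - ProfilePath - c:\\docume~1\\owner\\applic~1\\mozilla\\firefox\\profiles\\6gfeih7b.default\\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.http - proxy
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - proxy
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
"""

_DDS_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")


def parse_dds_ff_prefs(text):
    """Return {pref_name: value} for every 'FF - prefs.js:' line of a DDS log."""
    prefs = {}
    for line in text.splitlines():
        m = _DDS_PREF.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def analyze_proxy_prefs(prefs):
    """Work out what the network.proxy.* prefs make Firefox do.

    Returns a dict with the proxy type, its meaning, every manual host/port
    pair that is configured, whether those pairs are actually in use, and
    a list of human-readable notes for the analyst.
    """
    notes = []
    raw_type = prefs.get("network.proxy.type")
    ptype = int(raw_type) if raw_type is not None else None
    if ptype is None:
        notes.append("network.proxy.type not listed: DDS prints only non-default prefs")
    meaning = PROXY_TYPES.get(ptype, "unknown/unused value")

    manual = {}
    for scheme in MANUAL_SCHEMES:
        host = prefs.get(f"network.proxy.{scheme}")
        if host:
            port = int(prefs.get(f"network.proxy.{scheme}_port", "0"))
            manual[scheme] = (host, port)
            if "." not in host and ":" not in host:
                notes.append(f"{scheme}: '{host}' is an unqualified hostname; which machine "
                             "it resolves to depends on the DNS search suffix of the network")

    manual_active = ptype == 1 and bool(manual)
    if manual and not manual_active:
        notes.append("manual proxy hosts are configured but inactive for this proxy type")
    if ptype == 4:
        notes.append("type 4: Firefox looks for a WPAD script (wpad.<domain>) on each network")
    if ptype == 2:
        notes.append(f"PAC URL: {prefs.get('network.proxy.autoconfig_url', '(not listed)')}")

    return {
        "type": ptype,
        "type_meaning": meaning,
        "manual": manual,
        "manual_active": manual_active,
        "notes": notes,
    }


if __name__ == "__main__":
    result = analyze_proxy_prefs(parse_dds_ff_prefs(SAMPLE_DDS))
    print(result["type"], result["type_meaning"])
    for scheme, (host, port) in result["manual"].items():
        print(f"  {scheme}: {host}:{port}  active={result['manual_active']}")
    for note in result["notes"]:
        print("  -", note)
```

Run against the sample, the analysis reports type 4 with inactive manual entries for http and ssl. Feeding it the prefs of a profile with type 1 instead would mark the same entries active, which is the case where an unexpected proxy host would actually be carrying the browser's traffic.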
TSF Security Manager, Emeritus · 42,836 Posts
Hello SamS,

It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Registered · 6 Posts · Discussion Starter · #3
Hello again,
Here is the log file from ComboFix....

Sam


ComboFix 09-11-27.04 - Owner 27/11/2009 20:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.766.443 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Shaw Secure 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-25 03:42 . 2009-11-25 03:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-25 03:42 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 03:42 . 2009-11-25 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 03:42 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 03:42 . 2009-11-25 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 02:58 . 2009-11-25 04:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\qquuog
2009-11-01 11:26 . 2009-11-01 11:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 16:05 . 2009-02-11 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-26 03:47 . 2004-11-28 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 21:12 . 2007-03-23 19:24 -------- d-----w- c:\program files\VIARAIL
2009-11-25 18:01 . 2004-11-28 03:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 04:05 . 2006-03-07 02:03 -------- d-----w- c:\program files\Shaw Secure
2009-10-16 23:04 . 2009-10-16 23:03 -------- d-----w- c:\program files\QuickTime
2009-10-16 22:58 . 2008-08-22 05:09 -------- d-----w- c:\program files\Common Files\Apple
2009-10-16 04:44 . 2009-10-16 04:31 -------- d-----w- c:\program files\WiliSoft Video Splitter
2009-10-14 01:57 . 2007-08-09 19:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-10-14 00:58 . 2008-07-09 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-09-22 04:31 . 2004-03-07 02:52 58144 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-11-03 00:35 . 2006-12-14 06:39 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-03 00:35 . 2006-12-14 06:39 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-03 00:35 . 2006-12-14 06:39 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-03 00:35 . 2006-12-14 06:39 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-03 00:35 . 2006-12-14 06:39 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-14 655360]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2008-09-23 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"News Service"="c:\program files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 356352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-2-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2004-2-28 212992]
WinFax Application Port Starter.lnk - c:\windows\system32\wfxsnt40.exe [1997-10-8 36352]
WinFax PRO Controller.lnk - c:\program files\Symantec\WinFax\wfxctl32.exe [1997-10-9 530944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1997-09-23 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-08-16 16:56 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [31/10/2008 1:16 AM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [16/11/2006 11:08 AM 79904]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [16/10/2008 3:12 PM 66720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [18/09/2009 4:01 PM 54752]
R3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [06/01/2006 7:32 PM 227200]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [16/11/2006 11:07 AM 101496]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [16/10/2008 3:12 PM 55904]
S2 gupdate1c98c0d8544a204;Google Update Service (gupdate1c98c0d8544a204);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 9:56 PM 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 9:48 PM 704864]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [16/11/2006 11:07 AM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [16/11/2006 11:07 AM 25184]
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-11 21:35]

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 05:56]

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 05:56]

2009-11-28 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\SHAWSE~1\ANTI-V~1\fsav.exe [2006-11-16 13:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
LSP: c:\program files\Shaw Secure\FSPS\program\fslsp.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6gfeih7b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.ftp - proxy
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\helloj\HijackThis.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Comp Meet Proxy - c:\docume~1\Owner\APPLIC~1\PLANAB~1\3264plus.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x83B40369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7768f28
\Driver\ACPI -> ACPI.sys @ 0xf76dbcb8
\Driver\atapi -> atapi.sys @ 0xf7693852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.SYS @ 0xf758dbb0
PacketIndicateHandler -> NDIS.SYS @ 0xf759aa21
SendHandler -> NDIS.SYS @ 0xf757887b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\WININET.dll
c:\program files\Shaw Secure\FSPS\program\fslsp.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(632)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
Completion time: 2009-11-27 20:59
ComboFix-quarantined-files.txt 2009-11-28 04:58
ComboFix2.txt 2007-03-21 18:51

Pre-Run: 28,391,325,696 bytes free
Post-Run: 28,656,566,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 6EB73F3DED2BBB823A8B0CDC935C5900

TSF Security Manager, Emeritus · 42,836 Posts
I'd like to see the log that was produced when you ran Malwarebytes a couple of days ago. Launch the program and click on the Logs tab. Post the contents in your next reply.


Click Start>Run and copy/paste the following text inside the quote box into the Run box and click OK:

cmd /c PEV --custom# #s #f #5 #c #m #d #n# %systemdrive%\atapi.sys >Log.txt&Log.txt&del Log.txt
When it completes, please post the log it produced.

Registered · 6 Posts · Discussion Starter · #5
I actually ran Malwarebytes twice. The log from the first one is here, followed by one from the next day. Also, the results from PEV --custom....

First one:
Malwarebytes' Anti-Malware 1.41
Database version: 3226
Windows 5.1.2600 Service Pack 3

24/11/2009 8:01:21 PM
mbam-log-2009-11-24 (20-01-21).txt

Scan type: Quick Scan
Objects scanned: 123003
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ugjlehwu (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ugjlehwu (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Application Data\qquuog\prebsysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\575.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


########################################################
########################################################
########################################################
The second Malwarebyte log:
Malwarebytes' Anti-Malware 1.41
Database version: 3226
Windows 5.1.2600 Service Pack 3

25/11/2009 9:35:37 AM
mbam-log-2009-11-25 (09-35-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 236051
Time elapsed: 2 hour(s), 1 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#######################################################
#######################################################
#######################################################
And thirdly, the results of: cmd /c PEV --custom# #s #f #5 #c #m #d #n# %systemdrive%\atapi.sys >Log.txt&Log.txt&del Log.txt


95,360 C:\WINDOWS\$NtServicePackUninstall$\atapi.sys CDFE4411A69C224BD1D11B2DA92DAC51 2008-09-11 05:47:36 2004-08-04 05:59:42 Microsoft Corporation

96,512 C:\WINDOWS\ERDNT\cache\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-11-28 04:53:40 2008-04-13 18:40:30 Microsoft Corporation

96,512 C:\WINDOWS\ServicePackFiles\i386\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2004-08-04 05:59:42 2008-04-13 18:40:30 Microsoft Corporation

96,512 C:\WINDOWS\system32\drivers\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2004-02-27 19:10:34 2008-04-13 18:40:30 Microsoft Corporation

86,912 C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys 95B858761A00E1D4F81F79A0DA019ACA 2004-02-27 19:10:33 2003-07-16 20:24:25 Microsoft Corporation
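The PEV output above is useful because a driver hijacked in place keeps its size and version stamp while its hash changes, so the in-use atapi.sys can be checked against the untouched copies. The script below is an added example, not part of the thread or of PEV: it parses the five lines quoted in this post and compares the system32\drivers copy with every other copy of the same size and version timestamp; the "patched" sample at the end is constructed with an invented hash to show what a mismatch looks like.

```python
import re

# Line format printed by PEV --custom in the thread:
# size  path  MD5  created-timestamp  modified-timestamp  company
PEV_LINE = re.compile(
    r"^(?P<size>[\d,]+)\s+(?P<path>.+?)\s+(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<created>\S+ \S+)\s+(?P<modified>\S+ \S+)\s+(?P<company>.*)$"
)

# The five lines quoted in the post above, copied verbatim.
THREAD_OUTPUT = r"""
95,360 C:\WINDOWS\$NtServicePackUninstall$\atapi.sys CDFE4411A69C224BD1D11B2DA92DAC51 2008-09-11 05:47:36 2004-08-04 05:59:42 Microsoft Corporation
96,512 C:\WINDOWS\ERDNT\cache\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2009-11-28 04:53:40 2008-04-13 18:40:30 Microsoft Corporation
96,512 C:\WINDOWS\ServicePackFiles\i386\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2004-08-04 05:59:42 2008-04-13 18:40:30 Microsoft Corporation
96,512 C:\WINDOWS\system32\drivers\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674 2004-02-27 19:10:34 2008-04-13 18:40:30 Microsoft Corporation
86,912 C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys 95B858761A00E1D4F81F79A0DA019ACA 2004-02-27 19:10:33 2003-07-16 20:24:25 Microsoft Corporation
"""

# CONSTRUCTED sample, not from the log: the in-use copy keeps its size and
# version timestamp but carries a made-up hash, which is what an in-place
# patch of the driver looks like to this check.
PATCHED_OUTPUT = THREAD_OUTPUT.replace(
    "drivers\\atapi.sys 9F3A2F5AA6875C72BF062C712CFA2674",
    "drivers\\atapi.sys 00000000000000000000000000000000",
)


def parse_pev(text):
    """Return one dict per non-empty PEV line; unknown lines raise."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PEV_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised PEV line: {line!r}")
        row = m.groupdict()
        row["size"] = int(row["size"].replace(",", ""))
        row["md5"] = row["md5"].upper()
        rows.append(row)
    return rows


def check_live_driver(rows):
    """Compare the in-use driver (system32\\drivers) with every other copy
    that has the same size and version timestamp.  Such copies are the same
    file build, so their MD5s must agree; a differing hash means one of them
    was modified.  Note that a backup taken after infection (ERDNT\\cache is
    written by ComboFix) can mirror the patched file, so ServicePackFiles and
    dllcache are the copies to trust most."""
    live = [r for r in rows if "\\system32\\drivers\\" in r["path"].lower()]
    if len(live) != 1:
        raise ValueError("expected exactly one in-use copy of the driver")
    live = live[0]
    peers = [r for r in rows if r is not live
             and r["size"] == live["size"]
             and r["modified"] == live["modified"]]
    agree = [r["path"] for r in peers if r["md5"] == live["md5"]]
    disagree = [r["path"] for r in peers if r["md5"] != live["md5"]]
    if not peers:
        verdict = "no reference copy"
    elif disagree:
        verdict = "mismatch"
    else:
        verdict = "consistent"
    return {"live_md5": live["md5"], "reference_copies": len(peers),
            "agreeing": agree, "disagreeing": disagree, "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("thread", THREAD_OUTPUT), ("patched", PATCHED_OUTPUT)):
        print(label, check_live_driver(parse_pev(text))["verdict"])
```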
 

TSF Security Manager, Emeritus · 42,836 Posts
Thank you. :)

Let's try the easy way first. Go to this site, download and run tdsskiller.

Then run ComboFix again and post the log it produces.
 

Registered · 6 Posts · Discussion Starter · #7
Should I disable my AV before running tdsskiller? I left my AV running at first and it says it will block access to rootkit.win32.TDSS.y virus. It recommends disinfecting it. Should I disinfect it, or disable my AV?
 

TSF Security Manager, Emeritus · 42,836 Posts
Disable your AV, it cannot handle this rootkit. Let tdsskiller try to nail it.
 

Registered · 6 Posts · Discussion Starter · #9
OK. I ran tdsskiller and here is the new output from ComboFix.....

ComboFix 09-11-28.01 - Owner 28/11/2009 14:44.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.766.464 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Shaw Secure 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-25 03:42 . 2009-11-25 03:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-25 03:42 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 03:42 . 2009-11-25 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 03:42 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 03:42 . 2009-11-25 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 02:58 . 2009-11-25 04:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\qquuog
2009-11-01 11:26 . 2009-11-01 11:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 22:31 . 2004-02-27 19:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-28 10:11 . 2006-03-07 02:03 -------- d-----w- c:\program files\Shaw Secure
2009-11-27 16:05 . 2009-02-11 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-26 03:47 . 2004-11-28 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 21:12 . 2007-03-23 19:24 -------- d-----w- c:\program files\VIARAIL
2009-11-25 18:01 . 2004-11-28 03:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-16 23:04 . 2009-10-16 23:03 -------- d-----w- c:\program files\QuickTime
2009-10-16 22:58 . 2008-08-22 05:09 -------- d-----w- c:\program files\Common Files\Apple
2009-10-16 04:44 . 2009-10-16 04:31 -------- d-----w- c:\program files\WiliSoft Video Splitter
2009-10-14 01:57 . 2007-08-09 19:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-10-14 00:58 . 2008-07-09 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-09-22 04:31 . 2004-03-07 02:52 58144 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-11-03 00:35 . 2006-12-14 06:39 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-03 00:35 . 2006-12-14 06:39 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-03 00:35 . 2006-12-14 06:39 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-03 00:35 . 2006-12-14 06:39 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-03 00:35 . 2006-12-14 06:39 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [email protected]_04.51.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-28 22:34 . 2009-11-28 22:34 16384 c:\windows\temp\Perflib_Perfdata_4e4.dat
+ 2004-02-27 19:10 . 2009-11-28 22:31 96512 c:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1" [X]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"hp 1000 firmware"="c:\program files\hp LaserJet 1000\fwdl.exe" [2001-12-15 36864]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-14 655360]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2008-09-23 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"News Service"="c:\program files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 356352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-2-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NkvMon.exe.lnk - c:\program files\Nikon\NkView5\NkvMon.exe [2004-2-28 212992]
WinFax Application Port Starter.lnk - c:\windows\system32\wfxsnt40.exe [1997-10-8 36352]
WinFax PRO Controller.lnk - c:\program files\Symantec\WinFax\wfxctl32.exe [1997-10-9 530944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1997-09-23 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-08-16 16:56 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [31/10/2008 1:16 AM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [16/11/2006 11:08 AM 79904]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [16/10/2008 3:12 PM 66720]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [18/09/2009 4:01 PM 54752]
R3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [06/01/2006 7:32 PM 227200]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [16/11/2006 11:07 AM 101496]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [16/10/2008 3:12 PM 55904]
S2 gupdate1c98c0d8544a204;Google Update Service (gupdate1c98c0d8544a204);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 9:56 PM 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 9:48 PM 704864]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [16/11/2006 11:07 AM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [16/11/2006 11:07 AM 25184]

--- Other Services/Drivers In Memory ---

*Deregistered* - KLMD
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-11 21:35]

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 05:56]

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 05:56]

2009-11-28 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\SHAWSE~1\ANTI-V~1\fsav.exe [2006-11-16 13:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
LSP: c:\program files\Shaw Secure\FSPS\program\fslsp.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6gfeih7b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.ftp - proxy
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 14:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(712)
c:\program files\Shaw Secure\FSPS\program\fslsp.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'explorer.exe'(3884)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(632)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
Completion time: 2009-11-28 15:03
ComboFix-quarantined-files.txt 2009-11-28 23:03
ComboFix2.txt 2009-11-28 04:59
ComboFix3.txt 2007-03-21 18:51

Pre-Run: 28,686,069,760 bytes free
Post-Run: 28,631,158,784 bytes free

- - End Of File - - A5BAE2CB348993926F85482867066CF8
 

TSF Security Manager, Emeritus · 42,836 Posts
Tdsskiller seems to have taken care of the hard disk controller hijack. How is the system behaving now?


Using 'My Computer', navigate to and delete the following Folder (Right click and select 'Delete'):

c:\documents and settings\Owner\Local Settings\Application Data\qquuog

========================

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
 

Registered · 6 Posts · Discussion Starter · #11
I think it's fixed! Clicking on links in IE now gets me to where they should. Kaspersky took most of the night to complete, but came back with a clean report. Dare I say the problem is solved? It seems that way. Thank you so much for your help Ried.

Any advice on preventing this from happening? The AV (Shaw Secure) I was using had worked flawlessly for the past 5 years, aside from this occurrence. Any information I should send to Shaw?

Sam
 

TSF Security Manager, Emeritus · 42,836 Posts
That's great to hear, SamS. :smile:

At present, no AV can block this, nor fix this rootkit. All one can do is be careful of the sites one visits. The most common method of distribution is P2P file sharing, whether it be movies, music, or crack programs and sites.

We need to tend to some final housekeeping. The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

WOT - Web of Trust. This is a free browser add-on that warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an add-on available for both Firefox and IE.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


- Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

- Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Please take some time to read the following articles. I think you'll find them quite enlightening:



-----------------------------------------------------


**Kindly respond one more time and let me know if we may consider this thread resolved.
 