Jump to content

Browser Re-directs and Flash Player Fake Install (ZeroAccess?) - DDS Logs Attached


Recommended Posts

Hi Folks,

Happy Thanksgiving.

I'm unfortunately trying to debug my parents' computer that has a few symptoms:

1) All browsers are issuing redirects for queries

2) All browsers also have new tabs created on the fly that forward me to a "Walmart" survey etc.

3) Periodically the Install Flash Player dialog box pops up but it automates the download, so it shows up and then shows it downloading content without my prompt or agreement. (I believe I've seen this before in a variant of ZeroAccessInf trojan.)

Without WiFi connected, the computer is running A LOT faster so it alludes to some malware running in the background.

The computer is running Windows XP Home and currently has no active Norton Antivirus (subscription expired).

I have not run any other tools besides DDS.

=================================

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2

Run by Manoo at 19:25:47 on 2012-11-23

#Option MBR scan is disabled.

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.117 [GMT -5:00]

.

.

============== Running Processes ================

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Norton 360\Engine\3.8.3.6\ccSvcHst.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TPSMain.exe

C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\McAfee Security Scan\3.0.285\SSScheduler.exe

C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Norton 360\Engine\3.8.3.6\ccSvcHst.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uProxyServer = hxxp=127.0.0.1:8893

uProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll

BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\3.8.3.6\IPSBHO.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll

BHO: Browser Helper Object: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} -

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe

mRun: [NDSTray.exe] NDSTray.exe

mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe

mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [TFncKy] TFncKy.exe

mRun: [TPSMain] TPSMain.exe

mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

mRun: [CFSServ.exe] CFSServ.exe -NoClient

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\manoo\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\manoo\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.285\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\metama~1.lnk - c:\program files\metamail inc\metamail tray\Metamail Trust Manager.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} - hxxp://oakrpacs.oakhealth.net/iSite3_3.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1345416512757

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.oakwoodhealthcare.net/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F80B9305-A013-11D2-BD23-00A024978908} - file:///D:/viewer/accuradimage.cab

TCP: NameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{251A3DD5-090E-43A1-906E-E021C1B6D712} : DHCPNameServer = 75.75.75.75 75.75.76.76

Filter: text/html - {7169208c-af64-4649-9a11-be3ec596a73d} -

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.3.6\CoIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 217.20.175.74 www.review.2009softwarereviews.com

Hosts: 217.20.175.74 review.2009softwarereviews.com

Hosts: 217.20.175.74 a1.review.zdnet.com

Hosts: 217.20.175.74 www.d1.reviews.cnet.com

Hosts: 217.20.175.74 www.reviews.toptenreviews.com

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\manoo\application data\mozilla\firefox\profiles\6z9ami52.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

FF - ExtSQL: 2012-11-16 22:26; {8545daff-ad1e-493f-a37e-eed1ac79682b}; c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\IPSFFPlgn

FF - ExtSQL: !HIDDEN! 2009-09-03 13:39; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

============= SERVICES / DRIVERS ===============

.

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308030.006\SymEFA.sys [2012-8-19 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308030.006\BHDrvx86.sys [2012-8-19 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308030.006\cchpx86.sys [2012-8-19 467592]

R1 NEOFLTR_600_14137;Juniper Networks TDI Filter Driver (NEOFLTR_600_14137);c:\windows\system32\drivers\NEOFLTR_600_14137.sys [2009-4-1 64160]

R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.3.6\ccSvcHst.exe [2012-8-19 117648]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110107.002\IDSXpx86.sys [2011-1-7 341944]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.285\McCHSvc.exe [2012-9-5 234776]

S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110108.002\NAVENG.SYS [2011-1-8 86008]

S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110108.002\NAVEX15.SYS [2011-1-8 1360760]

.

=============== File Associations ===============

.

ShellExec: ymp.exe: open="c:\program files\yahoo!\yahoo! music engine\YahooMusicEngine.exe" -play "%1"

ShellExec: ymp.exe: play="c:\program files\yahoo!\yahoo! music engine\YahooMusicEngine.exe" -play "%1"

.

=============== Created Last 30 ================

.

2012-11-20 14:32:18 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan

2012-11-20 14:31:59 -------- d-----w- c:\program files\McAfee Security Scan

.

==================== Find3M ====================

.

2012-11-20 17:47:01 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-11-20 17:47:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-19 13:43:53 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-19 13:43:49 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-09-19 13:43:48 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-09-19 13:43:48 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 19:27:22.21 ===============

dds.txtattach.txt

Link to post
Share on other sites

  • Staff

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

NEXT

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download ComboFix from the following location:

Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

CF_RC_notice.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

cfRC_screen_2.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.