
Windows-Defence Trojan in Firefox


captlat


:( Originally posted in wrong forum.

Windows-Defence Trojan-Virus has infected Firefox and (I think) Malwarebytes Anti-Malware. Upon opening either of these two programs, a User Account Control window pops up asking "Do you want to allow the following program to make changes......." Answer No and it will not open. Answer "YES" and Firefox is redirected to an alert that the web site is attacked and you should not open it. Clicking any part of the alert sends you to the Windows-Defence.com page where you are urged to purchase the fake anti-virus.

I think MBAM is compromised due to the UAC pop-up before MBAM will load. I have licensed MBAM. Ran all three scans with no infections. Have run full scans with AVG and MS Security Essentials. Still infected. Have run latest Spybot S&D -- removed 100 items.

Finally running instructions on this forum:

1. Defogger

2. DDS: here is DDS.txt

DDS (Ver_10-10-10.03) - NTFS_AMD64

Run by bw at 9:59:33.07 on Wed 10/13/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3836.2106 [GMT -6:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\windows\system32\wininit.exe

C:\Program Files (x86)\AVG\AVG9\avgchsva.exe

C:\Program Files (x86)\AVG\AVG9\avgrsa.exe

C:\windows\system32\lsm.exe

C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\system32\atiesrxx.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\atieclxx.exe

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\windows\system32\taskhost.exe

C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\windows\System32\svchost.exe -k HPZ12

C:\windows\system32\Dwm.exe

C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe

C:\windows\Explorer.EXE

C:\windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtWlan.exe

C:\Program Files (x86)\AVG\AVG9\avgam.exe

C:\Program Files (x86)\AVG\AVG9\avgnsa.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\PROGRA~2\SPEEDB~2\VideoAcceleratorService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ltmoh\ltmoh.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files (x86)\AVG\AVG9\avgemc.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\TOSHIBA\TECO\Teco.exe

C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Ares\Ares.exe

C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAccelerator.exe

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files (x86)\AVG\AVG9\avgtray.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\taskeng.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe

C:\PROGRA~2\SPEEDB~2\VideoAcceleratorEngine.exe

C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\svchost.exe -k HPService

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

C:\Program Files\LSI SoftModem\agr64svc.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\TOSHIBA\rselect\RSelSvc.exe

C:\windows\system32\sppsvc.exe

C:\windows\System32\svchost.exe -k secsvcs

C:\windows\servicing\TrustedInstaller.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\system32\SearchProtocolHost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\Users\bw\Downloads\dds.com

C:\windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = https://login.facebook.com/login.php?login_attempt=1

uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

BHO: Reserch: {b2249032-6464-466d-a58e-c588f7dbac22} - C:\Users\bw\AppData\Roaming\Microsoft\Credentials\wscr.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll

TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - C:\Program Files (x86)\SpeedBit Video Downloader\TBU26\tbcore3.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll

TB: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [skype] "C:\Program Files (x86)\Skype\\Phone\Skype.exe" /nosplash /minimized

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [ares] "C:\Program Files (x86)\Ares\Ares.exe" -h

uRun: [speedBitVideoAccelerator] C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAccelerator.exe

uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED

mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

StartupFolder: C:\Users\bw\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

IFEO: image file execution options - svchost.exe

BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll

BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg64.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

TB-X64: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - No File

TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB-X64: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File

TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [(Default)]

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

mRun-x64: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun-x64: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

mRun-x64: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun-x64: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun-x64: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun-x64: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe

mRun-x64: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

mRun-x64: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r

mRun-x64: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

mRun-x64: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe

mRun-x64: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

AppInit_DLLs-X64: avgrssta.dll

IFEO-X64: image file execution options - svchost.exe

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - C:\Users\bw\AppData\Roaming\Mozilla\Firefox\Profiles\3bgw597p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?

FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=

FF - component: C:\Program Files (x86)\SpeedBit Video Downloader\SPFireFox\components\Engine.dll

FF - component: C:\Users\bw\AppData\Roaming\Mozilla\Firefox\Profiles\3bgw597p.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll

FF - component: C:\Users\bw\AppData\Roaming\Mozilla\Firefox\Profiles\3bgw597p.default\extensions\fsl@fsl.net\components\fsl.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_HotbarSA.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 AvgRkx64;avgrkx64.sys;C:\Windows\System32\drivers\avgrkx64.sys [2010-5-11 56008]

R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1105000.07F\symds64.sys [2010-3-14 433200]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1105000.07F\symefa64.sys [2010-3-14 221232]

R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2009-12-22 482384]

R1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2010-5-11 269904]

R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2010-5-11 35536]

R1 AvgTdiA;AVG Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2010-5-11 317520]

R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\NISx64\1105000.07F\cchpx64.sys [2010-3-14 615040]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100317.002\IDSviA64.sys [2010-3-23 466992]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\drivers\NISx64\1105000.07F\symtdiv.sys [2010-3-14 451120]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-12-22 203264]

R2 avg9emc;AVG E-mail Scanner;C:\Program Files (x86)\AVG\AVG9\avgemc.exe [2010-6-22 921952]

R2 avg9wd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-6-22 308136]

R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-8-10 248688]

R2 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2009-7-14 42368]

R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]

R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [2010-3-14 126392]

R2 Realtek11nSU;Realtek11nSU;C:\Program Files (x86)\Realtek\11n USB Wireless LAN Utility\RtlService.exe [2010-7-13 36864]

R2 RSELSVC;TOSHIBA Modem region select service;C:\Program Files\TOSHIBA\rselect\RSelSvc.exe [2009-7-7 65904]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-10-12 1153368]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2009-8-11 252272]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\Windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]

R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~2\SPEEDB~2\VideoAcceleratorService.exe -start -scm --> C:\PROGRA~2\SPEEDB~2\VideoAcceleratorService.exe -start -scm [?]

R3 FwLnk;FwLnk Driver;C:\Windows\System32\drivers\FwLnk.sys [2009-12-22 9216]

R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2009-12-22 35008]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-11-5 291328]

R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\Windows\System32\drivers\rtl8192se.sys [2010-4-26 1103904]

R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-12-22 51512]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-8-3 137560]

R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2009-8-4 826224]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]

S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx64.sys [2010-2-11 676912]

S1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1105000.07F\ironx64.sys [2010-3-14 148528]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-14 135664]

S3 ATTRcAppSvc;AT&T RcAppSvc;"C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" --> C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe [?]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-5-11 430152]

S3 CAATT;AT&T Con App Svc;"C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe" /n "CAATT" --> C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [?]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-12-22 222208]

S3 rtlss;Service for enabling selective suspend to RTL device;C:\Windows\System32\drivers\rtlss.sys [2010-6-21 27240]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-30 1255736]

S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]

S3 ZD1211U(Linksys);Linksys Wireless-G USB Network Adapter Driver(Linksys);C:\Windows\System32\drivers\ZD1211U.sys [2010-7-12 351616]

=============== Created Last 30 ================

2010-10-13 15:37:14 7935824 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{29ECCD27-003F-4695-B735-1F804D9B1F02}\mpengine.dll

2010-10-13 15:26:58 -------- d-----w- C:\Program Files (x86)\CCleaner

2010-10-13 02:25:14 -------- d-----w- C:\79127b953f758500dafe

2010-10-12 23:43:54 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe

2010-10-12 23:43:53 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe

2010-10-12 23:43:53 12625408 ----a-w- C:\windows\SysWow64\wmploc.DLL

2010-10-12 23:43:52 12625920 ----a-w- C:\windows\System32\wmploc.DLL

2010-10-12 23:43:50 463360 ----a-w- C:\windows\System32\drivers\srv.sys

2010-10-12 23:43:49 9728 ----a-w- C:\windows\SysWow64\sscore.dll

2010-10-12 23:43:49 402944 ----a-w- C:\windows\System32\drivers\srv2.sys

2010-10-12 23:43:49 236032 ----a-w- C:\windows\System32\srvsvc.dll

2010-10-12 23:43:49 161792 ----a-w- C:\windows\System32\drivers\srvnet.sys

2010-10-12 23:43:48 3123712 ----a-w- C:\windows\System32\win32k.sys

2010-10-12 22:53:15 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2010-10-12 22:53:15 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy

2010-10-09 21:27:32 -------- d-----w- C:\PROGRA~3\WSCL

2010-10-09 21:24:49 -------- d-----w- C:\Users\bw\AppData\Local\Dfc

2010-10-09 15:07:34 -------- d-----w- C:\Program Files\Unlocker

2010-10-09 14:09:47 -------- d-----w- C:\Program Files (x86)\vSoft

2010-09-30 09:00:40 184832 ----a-w- C:\windows\System32\drivers\usbvideo.sys

2010-09-30 09:00:39 243712 ----a-w- C:\windows\System32\drivers\ks.sys

2010-09-29 14:51:29 2048 ----a-w- C:\windows\SysWow64\tzres.dll

2010-09-29 14:51:29 2048 ----a-w- C:\windows\System32\tzres.dll

2010-09-29 14:51:25 13312 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll

2010-09-29 14:51:25 13312 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

2010-09-28 01:38:33 -------- d-----w- C:\Program Files (x86)\Ask.com

2010-09-28 01:38:31 -------- d-----w- C:\Program Files (x86)\BitTorrent

2010-09-28 01:37:09 -------- d-----w- C:\Users\bw\AppData\Roaming\BitTorrent

2010-09-28 00:19:37 -------- d-----w- C:\PROGRA~3\EmailNotifier

2010-09-22 00:04:58 -------- d-----w- C:\Program Files (x86)\Citrix

2010-09-22 00:00:58 -------- d-----w- C:\Users\bw\AppData\Local\Deployment

2010-09-16 14:10:58 -------- d-----w- C:\Program Files (x86)\Free Offers from Freeze.com

2010-09-15 18:53:32 -------- d-----w- C:\PROGRA~3\AT&T

2010-09-15 00:12:33 558592 ----a-w- C:\windows\System32\spoolsv.exe

==================== Find3M ====================

2010-09-08 05:36:17 1192960 ----a-w- C:\windows\System32\wininet.dll

2010-09-08 05:34:34 57856 ----a-w- C:\windows\System32\licmgr10.dll

2010-09-08 04:30:04 978432 ----a-w- C:\windows\SysWow64\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll

2010-09-08 04:16:38 482816 ----a-w- C:\windows\System32\html.iec

2010-09-08 03:35:30 1638912 ----a-w- C:\windows\System32\mshtml.tlb

2010-09-08 03:22:31 386048 ----a-w- C:\windows\SysWow64\html.iec

2010-09-08 02:48:16 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb

2010-08-31 04:32:30 954752 ----a-w- C:\windows\SysWow64\mfc40.dll

2010-08-31 04:32:30 954288 ----a-w- C:\windows\SysWow64\mfc40u.dll

2010-08-26 05:27:28 148992 ----a-w- C:\windows\System32\t2embed.dll

2010-08-26 04:39:58 109056 ----a-w- C:\windows\SysWow64\t2embed.dll

2010-08-21 06:38:47 1024512 ----a-w- C:\windows\System32\wmpmde.dll

2010-08-21 06:36:49 340992 ----a-w- C:\windows\System32\schannel.dll

2010-08-21 06:31:06 633856 ----a-w- C:\windows\System32\comctl32.dll

2010-08-21 05:36:33 738816 ----a-w- C:\windows\SysWow64\wmpmde.dll

2010-08-21 05:36:24 224256 ----a-w- C:\windows\SysWow64\schannel.dll

2010-08-21 05:33:24 530432 ----a-w- C:\windows\SysWow64\comctl32.dll

2010-07-29 06:30:34 82944 ----a-w- C:\windows\SysWow64\iccvid.dll

2010-07-17 11:00:04 423656 ----a-w- C:\windows\SysWow64\deployJava1.dll

============= FINISH: 10:00:24.36 ===============

The zipped DDS Attach.txt is attached.

3. GMER Scan text log file is zipped and attached.

Thanks Capt lat

ark.zip

Attach.zip

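The DDS log above contains the four indicators a helper looks for first in a rogue anti-virus case: hosts-file lines that steer security-vendor and payment domains to one outside IP, a BHO (Reserch / wscr.dll) loading from the user's own profile, an Image File Execution Options entry for svchost.exe, and a UAC policy (PromptOnSecureDesktop = 0) that turns off the secure desktop. The script below is an added example, not part of the thread and not part of DDS; it applies those checks mechanically to the "Pseudo HJT Report" lines. The sample input copies lines from the log above and adds two constructed benign lines (the localhost hosts entry and the Spybot BHO path is real, the localhost line is constructed); the keyword list, the set of core binaries and the Windows 7 default values it compares against are assumptions made for this example.

```python
"""Flag suspicious entries in a DDS "Pseudo HJT Report" section.

Added example, not DDS code and not from the forum thread. The rules are a
mechanical version of what a malware-removal helper checks by eye.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "rule detail")

# Lines copied from the DDS log in the thread, plus one constructed benign
# hosts line (127.0.0.1 localhost) so the rules have something to ignore.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Reserch: {b2249032-6464-466d-a58e-c588f7dbac22} - C:\Users\bw\AppData\Roaming\Microsoft\Credentials\wscr.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 localhost
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
"""

# Heuristic keyword list (assumption for this example): hostnames a home PC's
# hosts file has no business redirecting.
SUSPICIOUS_HOST_WORDS = re.compile(r"antivirus|virus|secur|malware|spy|payment", re.I)
# Core Windows binaries for which an IFEO debugger entry is almost never
# legitimate on an end-user machine (set chosen for this example).
CORE_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe"}
# Windows 7 default values for the UAC keys DDS prints; anything else is flagged.
UAC_EXPECTED = {"PromptOnSecureDesktop": 1, "EnableLUA": 1}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^BHO(?:-X64)?:\s+(.*?):\s+(\{[0-9a-f-]+\})\s+-\s+(.*)$", re.I)
IFEO_RE = re.compile(r"^IFEO(?:-X64)?:.*-\s+(\S+)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s+=\s+(\d+)")
PROFILE_PATH_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def analyze(log_text):
    """Return a list of Finding(rule, detail) for the suspicious lines."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in ("127.0.0.1", "::1"):
                hosts_by_ip[ip].append(host)
                if SUSPICIOUS_HOST_WORDS.search(host):
                    findings.append(Finding("hosts-redirect", f"{host} -> {ip}"))
            continue
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            # Legitimate BHOs install under Program Files; a DLL under the
            # user's AppData is loaded into every IE process without admin rights.
            if PROFILE_PATH_RE.search(path):
                findings.append(Finding("bho-in-profile", f"{name} {clsid} {path}"))
            continue
        m = IFEO_RE.match(line)
        if m:
            target = m.group(1).lower()
            if target in CORE_BINARIES:
                findings.append(Finding("ifeo-core-binary", target))
            continue
        m = POLICY_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key in UAC_EXPECTED and value != UAC_EXPECTED[key]:
                findings.append(Finding("uac-weakened",
                                        f"{key} = {value} (expected {UAC_EXPECTED[key]})"))
    # One outside IP collecting several hostnames is the sinkhole pattern rogue
    # AV installers use to block vendors and route "payments" to themselves.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= 3:
            findings.append(Finding("hosts-sinkhole", f"{ip} claims {len(hosts)} hostnames"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample, the script reports the four keyword-matching hosts redirects, the 74.125.45.100 sinkhole, the wscr.dll BHO, the svchost.exe IFEO entry and the disabled secure desktop, and nothing for the Spybot BHO or the localhost line. A BHO that scans clean on VirusTotal (as wscr.dll did later in the thread) is still worth removing when it sits in a profile path a normal installer never uses.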

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.



Thanks screen317

Downloaded & ran TDSSKiller. No infection found, so no reboot requested. Log attached.

Thanks

TDSSKiller.2.4.4.0_14.10.2010_12.48.39_log.txt


  • Staff

Hi,

Please go to VirusTotal, and upload the following file for analysis:

C:\Users\bw\AppData\Roaming\Microsoft\Credentials\wscr.dll

Post the results in your reply.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317



[Did you know if you press ESC it erases all you have typed in this reply? I will retype it all. Was trying to figure out how to upload screen shot]

1. Scanned wscr.dll with VirusTotal. Result: 0/43 (0.0%). Clean, eh.

2. Ran ESET Online Scan. Found and fixed 5 threats. Log pasted below:

C:\Users\bw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\26e2fcd2-1724e522 multiple threats deleted - quarantined

C:\Users\bw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\4678319b-26119410 multiple threats deleted - quarantined

C:\Users\bw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\4e220c63-4fa196e6 a variant of Java/Rowindal.A trojan deleted - quarantined

C:\Users\bw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\3207c172-56621750 a variant of Java/Rowindal.A trojan deleted - quarantined

C:\Users\bw\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\4808c9f2-36d2109d multiple threats deleted - quarantined

3. Ran Security Check. Log pasted below:

Results of screen317's Security Check version 0.99.5

Windows 7 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG 9.0

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 21

Adobe Flash Player 10.1.85.3

Adobe Reader 9.1

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.10) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgemc.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

4. Attempted to load Firefox. UAC still asks whether to give Firefox permission to change the computer. Click YES and Firefox starts loading, but no content of the web site appears in the window. Also no popup of the Windows-Defence attack. Tried loading different sites, still no content. Weird HTML coding appears in the Firefox tool bar area. Screen shot attached. Should I download and reinstall Firefox?

I intend to reboot and try Firefox again and check MBAM to see if UAC requests allowing changes.

post-55147-1287169784_thumb.jpg


  • Staff

Hi,

Thanks screen 317, or is that your name at the bottom, Chris? Thanks for the help.
Yes it is. You're welcome. :)

If you're still getting redirected then you are probably still infected. So before we address what you have, let's make sure it's all gone.

With that said, are you currently using a router?

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
