Jump to content

Recommended Posts

Hi all,

I have the same issue as others have experienced recently. XP Machine was infected with Windows Restore and cleaned by MalwareBytes. After this, random audio began playing. Ads, music, sound effects. Every time an audio file is played, a java script error appears on the screen. I believe that TDSS was also identified and removed previously. I have been successful in removing most malware before, but this one has me stumped and am going to need a little help.

I have already modified the settings to unhide the files, cleared the JAVA cache and ran ATF cleaner. Here are the MBAM and DDS logs.

Thanks in advance...

***********************************

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6502

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/3/2011 11:12:15 PM

mbam-log-2011-05-03 (23-12-15).txt

Scan type: Quick scan

Objects scanned: 176304

Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**************************************

DDS (Ver_11-03-05.01) - NTFSx86

Run by Lou at 23:13:54.20 on Tue 05/03/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.997.189 [GMT -4:00]

.

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\csasvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\csifcsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

E:\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.excite.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

mRun: [<NO NAME>]

mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\csconn~1.lnk - c:\wincsi\tools\connectbgdl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsTV.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {187728C3-71FD-11D3-878E-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/Dll/RSFCalc.cab

DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} - hxxps://eformrs.com/RSLoginModule.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187637106937

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187642300718

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} - hxxps://eformrs.com/FormOpen/RSFormsDP.cab

DPF: {C5F6B73A-D6E8-46DD-895C-8FE98DC8CFA4} - hxxps://eformrs.com/RSFConvert.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]

R2 CSAPrintService;Creative Solutions Accounting Print Service;c:\windows\csasvc.exe [2007-8-20 114688]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110503.003\naveng.sys [2011-5-3 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110503.003\navex15.sys [2011-5-3 1393144]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

.

=============== Created Last 30 ================

.

2011-05-04 02:50:45 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{c9867880-dfe1-47a2-a59d-386bb812d33b}\mpengine.dll

2011-05-01 04:33:56 -------- d-----w- c:\program files\ESET

2011-05-01 03:05:51 -------- d-----w- c:\windows\system32\appmgmt

2011-04-29 03:15:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-29 02:55:30 388096 ----a-r- c:\docume~1\lou\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-04-29 02:55:29 -------- d-----w- c:\program files\Trend Micro

2011-04-28 15:46:42 -------- d-----w- c:\documents and settings\lou\log

2011-04-28 03:25:43 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-04-28 02:53:01 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-04-28 02:53:01 -------- d-----w- c:\windows\system32\wbem\Repository

2011-04-28 01:51:12 -------- d--h--w- c:\windows\PIF

2011-04-26 01:48:42 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-04-26 01:47:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hi

**************************************************************

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.