
AVG quarantines, bad files come back, Malwarebytes sees nothing



Summary: since 6/24, AVG has been showing some Infection / Malware warnings but seems to be moving them to a virus vault. Malwarebytes fast and full scans show nothing.

This is long-winded but I started making notes of everything I saw - sorry if it's too much info.

System: Dell desktop running Windows Vista 64 bit. AVG professional antivirus, all definitions up to date. Windows firewall (had tried ZoneAlarm when we first got computer 2 years ago but it was causing connectivity issues).

*************************** my notes ***************************

Behavior of virus

Started 6/24 with Trojan Horse SHeur3.CGFZ, in file c:\users\(DAUGHTERS_NAME)\0.9212981353266809.exe. Caught by AVG at the midnight scan (just after midnight on the 24th). All in C:\users\(DAUGHTERS_NAME).

A couple more of those (all flagged as Infection), then a warning on a registry key referencing that numeric-named exe file.

At 9 AM on the 24th, brightly flagged MALWARE Win32/Tracur.X. Googling this got no hits. Some hits for Win32/Tracur with other letters.

Just after noon on the 25th, numerous instances of Trojan Horse Generic23.YWE, all in c:\users\(DAUGHTERS_NAME)\appdata\local\temp, the filename is setup#########.exe (# symbols are random numbers). Googled the Generic23 and found it with other extensions. I had noticed the AVG review, and did a lot of cleanup of temp files that evening.

Early on the 26th (During midnight scan) found a similar file in the recycle bin.

On 6/27 scan, found Trojan Horse Downloader.Generic11.AWJB. One in c:\users\(DAUGHTERS_NAME)\0.###############.exe (15 random numbers) and one in c:\users\(DAUGHTERS_NAME)\msiexec.exe.

On 6/28 at 10:42 AM, got another hit on SHeur3 (extension CGZY).

Evening of 6/28, ran quick MalwareBytes and the full scan, both turned up nothing.

Day of 6/29: Daughter got continuous Windows Vista security popups asking if she wanted to allow a program access to the computer. All were of the setup####.exe variety. Each time we clicked Cancel, a new one popped up with a slightly different name. Each time it was asking for an admin user’s password, which obviously we did NOT provide. My daughter’s account does not have admin rights.

Note: (DAUGHTERS_NAME) thought it might be related to Deviant Art expiration and ads reappearing; however my credit card shows we set that up on 6/28/10 and this happened before that expired. Though in hindsight, the CC transaction might simply have taken a couple of days to post so the purchase date was a few days after the membership started.

Reviewed the directory referenced by the popups – c:\users\(DAUGHTERS_NAME)\appdata\local\temp – and found a bunch of the setup.exe files. Each one had a “last modified” time that corresponded to a time she’d have just logged onto the computer. There was also always a setup####.exe.manifest file. In addition, noticed a lot of files with “piywioe3” in the name, with extensions like “.cmdline”, “0.cs”, “.err”. Googling that word found no hits.

Evening: ran fast and full scan – neither turned anything up.

I have not yet deleted any files nor re-run the AVG scan. AVG will presumably run tonight at midnight and move them to the vault.

Following the steps listed here (http://forums.malwarebytes.org/index.php?showtopic=9573). I also have a dump of my daughter's browsing history (via the parental controls activity report) for the past 24 hours; the history before then seems to have been wiped.

*************************** end of my notes ***************************

*************************** Contents of DDS.TXT ***************************

.

DDS (Ver_2011-06-23.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20

Run by Parents at 20:58:53 on 2011-06-29

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6142.1548 [GMT -4:00]

.

AV: AVG Anti-Virus 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\PROGRA~2\AVG\AVG10\avgchsva.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\rundll32.exe

C:\Program Files\WTouch\WTouchService.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Windows\system32\AERTSr64.exe

C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files (x86)\AVG\AVG10\avgam.exe

C:\Program Files (x86)\AVG\AVG10\avgnsa.exe

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\Pen_Tablet.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe

C:\Windows\RAVCpl64.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\wpcumi.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe

C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\System32\wpcumi.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe

C:\PROGRA~2\AVG\AVG10\avgrsa.exe

C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\rundll32.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe

C:\Windows\RAVCpl64.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\wpcumi.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe

C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe

C:\Windows\RAVCpl64.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\wpcumi.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe

C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

C:\Users\Sonia\AppData\Local\Temp\0.7240766405778483.exe

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe

C:\Windows\RAVCpl64.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\wpcumi.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe

C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\splwow64.exe

C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files (x86)\AVG\AVG10\avgcsrvx.exe

C:\Windows\splwow64.exe

C:\Windows\system32\consent.exe

C:\Program Files\WTouch\WTouchUser.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files (x86)\AVG\AVG10\avgcsrvx.exe

C:\Program Files (x86)\AVG\AVG10\avgui.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

mWinlogon: Userinit=userinit.exe

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

mRun: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

StartupFolder: C:\Users\Parents\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AUDIBL~1.LNK - C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

LSP: C:\Windows\system32\wpclsp.dll

Trusted Zone: intuit.com\ttlc

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1 71.252.0.12

TCP: Interfaces\{BA1F4A56-7110-415E-A97C-73485DB117C7} : DhcpNameServer = 192.168.1.1 71.252.0.12

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll

BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO-X64: HP Print Enhancer - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO-X64: Search Helper - No File

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: AVG Security Toolbar BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

BHO-X64: HP Smart BHO Class - No File

TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB-X64: AVG Security Toolbar: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

mRun-x64: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"

mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun-x64: [(Default)]

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

Hosts: 204.34.199.15 FMS16.dsadc.mil

Hosts: 204.34.199.16 FMS12.dsadc.mil

Hosts: 204.34.199.17 FMS17.dsadc.mil

Hosts: 204.34.199.19 FMS19.dsadc.mil

Hosts: 204.34.199.22 FMS22.dsadc.mil

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Parents\AppData\Roaming\Mozilla\Firefox\Profiles\jdgf4zjq.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6cc2c&v=7.005.030.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff4.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox4\components\avgssff5.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: C:\PROGRA~2\palmOne\PACKAG~1\NPInstal.dll

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll

FF - plugin: C:\Program Files (x86)\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Parents\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: AVG Security Toolbar em:version=7.005.030.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - C:\Program Files (x86)\AVG\AVG10\Firefox4

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]

R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]

R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]

R1 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]

R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSr64.exe --> C:\Windows\system32\AERTSr64.exe [?]

R2 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-1-7 401920]

R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]

R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]

R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\system32\DRIVERS\RtNdPt60.sys --> C:\Windows\system32\DRIVERS\RtNdPt60.sys [?]

R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2009-6-24 636144]

R2 TabletServicePen;TabletServicePen;C:\Windows\system32\Pen_Tablet.exe --> C:\Windows\system32\Pen_Tablet.exe [?]

R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2010-12-11 127784]

R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]

R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 WebUpdate4;Web Update Wizard Service V4;C:\Windows\SysWOW64\WebUpdateSvc4.exe --> C:\Windows\SysWOW64\WebUpdateSvc4.exe [?]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-5-12 1025352]

S3 EZUSB;EZUSB PC/SC Smart Card Reader;C:\Windows\system32\DRIVERS\ezusb64.sys --> C:\Windows\system32\DRIVERS\ezusb64.sys [?]

S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]

S3 mfebopk;McAfee Inc. mfebopk;C:\Windows\system32\drivers\mfebopk.sys --> C:\Windows\system32\drivers\mfebopk.sys [?]

S3 mferkdk;McAfee Inc. mferkdk;C:\Windows\system32\drivers\mferkdk.sys --> C:\Windows\system32\drivers\mferkdk.sys [?]

S3 mfesmfk;McAfee Inc. mfesmfk;C:\Windows\system32\drivers\mfesmfk.sys --> C:\Windows\system32\drivers\mfesmfk.sys [?]

S3 MosIrUsb;MosIrUsb.sys;C:\Windows\system32\DRIVERS\MosIrUsb.sys --> C:\Windows\system32\DRIVERS\MosIrUsb.sys [?]

S3 PCD5SRVC{048DBD20-445E8C82-05040104};PCD5SRVC{048DBD20-445E8C82-05040104} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms [2008-11-4 28152]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys --> C:\Windows\system32\DRIVERS\wacmoumonitor.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-20 89920]

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-06-25 18:56:54 -------- d-----w- C:\Program Files (x86)\Dell DataSafe Online

2011-06-25 18:24:16 -------- d-----w- C:\Users\Parents\AppData\Roaming\Malwarebytes

2011-06-25 18:24:07 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-06-25 18:24:06 -------- d-----w- C:\ProgramData\Malwarebytes

2011-06-25 18:24:03 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-06-25 18:24:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-06-25 18:13:42 -------- d-----w- C:\Users\Parents\AppData\Local\Stardock_Corporation

2011-06-15 07:14:06 847360 ----a-w- C:\Windows\System32\oleaut32.dll

2011-06-15 07:14:06 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll

2011-06-15 07:14:05 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys

2011-06-15 07:14:05 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys

2011-06-15 07:14:01 405504 ----a-w- C:\Windows\System32\drivers\afd.sys

2011-06-15 07:13:56 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys

2011-06-15 07:13:55 135680 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys

2011-06-15 07:13:55 107008 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys

2011-06-15 07:13:52 2762752 ----a-w- C:\Windows\System32\win32k.sys

2011-06-15 07:13:48 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat

2011-06-15 07:13:48 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat

2011-06-15 07:13:36 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys

2011-06-15 07:13:33 975360 ----a-w- C:\Windows\System32\inetcomm.dll

2011-06-15 07:13:33 739328 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-06-15 01:31:27 -------- d-----w- C:\Cryoburn CD

2011-06-07 16:35:34 103864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2011-06-07 16:35:34 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll

.

==================== Find3M ====================

.

2011-04-15 01:28:12 117328 ----a-w- C:\Windows\System32\drivers\AVGIDSDriver.sys

2011-04-06 20:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll

2011-04-06 20:26:58 69408 ----a-w- C:\Windows\System32\jdns_sd.dll

2011-04-06 20:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe

2011-04-06 20:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll

2011-04-06 20:20:16 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll

2011-04-06 20:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe

2011-04-05 04:59:54 377936 ----a-w- C:\Windows\System32\drivers\avgtdia.sys

.

============= FINISH: 20:59:17.36 ===============

*************************** Contents of DDS.TXT ***************************

Attach.zip

ark.zip

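As an added example (not code from this thread, from DDS, or from any tool mentioned here), the following Python script applies the indicators described in the notes above to the "Running Processes" section of a DDS log: random-number executable names like 0.9212981353266809.exe, setup#########.exe files in a Temp directory, and a Windows binary such as msiexec.exe running from the user profile instead of System32. The sample log lines and the user name "daughter" are constructed, and the list of system binary names is an assumption of this example, not a DDS or AVG rule.

```python
"""Triage a DDS 'Running Processes' listing for the indicators in the post above.

Added example, not part of the thread or of DDS. Sample lines are constructed.
"""
import re
from pathlib import PureWindowsPath

# Assumption: Windows binaries with these names should only run from C:\Windows\...
# A copy of one of them inside a user profile (c:\users\<name>\msiexec.exe in the
# post) is a masquerading indicator.
SYSTEM_BINARIES = {
    "msiexec.exe", "svchost.exe", "rundll32.exe", "explorer.exe",
    "taskeng.exe", "wininit.exe", "lsm.exe", "cmd.exe", "cscript.exe",
}

# 0.<many digits>.exe, the pattern AVG kept flagging in the user profile.
RANDOM_NUMERIC_NAME = re.compile(r"^0\.\d{10,}\.exe$", re.IGNORECASE)
# setup#########.exe, the dropper names seen in AppData\Local\Temp.
SETUP_NUMERIC_NAME = re.compile(r"^setup\d+\.exe$", re.IGNORECASE)
# A DDS process line: a drive-rooted path ending in .exe, optionally followed by args.
EXE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.exe)(?:\s+(?P<args>.*))?$", re.IGNORECASE)

# Constructed DDS excerpt mixing normal entries with the patterns from the post.
SAMPLE_DDS = r"""
============== Running Processes ===============

.

C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\msiexec.exe /V
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\daughter\AppData\Local\Temp\0.7240766405778483.exe
C:\Users\daughter\msiexec.exe
C:\Users\daughter\AppData\Local\Temp\setup123456789.exe

.

============== Pseudo HJT Report ===============
"""


def parse_running_processes(dds_text: str) -> list[str]:
    """Return the executable paths listed under the 'Running Processes' header."""
    paths = []
    in_section = False
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Running Processes" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):  # next DDS section header
            break
        if not in_section or line in ("", "."):  # DDS uses "." as a spacer
            continue
        m = EXE_LINE.match(line)
        if m:
            paths.append(m.group("path"))
    return paths


def assess(path_str: str) -> list[str]:
    """Return the reasons a process path looks suspicious (empty list if none)."""
    path = PureWindowsPath(path_str)
    name = path.name.lower()
    parts = [p.lower() for p in path.parts]  # e.g. ['c:\\', 'users', 'daughter', ...]
    reasons = []
    if RANDOM_NUMERIC_NAME.match(name):
        reasons.append("random numeric file name")
    if SETUP_NUMERIC_NAME.match(name) and "temp" in parts:
        reasons.append("setup<digits>.exe dropped in a Temp directory")
    if name in SYSTEM_BINARIES and "windows" not in parts[:2]:
        reasons.append(f"{name} running outside the Windows directory")
    in_profile = len(parts) > 1 and parts[1] == "users"
    if in_profile and "temp" in parts:
        reasons.append("executable launched from a user Temp directory")
    elif in_profile and len(parts) == 4:  # C:\Users\<name>\<file>.exe
        reasons.append("executable sitting directly in the user profile root")
    return reasons


def triage(dds_text: str) -> dict[str, list[str]]:
    """Map each suspicious running process to the reasons it was flagged."""
    flagged = {}
    for path in parse_running_processes(dds_text):
        reasons = assess(path)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DDS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run it against a real DDS.txt by passing the file contents to triage(); anything it flags is a candidate for the helper to check, not a verdict on its own.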

Hello MamaZappa and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

***Note: In order for ComboFix to run properly AVG must be uninstalled. Please go here and follow the instructions to uninstall AVG.

You can reinstall it after the computer is clean.

***Note: In order for ComboFix to run properly McAfee must be uninstalled. Please go here and follow the instructions to uninstall McAfee.

You can reinstall it after the computer is clean.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue tdsskiller2.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue tdsskiller3.png
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • C:\ComboFix.txt
  • TDSSKiller log
  • Security Check checkup.txt

How is your computer running now?


AVG scans showed one other instance flagged MALWARE, plus numerous instances of the Generic23 trojan in the past 24ish hours. All are associated with one specific user (my daughter's account). Today, I added AdBlock Plus to her Firefox instance - had already added it to the admin account but I gather that didn't carry over to hers.

I've run through combofix etc. and results are appended.

I didn't see that any of these caught anything (though the two lines in the AVG vault labeled MALWARE are now gone). So it's possible the problem is some bad websites continually trying to download things, and AVG is doing its job?

ComboFix.txt

TDSSKiller.2.5.8.0_03.07.2011_10.52.53_log.txt

checkup.txt


Oh - and I re-installed AVG once the above was done. Redid a full scan - and now it's finding numerous Win32/Heur and Win32/Heur.dropper files in c:\program files (x86)\Wild Tangent\Dell Games files. I didn't even know those were on the computer, but it appears they were shipped with it (the usual vendor-installed bloatware).

The question of course is why didn't AVG pick these up 3 hours ago, and why is it picking them up now??? Our AVG install auto-updates daily.

I am, of course, going to kill all the Wild Tangent stuff.


Oh - and I re-installed AVG once the above was done. Redid a full scan - and now it's finding numerous Win32/Heur and Win32/Heur.dropper files in c:\program files (x86)\Wild Tangent\Dell Games files. I didn't even know those were on the computer, but it appears they were shipped with it (the usual vendor-installed bloatware).

The question of course is why didn't AVG pick these up 3 hours ago, and why is it picking them up now??? Our AVG install auto-updates daily.

I am, of course, going to kill all the Wild Tangent stuff.

Uninstall AVG immediately. AVG can and WILL cause serious conflicts with ComboFix.

Please do NOT reinstall AVG until I tell you it's safe to do so.


Uninstall AVG immediately. AVG can and WILL cause serious conflicts with ComboFix.

Please do NOT reinstall AVG until I tell you it's safe to do so.

Sorry - I did uninstall AVG (complete uninstall, not just deactivating) when I was doing the steps above including running ComboFix.

The kids needed to use the computer today, so once I'd done ComboFix etc. and posted the logs, I redownloaded and reinstalled it. I was not comfortable letting them online without something in place. I assumed that since I'd finished the diagnostics it was safe to re-install.

Then just for "fun", I ran the AVG scan - and got those hits. Googling this suggests they were false positives, but since the games software was bloatware anyway I uninstalled it.

I can kill it and redo everything including Combofix again in a couple of days.

I just ran AVG on my daughter's account again and got hits on c:\users\sonia\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\(couple of files) and ....\6.0\13\(couple of files). All say "Trojan Horse Java/Exploit.xx" where 'xx' is one of several 1-2 character extensions. I looked in the directory and it didn't look like any of the files had been changed in the past year, so I'm assuming this is another false positive. Could the ComboFix run have left things in a state somehow that AVG is stumbling? AVG did not remove the files, and Malwarebytes didn't complain.

If this is relevant, I didn't see any such hits on my son's account. All the errors we've had lately have been on my daughter's account, not any of the others.

Anyway: At this point, should I uninstall AVG again and just take the computer offline?


Anyway: At this point, should I uninstall AVG again and just take the computer offline?

Yes, remove AVG.

It is important that you do NOT let AVG delete ANY of the files it detected. Some of these files may be components of ComboFix, and removing them could really make things worse.

Let me know when you've removed AVG.


Yes, remove AVG.

It is important that you do NOT let AVG delete ANY of the files it detected. Some of these files may be components of ComboFix, and removing them could really make things worse.

Let me know when you've removed AVG.

Done. The initial files (that were part of the Wild Tangent bloatware) are gone because I did an uninstall of all of that.

The ones in the c:\users\sonia\AppData\LocalLow\Sun\Java\Deployment\cache\6.0.... directories are still there, AVG wasn't able to delete them and they don't appear in the vault.

Should I redo the Combofix etc. steps?

I'll be taking this computer offline (unplugging the ethernet) but will check this thread from another computer. I may not get back in until tomorrow evening or perhaps Tuesday.


Should I redo the Combofix etc. steps?

No, you should be fine ;)

Let's do some more cleanup with ComboFix:

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

99864975

File::

C:\Windows\System32\Drivers\99864975.sys

Reglock::

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please post the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now :)


Can you try some Google searches to see if you're still getting redirected?

Also, I need to know if you're getting redirects in Firefox, Internet Explorer, or both. ;)

We weren't getting redirected as far as I can tell, though I'll check with the kids to see if either of them noticed any oddness. We just kept getting hits / malware warnings from AVG, and that one day where 'allow this program' popups appeared nonstop. The files seemed to appear whenever my daughter logged on.

I could reconnect the computer and tell my daughter to try some surfing but I'm very reluctant to do that without some antivirus active. I'm guessing some site she likes is either corrupted itself or is serving up some bad ads.


Let's run some more scans:

Please Launch Malwarebytes' Anti-Malware.

  • Please click Check for Updates to see if any updates are found. If so, please allow MBAM to download and install them.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK for either of the prompts and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

--------

Please download maxhandle.exe by noahdfear to your desktop

  • Double click and run the application
  • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals (every time it is run).
  • Log is saved to c:\maxhandle.txt
  • If Max++ is not found Nothing found! is echoed to the screen - no log is produced.

Please post the results for my review

--------

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

--------

Please use the Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.

--------

In your next reply, please include:

  • New Malwarebytes log
  • Maxhandle log (if one is created)
  • ESET log
  • BitDefender log

How is your computer running now? ;)


maxhandle.exe showed nothing, nor did the Eset scanner (and as far as I could tell it didn't generate a log). Ditto BitDefender and MalwareBytes.

At this point, does it look to you like all the steps have gotten rid of whatever was ailing this computer?

I still haven't re-installed AVG and so am not letting the kids do any web surfing (or us adults, either!).

BitDefender Report 2011-07-05 09.33.23.txt

mbam-log-2011-07-04 (21-34-59).txt


At this point, does it look to you like all the steps have gotten rid of whatever was ailing this computer?

Your logs appear to be clean ;) However, we still have just a little more work to do :)

Before we move on, please take the time to install the following updates, as using outdated applications leaves you extremely vulnerable to getting infected again:

:excl:Please consider updating to Windows Vista Service Pack 2 (SP2).

Windows Vista Service Pack 2 (SP2) contains all the updates released since SP1 plus support for new types of hardware and emerging hardware standards.

It is now available via Windows Update or as a standalone installation here.

--------

You are using Internet Explorer version 8. Since you are using Windows Vista, you qualify for the latest version, which is 9. Using an outdated version of a web browser leaves you extremely vulnerable to malware!

Please see this link to download the latest version: http://windows.microsoft.com/en-US/internet-explorer/products/ie/home

--------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

Go to Start > Control Panel and open Add or Remove Programs.

Search in the list for all previously installed versions of Java. (J2SE Runtime Environment).

They will have this icon next to them: javaicon.gif

Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

--------

Your Flash Player is out of date!

To make sure you have the latest version of Adobe Flash Player installed:

1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe

2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).

3. Double-click on the file you've downloaded to uninstall Flash.

4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).

Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

--------

Please let me know how the updates went, as failed updates may indicate additional malware ;)


Done - we already had Vista SP 2 - fully up to date except for one Windows add-on that includes things like a toolbar (Windows Live Essentials - looks like stuff we don't use). Also already using IE 9. I've updated Java and Flash as well.

So did the early scans actually show anything was actually on the computer? or is it impossible to tell? I know *something* was there at some point, just not sure whether AVG did its job and there was simply something attempting to re-infect every time my daughter did any surfing.


Done - we already had Vista SP 2 - fully up to date except for one Windows add-on that includes things like a toolbar (Windows Live Essentials - looks like stuff we don't use). Also already using IE 9. I've updated Java and Flash as well.

So did the early scans actually show anything was actually on the computer? or is it impossible to tell? I know *something* was there at some point, just not sure whether AVG did its job and there was simply something attempting to re-infect every time my daughter did any surfing.

Oh - and to clarify on IE9 - we usually use Firefox for browsing, but have IE9 installed.


So did the early scans actually show anything was actually on the computer?

Yes- you had quite a nasty one, but we used ComboFix to squish it like a bug ;)

Glad to hear the updates went well! :)

I will now provide you with some suggestions for security software, but first, ComboFix must be uninstalled ;):

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

**You may now reinstall AVG AntiVirus if you haven't already.

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Many thanks!!!! We're IT people here, just not specializing in PC security, so had no idea what to do once the machine got nailed. Just goes to show that even folks who "know better" can get nabbed sometimes!

Out of curiosity, what critter did the computer have? is it one that I'd find info about if I did a web search? Also, whether it's one that likely came from a bad ad, or was embedded in the actual page she was enjoying, or was a result of something getting through the firewall. And what it was trying to do (just hijack our computer for botnet / DNS attacks? identity theft? something else?). In general, knowing more about it will help us avoid this in the future.

We do of course maintain antivirus - AVG. In fact I've felt twitchy not having it installed these past few days, even though the kids have not been allowed near the computer and I haven't gone online with that machine except to do this maintenance. We're pretty careful about keeping up with the Windows updates; the main reason we don't have it auto-update is because we like to look at the list (though we do install everything once we've done so).

Thanks for the info about the built-in firewall. We'd been running ZoneAlarm but found that it sometimes interfered with the computer even connecting to the internet, so we switched to the Windows one - I didn't realize it didn't block outbound. I think our router also has some firewall features, as most do... but given that Verizon set it up with WEP vs WPA (something we corrected immediately) I don't have too much faith in its firewall capabilities. Anyway - I'll add in one of the ones you suggested, as well as Spybot; I don't recall why we didn't install Spybot as soon as we got the computer 2 years ago but I assume I had a good reason at the time :).


Many thanks!!!!

You're welcome! :)

Just goes to show that even folks who "know better" can get nabbed sometimes!

Happens to all of us ;)

Out of curiosity, what critter did the computer have?

It looked very much like a remnant of one of the nastier rootkits floating around nowadays, TDL3

Another useful link: http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

It's tough to tell exactly where it came from, mostly because the game is changing every day. My inclination would be that it was either a bad web site (not usually an advertisement), or that other malware downloaded it onto your computer.

If you Google "TDL3" or "TDL4" you'll for sure find some good articles on it ;)

And what it was trying to do (just hijack our computer for botnet / DNS attacks? identity theft? something else?

Newer versions indicate botnet capabilities. Overall the cybercriminals' main goal is to extort as much money out of you as possible. Those "rogue antivirus" programs often come bundled with this rootkit, and those are notorious for asking you to pay them with your credit card- you can imagine what happens from there ;)

I haven't personally seen identity theft common place among these types of rootkits, but I would not rule that out as a possibility under any circumstances (again, due to the changing nature of internet crime).

Thanks for the info about the built-in firewall. We'd been running ZoneAlarm but found that it sometimes interfered with the computer even connecting to the internet, so we switched to the Windows one - I didn't realize it didn't block outbound.

No problem, I'm glad you found it useful :)


The computer has now been updated with Spybot, and with Online Armor (paid - I don't want to have to remember to do manual updates!), in addition to AVG and Windows Firewall, plus of course Adblock, so (crossing fingers) hopefully we're OK here now. Off to do a bunch of password changes :::just in case::: though I haven't seen any unusual activity on any of my accounts. Will also be adding that IE add-in you mentioned just in case (though we rarely use "Internet Exploder") and the Noscript Firefox tool.

A question (and this is just speculating): I'm assuming that the rootkit was responsible for all the attempts to download those Trojans, and that AVG plus limited privileges (kids don't have admin; we do but we're a lot more careful about where we go) reduced the harm. Is that a reasonable assumption? Interesting that we didn't have the redirect troubles either - for example I had no trouble finding MalwareBytes via google.

Also, any idea why it only seemed to affect the one user? I'd have assumed that such a virus would have somehow gotten itself admin rights and downloaded the crap wherever it could.

Again, many thanks - you folks do a tremendous service here. I am very, very grateful for all your assistance!!!!!


A question (and this is just speculating): I'm assuming that the rootkit was responsible for all the attempts to download those Trojans, and that AVG plus limited privileges (kids don't have admin; we do but we're a lot more careful about where we go) reduced the harm. Is that a reasonable assumption?

I'd say so, yeah. :)

Also, any idea why it only seemed to affect the one user? I'd have assumed that such a virus would have somehow gotten itself admin rights and downloaded the crap wherever it could.

Possibly because you have UAC (User Account Control) enabled ;). Nothing can install itself in the critical parts unless it is done through the Administrator account.

Again, many thanks - you folks do a tremendous service here. I am very, very grateful for all your assistance!!!!!

You are welcome! :)


Oh hell - AVG caught two more infected files last night.

Infection / Trojan Horse Java/Exploit.BN in c:\users\Sonia\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\2e524588-7fe482da

and .....\6.0\13\(similar string of random stuff). Exploit.BK in this case.

Note that these are in the directories that AVG flagged before, when I mistakenly installed it too soon during the cleanup.

Should I back up the documents folder for that user and delete the user entirely?

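The two posts above where AVG flags files in one user's Java deployment cache, and the earlier question of whether anything in that folder had actually changed, both come down to the same check: which files in the per-user locations named in this thread (the profile root, the user's Temp folder and AppData\LocalLow\Sun\Java\Deployment\cache) were created or modified recently, and what their hashes are. The script below is an added example, not code from the thread, the helper or any of the tools mentioned in it. It assumes Windows Vista or later with PowerShell 2.0 (so it avoids Get-FileHash and computes SHA-256 through .NET directly), an administrator prompt so every profile under C:\Users is readable, and an output path of C:\recent-user-files.csv; the "suspect" name patterns are taken from the detections the original poster listed (0.<digits>.exe, setup<digits>.exe and msiexec.exe in the profile root).

```powershell
# Added example for this thread, not part of it.
# Inventories recently created or modified files in the per-user folders where
# the thread's detections landed, with SHA-256 hashes, so a scanner's report can
# be compared against timestamps and hashes rather than taken on faith.
# Assumptions: PowerShell 2.0+, run as administrator, default profile root.
param(
    [string]$UserRoot = 'C:\Users',   # assumption: default Vista/7 profile root
    [int]$Days = 30                   # look-back window, like the DDS 30-day list
)

$cutoff = (Get-Date).AddDays(-$Days)
$sha256 = [System.Security.Cryptography.SHA256]::Create()

# SHA-256 of one file as lowercase hex (Get-FileHash does not exist on PS 2.0).
function Get-Sha256Hex([string]$Path) {
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = $sha256.ComputeHash($stream)
        return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLower()
    } finally {
        $stream.Close()
    }
}

# Name patterns seen in the thread's AVG reports (a heuristic, not a verdict):
# 0.<digits>.exe and msiexec.exe in the profile root, setup<digits>.exe in Temp.
$suspectName = '^(0\.\d+|setup\d+|msiexec)\.exe$'

# Profile-relative folders named in the thread, and whether to walk them fully.
$targets = @(
    @{ Path = '';                                           Recurse = $false },
    @{ Path = 'AppData\Local\Temp';                         Recurse = $true  },
    @{ Path = 'AppData\LocalLow\Sun\Java\Deployment\cache'; Recurse = $true  }
)

$rows = @()
$profiles = Get-ChildItem -Path $UserRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }

foreach ($userDir in $profiles) {
    foreach ($t in $targets) {
        # Join-Path rejects an empty child path, so the profile root is special-cased.
        if ($t.Path) { $dir = Join-Path $userDir.FullName $t.Path } else { $dir = $userDir.FullName }
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        if ($t.Recurse) {
            $items = Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
        } else {
            $items = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        }

        foreach ($f in $items) {
            if ($f.PSIsContainer) { continue }
            # Keep a file if either timestamp falls inside the window; a dropper
            # can carry an old modification time but its creation time is local.
            if ($f.CreationTime -lt $cutoff -and $f.LastWriteTime -lt $cutoff) { continue }

            $hash = 'unreadable'   # e.g. a locked file or access denied
            try { $hash = Get-Sha256Hex $f.FullName } catch { }

            $rows += New-Object PSObject -Property @{
                User     = $userDir.Name
                Created  = $f.CreationTime
                Modified = $f.LastWriteTime
                Size     = $f.Length
                Suspect  = ($f.Name -match $suspectName)
                SHA256   = $hash
                Path     = $f.FullName
            }
        }
    }
}

# Full inventory to CSV for later comparison (assumption: output path), and the
# name-pattern matches on screen so they can be looked at first.
$rows | Sort-Object Created -Descending |
    Select-Object User, Created, Modified, Size, Suspect, SHA256, Path |
    Export-Csv -LiteralPath 'C:\recent-user-files.csv' -NoTypeInformation

$rows | Where-Object { $_.Suspect } | Format-Table User, Created, Path -AutoSize
```

Run it once per cleanup round and diff the CSVs: a Java cache entry whose creation time, modification time and hash have not changed between runs is the same file the scanner saw before, which is the kind of evidence that separates a stale detection from a new drop. Because it only reads and hashes, it is safe to run while a scanner is still deciding what to do with the files.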
