Hijacked by Virus/Worm 1

[geeknerd]

Hello,

I can't stay on my machine 10 minutes before it will open another tab and bring to a site trying to sell me something. I have used AVG ,Spybot and MalwareBytes to no avail. I then used the recovery cd thinking that would get rid of it, but was later told the recovery doesn't reformat, it just bring you back to the default operating stage.

I did this in safe mode and it keeps coming back. It happens in both Firefox and IE.

Any help would be great appreciated. Thanks

 

[goombawaho]

Download combofix from a link provided on this page or using another computer and a flash drive.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Uninstall your AVG, reboot to safe mode.

Run combofix

 

[goombawaho]

I should have said "safe mode with networking" so that you can have internet access because combofix wants to download and install the Microsoft Recovery Console if it's not already installed and thus it must be downloaded.

If you're using wireless and you don't get internet with Safe Mode with Networking, you'll have to go with regular mode.

 

[BadBigBen]

after running ComboFix, run a scan with HiJackThis logging what it finds, post that log here for our perusal...

DO NOT FIX anything yet with HJT...

TrendMicro HiJachThis

http://free.antivirus.com/hijackthis/

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

 

[kjv1611]

I then used the recovery cd

See reference on different types of recovery media:

http://vlaurie.com/computers2/Articles/recovery_disk.htm

That one looked interesting, anyway.

But in the short of it, as you found out:
Recovery disk = basically a system repair disk. It will allow you to access your previous restore points, if you have any.

Restore disk = take you back to whenever it was created - if you created, then back to when you made it. If it came with the computer, then it would take you back to store settings or "out of the box settings".

Another type of recover/restoration can be accessed without a disk. Oftentimes, the manufacturer will include a recovery partition on the system, which will allow you to get you system back to "out of the box" settings sometimes in as little as 10 or 15 minutes... or at least I've seen some that fast, it may not always be that fast. To access this, you'll have a specific key combination to press upon booting the machine.

Regardless, post your results from the aforementioned programs, and let us know how it goes.

 

[geeknerd]

Ok, going to try what you guys recommended tonight and post the results.Thanks

 

[geeknerd]

Here's the Combofix data -


c:\windows\system32\Thumbs.db
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-15 18:27 . 2004-08-04 07:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-03-14 12:49 . 2011-03-14 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-14 12:48 . 2011-03-14 12:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-13 11:13 . 2011-03-13 11:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-13 11:04 . 2011-03-13 11:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-13 10:50 . 2011-03-13 10:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-13 10:40 . 2009-01-08 02:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-03-13 10:39 . 2011-03-13 10:48 -------- dc-h--w- c:\windows\ie8
2011-03-13 10:34 . 2004-08-17 11:21 87168 ----a-w- c:\windows\system32\drivers\drvmcdb.sys
2011-03-13 10:34 . 2004-07-14 10:56 40448 ----a-w- c:\windows\system32\drivers\drvnddm.sys
2011-03-13 10:34 . 2011-03-14 05:20 -------- d-----w- c:\windows\system32\dla
2011-03-13 10:34 . 2004-08-03 09:05 98358 ----a-w- c:\windows\dla.exe
2011-03-13 10:34 . 2004-08-03 09:05 61498 ----a-w- c:\windows\system32\tfswapi.dll
2011-03-13 10:34 . 2004-07-14 19:29 5627 ----a-w- c:\windows\system32\drivers\sscdbhk5.sys
2011-03-13 10:34 . 2004-07-14 19:28 23545 ----a-w- c:\windows\system32\drivers\ssrtln.sys
2011-03-13 10:34 . 2004-02-26 18:34 110592 ----a-w- c:\windows\system32\ArcSpl.ax
2011-03-13 10:34 . 2004-02-23 02:01 48128 ----a-w- c:\windows\system32\mpgvideo.ax
2011-03-13 10:34 . 2004-02-23 02:01 192512 ----a-w- c:\windows\system32\AdavVideoDec.dll
2011-03-13 10:34 . 2003-12-18 17:03 47616 ----a-w- c:\windows\system32\mpgaudio.ax
2011-03-13 10:34 . 2003-12-18 17:03 126976 ----a-w- c:\windows\system32\AdavAudioDec.dll
2011-03-13 10:30 . 1995-08-01 12:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2011-03-13 10:30 . 2002-09-29 18:56 139264 ----a-w- c:\windows\system32\PhotoBase Screen Saver.scr
2011-03-13 10:30 . 2011-03-13 10:30 -------- d-----w- c:\program files\ArcSoft
2011-03-13 10:12 . 2011-03-15 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-13 10:11 . 2011-03-13 10:11 -------- d-----w- c:\program files\AVG
2011-03-13 09:58 . 2011-03-13 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-13 09:34 . 2011-03-13 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-13 09:34 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-13 09:34 . 2011-03-13 09:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-13 09:34 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-13 09:31 . 2011-03-13 09:31 -------- d-----w- c:\program files\SymNetDrv
2011-03-13 08:19 . 2011-03-15 18:35 -------- d-----w- c:\documents and settings\uentin
2011-03-13 08:18 . 2004-11-16 06:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InterVideo
2011-03-13 08:18 . 2004-11-16 05:44 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AOL
2011-03-13 08:18 . 2004-11-16 05:30 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
2011-03-13 08:18 . 2004-11-16 05:22 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InterTrust
2011-03-13 08:18 . 2004-11-16 05:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2011-03-13 08:18 . 2004-11-16 04:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2011-03-13 08:18 . 2004-11-16 03:57 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2011-03-13 08:18 . 2001-04-04 09:31 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\toshiba
2011-03-13 08:18 . 2011-03-13 08:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2011-03-13 08:17 . 2011-03-13 08:17 17119 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-03-13 08:17 . 2011-03-13 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2011-03-13 08:16 . 2004-12-08 15:44 458752 ----a-w- c:\windows\system32\w29NCPA.dll
2011-03-13 08:16 . 2004-12-08 15:44 3222784 ----a-w- c:\windows\system32\drivers\w29n51.sys
2011-03-13 08:15 . 2004-12-08 15:44 1654784 ----a-w- c:\windows\system32\W29MLRES.DLL
2011-03-13 08:15 . 2004-11-16 03:57 -------- d-----w- c:\documents and settings\Default User\WINDOWS
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-08-27 22:19 . 2004-11-16 04:31 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-15 368640]
"NDSTray.exe"="NDSTray.exe" [BU]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-06 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 88363]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-13 73728]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" [2004-08-27 278528]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 147456]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-16 98304]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-12-7 155648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 19:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://

http://www.chesscafe.com/

uInternet Connection Wizard,ShellNext = hxxp://toolbar.google.com/done
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\uentin\Application Data\Mozilla\Firefox\Profiles\7vd88vbh.default\
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-itlntfy - itlnfw32.dll
AddRemove-whitesmoketoolbar - c:\program files\whitesmoketoolbar\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

http://www.gmer.net

Rootkit scan 2011-03-15 10:58
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(2724)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-15 11:00:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-15 19:00
.
Pre-Run: 92,824,227,840 bytes free
Post-Run: 92,877,041,664 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B9730990EA2B3E511737B5A64F2FDADD

 

[goombawaho]

Well - does it boot now and run normally???

 

[geeknerd]

LOL....I guess I should have posted that, eh ? Yes, it is working good so far. Thanks guys/gals for all your help. This site is simply incredible.

Goombawaho, the drinks are on me buddy

 

[goombawaho]

The site it OK - the minds are great (some of them). Glad it's working for you. By the way, I only recommend that as a last resort because it kind of does what it wants to do and once in a while it will render a computer non-bootable.

But, that would be rarely. Still, don't recommend it as a first step. The ones you listed are first step programs to cure what ails you.

 

[sggaunt]

and the rest of us are now wondering, which of us dosent come into Goo's

the minds are great (some of them).

list?



Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

 

[kjv1611]

Goomb's just a wee bit quick with words, I s'ppose.

Frankly, the reason I've hung around tt this long is for the very fact that the vast majority of individuals are here for real genuine purposes:
1. To Learn
2. To Teach
3. To Learn through teaching others
4. To Learn through challenging one's own mind to solve other's technical issues.

I've seen this throughout LOTS of different technical categories, myself... both in helping, being helped, and seeing others helped.

Now I shall case my ramblings.

I know all too well how it is to be new to a product or new to a forum or group of sorts, and get the feeling that you're not part of the "in" crowd, and therefore your chances of learning anything are next to null. So, I always end up sticking with tek-tips.

No site is perfect, nor will any group of individuals be perfect. Why? Because no person is perfect.

But at least here, the general membership for the most part avoids profanity (big plus) and sticks to the topics (another big plus).

Another thing I like about this place? When you do see ads, they are technical-related ads, not pervert oriented ads that can come up in so many other discussion forums, including those which are supposed to be geared towards technical issues.

 

[goombawaho]

But at least here, the general membership for the most part avoids profanity (big plus) and sticks to the topics (another big plus)."
You would be flagged and your post "edited for content" pretty quickly if you were a true troll or a curse-monger.

I have no lists - good or bad. What I meant was that most people on here have perfectly good intentions and many have consistently good advice. I've just seen some dubious posts, so, like everything else - buyer beware. But, since it's a free forum and you're not paying anything, be even more wary of what advice you buy into.

It's sort of like web sites. There are some that I trust to be a good source of technical information on a regular basis. Other hits when you're googling a problem may be anything from junk to a virus hot spot. Just be careful what you try.

The other thing is that I've seen people trying to solve complex problems with servers and key systems without having two inches of technical depth. Would I try to service my furnace?? No, because I don't want to get CO poisoning!

 

[kjv1611]

It's sort of like websites. There are some that I trust to be a good source... Other hits .. anything from junk..

What? Wait. Everything on the Internet isn't true?!?!?!
[SHOCKED]

 

[ANFPS26]

know all too well how it is to be new to a product or new to a forum or group of sorts, and get the feeling that you're not part of the "in" crowd, and therefore your chances of learning anything are next to null. So, I always end up sticking with tek-tips.

I liked that statement. It is very true. I have been a member here since 2001 and have always felt accepted and I usually get an answer to whatever problem I am having. I used to provide some answers, too, but I haven't kept up with newer technology as much as others, so I don't post as much as I used to. I can remember running into the 'in-crowd' syndrome on some linux sites in the past. I use Google a lot on problems and read Tek-Tips daily. I learn something every time I come here.


Jim

 

[goombawaho]

I guess the whole reason I said the line about "the minds are great (some of them)" was that at one point, I started to notice this new guy posting lots of answers. They shall remain unnamed, but let's just say that their answers were very poor if not dangerous in some cases.

Reminded me of the old Windows 95 scam where they told you to look in a certain folder and if there was a "file xyz" you were infected and needed to delete that file.

 

[jlockley]

And then there's the fact that over the years solutions have been collected for things you would have to search for for weeks. I'm a groupie.

 

[goombawaho]

I honestly didn't understand that last comment - tired? stupid? (Me, not you).