Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Google search redirect virus

Started by kismet , Jan 13 2009 12:54 PM

  • Please log in to reply

#1
kismet
Posted 13 January 2009 - 12:54 PM

kismet

    New Member

  • Member
  • Pip
  • 1 posts
I am experiencing the same Google search redirection virus that I see others on this forum have mentioned in the past. To summarize the symptoms, when I search for anything in Google (in either Firefox or MSIE), the results page looks normal but all of the links are to sketchy ad-filled sites that are unrelated to my query. I can successfully stop this using the Firefox extension NoScript. When I do so, I can see that the page is attempting to run a malicious script from the IP address 7.7.7.0. Despite the fact that I can treat the symptom using NoScript, I'd much prefer to have the infection completely removed from my system. I would greatly appreciate any help you can provide.

As a side note, I have had a couple of Trojans in the past (e.g. Vundo), but they appeared to have been completely removed (running the vundo removal tool didn't find any infected files).

I have followed the instructions from the "You Must Read This Before Posting A Hijackthis Log" post, and have run CCleaner, created a system restore point, and ran ERUNT. I use Symantec Antivirus.

I ran MBAM yesterday, and it didn't find much. Here's the log:

================================================================
Malwarebytes' Anti-Malware 1.32
Database version: 1635
Windows 5.1.2600 Service Pack 3

1/12/2009 10:01:29 AM
mbam-log-2009-01-12 (10-01-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 325806
Time elapsed: 7 hour(s), 58 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
================================================================
Based on some other forum posts, I tried running SDFix. Here is the log it generated:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 12:59:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ae,6c,dd,2b,4b,e7,d0,a4,5e,b3,52,1b,5f,da,91,03,f1,29,c8,34,5b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2d,05,68,cd,6b,24,41,db,fd,72,f7,40,bb,10,b1,d4,53,..
"khjeh"=hex:5b,2d,9f,48,57,12,a1,1e,71,c7,77,cd,13,3b,64,2a,92,72,d6,4b,1c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cd,f9,ae,94,b5,03,33,38,c5,1c,80,ac,ad,49,c7,16,81,9c,7b,7d,6a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ae,6c,dd,2b,4b,e7,d0,a4,5e,b3,52,1b,5f,da,91,03,f1,29,c8,34,5b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2d,05,68,cd,6b,24,41,db,fd,72,f7,40,bb,10,b1,d4,53,..
"khjeh"=hex:5b,2d,9f,48,57,12,a1,1e,71,c7,77,cd,13,3b,64,2a,92,72,d6,4b,1c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cd,f9,ae,94,b5,03,33,38,c5,1c,80,ac,ad,49,c7,16,81,9c,7b,7d,6a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ae,6c,dd,2b,4b,e7,d0,a4,5e,b3,52,1b,5f,da,91,03,f1,29,c8,34,5b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2d,05,68,cd,6b,24,41,db,fd,72,f7,40,bb,10,b1,d4,53,..
"khjeh"=hex:5b,2d,9f,48,57,12,a1,1e,71,c7,77,cd,13,3b,64,2a,92,72,d6,4b,1c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:cd,f9,ae,94,b5,03,33,38,c5,1c,80,ac,ad,49,c7,16,81,9c,7b,7d,6a,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

================================================================
Here is my Hijackthis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:27 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\BisonCam\BisonTrayIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\x85xbgnd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\xrxbeacn.exe
C:\WINDOWS\system32\xnetsrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=128.0.0.2:21;http=128.0.0.2:80;https=128.0.0.2:443
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BisonTrayIcon] C:\WINDOWS\BisonCam\BisonTrayIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [XeroxBackgroundTask] C:\WINDOWS\system32\x85xbgnd.exe 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11486 bytes
================================================================
Here is my Hijackthis uninstall list, in case it's of use:

Adobe Acrobat 7.0.7 Professional
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.1.0
Andor SOLIS
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.4
Azureus
BisonCam
Cache View
CCleaner (remove only)
Cisco Systems VPN Client 4.8.02.0010
DeadAIM
DivX Content Uploader
DivX Web Player
Dizzy v1.11.4
EphPod
ERUNT 1.1j
Hamachi 1.0.1.1
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Igor Pro
ImageJ 1.40g
Intel® PROSet/Wireless Software
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
KTP Ware PS/2-WDM 5.0.1.9
Last.fm 1.5.2.38918
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
MATLAB R2008a
mCore
mDriver
mDrWiFi
mEoU
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 6.0 Professional Edition
MiKTeX 2.7
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.19)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia / Internet Keyboard Driver VerR8.16
mWlsSafe
mXML
mZConfig
National Instruments Software
Nero OEM
Oblivion
Oblivion mod manager 1.1.9
PyMOL
Python 2.4.3
QuickTime
Realtek High Definition Audio Driver
Sassafras K2 Client
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sid Meier's Civilization 4
Sierra Utilities
Starcraft
Steam
Symantec AntiVirus
Texas Instruments PCIxx21/x515/xx12 drivers.
Unofficial Oblivion Patch v2.2.0
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VanDyke Software SecureCRT 5.2
VanDyke Software SecureFX 4.5
VeohTV BETA
Viewpoint Media Player
War Room 1, 0, 1, 0
Winamp
Windows Driver Package - Intel (w29n51) net (04/05/2006 9.0.4.13)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinEdt
WinRAR archiver
Wolfram Mathematica 6
Wolfram Notebook Indexer 2.0
Xerox Phaser 8510_8560 Scan Driver
Xerox Support Centre
================================================================
I've done my best to try to clean my system, but at this point I don't know what to try next. Any suggestions you have to help me out would be *greatly* appreciated. Thanks in advance!




================================================================
EDIT: I forgot that I also ran ComboFix yesterday. Here is the log file:

ComboFix 09-01-05.05 - Alex Fields 2009-01-12 12:09:25.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1745 [GMT -5:00]
Running from: c:\rogueremoval\Fixes\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\idutapad.ini
c:\windows\system32\ipobujit.ini
c:\windows\system32\otimahef.ini
c:\windows\system32\owilesed.ini
c:\windows\system32\TDSSweat.dat
c:\windows\system32\ufuvenoy.ini
c:\windows\system32\ugunezoh.ini
c:\windows\system32\umedujod.ini
c:\windows\system32\wdmaud.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-12 11:49 . 2009-01-12 11:49 <DIR> d-------- c:\program files\CCleaner
2009-01-12 11:42 . 2009-01-12 11:42 <DIR> d-------- C:\rogueremoval
2009-01-12 10:53 . 2009-01-12 10:53 <DIR> d-------- c:\windows\ERUNT
2009-01-12 10:35 . 2009-01-12 11:13 <DIR> d-------- C:\SDFix
2009-01-12 10:29 . 2009-01-12 10:28 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-09 15:48 . 2009-01-09 15:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 15:48 . 2009-01-09 15:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 15:48 . 2009-01-09 15:48 <DIR> d-------- c:\documents and settings\Alex Fields\Application Data\Malwarebytes
2009-01-09 15:48 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 15:48 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 18:05 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-12 16:25 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-12 15:28 --------- d-----w c:\program files\Java
2008-12-16 07:05 --------- d-----w c:\documents and settings\Alex Fields\Application Data\WinEdt
2008-12-11 08:14 --------- d-----w c:\documents and settings\Alex Fields\Application Data\Azureus
2008-12-10 23:32 --------- d-----w c:\program files\National Instruments
2008-12-10 23:32 --------- d-----w c:\documents and settings\All Users\Application Data\National Instruments
2008-12-10 23:25 --------- d-----w c:\program files\Common Files\Merge Modules
2008-12-09 08:39 --------- d-----w c:\program files\Azureus
2008-12-09 06:01 --------- d-----w c:\program files\WinEdt Team
2008-12-09 05:27 --------- d-----w c:\program files\Last.fm
2008-12-09 05:27 --------- d-----w c:\program files\iTunes
2008-12-09 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2008-11-18 18:09 --------- d-----w c:\program files\SecureFX
2008-11-16 03:40 --------- d-----w c:\program files\MATLAB
2008-11-15 02:38 --------- d-----w c:\program files\Microsoft Silverlight
2004-03-15 22:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2005-10-12 20:04 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 15:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2005-12-06 512000]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BisonTrayIcon"="c:\windows\BisonCam\BisonTrayIcon.exe" [2005-09-05 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-02-28 144896]
"KeyAccess"="c:\windows\keyacc32.exe" [2005-08-01 331776]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-03-14 125632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-14 267064]
"XeroxBackgroundTask"="c:\windows\system32\x85xbgnd.exe" [2006-08-02 60928]
"SDFix"="c:\sdfix\RunThis.bat" [2008-11-06 964661]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 c:\windows\RTHDCPL.exe]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-02 100032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-10-25 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-06-19 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-09-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\ShareScan\\ShareScan 2.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\WINDOWS\\system32\\xnetsrvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 8.2\\LabVIEW.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 8.2\\rvi\\compileServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21:TCP"= 21:TCP:FTP
"10000:TCP"= 10000:TCP:VPN
"62515:UDP"= 62515:UDP:VPN
"4500:UDP"= 4500:UDP:VPN
"47466:UDP"= 47466:UDP:BT
"54012:TCP"= 54012:TCP:BT
"54012:UDP"= 54012:UDP:BT

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-02-15 15136]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [2006-07-29 27520]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]
S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2007-02-21 11552]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-02-15 11552]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-02-15 11552]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]
S3 NiRioSrvk;NiRioSrv legacy support;c:\windows\system32\drivers\NiRioSrvkl.sys [2007-02-24 11552]
S3 nismbusk;nismbusk;c:\windows\system32\drivers\nismbusk.sys [2007-02-22 86304]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-02-22 11552]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-02-23 11552]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
S4 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]
S4 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-02-23 11552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b58f898-cec8-11db-9a6c-00130223e3b6}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Steam - (no file)
HKLM-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = ftp=128.0.0.2:21;http=128.0.0.2:80;https=128.0.0.2:443
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Alex Fields\Application Data\Mozilla\Firefox\Profiles\6c9xdq6j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nature.com.ezp-prod1.hul.harvard.edu/nature/current_issue
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 13:07:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1196)

c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 13:13:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 18:13:40

Pre-Run: 5,705,940,992 bytes free
Post-Run: 10,226,925,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

199 --- E O F --- 2009-01-12 16:29:20
================================================================
Thanks again!

Edited by kismet, 13 January 2009 - 01:03 PM.

  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP