Geeks to Go

Google Redirect Virus Spyware [Solved]


  • This topic is locked

#1
shrutsats
    New Member
  • Member
  • 3 posts
Hi there!

I've been having the Google search redirection issue as reported by many others on this forum. I have used Spybot and cleaned some suspect registry entries - this seems to have helped, but here is my HijackThis log. Would appreciate it if someone could double-check it - thanks! Operating system is Windows 7.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:17 PM, on 16/01/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Users\Shruti\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shruti\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Shruti\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Shruti\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_1_0 -reboot 1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\windows\system32\lxddcoms.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 10772 bytes

Also adding ComboFix log:
ComboFix 10-01-16.02 - Shruts 16/01/2010 14:51:54.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.3327.2341 [GMT -5:00]
Running from: c:\users\Shruti\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\nvstor32.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-16 19:45 . 2010-01-16 19:47 -------- d-----w- C:\32788R22FWJFW
2010-01-16 19:35 . 2010-01-16 19:35 -------- d-----w- c:\programdata\RegAce
2010-01-16 19:35 . 2010-01-16 19:45 -------- d-----w- c:\program files\RegAce
2010-01-16 18:53 . 2010-01-16 18:53 -------- d-----w- c:\program files\Trend Micro
2010-01-16 18:51 . 2010-01-16 18:51 -------- d-----w- c:\users\Shruti\AppData\Roaming\Safer Networking
2010-01-16 18:50 . 2010-01-16 18:50 -------- d-----w- c:\program files\Safer Networking
2010-01-16 17:48 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\CCERASER.DLL
2010-01-16 17:48 . 2009-12-14 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\ECMSVR32.DLL
2010-01-16 17:48 . 2009-09-17 06:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\NAVENG.SYS
2010-01-16 17:48 . 2009-09-17 06:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\EECTRL.SYS
2010-01-16 17:48 . 2009-09-17 06:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\NAVENG32.DLL
2010-01-16 17:48 . 2009-09-17 06:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\NAVEX32A.DLL
2010-01-16 17:48 . 2009-09-17 06:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\NAVEX15.SYS
2010-01-16 17:48 . 2009-09-17 06:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100116.005\ERASER.SYS
2010-01-16 06:12 . 2010-01-16 06:12 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-16 02:59 . 2010-01-16 02:59 -------- d-----w- c:\users\Shruti\AppData\Roaming\Lexmark Productivity Studio
2010-01-16 02:57 . 2010-01-16 03:03 -------- d-----w- c:\program files\Lx_cats
2010-01-16 02:57 . 2010-01-16 02:57 -------- d-----w- C:\logs
2010-01-16 02:57 . 2007-02-27 10:16 103936 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdddrpp.dll
2010-01-16 02:56 . 2010-01-16 02:56 -------- d-----w- c:\program files\Lexmark Toolbar
2010-01-16 02:54 . 2010-01-16 02:54 -------- d-----w- C:\lexmark
2010-01-15 04:13 . 2009-04-21 03:12 149768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\cndcipsdefs\20100112.004\WPSHelper.sys
2010-01-14 04:41 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 04:41 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-08 02:10 . 2010-01-08 02:10 -------- d-----w- c:\users\Shruti\AppData\Roaming\AdobeUM
2010-01-07 05:36 . 2010-01-07 05:36 -------- d-----w- c:\programdata\Adobe Systems
2010-01-07 05:36 . 2010-01-07 05:36 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-01-06 02:13 . 2010-01-06 02:13 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-01-06 02:13 . 2010-01-06 02:13 -------- d-----w- c:\program files\MSECache
2010-01-05 03:59 . 2010-01-05 04:13 -------- d-----w- c:\program files\Microsoft Money 2007
2010-01-05 03:42 . 2010-01-05 03:42 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-01-05 03:41 . 2010-01-05 03:41 -------- d-----w- c:\users\Shruti\AppData\Local\Microsoft Help
2010-01-05 03:26 . 2010-01-05 03:26 -------- d-----w- c:\program files\7-Zip
2010-01-03 17:13 . 2010-01-03 17:13 -------- d-----w- c:\users\Shruti\AppData\Local\ElevatedDiagnostics
2010-01-03 17:10 . 2006-09-18 06:57 19456 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\sugs2pc.dll
2010-01-03 17:09 . 2006-12-04 06:25 22723 ----a-w- c:\windows\system32\SUGS2l3.dll
2010-01-03 17:09 . 2006-11-21 16:40 65536 ----a-w- c:\windows\system32\SUGS2ci.dll
2010-01-03 17:09 . 2006-11-20 13:22 151552 ----a-w- c:\windows\system32\SUGS2ci.exe
2010-01-03 17:09 . 2009-03-02 19:12 5120 ------w- c:\windows\system32\drivers\SSPORT.SYS
2010-01-03 17:09 . 2009-03-02 19:12 38400 ------w- c:\windows\system32\drivers\DGIVECP.SYS
2010-01-03 17:09 . 2010-01-03 17:09 -------- d-----w- c:\program files\SAMSUNG
2010-01-02 06:01 . 2010-01-02 06:02 -------- d-----w- c:\users\Shruti\AppData\Roaming\Web Page Maker
2010-01-02 06:00 . 2010-01-02 06:00 -------- d-----w- c:\program files\Web Page Maker
2010-01-02 03:00 . 2010-01-02 03:00 -------- d-----w- c:\users\Shruti\AppData\Local\Diagnostics
2009-12-28 23:36 . 2010-01-01 19:28 -------- d-----w- c:\users\Shruti\AppData\Local\CutePDF Writer
2009-12-28 23:34 . 2009-12-28 23:34 -------- d-----w- c:\users\Shruti\AppData\Local\CustomStamp
2009-12-28 23:34 . 2009-12-28 23:34 -------- d-----w- c:\users\Shruti\AppData\Local\CutePDF_Pro
2009-12-28 23:34 . 2009-12-28 23:34 -------- d-----w- c:\users\Shruti\AppData\Local\CutePDF
2009-12-28 23:34 . 2010-01-07 05:31 -------- d-----w- c:\program files\Acro Software
2009-12-28 19:32 . 2010-01-09 19:35 -------- d-----w- C:\Temp
2009-12-28 06:02 . 2009-12-28 06:02 -------- d-----w- c:\users\Shruti\AppData\Local\Programs
2009-12-28 06:00 . 2009-12-28 06:02 5299337 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2009-12-24 21:16 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-24 21:14 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-24 21:07 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-24 21:02 . 2009-12-24 21:02 -------- d-----w- c:\users\Shruti\AppData\Local\Symantec
2009-12-24 21:02 . 2009-04-21 03:12 149768 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2009-12-24 21:01 . 2009-12-24 21:01 149768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\cndcipsdefs\BinHub\WpsHelper.sys
2009-12-24 21:01 . 2009-09-17 06:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\eeCtrl.sys
2009-12-24 21:01 . 2009-09-17 06:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.sys
2009-12-24 21:01 . 2009-09-17 06:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng.sys
2009-12-24 21:01 . 2009-09-17 06:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng32.dll
2009-12-24 21:01 . 2009-09-17 06:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex32a.dll
2009-12-24 21:01 . 2009-09-17 06:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex15.sys
2009-12-24 21:01 . 2009-10-26 14:54 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2009-12-24 21:01 . 2009-12-24 21:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-24 20:30 . 2009-12-24 20:30 -------- d-----w- c:\users\Shruti\AppData\Roaming\Malwarebytes
2009-12-24 20:30 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 20:30 . 2009-12-24 20:30 -------- d-----w- c:\programdata\Malwarebytes
2009-12-24 20:30 . 2010-01-16 06:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 20:30 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 20:01 . 2009-12-24 20:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-24 20:01 . 2009-12-24 20:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-24 19:18 . 2009-12-24 19:19 -------- d-----w- c:\users\Shruti\AppData\Local\Google
2009-12-24 19:18 . 2009-12-24 19:18 -------- d-----w- c:\users\Shruti\AppData\Local\Deployment
2009-12-24 19:18 . 2009-12-24 19:18 -------- d-----w- c:\users\Shruti\AppData\Local\Apps
2009-12-24 19:09 . 2010-01-08 01:48 111584 ----a-w- c:\users\Shruti\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-24 18:59 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-12-24 18:59 . 2009-10-02 04:06 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-12-24 18:59 . 2009-09-03 07:04 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-12-24 18:59 . 2009-08-29 06:54 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-24 18:59 . 2009-08-19 07:20 442920 ----a-w- c:\windows\system32\winresume.exe
2009-12-24 18:59 . 2009-08-19 07:20 507568 ----a-w- c:\windows\system32\winload.exe
2009-12-24 18:59 . 2009-08-03 05:35 2613248 ----a-w- c:\windows\explorer.exe
2009-12-24 18:59 . 2009-07-30 04:44 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-12-23 23:08 . 2010-01-08 02:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-23 23:06 . 2009-11-20 11:08 38784 ----a-w- c:\users\Shruti\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-23 23:06 . 2009-11-20 11:08 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-23 23:06 . 2009-12-23 23:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-23 23:05 . 2009-12-24 19:19 -------- d-----w- c:\users\Shruti\AppData\Local\Adobe
2009-12-23 23:04 . 2009-12-23 23:04 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-12-23 23:04 . 2009-12-24 20:58 -------- d-----w- c:\programdata\NOS
2009-12-23 22:35 . 2009-12-23 22:35 -------- d-----w- c:\users\Shruti\AppData\Local\Toshiba
2009-12-23 22:35 . 2009-12-23 22:35 -------- d-----w- c:\users\Shruti\AppData\Local\ArcSoft
2009-12-23 22:35 . 2009-12-24 19:59 -------- d-----w- c:\users\Shruti\AppData\Roaming\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 02:56 . 2010-01-16 02:55 -------- d-----w- c:\program files\Lexmark 2500 Series
2010-01-05 03:52 . 2009-11-06 21:01 -------- d-----w- c:\programdata\Microsoft Help
2010-01-05 03:45 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-12-28 06:03 . 2009-11-06 20:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-24 21:21 . 2009-11-06 20:50 -------- d-----w- c:\programdata\NVIDIA
2009-12-24 21:02 . 2009-12-24 21:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-24 21:02 . 2009-11-06 21:11 -------- d-----w- c:\programdata\Symantec
2009-12-24 21:01 . 2009-12-24 21:00 -------- d-----w- c:\program files\Symantec
2009-12-24 21:01 . 2009-12-24 21:01 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-24 21:01 . 2009-12-24 21:01 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-24 20:56 . 2009-11-06 21:11 -------- d-----w- c:\programdata\Norton
2009-12-24 19:59 . 2009-11-06 21:12 -------- d-----w- c:\programdata\ArcSoft
2009-12-23 22:22 . 2009-11-06 21:02 -------- d-----w- c:\program files\Microsoft Works
2009-12-23 22:20 . 2009-12-23 22:20 6 ----a-w- c:\windows\silentOnce.tmp
2009-12-14 09:00 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\CCERASER.DLL
2009-12-14 09:00 . 2009-12-14 09:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ECMSVR32.DLL
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Shruti\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-24 135664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-07 13789728]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-22 7514656]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-07-24 2068480]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-26 115560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2009-04-27 291496]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2009-04-27 25256]

c:\users\Shruti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-1-7 25214]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-26 2684256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [13/07/2009 6:52 PM 48128]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [06/11/2009 4:04 PM 160768]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [24/12/2009 3:01 PM 1153368]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [03/01/2010 12:09 PM 5120]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\System32\drivers\ArcSoftKsUFilter.sys [06/11/2009 4:13 PM 17920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [24/12/2009 4:06 PM 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [21/08/2009 8:24 PM 66592]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxddserv.exe [25/05/2007 9:41 AM 99248]
S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\System32\drivers\netr28.sys [02/11/2009 2:22 AM 626688]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\drivers\RtsUStor.sys [06/11/2009 3:56 PM 166912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [10/06/2009 4:18 PM 139776]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3560011464-2132049022-3858852744-1000Core.job
- c:\users\Shruti\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 19:18]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3560011464-2132049022-3858852744-1000UA.job
- c:\users\Shruti\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msi.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-Symantec Antvirus


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\windows\system32\lxddcoms.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-01-16 15:02:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 20:02

Pre-Run: 156,299,665,408 bytes free
Post-Run: 156,268,998,656 bytes free

- - End Of File - - 28F7DAAD5FECD1CAD967E3ABB47D4547

Edited by ldtate, 16 January 2010 - 02:11 PM.

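Reading a HijackThis log like the one above is mostly pattern work: each line is a section code (R0, O2, O4, O10, O23, ...) followed by a body whose shape depends on the section, and the reviewer looks for the same few things in each. The script below is an added example written for this page; it is not HijackThis code and not something the poster or ldtate provided. It parses that line shape into records and runs three defender-side checks a reviewer performs by eye: the same Winsock LSP DLL listed repeatedly under O10 (the posted log shows nvlsp.dll eight times), O23 services whose publisher field is empty or "Unknown owner", and O4 autostart commands whose executable lives outside Program Files or the Windows directory. The SAMPLE_LOG lines are constructed from a handful of entries in the posted log; the trusted-directory list and the rundll32 handling are this example's own assumptions, not anything HijackThis defines.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this forum thread; not HijackThis code and not part of the
original post. Parses the "Rn - ..." / "On - ..." line shape and applies
three review checks on O10, O23 and O4 entries.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed from entries in the posted log (a subset, trimmed for the example).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Shruti\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: lxdd_device - - C:\windows\system32\lxddcoms.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# HJT prints an empty vendor as "name - - path", hence the optional space before the dash.
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|cmd|bat))"?', re.IGNORECASE)
# Assumption of this example: autostarts under these prefixes are reviewed last.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")


@dataclass
class Entry:
    code: str   # section code such as "O4" or "O23"
    body: str   # everything after "<code> - "


def parse_hjt(text: str) -> list:
    """Turn HJT log text into Entry records; non-matching lines (header, blanks) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def executable_of(cmd: str) -> str:
    """Program an O4 command line launches; for rundll32 return the DLL it is told to load."""
    s = cmd.strip()
    m = EXE_RE.match(s)
    if not m:
        return s
    path = m.group("path")
    rest = s[m.end():].strip()
    if path.lower().endswith("rundll32.exe") and rest:
        return executable_of(rest)  # the loaded module is what needs review, not rundll32 itself
    return path


def normalize(path: str) -> str:
    """Lower-case and expand the environment variables HJT leaves in place."""
    p = path.strip().strip('"').lower()
    return p.replace("%programfiles%", "c:\\program files").replace("%systemroot%", "c:\\windows")


def repeated_lsp_dlls(entries: list) -> dict:
    """O10: {dll_path: count} for Winsock LSP DLLs listed more than once."""
    counts = Counter(
        e.body.split(":", 1)[1].strip().lower()
        for e in entries if e.code == "O10" and ":" in e.body
    )
    return {dll: n for dll, n in counts.items() if n > 1}


def unattributed_services(entries: list) -> list:
    """O23: (name, path) for services whose publisher field is empty or 'Unknown owner'."""
    out = []
    for e in entries:
        if e.code != "O23":
            continue
        m = O23_RE.match(e.body)
        if m and m.group("vendor").strip().lower() in ("", "unknown owner"):
            out.append((m.group("name"), m.group("path")))
    return out


def autostarts_outside_trusted_dirs(entries: list) -> list:
    """O4: (hive, name, executable) for autostarts not under Program Files or Windows."""
    flagged = []
    for e in entries:
        if e.code != "O4":
            continue
        m = O4_RE.match(e.body)
        if not m:
            continue  # "Startup:" / "Global Startup:" shortcut lines use a different shape
        exe = normalize(executable_of(m.group("cmd")))
        if not exe.startswith(TRUSTED_PREFIXES):
            flagged.append((m.group("hive"), m.group("name"), exe))
    return flagged


def triage(text: str) -> dict:
    """Run every check over a log and return a summary dict."""
    entries = parse_hjt(text)
    return {
        "sections": dict(Counter(e.code for e in entries)),
        "repeated_lsp": repeated_lsp_dlls(entries),
        "unattributed_services": unattributed_services(entries),
        "autostarts_to_review": autostarts_outside_trusted_dirs(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Against the sample, the script reports nvlsp.dll three times under O10, two services with no usable publisher (the NVIDIA ForceWare service and lxdd_device), and one autostart to look at first (the per-user Google Update entry under AppData). None of those is a verdict; the point is to turn a 150-line log into the handful of entries worth checking against the vendor and file hash, which is what the "Unknown owner" and repeated-LSP lines in the posted log invite.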
#2
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
Are you still getting redirected?

#3
shrutsats
    New Member
  • Topic Starter
  • Member
  • 3 posts
No, I'm not. ComboFix cleaned it up. Thanks!

#4
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
You can remove these leftover files and folders if listed:
C:\ComboFix
C:\QooBox
C:\combofix.txt
C:\combofix-quarantine-files.txt

#5
ldtate
    Malware Expert
  • Expert
  • 1,874 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.