Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search qu


  • This topic is locked This topic is locked
3 replies to this topic

#1 SeanOC

SeanOC

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 24 May 2011 - 06:03 AM

Hi,

My browser has been 'hijacked' by search qu which is (after I searched) malware. I have included a log file below:
I normally use Chrome, but this is affecting Firefox too.

I did try to disable the manager app for search qu in startup via msconfig, but no joy.

I note that there is no reference to it in the log below either.

I usually scan with cc cleaner and malware bytes regularly, but slipped for a few weeks.

Any help much appreciated.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:45:55 p.m., on 24/05/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
G:\Windows\system32\Dwm.exe
G:\Windows\system32\taskhost.exe
G:\Windows\Explorer.EXE
G:\Program Files\Avira\AntiVir Desktop\avgnt.exe
G:\Program Files\COMODO\COMODO Internet Security\cfp.exe
G:\Windows\System32\igfxtray.exe
G:\Windows\System32\hkcmd.exe
G:\Windows\System32\igfxpers.exe
G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\DivX\DivX Update\DivXUpdate.exe
G:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
G:\Program Files\Common Files\Java\Java Update\jusched.exe
G:\Program Files\Skype\Phone\Skype.exe
G:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
G:\Windows\System32\StikyNot.exe
G:\Program Files\Skype\Plugin Manager\skypePM.exe
G:\Windows\system32\wuauclt.exe
G:\Program Files\Windows Live\Messenger\msnmsgr.exe
G:\Program Files\Windows Live\Contacts\wlcomm.exe
G:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\OpenOffice.org 3\program\swriter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
G:\Program Files\Google\Google Earth\client\googleearth.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Windows\system32\rundll32.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
G:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
G:\Users\Sean\Downloads\HijackThis.exe
G:\Windows\system32\SearchFilterHost.exe
G:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: YouTube Downloader Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - G:\Program Files\YouTube Downloader Toolbar\IE\4.4\youtubedownloaderToolbarIE.dll
R3 - URLSearchHook: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - G:\Program Files\BitTorrentBar\tbBit1.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - G:\Program Files\vShare\vshare_toolbar.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - G:\Program Files\ConduitEngine\ConduitEngine.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - G:\Program Files\BitTorrentBar\tbBit1.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: UrlHelper Class - {A40DC6C5-79D0-4ca8-A185-8FF989AF1115} - G:\PROGRA~1\WI3C8A~1\Datamngr\IEBHO.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - G:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: YouTube Downloader Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - G:\Program Files\YouTube Downloader Toolbar\IE\4.4\youtubedownloaderToolbarIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - G:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - G:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll (file missing)
O3 - Toolbar: Yahoo!Xtra Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - G:\Program Files\vShare\vshare_toolbar.dll (file missing)
O3 - Toolbar: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - G:\Program Files\BitTorrentBar\tbBit1.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - G:\Program Files\ConduitEngine\ConduitEngine.dll (file missing)
O3 - Toolbar: YouTube Downloader Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - G:\Program Files\YouTube Downloader Toolbar\IE\4.4\youtubedownloaderToolbarIE.dll
O4 - HKLM\..\Run: [avgnt] "G:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "G:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [IgfxTray] G:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] G:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "G:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "G:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SearchSettings] "G:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] G:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Skype] "G:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sidebar] G:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] G:\Windows\System32\StikyNot.exe
O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "G:\Users\Sean\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] G:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] G:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://G:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - G:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - G:\Program Files\vShare\vshare_toolbar.dll (file missing)
O20 - AppInit_DLLs: G:\PROGRA~1\WI3C8A~1\Datamngr\datamngr.dll G:\PROGRA~1\WI3C8A~1\Datamngr\IEBHO.dll G:\Windows\system32\guard32.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - G:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - G:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Application Updater - Spigot, Inc. - G:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - G:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - G:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - G:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - G:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - G:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - G:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @G:\Windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe,-100 (WPFFontCache_v0400) - Unknown owner - G:\Windows\Microsoft.NET\Framework\v4.0.30128\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 11175 bytes

After downloading iLivid, google search has now been taken over by searchqu malware.

Restore point wasn't set so I can't go back to a 'clean' state.

Any help appreciated. GMER file too large to attach sorry, but i am 32 bit.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
Run by Sean at 23:04:34 on 2011-05-25
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.64.1033.18.2975.1319 [GMT 12:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
G:\Windows\system32\wininit.exe
G:\Windows\system32\lsm.exe
G:\Windows\system32\svchost.exe -k DcomLaunch
G:\Windows\system32\svchost.exe -k RPCSS
G:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
G:\Windows\system32\svchost.exe -k NetworkService
G:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
G:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
G:\Windows\system32\svchost.exe -k netsvcs
G:\Windows\system32\svchost.exe -k LocalService
G:\Windows\System32\spoolsv.exe
G:\Program Files\Avira\AntiVir Desktop\sched.exe
G:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
G:\Program Files\Avira\AntiVir Desktop\avguard.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
G:\Program Files\Application Updater\ApplicationUpdater.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Avira\AntiVir Desktop\avshadow.exe
G:\Windows\system32\conhost.exe
G:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
G:\Windows\system32\svchost.exe -k imgsvc
G:\Windows\system32\Dwm.exe
G:\Windows\system32\taskhost.exe
G:\Windows\Explorer.EXE
G:\Program Files\Avira\AntiVir Desktop\avgnt.exe
G:\Program Files\COMODO\COMODO Internet Security\cfp.exe
G:\Windows\System32\igfxtray.exe
G:\Windows\System32\igfxpers.exe
G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\DivX\DivX Update\DivXUpdate.exe
G:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
G:\Program Files\Common Files\Java\Java Update\jusched.exe
G:\Program Files\Skype\Phone\Skype.exe
G:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
G:\Windows\System32\StikyNot.exe
G:\Windows\system32\WUDFHost.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
G:\Program Files\Skype\Plugin Manager\skypePM.exe
G:\Program Files\Windows Media Player\wmpnetwk.exe
G:\Windows\System32\svchost.exe -k secsvcs
G:\Windows\system32\SearchIndexer.exe
G:\Program Files\Windows Live\Messenger\msnmsgr.exe
G:\Program Files\Windows Live\Contacts\wlcomm.exe
G:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
G:\Program Files\Google\Google Earth\client\googleearth.exe
G:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
G:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
G:\Windows\system32\taskhost.exe
G:\Windows\system32\Dwm.exe
G:\Windows\Explorer.EXE
G:\Program Files\Avira\AntiVir Desktop\avgnt.exe
G:\Program Files\COMODO\COMODO Internet Security\cfp.exe
G:\Windows\System32\igfxpers.exe
G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\DivX\DivX Update\DivXUpdate.exe
G:\Program Files\Common Files\Java\Java Update\jusched.exe
G:\Users\Administrator\Desktop\BitTorrent.exe
G:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
G:\Windows\System32\StikyNot.exe
G:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
G:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
G:\Windows\system32\wuauclt.exe
G:\Windows\servicing\TrustedInstaller.exe
G:\Windows\system32\wuauclt.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Sean\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Windows\System32\svchost.exe -k swprv
G:\Windows\system32\SearchProtocolHost.exe
G:\Windows\system32\SearchFilterHost.exe
G:\Users\Sean\Downloads\dds.scr
G:\Windows\system32\WSCRIPT.exe
G:\Windows\SoftwareDistribution\Download\Install\WU-IE9-Windows7-x86.exe
G:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - g:\program files\youtube downloader toolbar\ie\4.4\youtubedownloaderToolbarIE.dll
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - g:\program files\bittorrentbar\tbBit1.dll
mURLSearchHooks: H - No File
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - g:\program files\bittorrentbar\tbBit1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - g:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - g:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - g:\program files\conduitengine\ConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - g:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - g:\program files\bittorrentbar\tbBit1.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - g:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: UrlHelper Class: {a40dc6c5-79d0-4ca8-a185-8ff989af1115} - g:\progra~1\wi3c8a~1\datamngr\IEBHO.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - g:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - g:\program files\youtube downloader toolbar\ie\4.4\youtubedownloaderToolbarIE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - g:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - g:\program files\daemon tools toolbar\DTToolbar.dll
TB: Yahoo!Xtra Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - g:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - g:\program files\vshare\vshare_toolbar.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - g:\program files\bittorrentbar\tbBit1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - g:\program files\conduitengine\ConduitEngine.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - g:\program files\youtube downloader toolbar\ie\4.4\youtubedownloaderToolbarIE.dll
TB: {414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3} - No File
uRun: [Skype] "g:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Sidebar] g:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [RESTART_STICKY_NOTES] g:\windows\system32\StikyNot.exe
uRun: [msnmsgr] "g:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "g:\users\sean\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [avgnt] "g:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [IgfxTray] g:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] g:\windows\system32\hkcmd.exe
mRun: [Persistence] g:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "g:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "g:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "g:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "g:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "g:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - g:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - g:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - g:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - g:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - g:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} -
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: g:\progra~1\wi3c8a~1\datamngr\datamngr.dll g:\progra~1\wi3c8a~1\datamngr\iebho.dll g:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - g:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - g:\users\sean\appdata\roaming\mozilla\firefox\profiles\kb5pfudh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.searchqu.com/406
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&q=
FF - component: g:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - component: g:\users\sean\appdata\roaming\mozilla\firefox\profiles\kb5pfudh.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: g:\users\sean\appdata\roaming\mozilla\firefox\profiles\kb5pfudh.default\extensions\[email protected]\components\RadioWMPCoreGecko19.dll
FF - plugin: g:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: g:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: g:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: g:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: g:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: g:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: g:\users\sean\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: g:\users\sean\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: g:\windows\microsoft.net\framework\v4.0.20506\wpf\NPWPF.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\drivers\cmdGuard.sys [2010-3-23 238960]
R1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\drivers\cmdhlp.sys [2010-3-3 37592]
R2 avgntflt;avgntflt;g:\windows\system32\drivers\avgntflt.sys [2010-3-26 61960]
R3 RTL8167;Realtek 8167 NT Driver;g:\windows\system32\drivers\Rt86win7.sys [2009-6-11 139776]
R3 SrvHsfHDA;SrvHsfHDA;g:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
R3 SrvHsfV92;SrvHsfV92;g:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;g:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 epmntdrv;epmntdrv;g:\windows\system32\epmntdrv.sys [2010-5-23 14216]
S3 EuGdiDrv;EuGdiDrv;g:\windows\system32\EuGdiDrv.sys [2010-5-23 8456]
.
=============== Created Last 30 ================
.
2011-05-25 10:58:41 -------- d-----w- g:\windows\system32\EventProviders
2011-05-24 20:35:23 6962000 ----a-w- g:\programdata\microsoft\windows defender\definition updates\{326c3bd6-e942-422d-8d7c-8dfd85fc64b4}\mpengine.dll
2011-05-24 09:28:53 83249512 ----a-w- g:\program files\common files\windows live\.cache\wlc35DD.tmp
2011-05-19 11:43:42 -------- d-----w- g:\users\sean\appdata\local\Ilivid Player
2011-05-19 11:43:29 -------- dc-h--w- g:\programdata\~0
2011-05-19 11:42:53 -------- d-----w- g:\program files\Windows iLivid Toolbar
2011-05-19 11:42:43 -------- d-----w- g:\users\sean\appdata\local\PackageAware
2011-05-18 03:06:35 -------- d-----w- g:\program files\YouTube Downloader Toolbar
2011-05-18 03:06:35 -------- d-----w- g:\program files\Application Updater
2011-05-17 08:12:21 123904 ----a-w- g:\windows\system32\poqexec.exe
2011-05-11 08:38:44 3957632 ----a-w- g:\windows\system32\ntkrnlpa.exe
2011-05-11 08:38:44 3901824 ----a-w- g:\windows\system32\ntoskrnl.exe
2011-05-07 11:49:17 -------- d-----w- g:\program files\AnyBizSoft
2011-05-07 08:04:07 -------- d-----w- g:\program files\iPod
2011-05-01 08:26:03 -------- d-----w- g:\program files\Free WMA to MP3 Converter
2011-04-29 09:31:41 -------- d-----w- g:\windows\rescache
2011-04-29 09:03:28 -------- d-sh--w- G:\found.000
.
==================== Find3M ====================
.
2011-05-12 12:19:43 284744 ----a-w- g:\windows\system32\guard32.dll
2011-05-12 12:19:41 37592 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2011-05-12 12:19:40 238960 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2011-05-12 12:19:40 19088 ----a-w- g:\windows\system32\drivers\cmderd.sys
2011-04-13 17:07:59 472808 ----a-w- g:\windows\system32\deployJava1.dll
2011-04-06 04:20:16 91424 ----a-w- g:\windows\system32\dnssd.dll
2011-04-06 04:20:16 75040 ----a-w- g:\windows\system32\jdns_sd.dll
2011-04-06 04:20:16 197920 ----a-w- g:\windows\system32\dnssdX.dll
2011-04-06 04:20:16 107808 ----a-w- g:\windows\system32\dns-sd.exe
2011-03-12 11:31:58 442880 ----a-w- g:\windows\system32\XpsPrint.dll
2011-03-11 05:44:09 146304 ----a-w- g:\windows\system32\drivers\storport.sys
2011-03-11 05:44:01 143744 ----a-w- g:\windows\system32\drivers\nvstor.sys
2011-03-11 05:44:01 1210240 ----a-w- g:\windows\system32\drivers\ntfs.sys
2011-03-11 05:44:01 117120 ----a-w- g:\windows\system32\drivers\nvraid.sys
2011-03-11 05:43:55 332160 ----a-w- g:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:43:46 80256 ----a-w- g:\windows\system32\drivers\amdsata.sys
2011-03-11 05:43:46 22400 ----a-w- g:\windows\system32\drivers\amdxata.sys
2011-03-11 05:40:24 1164288 ----a-w- g:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- g:\windows\system32\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- g:\windows\system32\esent.dll
2011-03-11 05:37:34 74240 ----a-w- g:\windows\system32\fsutil.exe
2011-03-08 05:38:13 740864 ----a-w- g:\windows\system32\inetcomm.dll
2011-03-03 05:29:23 132608 ----a-w- g:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- g:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- g:\windows\system32\win32k.sys
2011-03-02 01:35:22 80208 ----a-w- g:\windows\system32\mfcm100.dll
2011-03-02 01:35:20 4342088 ----a-w- g:\windows\system32\mfc100.dll
2011-03-02 01:35:18 80720 ----a-w- g:\windows\system32\mfcm100u.dll
2011-03-02 01:35:18 770384 ----a-w- g:\windows\system32\msvcr100.dll
2011-03-02 01:35:18 4368720 ----a-w- g:\windows\system32\mfc100u.dll
2011-02-26 05:33:07 2614784 ----a-w- g:\windows\explorer.exe
.
============= FINISH: 23:08:50.36 ===============

EDIT: Topics merged ~Budapest

Attached Files


Edited by Budapest, 26 May 2011 - 04:15 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 29 May 2011 - 02:31 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 31 May 2011 - 11:37 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:35 PM

Posted 04 June 2011 - 01:14 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users