Google hijack, cmd dysfunction, can't download anti-virus updates


12 replies to this topic

#1 nellwal

Posted 29 March 2009 - 02:03 PM

I have gotten some very stubborn malware that I can't find with my scans (AVG, Spybot, PC Tools, etc.). I really don't want to have to rebuild this machine unless it's a last-resort type of thing.

Here are the symptoms:

Google links hijacked
Can't get to the Windows Update website
Can't download the AVG virus update automatically - have to do so manually
Can't run cmd.exe or regedit; Notepad doesn't seem to work, nor do various other executables.

Right now I'm running a full scan with Spyware Doctor and waiting on results. As soon as that's done I'll post the HijackThis information.

Here is a dump from regedit (where I changed the executable to red3edit and did an export, per another thread).

One thing I saw that was curious is this jsxx.jpa:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 3/22/2009 - 6:51 PM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll

Value 1
Name: msacm.imaadpcm
Type: REG_SZ
Data: imaadp32.acm

Value 2
Name: msacm.msadpcm
Type: REG_SZ
Data: msadp32.acm

Value 3
Name: msacm.msg711
Type: REG_SZ
Data: msg711.acm

Value 4
Name: msacm.msgsm610
Type: REG_SZ
Data: msgsm32.acm

Value 5
Name: msacm.trspch
Type: REG_SZ
Data: tssoft32.acm

Value 6
Name: vidc.cvid
Type: REG_SZ
Data: iccvid.dll

Value 7
Name: VIDC.I420
Type: REG_SZ
Data: msh263.drv

Value 8
Name: vidc.iv31
Type: REG_SZ
Data: ir32_32.dll

Value 9
Name: vidc.iv32
Type: REG_SZ
Data: ir32_32.dll

Value 10
Name: VIDC.IYUV
Type: REG_SZ
Data: iyuv_32.dll

Value 11
Name: vidc.mrle
Type: REG_SZ
Data: msrle32.dll

Value 12
Name: vidc.msvc
Type: REG_SZ
Data: msvidc32.dll

Value 13
Name: VIDC.UYVY
Type: REG_SZ
Data: msyuv.dll

Value 14
Name: VIDC.YUY2
Type: REG_SZ
Data: msyuv.dll

Value 15
Name: VIDC.YVU9
Type: REG_SZ
Data: tsbyuv.dll

Value 16
Name: VIDC.YVYU
Type: REG_SZ
Data: msyuv.dll

Value 17
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 18
Name: msacm.msg723
Type: REG_SZ
Data: msg723.acm

Value 19
Name: vidc.M263
Type: REG_SZ
Data: msh263.drv

Value 20
Name: vidc.M261
Type: REG_SZ
Data: msh261.drv

Value 21
Name: msacm.msaudio1
Type: REG_SZ
Data: msaud32.acm

Value 22
Name: msacm.sl_anet
Type: REG_SZ
Data: sl_anet.acm

Value 23
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINDOWS\system32\l3codeca.acm

Value 24
Name: vidc.iv41
Type: REG_SZ
Data: ir41_32.ax

Value 25
Name: msacm.iac2
Type: REG_SZ
Data: iac25_32.ax

Value 26
Name: wave
Type: REG_SZ
Data: wdmaud.drv

Value 27
Name: midi
Type: REG_SZ
Data: wdmaud.drv

Value 28
Name: mixer
Type: REG_SZ
Data: wdmaud.drv

Value 29
Name: wave1
Type: REG_SZ
Data: serwvdrv.dll

Value 30
Name: wave2
Type: REG_SZ
Data: serwvdrv.dll

Value 31
Name: wave3
Type: REG_SZ
Data: serwvdrv.dll

Value 32
Name: vidc.tscc
Type: REG_SZ
Data: tsccvid.dll

Value 33
Name: wave4
Type: REG_SZ
Data: serwvdrv.dll

Value 34
Name: MSVideo8
Type: REG_SZ
Data: VfWWDM32.dll

Value 35
Name: wave5
Type: REG_SZ
Data: serwvdrv.dll

Value 36
Name: wave6
Type: REG_SZ
Data: serwvdrv.dll

Value 37
Name: VIDC.SP54
Type: REG_SZ
Data: SP5X_32.DLL

Value 38
Name: vidc.LEAD
Type: REG_SZ
Data: LCODCCMP.DLL

Value 39
Name: vidc.divx
Type: REG_SZ
Data: svmp4.dll

Value 40
Name: wave7
Type: REG_SZ
Data: serwvdrv.dll

Value 41
Name: wave8
Type: REG_SZ
Data: wdmaud.drv

Value 42
Name: mixer1
Type: REG_SZ
Data: wdmaud.drv

Value 43
Name: wave9
Type: REG_SZ
Data: wdmaud.drv

Value 44
Name: mixer2
Type: REG_SZ
Data: wdmaud.drv

Value 45
Name: vidc.MPG4
Type: REG_SZ
Data: Mpg4c32.dll

Value 46
Name: vidc.MP42
Type: REG_SZ
Data: Mpg4c32.dll

Value 47
Name: vidc.MP43
Type: REG_SZ
Data: Mpg4c32.dll

Value 48
Name: VIDC.TMPX
Type: REG_SZ
Data: tmpxvfw.dll

Value 49
Name: VIDC.TVTA
Type: REG_SZ
Data: TVTACodec.dll

Value 50
Name: VIDC.TVTX
Type: REG_SZ
Data: TVTXTDEC.DLL

Value 51
Name: VIDC.XVID
Type: REG_SZ
Data: XVIDVFW.DLL

Value 52
Name: msacm.scg726
Type: REG_SZ
Data: scg726.acm

Value 53
Name: aux
Type: REG_SZ
Data: C:\WINDOWS\system32\..\jsxx.jpa


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name: <NO CLASS>
Last Write Time: 9/13/2003 - 7:45 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 9/13/2003 - 7:45 PM
Value 0
Name: wave
Type: REG_SZ
Data: rdpsnd.dll

Value 1
Name: MaxBandwidth
Type: REG_DWORD
Data: 0x56b9

Value 2
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv

Value 3
Name: EnableMP3Codec
Type: REG_DWORD
Data: 0x1

Value 4
Name: midimapper
Type: REG_SZ
Data: midimap.dll


#2 nellwal

Posted 29 March 2009 - 04:16 PM

I saw the note about the ComboFix log. I didn't run one; I'm hoping that is just a generic message.

#3 garmanma

Posted 29 March 2009 - 07:25 PM

Welcome to BC.
It is not recommended to run ComboFix without the assistance of an HJT team member.
ComboFix and HJT logs belong in another forum.

------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Mark

#4 nellwal

Posted 30 March 2009 - 10:02 AM

I must be on the right track, as I can't get to this website from the infected PC, and the malware update download crashed also.

Fortunately my laptop isn't infected and is running completely separate from the infected PC.

So I'm downloading everything and transferring it.

Edited by nellwal, 30 March 2009 - 10:03 AM.


#5 nellwal

Posted 30 March 2009 - 10:30 AM

This didn't work. I ran the anti-malware. It removed a few files and I still have the problem.

#6 quietman7

Posted 30 March 2009 - 11:01 AM

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with Dr.Web CureIt.
Follow the instructions here for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 nellwal

Posted 30 March 2009 - 11:30 AM

Malwarebytes' Anti-Malware 1.35
Database version: 1893
Windows 5.1.2600 Service Pack 3

3/30/2009 11:23:02 AM
mbam-log-2009-03-30 (11-23-02).txt

Scan type: Quick Scan
Objects scanned: 110188
Time elapsed: 20 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
C:\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#8 quietman7

Posted 30 March 2009 - 12:01 PM

Continue with the instructions already provided, then do this.

Your MBAM log indicates you are using an outdated database version. Please update it through the program's interface (preferable method). Usually if you're having problems updating through MBAM's interface, you can manually download the definition updates and just double-click on mbam-rules.exe to install. However, in your case, you are already using the most current rules posted in that download link.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
If you cannot see the folder, you may have to Reconfigure Windows to show it. Then perform a new Quick Scan in normal mode and make sure you reboot afterwards. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#9 nellwal

Posted 30 March 2009 - 12:35 PM

Will do - thanks.

#10 nellwal

Posted 30 March 2009 - 12:55 PM

I THINK this may have gotten it. The Trojan Daonol (or something like that) came up as being found. We'll see.

#11 nellwal

Posted 30 March 2009 - 01:04 PM

THAT WORKED!!

Thank you so much. This was a bad one; I was getting ready to rebuild.

Thanks again!

#12 nellwal

Posted 30 March 2009 - 01:22 PM

Here is the log:

Malwarebytes' Anti-Malware 1.35
Database version: 1918
Windows 5.1.2600 Service Pack 3

3/30/2009 1:53:02 PM
mbam-log-2009-03-30 (13-53-02).txt

Scan type: Quick Scan
Objects scanned: 94049
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\MSWinSck.ocx (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\MSWinSck.ocx (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\jsxx.jpa (Trojan.Daonol) -> Quarantined and deleted successfully.

#13 quietman7

Posted 30 March 2009 - 01:46 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend disabling this feature as a method of prevention. Microsoft recommends doing the same in Security Advisory (967940): Update for Windows Autorun.

Edited by quietman7, 30 March 2009 - 01:47 PM.




