Google Redirect Malware Infection


This topic is locked
3 replies to this topic

#1 W5682 (Members, 2 posts)

Posted 14 July 2009 - 02:14 PM

I went on vacation recently, and when I returned a disreputable family member had been on the computer and obvious signs of an infection abounded. It's primarily a gaming system, so minimal use of antivirus on the system is deliberate. System is not to be used to browse. Should have passworded before leaving, evidently. Primary symptom is redirect searches from Google. Computer is also slow. I occasionally see memory access popups (memory at location cannot be read) and it seems to be blocking virus scans and new downloads (I have to unblock before I can run a download, and I had to rename HijackThis before it would run). Scan details below. Any assistance appreciated.

DDS Log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by aldreyth at 11:51:25.25 on Tue 07/14/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1619 [GMT -7:00]


============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Analog Devices\SoundMAX\Smax4.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
F:\WINDOWS\system32\hphmon03.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Documents and Settings\aldreyth\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\DOCUME~1\aldreyth\LOCALS~1\Temp\b.exe
F:\Documents and Settings\aldreyth\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
F:\WINDOWS\system32\SearchProtocolHost.exe
F:\Documents and Settings\aldreyth\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - f:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - f:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - f:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
uRun: [Microsoft Works Update Detection] f:\program files\microsoft works\WkDetect.exe
uRun: [swg] f:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Cognac] f:\docume~1\aldreyth\locals~1\temp\b.exe
uRun: [Google Update] "f:\documents and settings\aldreyth\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAX] "f:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [HPDJ Taskbar Utility] f:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] f:\windows\system32\hphmon03.exe
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "f:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] f:\program files\analog devices\core\smax4pnp.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - f:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197773561500
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.181,85.255.112.81
TCP: {0530FFC8-C95F-48C0-8D2A-0232E6E7B3E4} = 85.255.112.181,85.255.112.81
TCP: {C1C6BCCE-64F2-4907-B264-97ED23AEF78C} = 85.255.112.181,85.255.112.81
TCP: {FD860555-FD7C-44B7-8378-51868C55AE1D} = 85.255.112.181,85.255.112.81
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - f:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - f:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - f:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\aldreyth\applic~1\mozilla\firefox\profiles\ygbr2krb.default\
FF - plugin: f:\documents and settings\aldreyth\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
f:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
f:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
f:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
f:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
f:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
f:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
f:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
f:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
f:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
f:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
f:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;f:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;f:\windows\system32\drivers\RTL8187.sys [2007-12-15 332928]
S3 Dot4Usb HPH09;Dot4Usb HPH09;f:\windows\system32\drivers\hphius09.sys [2008-5-30 18864]
S3 physX32;physX32;f:\windows\system32\drivers\physX32.sys [2007-12-16 120320]

=============== Created Last 30 ================

2009-07-14 11:11 <DIR> --d----- f:\program files\Trend Micro
2009-07-14 10:59 <DIR> --d-h--- f:\windows\PIF
2009-07-13 12:46 12,127 ac------ f:\windows\system32\dllcache\wadv02nt.sys
2009-07-13 12:45 50,688 ac------ f:\windows\system32\dllcache\umaxscan.dll
2009-07-13 12:44 149,376 ac------ f:\windows\system32\dllcache\tffsport.sys
2009-07-13 12:43 61,824 ac------ f:\windows\system32\dllcache\speed.sys
2009-07-13 12:42 104,064 ac------ f:\windows\system32\dllcache\sisgrp.sys
2009-07-13 12:41 179,264 ac------ f:\windows\system32\dllcache\s3sav3d.dll
2009-07-13 12:40 40,320 ac------ f:\windows\system32\dllcache\ql1080.sys
2009-07-13 12:39 41,984 ac------ f:\windows\system32\dllcache\ovui2rc.dll
2009-07-13 12:38 15,872 ac------ f:\windows\system32\dllcache\ne2000.sys
2009-07-13 12:37 320,384 ac------ f:\windows\system32\dllcache\mgaum.sys
2009-07-13 12:36 6,144 ac------ f:\windows\system32\dllcache\kbd106.dll
2009-07-13 12:35 8,192 ac------ f:\windows\system32\dllcache\i2omgmt.sys
2009-07-13 12:34 2,688 ac------ f:\windows\system32\dllcache\hidswvd.sys
2009-07-13 12:33 72,192 ac------ f:\windows\system32\dllcache\es1969.sys
2009-07-13 12:32 24,649 ac------ f:\windows\system32\dllcache\dfe650d.sys
2009-07-13 12:31 31,529 ac------ f:\windows\system32\dllcache\brzwlan.sys
2009-07-13 12:03 456,704 ac------ f:\windows\system32\dllcache\smtpsvc.dll
2009-07-13 12:02 189,986 ac------ f:\windows\system32\dllcache\c_1361.nls
2009-07-13 12:01 488 a---hr-- f:\windows\system32\logonui.exe.manifest
2009-07-13 12:01 749 a---hr-- f:\windows\WindowsShell.Manifest
2009-07-13 12:01 749 a---hr-- f:\windows\system32\wuaucpl.cpl.manifest
2009-07-13 12:01 749 a---hr-- f:\windows\system32\sapi.cpl.manifest
2009-07-13 12:01 749 a---hr-- f:\windows\system32\ncpa.cpl.manifest
2009-07-13 12:01 16,384 ac------ f:\windows\system32\dllcache\isignup.exe
2009-07-11 15:38 <DIR> --d----- f:\program files\BitPim
2009-07-05 16:47 102,664 a------- f:\windows\system32\drivers\tmcomm.sys
2009-07-05 14:41 410,984 a------- f:\windows\system32\deploytk.dll
2009-07-05 14:41 73,728 a------- f:\windows\system32\javacpl.cpl
2009-07-03 04:29 <DIR> --dsh--- f:\documents and settings\aldreyth\IECompatCache
2009-07-03 04:28 <DIR> --dsh--- f:\documents and settings\aldreyth\PrivacIE
2009-07-03 04:28 <DIR> --dsh--- f:\documents and settings\aldreyth\IETldCache
2009-07-03 04:11 <DIR> -cd-h--- f:\windows\ie8
2009-07-02 00:42 124,416 a------- f:\windows\msa.exe
2009-07-02 00:42 206,852 a------- f:\windows\system32\msxml71.dll

==================== Find3M ====================

2009-07-13 12:00 23,348 a------- f:\windows\system32\emptyregdb.dat
2009-05-25 00:24 350,208 a------- f:\windows\system32\mssph.dll

============= FINISH: 11:51:41.68 ===============



Hijack This Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:52 AM, on 7/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\DOCUME~1\aldreyth\LOCALS~1\Temp\b.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Analog Devices\SoundMAX\Smax4.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
F:\WINDOWS\system32\hphmon03.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Documents and Settings\aldreyth\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
F:\Documents and Settings\aldreyth\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
F:\Program Files\hijackthis\fumble.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - F:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - F:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - F:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAX] "F:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] F:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] F:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] F:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cognac] F:\DOCUME~1\aldreyth\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\aldreyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197773561500
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0530FFC8-C95F-48C0-8D2A-0232E6E7B3E4}: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1C6BCCE-64F2-4907-B264-97ED23AEF78C}: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD860555-FD7C-44B7-8378-51868C55AE1D}: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\..\{0530FFC8-C95F-48C0-8D2A-0232E6E7B3E4}: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\..\{0530FFC8-C95F-48C0-8D2A-0232E6E7B3E4}: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.181,85.255.112.81
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - F:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Software Updater (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - F:\WINDOWS\system32\HPHipm09.exe

--
End of file - 7920 bytes

Attach file from DDS is attached. Again, thanks for the assist.
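As an added illustration (not part of the thread or of HijackThis itself), a small Python triage pass over HijackThis-style lines. It flags O4 Run entries that launch from a Temp directory and O17 NameServer entries pointing at public IPs outside a caller-supplied allowlist, which are the two kinds of line in the log above that a responder would look at first. The sample lines are copied from the posted log, plus one constructed O17 line with a private (router) address for contrast; the function and finding names are my own.

```python
import ipaddress
import re

# Sample input: lines copied from the HijackThis log posted above, plus one
# constructed O17 line (192.168.1.1) to show a private DNS server is not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] "F:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [Cognac] F:\DOCUME~1\aldreyth\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [Google Update] "F:\Documents and Settings\aldreyth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O17 - HKLM\System\CCS\Services\Tcpip\..\{0530FFC8-C95F-48C0-8D2A-0232E6E7B3E4}: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.181,85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"""

# O4 Run entries: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O17 entries: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')
# A command that runs from a Temp directory (8.3 or long path) or via %TEMP%.
TEMP_RE = re.compile(r'\\temp\\|%temp%', re.IGNORECASE)


def triage_hjt(log_text, trusted_dns=()):
    """Return a list of (finding, subject, detail) tuples for suspicious lines.

    trusted_dns: IPs of the DNS servers this network is expected to use
    (e.g. the ISP's resolvers). Private addresses are always accepted.
    """
    trusted = {ipaddress.ip_address(s) for s in trusted_dns}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            # Persistence that starts something out of a Temp folder is
            # unusual for legitimate software and worth a closer look.
            if TEMP_RE.search(m.group("cmd")):
                findings.append(("autorun_from_temp", m.group("name"), m.group("cmd")))
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                server = server.strip()
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(("dns_unparseable", m.group("key"), server))
                    continue
                if ip.is_private or ip in trusted:
                    continue
                # Every interface and control set pointing at an unexpected
                # public resolver is reported separately so the scope is clear.
                findings.append(("dns_not_trusted", m.group("key"), str(ip)))
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_LOG):
        print("%-18s %s -> %s" % finding)
```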

#2 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 16 July 2009 - 09:19 PM

Hello W5682,

I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.

I notice that you never scanned with an Antivirus before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus!

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no Antivirus is present, which should be able to deal with most of it and prevent further reinfection.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 W5682 (Topic Starter, Members, 2 posts)

Posted 19 July 2009 - 12:41 PM

Thanks, but help is no longer needed. Blew away the hard drive and reinstalled Windows.

#4 SifuMike (malware expert, Members, 15,385 posts)

Posted 19 July 2009 - 12:44 PM

Good to hear things are sorted out. I will close this thread.