Google Search Hijack and Rogue keep returning.


This topic is locked.
2 replies to this topic

#1 thadpg

Members, 1 post, Location: Amarillo, TX
Posted 24 July 2009 - 01:23 AM

I have tried just about everything, but the infection keeps coming back. I had AVG to begin with, but uninstalled it thinking that maybe Grisoft was slacking because this kept coming back. I have Avira now with no better results. I went about 5 days without noticing any suspicious activity (my record since I first got this nasty virus about 2 weeks ago), then today my search results in Google started linking to other "search sites". I have run MalwareBytes and nearly all others I have heard of without any luck. I was a PC tech for a few years, but I have been out of the game for a couple and this has me pulling my hair out. I have found a few other posts with similar stories on Google within the last week or so also. The most suspicious file I have found on my PC is (\\?\globalroot\systemroot\system32\hjgruimfxenkha.dll) which is superhidden and attaches itself to running processes. Anyways, here are the DDS and zip files. Thank you for any help.

PS - A lot of the others I have seen have a similar file. (\\?\globalroot\systemroot\system32\(random 14 character name).dll)

DDS (Ver_09-06-26.01) - NTFSx86
Run by Thad & Jennifer at 0:53:28.64 on Fri 07/24/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.326 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Security\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Security\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\alg.exe
C:\Program Files\Security\IObit Security 360\IS360srv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Security\IObit Security 360\IS360tray.exe
C:\Program Files\Security\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Security\IObit Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Security\IObit Security 360\IObit Security 360.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Thad & Jennifer\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: CoTGT_BHO Class: {c333cf63-767f-4831-94ac-e683d962c63c} - c:\program files\tgtsoft\stylexp\TGT_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\security\iobit advanced systemcare 3\AWC.exe" /startup
mRun: [LogonStudio] "c:\program files\logonstudio\logonstudio.exe" /RANDOM
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IObit Security 360] c:\program files\security\iobit security 360\IS360tray.exe
mRun: [avgnt] "c:\program files\security\avira\antivir desktop\avgnt.exe" /min
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {29850FAC-CCBB-4DB9-970D-417D0AC63534} = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcBrpqp

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thad&j~1\applic~1\mozilla\firefox\profiles\9f2rt88w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\security\avira\antivir desktop\avgio.sys [2009-7-16 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-10 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\security\avira\antivir desktop\sched.exe [2009-7-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\security\avira\antivir desktop\avguard.exe [2009-7-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-16 55640]
R2 IS360service;IS360service;c:\program files\security\iobit security 360\IS360srv.exe [2009-7-15 303888]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 wrqthgbc;wrqthgbc;\??\c:\windows\system32\drivers\inwzngzsdfk.sys --> c:\windows\system32\drivers\inwzngzsdfk.sys [?]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;c:\windows\system32\drivers\athwpn.sys --> c:\windows\system32\drivers\athwpn.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-10-1 17149]
S3 HpUsbPVR;HP USB TV Tuner and Personal Video Recorder Device;c:\windows\system32\drivers\HpUsbPVR.sys [2003-7-2 131200]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\42.tmp --> c:\windows\system32\42.tmp [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-8-5 40832]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2008-9-7 3567]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2009-1-4 1694592]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]
S3 xpvcom;XPVCOM Port;c:\windows\system32\drivers\XPVCOM.sys [2007-3-23 30032]
S4 gupdate1c9dcdd35c19232;Google Update Service (gupdate1c9dcdd35c19232);c:\program files\google\update\GoogleUpdate.exe [2009-5-24 133104]

=============== Created Last 30 ================

2009-07-17 23:49 <DIR> --d----- c:\windows\tracing
2009-07-17 04:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\11327654
2009-07-16 22:40 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-16 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-16 21:59 <DIR> --d----- c:\program files\Support Tools
2009-07-16 20:40 <DIR> --d----- c:\docume~1\thad&j~1\applic~1\IObit
2009-07-15 20:25 245,248 -c------ c:\windows\system32\dllcache\mswsock.dll
2009-07-15 20:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
2009-07-15 20:04 <DIR> --d----- c:\program files\Security
2009-07-14 21:29 1,076,108 a------- c:\windows\system32\kernel1.rar
2009-07-14 21:18 369 a------- C:\boot.bkp
2009-07-14 20:38 8,576 a------- c:\windows\system32\drivers\yfkqwsjdflok.sys
2009-07-14 20:32 <DIR> --d----- c:\documents and settings\thad & jennifer\Pavark
2009-07-14 09:09 <DIR> --d----- c:\program files\CodeStuff
2009-07-11 03:11 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-11 02:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-11 01:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 01:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-11 01:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 09:48 57,801 a------- c:\windows\system32\igfx.hlp
2009-07-06 00:56 163,840 a------- c:\windows\system32\igfxres.dll
2009-07-06 00:35 <DIR> --d----- c:\docume~1\thad&j~1\applic~1\dp3d
2009-07-06 00:35 <DIR> --d----- c:\program files\Dream Pinball 3D Demo
2009-07-05 21:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-06-26 15:38 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-07-11 03:12 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-01 16:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 16:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 16:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 16:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 16:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 16:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-28 23:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-28 23:52 81,920 a------- c:\windows\system32\ieencode.dll
2007-09-10 17:57 72,760 a------- c:\docume~1\thad&j~1\applic~1\GDIPFONTCACHEV1.DAT
2008-08-09 01:41 75 ---shr-- c:\windows\CT5PRET.BIN
2008-07-12 22:17 721,797 a--sh--- c:\windows\system32\pqprBcfe.ini2

============= FINISH: 0:55:53.59 ===============

Edited by thadpg, 24 July 2009 - 01:52 AM.
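Triage logic for the kind of entry this log shows, as an added example that is not part of the thread or of the DDS tool: it scores each line of a DDS "SERVICES / DRIVERS" section on three signals (driver file not found on disk, no descriptive display name, random-looking file name) so the S2 wrqthgbc entry stands out from legitimate drivers and anti-rootkit tools that share one or two of those traits. The sample lines are copied from the log above; the meaning of the "[?]" marker, the vowel-ratio heuristic and the scoring weights are assumptions.

```python
import re

# Constructed sample in the format of a DDS "SERVICES / DRIVERS" section: entries copied
# from the log above (one suspicious, the rest benign or anti-rootkit tools) for contrast.
SAMPLE = r"""
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-10 353672]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-16 55640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 wrqthgbc;wrqthgbc;\??\c:\windows\system32\drivers\inwzngzsdfk.sys --> c:\windows\system32\drivers\inwzngzsdfk.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\42.tmp --> c:\windows\system32\42.tmp [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
"""

LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")        # state name;display;path [info]
FILE_RE = re.compile(r"\\([^\\\s]+?)\.(sys|exe|dll|tmp)\b", re.I)  # last path component
VOWELS = set("aeiou")

def looks_random(name, min_len=8, max_vowel_ratio=0.3):
    """Heuristic (assumed) for generated names such as 'inwzngzsdfk' or the 14-letter
    DLL name from the post: long, letters only, and unusually vowel-poor."""
    name = name.lower()
    if len(name) < min_len or not name.isalpha():
        return False
    return sum(c in VOWELS for c in name) / len(name) < max_vowel_ratio

def score_entry(line):
    """Return {service, score, reasons} for one DDS service line, or None if not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _state, name, display, rest = m.groups()
    reasons, score = [], 0
    # Assumption: DDS appends "[?]" when it cannot find the driver file on disk,
    # which is what a rootkit hiding its own file looks like in the log.
    if rest.rstrip().endswith("[?]"):
        score, reasons = score + 2, reasons + ["driver file not found on disk"]
    if display.strip().lower() == name.strip().lower():
        score, reasons = score + 1, reasons + ["no descriptive display name"]
    fm = FILE_RE.search(rest.split(" --> ")[-1])
    if fm and looks_random(fm.group(1)):
        score, reasons = score + 2, reasons + ["random-looking file name " + fm.group(0)[1:]]
    return {"service": name.strip(), "score": score, "reasons": reasons}

def suspicious_services(text, threshold=4):
    """Entries scoring at or above threshold; a triage list, not a verdict."""
    scored = (score_entry(l) for l in text.splitlines())
    return [e for e in scored if e and e["score"] >= threshold]

if __name__ == "__main__":
    for e in suspicious_services(SAMPLE):
        print(e["service"], e["score"], "; ".join(e["reasons"]))
```

The threshold of 4 keeps resolved drivers with terse names (avgntflt, vsdatant) and the unresolved but descriptively named or clearly tool-related entries (vsmon, rootrepeal, MEMSWEEP2) below the line while still flagging wrqthgbc.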



#2 SifuMike

malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA

Posted 25 July 2009 - 02:22 PM

Hello thadpg,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Please post the last Malwarebytes log so I can see what it is finding.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Edited by SifuMike, 25 July 2009 - 02:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike


Posted 31 July 2009 - 08:57 PM

This thread will now be closed due to lack of feedback.