
malware redirecting my internet searches


  • This topic is locked
25 replies to this topic

#1 dj091231

dj091231

  • Members
  • 13 posts

Posted 02 January 2010 - 01:32 AM

I originally posted this in a different section (Am I infected? What do I do?) but then followed your tutorial to prepare a DDS and RootRepeal log, which instructed me to post here. Please note that in addition to Malwarebytes, Ad-Aware and SUPERAntiSpyware, I also ran Microsoft Security Essentials. Lastly, I also installed HijackThis but did not act on any of the results after running a scan.

Original post below:
---------------
My Dell Latitude E6500 with XP had no problems until a few days ago, when my wife visited the wrong internet site, resulting in a malware intrusion called Security Tool. I followed a forum instruction to remove it by changing the file name and then downloading Malwarebytes to remove it. It worked in removing Security Tool, but my computer is still infected with malware that is redirecting my internet searches. My computer has Trend Micro installed as the default antivirus software, but it did not detect anything when I ran a scan. I downloaded free versions of Ad-Aware and SUPERAntiSpyware and ran scans, which picked up a few trojans, cookies, etc. that Malwarebytes missed but did not fix the search redirect problem. I downloaded PC Tools Spyware Doctor, which identified a threat called rootkit.agent.ex but would not remove it unless I paid for another piece of software (I don't see how this is different from Security Tool's bait and switch...). Can you help me get the rest of the bugs?

DJ

---------------

Requested logs below and attached:

DDS (Ver_09-12-01.01) - NTFSx86
Run by usa00504 at 21:51:56.54 on 01/01/2010 Fri
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.3536.2527 [GMT -8:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {BAF00F5C-ECB1-46C6-9704-7C1796D62C23}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Lotus\Notes\nsd.exe
D:\Program Files\Lotus\Notes\ntmulti.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\TEMP\LW7210.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Documents and Settings\USA00504\Local Settings\Temporary Internet Files\Content.IE5\4D4YFPEG\dds[1].scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Vqivuharuculihiw] rundll32.exe "c:\windows\ehuvujep.dll",Startup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
StartupFolder: c:\docume~1\usa00504\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\usa00504\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslcn.suntech-power.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258022984109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://suntech-power.webex.com/client/T27L/webex/ieatgpc.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\usa00504\applic~1\mozilla\firefox\profiles\4913wr42.default\
FF - HiddenExtension: XULRunner: {9F1910E5-46FA-480E-8E11-7C90949397A5} - c:\documents and settings\usa00504\local settings\application data\{9f1910e5-46fa-480e-8e11-7c90949397a5}\
FF - HiddenExtension: XULRunner: {EAC3F723-1DC6-4310-B2D8-094122046350} - c:\documents and settings\usa00504\local settings\application data\{eac3f723-1dc6-4310-b2d8-094122046350}\
FF - HiddenExtension: XULRunner: {1E9A55FE-7B28-4FF4-9540-951173BC2137} - c:\documents and settings\usa00504\local settings\application data\{1E9A55FE-7B28-4FF4-9540-951173BC2137}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-29 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;d:\program files\lotus\notes\nsd.exe [2008-12-6 3315080]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-11-26 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-11-26 36368]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-8-20 370872]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-1 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-5-1 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-5-1 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-5-1 110080]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S0 bcgige;bcgige; [x]
S0 cerc6;cerc6; [x]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-12-29 652552]

=============== Created Last 30 ================

2009-12-31 21:47:15 0 d-----w- c:\windows\system32\NtmsData
2009-12-31 20:56:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-31 20:56:17 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-31 20:56:17 0 d-----w- c:\docume~1\usa00504\applic~1\SUPERAntiSpyware.com
2009-12-31 20:55:29 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-31 20:27:41 0 d-----w- c:\program files\common files\PC Tools
2009-12-30 17:04:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-30 16:25:55 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-30 07:07:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-30 00:51:41 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-30 00:51:04 0 d-----w- c:\program files\Lavasoft
2009-12-29 17:55:56 21 ----a-w- C:\tmuninst.ini
2009-12-29 17:55:11 142992 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 17:55:11 0 d-----w- c:\windows\system32\log
2009-12-29 17:54:59 72072 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-12-28 22:33:00 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-28 22:27:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-28 15:40:47 0 d-----w- c:\docume~1\usa00504\applic~1\Malwarebytes
2009-12-28 15:40:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 15:40:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-28 15:40:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 15:40:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 02:48:09 120 ----a-w- c:\windows\Lfemalos.dat
2009-12-27 02:48:09 0 ----a-w- c:\windows\Khaxuleboduyeviw.bin
2009-12-27 02:44:27 0 --sha-w- c:\windows\nvDrv.sy
2009-12-16 22:30:55 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2009-12-16 22:21:19 23 ----a-w- c:\windows\bo407cdw.ini

==================== Find3M ====================


============= FINISH: 21:52:14.65 ===============



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 10 January 2010 - 09:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 dj091231

dj091231
  • Topic Starter

  • Members
  • 13 posts

Posted 11 January 2010 - 01:58 AM

Thank you for your assistance. The search engine redirect problem still remains unfixed since my last post below. I have taken some other actions, though, so the status of my computer may have changed. It was recommended to me that I try installing the Kaspersky antivirus software (trial version) on my computer. When I installed it, all other antivirus software on my computer was automatically uninstalled. I ran a full scan with Kaspersky. It said it found zero problems, but my IE 8 browser still has the redirect problem. I then uninstalled Kaspersky and reinstalled Trend Micro. There are no other antivirus programs currently active on my computer. Please find my logs below and attached.

Best Regards,
DJ


DDS (Ver_09-12-01.01) - NTFSx86
Run by usa00504 at 22:37:37.65 on 01/10/2010 Sun
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.3536.2947 [GMT -8:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {4A87AD34-134F-4021-9B01-F14F40555E82}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Lotus\Notes\nsd.exe
D:\Program Files\Lotus\Notes\ntmulti.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\VE55DC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\USA00504\Local Settings\Temporary Internet Files\Content.IE5\HD366FT1\dds[1].scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Vqivuharuculihiw] rundll32.exe "c:\windows\ehuvujep.dll",Startup
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
StartupFolder: c:\docume~1\usa00504\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslcn.suntech-power.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258022984109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://suntech-power.webex.com/client/T27L/webex/ieatgpc.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;d:\program files\lotus\notes\nsd.exe [2008-12-6 3315080]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-12-24 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-12-24 36368]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-8-20 370872]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-1 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-5-1 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-5-1 244368]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-5-1 110080]
S0 bcgige;bcgige; [x]
S0 cerc6;cerc6; [x]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-12-24 652552]

=============== Created Last 30 ================

2010-01-07 05:38:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-12-31 21:47:15 0 d-----w- c:\windows\system32\NtmsData
2009-12-31 20:56:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-31 20:56:17 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-31 20:56:17 0 d-----w- c:\docume~1\usa00504\applic~1\SUPERAntiSpyware.com
2009-12-31 20:27:41 0 d-----w- c:\program files\common files\PC Tools
2009-12-30 16:25:55 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-29 17:55:56 21 ----a-w- C:\tmuninst.ini
2009-12-29 17:55:11 142992 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 17:55:11 0 d-----w- c:\windows\system32\log
2009-12-28 22:27:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-28 15:40:47 0 d-----w- c:\docume~1\usa00504\applic~1\Malwarebytes
2009-12-28 15:40:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-27 02:48:09 120 ----a-w- c:\windows\Lfemalos.dat
2009-12-27 02:48:09 0 ----a-w- c:\windows\Khaxuleboduyeviw.bin
2009-12-27 02:44:27 0 --sha-w- c:\windows\nvDrv.sy
2009-12-25 06:07:10 72072 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-12-16 22:30:55 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2009-12-16 22:21:19 23 ----a-w- c:\windows\bo407cdw.ini

==================== Find3M ====================


============= FINISH: 22:37:50.93 ===============

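The DDS log above is the kind of output a helper reads by eye: boot-start services whose image file is missing, and new files dropped straight into the Windows root with hidden/system attributes or a truncated extension. As an added example that is not part of the thread or of the DDS tool, the following Python triage script parses the "SERVICES / DRIVERS" and "Created Last 30" sections and flags those patterns; the sample lines are a verbatim subset of the log posted above. The reading of "[x]" as "DDS could not find the image file", and the heuristics themselves, are this example's assumptions, not a statement of how DDS works internally.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a verbatim subset of the DDS log lines posted in this thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-12-24 225808]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-5-1 108160]
S0 bcgige;bcgige; [x]
S0 cerc6;cerc6; [x]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-12-24 652552]

=============== Created Last 30 ================

2009-12-30 16:25:55 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-29 17:55:11 142992 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-27 02:48:09 120 ----a-w- c:\windows\Lfemalos.dat
2009-12-27 02:48:09 0 ----a-w- c:\windows\Khaxuleboduyeviw.bin
2009-12-27 02:44:27 0 --sha-w- c:\windows\nvDrv.sy
2009-12-16 22:21:19 23 ----a-w- c:\windows\bo407cdw.ini

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# "<start> <name>;<display name>;<image path> [<date> <size>]" or "... [x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]$"
)
# "<date> <time> <size> <attribute flags> <path>"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Extensions we consider normal for files created under the Windows tree (assumption).
KNOWN_EXTENSIONS = {".dll", ".exe", ".sys", ".ini", ".log", ".txt", ".dat", ".bin", ".cab", ".ocx"}


@dataclass
class Finding:
    kind: str     # "service" or "file"
    subject: str  # service name or file path
    reason: str


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its '==== NAME ====' sections (names lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_services(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        # Assumption: DDS prints "[x]" instead of "[date size]" when the image file is not on disk.
        if m.group("meta").strip() == "x" or not m.group("path").strip():
            findings.append(Finding("service", m.group("name"),
                                    f"{m.group('start')} entry with no image file on disk (orphaned or hidden driver)"))
    return findings


def triage_files(lines: List[str]) -> List[Finding]:
    parsed = [m for m in (FILE_RE.match(l) for l in lines) if m]
    # Files written in the same second usually come from one dropper run.
    by_second: Dict[tuple, int] = {}
    for m in parsed:
        key = (m.group("date"), m.group("time"))
        by_second[key] = by_second.get(key, 0) + 1
    findings = []
    for m in parsed:
        path, attrs = m.group("path"), m.group("attrs")
        directory, _, name = path.rpartition("\\")
        ext = name[name.rfind("."):].lower() if "." in name else ""
        reasons = []
        if "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes")
        if ext not in KNOWN_EXTENSIONS:
            reasons.append(f"unusual extension {ext!r}")
        if directory.lower() == r"c:\windows":
            reasons.append("new file directly in the Windows root")
        siblings = by_second[(m.group("date"), m.group("time"))] - 1
        if siblings and reasons:
            reasons.append(f"created in the same second as {siblings} other file(s)")
        if reasons:
            findings.append(Finding("file", path, "; ".join(reasons)))
    return findings


def triage(text: str) -> List[Finding]:
    sections = parse_sections(text)
    return (triage_services(sections.get("services / drivers", []))
            + triage_files(sections.get("created last 30", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.kind:8} {f.subject}: {f.reason}")
```

Run as-is it lists the two boot-start services with no file behind them and the three files dropped into c:\windows on 2009-12-27, which are exactly the entries the helper later targets; wmpns.dll and tmcomm.sys in system32 are left alone. The heuristics are deliberately simple so they can be read and adjusted; they are a starting point for review, not a verdict.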

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:35 AM

Posted 12 January 2010 - 06:36 PM

Hello, dj091231.
Ok, you are definitely infected with some malware. Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!
I am a senior trainee, so my fix will be checked by a staff member. This may result in an extra day before I can reply.





Step 1

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



Step 2

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.



Step 3

In your reply, please post:
  • Combofix log
  • GMER log


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 dj091231

dj091231
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:35 PM

Posted 14 January 2010 - 12:29 PM

Dear Etavares,

Thank you for your help. Unfortunately, I am having problems obtaining the complete logs with Gmer. The default for Gmer only scans the C drive but I have a D and E drive as well (C drive contains documents and settings and most program files, D drive contains program files for my Lotus Notes, and E drive contains My Documents). I did not notice the first scan missing my D and E drives and the scan completed without problems. You can find this log attached. When I ran the program again to scan all drives, my computer crashed and I was given the error message found in the other attachment entitled errormsg. I tried rebooting my computer in safe mode but for some reason, my computer is not accepting my login password in safe mode. How should I proceed?

A few other questions:
1. I tried disabling my Trend Micro software before the Gmer scan but I could not find an option to disable real time protection. This may be because this is a work computer and the option is removed intentionally. My IT person previously suggested that if I want to run another antivirus software, I should uninstall Trend Micro and reinstall later. Is that my best option to ensure Gmer works properly?

2. I also performed a full backup of my computer before running the scan and I am now concerned about the possibility of my backup drive containing the malware. How do I ensure my backups are clean as well?

Best Regards,
DJ


Edited by dj091231, 14 January 2010 - 12:41 PM.


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:35 AM

Posted 15 January 2010 - 07:09 AM

Hello, dj091231.
I am not sure why you can not log into your computer in safe mode, it could be malware, it could be something else. We can try to remove the malware and see if that helps. Can you log into Windows via a normal startup?

We'll try a different rootkit scanner since GMER isn't working. Sometimes they give errors. It happens. It's not an active malware remover the way we're running it, just a scanning tool so it didn't make any system changes.

Since you can't turn off Trend Micro, please uninstall it before running Combofix. This means your computer is vulnerable. Once CF is done, please either unplug your computer from the internet, or immediately reinstall Trend Micro.

Finally, your backup likely contains the malware. But, it's still smart you have a recent backup! :( Although it's infected, we can have access to your files if we need them, and we can always return to this point. So, be careful with that backup. At the end, we can make a new backup that is clean. But, hold onto that backup for now...don't erase it.





Step 1

Please go to start => Run, copy/paste the following line in the run box and click OK.
  • C:\DOCUME~1\USA00504\LOCALS~1\Temp\WER5875.dir00

    We need the following file to be uploaded: \Mini011410-01.dmp
  • Zip it first, to do that:
    • Right-click the file and select Send To from the Context menu => select Compressed (zip) Folder
    • Click Yes to any prompt. A zip file will be created in the same directory.
  • Click on this link: http://www.bleepingcomputer.com/submit-mal....php?channel=66
  • Click Browse... and navigate to: C:\Windows\Minidump
  • Highlight the zipped file and click Open.
  • Click Send File.


Step 2

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Step 3

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.



Step 4

Please reply with the RootRepeal and CF logs; confirmation you uploaded the minidump file, and a description of any issues (e.g. are you still hijacked and can you log into safe mode).

PS> please copy and paste your logs into your reply instead of attaching. It makes it easier for me and allows it to be searched by other people trying to figure out if they are infected.




#7 dj091231

dj091231
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:35 PM

Posted 15 January 2010 - 07:31 PM

Dear Etavares,

I was unable to complete Step 1 as you outline below (for some reason, my computer would not run C:\DOCUME~1\USA00504\LOCALS~1\Temp\WER5875.dir00)

I returned to your original suggestions, restarting my computer in safe mode successfully this time, and completed a scan with GMER. Please find the log below. However, when I tried to run a scan with ComboFix, my computer froze up (after successfully installing Windows Recovery Console but before completing a scan). I tried a number of times and each time the blue screen that explains 'this scan may take 10 minutes or longer' successfully opens and backs up registries but then shows no activity. The cursor continues to blink but eventually the screen freezes, both in normal mode and safety mode. How should I proceed?

Best Regards,
DJ


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 13:45:39
Windows 5.1.2600 Service Pack 3
Running: 1rzh85ns.exe; Driver: C:\DOCUME~1\USA00504\LOCALS~1\Temp\axliifoc.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Adobe Acrobat 8 Standard - English, Fran
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Adobe Acrobat 8 Standard - English, Fran@SlowInfoCache 0x28 0x02 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Adobe Acrobat 8 Standard - English, Fran@Changed 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@UninstallString msiexec /I {AC76BA86-1033-F400-BA7E-000000000003}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@Size
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@DisplayIcon C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe,0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@DisplayName Adobe Acrobat 8.1.0 Standard
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@Language 1033
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@VersionMinor 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@VersionMajor 8
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@URLUpdateInfo http://www.adobe.com/acrofamily/main.html
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@URLInfoAbout http://www.adobe.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@Readme [INSTALLDIR]Readme.htm
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@Publisher Adobe Systems
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@InstallSource
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@InstallLocation C:\Program Files\Adobe\Acrobat 8.0\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@InstallDate 10/23/2009
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@HelpTelephone
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@HelpLink http://www.adobe.com/support/main.html
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@DisplayVersion 8.1.0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 8 Standard - English, Fran@Contact Customer Support
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1

---- EOF - GMER 1.0.15 ----

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:35 AM

Posted 16 January 2010 - 08:15 AM

It could be interference from your antivirus or malware. Did you uninstall Trend Micro before running? If not, please try that as directed in my last post, or let me know that it was uninstalled and I will modify the instructions.




#9 dj091231

dj091231
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:35 PM

Posted 16 January 2010 - 12:01 PM

Yes. I uninstalled Trend Micro before running both Gmer and CF. Gmer ran fine.

DJ

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:35 AM

Posted 17 January 2010 - 08:57 PM

Hello, dj091231.
OK, we'll do this a little different. In step 1, please save Combofix.exe as djfix.exe when you save it to your desktop.



Step 1

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop and name it djfix.exe

Do not run it yet.





Step 2

Please download Rkill by Grinler and save to your desktop.
Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot once you run this tool, it will reset the temporary fixes. This program will help others to run by stopping malware that may interfere with the other tools.



Step 3

please run ComboFix using these instructions:
  • Close all applications and windows (including this one) so that you have nothing open and are at your Desktop.
  • Go to Start -> Run...
  • Copy the entire contents inside the CODE box below (do NOT copy the word "CODE" from the CODE box!), and paste them into the empty "Open:" box provided:
"%userprofile%\Desktop\djfix.exe" /killall
  • Click OK and follow the on-screen prompts. When you click Yes at the prompt to allow ComboFix to download and install the Microsoft Windows Recovery Console, you will get the following prompt: "You do not appear to be connected to the internet. Kindly connect before clicking 'OK'". At that point, do NOT click OK yet, but instead, please do this:
    • Go to Start -> Control Panel -> Network and Internet Connections -> Network Connections
    • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click Repair
    • Once done, click Close and exit the Network Connections window.
  • Now click OK in order to let ComboFix download the Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • When the RC is successfully installed, click Yes to continue scanning for malware.
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.


Step 4

Please reply back with the Combofix log.




#11 dj091231

dj091231
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:35 PM

Posted 19 January 2010 - 02:45 AM

Unfortunately, CF is still not running properly. I downloaded rkill as instructed and the black dos box did appear. However, when I run CF, I am getting the same screen with blinking cursor and no apparent activity. Eventually I get a frozen screen. I did not get the prompts to connect to the internet but I assume this is because CF successfully installed the recovery console the first time I tried running the program.

The IT guy at work said I should just reformat the C drive. Is this going to help at all to remove the malware? I would like to stick to your instructions until there are no other options.

DJ

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:35 AM

Posted 20 January 2010 - 07:04 AM

Hello, dj091231.

Reformatting will eliminate the viruses, although you will need to be careful as they will be in your backup and could reinfect the machine. The choice is up to you. If you'd like to try and continue, let's try this antivirus scan below. If you can't get into safe mode, try in normal mode.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please download DrWeb-CureIt and save it to your desktop. DO NOT start a scan yet.

Reboot your computer in SAFE MODE. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows logo appears), repeatedly press the F8 key. A menu will appear with options, use the arrow keys to navigate and select "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Edited by etavares, 20 January 2010 - 07:04 AM.




#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:35 AM

Posted 23 January 2010 - 06:53 AM

Hi dj091231-

Have you had a chance to try the Cure-It program?




#14 dj091231

dj091231
  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:35 PM

Posted 23 January 2010 - 07:16 PM

Yes. I ran the drweb cureit as instructed, first running an express scan, then running a custom scan with the 'heuristics scan' box unchecked. The custom scan took a very long time but when complete, reported that no viruses were found. It did not give me an option to save a report list. I did get a pop up during the process asking if I wanted to download the full trial version. Do I have to do this in order to run a complete scan correctly?

DJ

#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:35 AM

Posted 24 January 2010 - 08:18 AM

Hello, dj091231.
OK, we'll do this the hard way. Nasty little virus, isn't it? You don't need to get the full trial version now. Let's do the following to start.



Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.



Step 2

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :processes
    explorer.exe
    :services
    bcgige
    cerc6
    :files
    c:\windows\Lfemalos.dat
    c:\windows\Khaxuleboduyeviw.bin
    c:\windows\nvDrv.sy
    c:\windows\ehuvujep.dll
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{472734EA-242A-422B-ADF8-83D1E48CC825}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{472734EA-242A-422B-ADF8-83D1E48CC825}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Vqivuharuculihiw"=-
    :Commands
    [start explorer]
    [resethosts]
    [Reboot]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Please also post a fresh DDS log as well.

Step 3

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Step 4

In your reply, please include:
  • OTM log
  • the rootrepeal log
  • a fresh DDS log
  • a description of any remaining issues or things that have been fixed after running the above.

Edited by etavares, 24 January 2010 - 08:20 AM.



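The OTM script in Step 2 above is a small remediation language: each ":section" lists processes to stop, services to remove, files to move, registry keys and values to delete, and commands to run afterwards. Before running such a script it is worth having a machine-readable view of exactly what it will touch. As an added example that is not part of the thread and not OldTimer's own code, the following Python dry-run reviewer parses that script (embedded verbatim as the sample input) into a plan and summarises the registry changes that matter most for a search-redirect infection: autostart (Run key) entries and GUID-named toolbar/CLSID registrations. It assumes the :Reg section follows the .reg-file convention in which "name"=- deletes a value and [-KEY] deletes a whole key; nothing here executes any of the actions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the OTM script posted in this thread, embedded verbatim.
OTM_SCRIPT = r"""
:processes
explorer.exe
:services
bcgige
cerc6
:files
c:\windows\Lfemalos.dat
c:\windows\Khaxuleboduyeviw.bin
c:\windows\nvDrv.sy
c:\windows\ehuvujep.dll
:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"=-
[-HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vqivuharuculihiw"=-
:Commands
[start explorer]
[resethosts]
[Reboot]
"""

REG_KEY_RE = re.compile(r"^\[(?P<delete>-)?(?P<key>[^\]]+)\]$")   # [KEY] or [-KEY]
REG_VALUE_DEL_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')           # "name"=-
GUID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.IGNORECASE)


@dataclass
class Plan:
    kill_processes: List[str] = field(default_factory=list)
    stop_services: List[str] = field(default_factory=list)
    move_files: List[str] = field(default_factory=list)
    delete_reg_keys: List[str] = field(default_factory=list)
    delete_reg_values: List[Tuple[str, str]] = field(default_factory=list)  # (key, value name)
    commands: List[str] = field(default_factory=list)


def parse_otm(script: str) -> Plan:
    """Turn an OTM script into a Plan without executing anything."""
    plan = Plan()
    section = None
    current_key = None  # the [KEY] that following "name"=- lines belong to
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section, current_key = line[1:].lower(), None
            continue
        if section == "processes":
            plan.kill_processes.append(line)
        elif section == "services":
            plan.stop_services.append(line)
        elif section == "files":
            plan.move_files.append(line)
        elif section == "reg":
            key_m = REG_KEY_RE.match(line)
            if key_m:
                if key_m.group("delete"):
                    plan.delete_reg_keys.append(key_m.group("key"))
                    current_key = None
                else:
                    current_key = key_m.group("key")
                continue
            val_m = REG_VALUE_DEL_RE.match(line)
            if val_m and current_key:
                plan.delete_reg_values.append((current_key, val_m.group("name")))
            else:
                raise ValueError(f"unparsed :Reg line: {line}")
        elif section == "commands":
            plan.commands.append(line.strip("[]"))
        else:
            raise ValueError(f"line outside a known section: {line}")
    return plan


def summarize(plan: Plan) -> Dict[str, object]:
    """Counts plus the registry deletions a reviewer should look at first."""
    return {
        "processes": len(plan.kill_processes),
        "services": len(plan.stop_services),
        "files": len(plan.move_files),
        "reg_keys": len(plan.delete_reg_keys),
        "reg_values": len(plan.delete_reg_values),
        # Run-key entries are persistence; GUID-named values are COM/toolbar registrations.
        "autostart_values": [(k, v) for k, v in plan.delete_reg_values
                             if k.lower().endswith(r"\currentversion\run")],
        "com_registrations": [(k, v) for k, v in plan.delete_reg_values if GUID_RE.match(v)],
        "reboots": any(c.lower() == "reboot" for c in plan.commands),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_otm(OTM_SCRIPT)).items():
        print(f"{key}: {value}")
```

The parser raises on any :Reg line it does not understand rather than silently skipping it, since a half-applied registry section is worse than none. Keeping the plan separate from execution is the point: the same structure can be diffed against the DDS findings, logged, or shown to the user for confirmation before anything on the machine changes.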



