
Google Hijack Virus - ComboFix Trouble


  • This topic is locked
2 replies to this topic

#1 cleopard

cleopard

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 05 August 2010 - 11:44 AM

Hi everyone,

First I'd like to thank all the active supporters of this site for their help, and apologize for coming here directly with a problem on my first post.

I caught that Google Result Hijacking virus. I ran Malware Bytes and Avast, and they both caught various trojans but didn't fix the search results. After some research I ran across ComboFix and decided to run it. Admittedly, I should have done more research, but in my haste went ahead and ran it. So now, none of my browsers seem to connect to the internet at all. Seems the cure was worse than the disease. Attached is my log. Please help.

EDIT: I read one of the posts asking not to attach logs, so I will go ahead and just paste it here to be safe.

ComboFix 10-08-04.05 - Administrator 08/05/2010 16:18:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1230 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\PixArt\PAC207\Monitor.exe
c:\windows\system32\msconfig.exe
c:\windows\system32\msippsth.dll

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Service_TCPIP Pass-through Filter


((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-05 15:24 . 2010-08-05 15:24 -------- d-----w- c:\windows\system32\xircom
2010-08-05 15:24 . 2010-08-05 15:24 -------- d-----w- c:\windows\system32\wbem\snmp
2010-08-05 15:24 . 2010-08-05 15:24 -------- d-----w- c:\windows\system32\oobe
2010-08-05 15:24 . 2010-08-05 15:24 -------- d-----w- c:\windows\srchasst
2010-08-05 15:24 . 2010-08-05 15:24 -------- d-----w- c:\program files\microsoft frontpage
2010-08-05 01:52 . 2010-08-05 01:52 8192 ----a-w- c:\windows\system32\csdtm.dll
2010-07-20 16:26 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-20 16:26 . 2010-07-20 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 14:20 . 2010-02-18 01:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 14:16 . 2009-04-01 13:57 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-05 02:02 . 2009-03-30 03:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-08-05 01:40 . 2009-03-30 21:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple
2010-07-29 14:48 . 2009-09-04 03:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-07-29 12:33 . 2009-09-04 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-07-21 18:15 . 2009-04-03 18:19 -------- d-----w- c:\program files\Alwil Software
2010-06-28 20:57 . 2009-04-03 18:19 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-04-03 18:20 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-04-03 18:20 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-04-03 18:20 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-04-03 18:20 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2009-04-03 18:20 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2009-04-03 18:20 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2009-04-03 18:20 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-25 03:58 . 2009-04-06 00:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\FrostWire
2010-05-22 07:27 . 2010-05-22 07:27 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6728e975-n\msvcp71.dll
2010-05-22 07:27 . 2010-05-22 07:27 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6728e975-n\jmc.dll
2010-05-22 07:27 . 2010-05-22 07:27 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6728e975-n\msvcr71.dll
2008-05-05 20:14 . 2009-03-30 01:12 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2009-03-30 01:12 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.

------- Sigcheck -------

[-] 2008-05-06 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys



c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-01 77824]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-05-06 99840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [3/30/2009 2:54 AM 16640]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2009 7:20 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2009 7:20 PM 17744]
S0 yvpldlt;yvpldlt;c:\windows\system32\drivers\dybilivi.sys --> c:\windows\system32\drivers\dybilivi.sys [?]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [9/5/2009 5:55 AM 616064]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/30/2009 5:05 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1482476501-1801674531-500Core1cb1c78e5ed3f18.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 13:14]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1482476501-1801674531-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 13:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\csdtm.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PAC207_Monitor - c:\windows\PixArt\PAC207\Monitor.exe
HKLM-Run-Monitor - c:\windows\PixArt\PAC207\Monitor.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_asw_aisI.tm~a02448\onefile.dld 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\csdtm.dll

- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-08-05 16:29:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-05 15:29

Pre-Run: 16,089,780,224 bytes free
Post-Run: 16,651,698,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4C3C198C297A0FB9D32826EF720F9170

Edited by cleopard, 05 August 2010 - 12:08 PM.


#2 cleopard

cleopard
  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 05 August 2010 - 02:54 PM

Problem fixed.

ComboFix eradicated the virus, and to get back on the internet I ran the following command:

netsh winsock reset

Hope this can help others.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:37 PM

Posted 05 August 2010 - 05:18 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
