Rootkit/malware redirecting me other websites


18 replies to this topic

#1 marco55

Posted 23 November 2010 - 10:07 AM

Greetings,
Information about my infection can be found here:
http://www.bleepingcomputer.com/forums/topic360167.html
There is further information about my situation in my second and third posts.

Also I think I should point out a weird phenomenon that occurred maybe a few days before posting my original topic: when I went on my computer, all the pictures on my desktop icons were changing every few seconds (for example, a .RAR file might have the "Notepad" icon picture, and Firefox might have the music file picture, and so on), and then in maybe 10 seconds everything would rearrange again. It made my computer very slow and wouldn't stop until I was finally able to end 'explorer.exe' in Windows Task Manager and run it again.
Not sure if this is any help, but I guess it's worth mentioning.

Since my posts in that thread, I have reset my router's settings (using the reset button on the back), and changed the password while booted from a flash drive using a Linux OS (I called Verizon to ask for a replacement router, but they turned me down), and browsed the internet for a few hours, and didn't see anything suspicious.

As mentioned in the topic that I linked to, I plan to reformat my hard drive, but in the event that it wasn't my router that had the problem, I guess that means that some other part of my computer is infected, meaning the reformat is useless.

So before I go ahead and reformat my hard drive, I would like to know where else an infection could be hiding, and how I can clean those areas.

I would also like to know if my router could still have an infection. Does pressing (and holding for 20 seconds) the reset button, and changing the password fix everything with it, or no?

GMER didn't find anything (the log is blank but I attached it anyway), but most of the boxes that are checked in the screenshot in the guide were not checkable on my computer. I will attach a screenshot of what it looked like on my computer.

-------
EDIT: I would also like to mention strange changes to Google and Youtube ads.

On youtube videos like this:
(I edited the URL so it wouldn't show up as an embedded video in this post) hxxp://www.youtube dot com /watch?v=dQw4w9WgXcQ
(or any other "VEVO" videos), the VEVO ads below the videos lead to "bit.ly" links (on both my computers, even when I'm booted from my flash drive).

I am posting this using my netbook with XP, and noticing that when searching common company names on Google, using my Mywot firefox addon I can see that the links lead to false websites
For example, Google's ad for "CVS" pharmacy leads to "m1460.ic-live.com"
"Bose" ad and "Bank of America" ad lead to "clickserve.dartsearch.net"
"Mcafee" ad leads to "clickserve.us2.dartsearch.net"
"Walmart" ad leads to "114.xg4ken.com"

(DON'T CLICK THESE LINKS)
-------

Thank you very much in advance to anyone who can help. I really appreciate your taking the time to assist me.


Here is my DDS log:

DDS (Ver_10-11-10.01) - NTFS_AMD64
Run by Trevor at 2:46:47.49 on Tue 11/23/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3037.2368 [GMT -8:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Trevor\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [<NO NAME>]
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\da5nigfq.default\
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2010-7-29 168544]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2010-8-12 810144]
R2 epfwwfp;epfwwfp;C:\Windows\System32\drivers\epfwwfp.sys [2010-7-29 50624]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-20 239616]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-9-16 23536]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-15 1255736]
S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]

=============== Created Last 30 ================

2010-11-20 17:18:53 0 ---ha-w- C:\Users\Trevor\BITD87.tmp
2010-11-11 20:14:11 -------- d-----w- C:\Users\Trevor\AppData\Roaming\Windows Live Writer
2010-11-11 20:14:11 -------- d-----w- C:\Users\Trevor\AppData\Local\Windows Live Writer
2010-11-01 02:23:38 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-01 02:23:38 472808 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-29 13:04:19 8006480 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{91182489-0E8D-46AA-9014-7CBCCA9CB0B7}\mpengine.dll
2010-10-28 15:26:04 -------- d-----w- C:\Users\Trevor\AppData\Roaming\ESET
2010-10-28 15:26:04 -------- d-----w- C:\Users\Trevor\AppData\Local\ESET
2010-10-28 15:25:22 -------- d-----w- C:\Program Files\ESET
2010-10-25 01:09:25 -------- d-----w- C:\Users\Trevor\AppData\Roaming\Malwarebytes
2010-10-25 01:09:18 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-10-25 01:09:17 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-10-25 01:09:16 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-10-25 01:09:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-10-19 18:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-03 03:09:07 406528 ----a-w- C:\Windows\SysWow64\ReWire.dll
2010-10-03 03:09:07 338432 ----a-w- C:\Windows\SysWow64\REX Shared Library.dll
2010-09-30 18:31:20 697690 ----a-w- C:\Windows\unins000.exe
2010-09-08 18:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-08-27 15:26:40 177904 ----a-w- C:\Windows\System32\drivers\pctplfw64.sys
2010-08-27 15:26:00 107864 ----a-w- C:\Windows\System32\drivers\pctNdis-PacketFilter64.sys
2010-08-27 06:14:02 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2010-08-27 05:46:48 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-08-27 03:38:04 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-08-27 03:37:48 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-08-27 03:37:26 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-08-26 05:27:28 148992 ----a-w- C:\Windows\System32\t2embed.dll
2010-08-26 04:39:58 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll

============= FINISH: 2:47:09.45 ===============

Edited by Orange Blossom, 24 November 2010 - 09:50 PM.
Deactivate link. ~ OB



#2 oneof4

  • Malware Response Team

Posted 01 December 2010 - 11:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a log from the RKUnhooker anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:


Why we request you disable CD Emulation when receiving Malware Removal Advice

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Just ignore it and continue.


Best Regards,
oneof4.


#3 marco55

Posted 02 December 2010 - 09:24 PM

I ran DDS again as you instructed. I think I should mention that this time I may or may not have disabled my antivirus software more thoroughly than the last time I ran the scan. It's hard to remember the last time I did it, but this time I know I looked very thoroughly through my settings on Nod32 and disabled all the protection I saw.
Also, just in case it matters, I never downloaded DDS with the computer I'm using it to scan. I downloaded it with my netbook (XP) and used my flash drive to copy it to the desktop of my Windows 7 desktop computer.

Here is my new DDS log:


DDS (Ver_10-11-27.01) - NTFS_AMD64
Run by Trevor at 10:56:25.17 on Thu 12/02/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3037.2150 [GMT -8:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Trevor\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [<NO NAME>]
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\da5nigfq.default\
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\da5nigfq.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Extension: Xmarks: foxmarks@kei.com - C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\da5nigfq.default\extensions\foxmarks@kei.com

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2010-7-29 168544]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2010-8-12 810144]
R2 epfwwfp;epfwwfp;C:\Windows\System32\drivers\epfwwfp.sys [2010-7-29 50624]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-20 239616]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-9-16 23536]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-15 1255736]
S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]

=============== Created Last 30 ================

2010-12-02 18:21:09 0 ---ha-w- C:\Users\Trevor\BIT1BC9.tmp
2010-11-11 20:14:11 -------- d-----w- C:\Users\Trevor\AppData\Roaming\Windows Live Writer
2010-11-11 20:14:11 -------- d-----w- C:\Users\Trevor\AppData\Local\Windows Live Writer

==================== Find3M ====================

2010-11-01 02:23:32 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-10-19 18:41:44 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-03 03:09:07 406528 ----a-w- C:\Windows\SysWow64\ReWire.dll
2010-10-03 03:09:07 338432 ----a-w- C:\Windows\SysWow64\REX Shared Library.dll
2010-09-30 18:31:20 697690 ----a-w- C:\Windows\unins000.exe
2010-09-08 18:17:46 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

============= FINISH: 10:56:52.58 ===============


I was unable to access the link to the Rootkit Unhooker.
I should note that the last time (a few days ago) I accessed this computer (the netbook with XP) I received an error message from Avira. I took a screenshot of it, but when I tried to create a Bitmap file (to paste the image onto), I got an error message saying something like (if I remember correctly) 'there are insufficient resources to do that' or something of that nature. I tried to create a .txt document to type out Avira's message, but the same error message popped up as when I tried to make a BMP file.
I managed to write down the basics of what the message said though:
-
The application module C:\Program Files\Avira\Avira Desktop\ccwkrlib.dll can't be found ... has been modified or destroyed ... avwsc.exe can't be started.
-
I believe there were other buggy things that happened, but I can't recall.

Thank you for your reply and thank you to the staff member who replies to this post to help me.

EDIT: since the attachments in my original post don't seem to be there, maybe they didn't go through (probably due to NoScript).
I'll re-upload them on this post. ("Attach.txt" is the log from my original post)


Edited by marco55, 03 December 2010 - 11:29 AM.
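The two DDS logs in posts #1 and #3 are what the helpers read first, so here is an added Python triage helper (my own example, not part of this thread or of the DDS tool) that parses the Running Processes, Pseudo HJT Report and Services/Drivers sections and flags the entries an analyst reviews first: BHO/toolbar CLSIDs with "No File", autorun entries with no name, images running from user-writable paths, and kernel drivers outside the system drivers directory. SAMPLE_DDS is a short excerpt constructed from lines in these logs, and the regular expressions are assumptions about DDS's line layout taken from those lines rather than from any DDS documentation.

```python
"""Triage helper for DDS logs: parse the sections and flag entries worth a closer look."""
import re
from dataclasses import dataclass

# Constructed sample: a short excerpt assembled from lines of the DDS logs in this thread.
SAMPLE_DDS = r"""============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Users\Trevor\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2010-7-29 168544]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-15 1255736]

============= FINISH: 2:47:09.45 ===============
"""

# Line layouts below are assumptions taken from the logs in this thread, not a DDS spec.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
OBJECT_RE = re.compile(r"^(BHO|TB(?:-X64)?):\s+(?:(.*?):\s+)?(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")
AUTORUN_RE = re.compile(r"^(mRun(?:-x64)?|uRun):\s+\[(.*?)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]$")
USER_WRITABLE = re.compile(r"\\Users\\|\\Temp\\", re.IGNORECASE)
DRIVER_DIR = re.compile(r"^C:\\Windows\\System32\\drivers\\", re.IGNORECASE)


@dataclass
class DdsLog:
    processes: list   # image paths from "Running Processes"
    objects: list     # (kind, name, clsid, target) for BHO / TB lines
    autoruns: list    # (key, name, command) for mRun / uRun lines
    services: list    # (start, name, display, image, date, size)


def parse_dds(text: str) -> DdsLog:
    """Walk the log once, switching parsers on the ===== section headers."""
    log = DdsLog([], [], [], [])
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "running processes":
            log.processes.append(line)
        elif section == "pseudo hjt report":
            if (m := OBJECT_RE.match(line)):
                log.objects.append((m.group(1), m.group(2) or "", m.group(3), m.group(4)))
            elif (m := AUTORUN_RE.match(line)):
                log.autoruns.append((m.group(1), m.group(2), m.group(3)))
        elif section == "services / drivers":
            if (m := SERVICE_RE.match(line)):
                log.services.append(m.groups())
    return log


def triage(log: DdsLog) -> list:
    """Return (category, detail) pairs for entries an analyst checks first.
    These are review prompts, not verdicts: dds.scr below is the scanner itself,
    and a driver under Program Files may belong to a security product."""
    findings = []
    for kind, _name, clsid, target in log.objects:
        if target.strip().lower() == "no file":   # registry reference with no DLL behind it
            findings.append(("orphan-object", f"{kind} {clsid} has no backing file"))
    for key, name, command in log.autoruns:
        if name in ("", "<NO NAME>") or not command:
            findings.append(("unnamed-autorun", f"{key} [{name}] {command}".rstrip()))
        elif USER_WRITABLE.search(command):
            findings.append(("user-path-autorun", f"{key} [{name}] {command}"))
    for proc in log.processes:
        if USER_WRITABLE.search(proc):           # executables under a user profile or temp dir
            findings.append(("user-path-process", proc))
    for start, name, _display, image, _date, _size in log.services:
        if image.lower().endswith(".sys") and not DRIVER_DIR.match(image):
            findings.append(("driver-outside-system32", f"{start} {name}: {image}"))
        elif USER_WRITABLE.search(image):
            findings.append(("user-path-service", f"{start} {name}: {image}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_dds(SAMPLE_DDS)):
        print(f"[{category}] {detail}")
```

On the full logs above, the same code flags the two orphaned BHO/TB CLSIDs, the empty mRun entry and the dds.scr process on the Desktop, which matches what the helpers would look at before anything else.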


#4 sjpritch25

  • Security Colleague

Posted 03 December 2010 - 02:14 PM

Welcome to BC :)

  • Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, ensure Cure is selected (it should be by default)
  • Click Continue then click Reboot now
  • Once complete, a log will be produced at the root drive which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

Microsoft MVP Consumer Security--2007-2010

#5 marco55

Posted 03 December 2010 - 05:20 PM

Here is my log.
It didn't seem to find any infections.
Thank you very much for your time.
I appreciate it.


#6 sjpritch25

  • Security Colleague

Posted 04 December 2010 - 05:44 PM

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#7 marco55

Posted 07 December 2010 - 01:06 AM

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Hi,
I have run Malwarebytes on the computer already (with no infections found), but I did use your link to download a new copy to install and run. However, upon clicking the download button on download.com, my download started but they attempted to redirect me to: hxxp://www.sammsoft.com/advanced_registry_optimizer/v52green/default.aspx?referrer=uc-D9rightOFL0219-aro&utm_source=Download.com&utm_medium=Overflow&utm_term=uc-D9rightOFL0219-aro&utm_content=728x90righteousSD&utm_campaign=Advanced%2BRegistry Optimizer
but my Mywot addon blocked it because of the website's poor reputation.

I googled "sammsoft.com" and the 4th result was their profile on download.com. After clicking on the reviews for their top-download program ("Advanced Registry Optimizer"), I saw many reviews saying that it was rogue/malicious software, and one review (on the 1st page) saying that the user ran into a page asking to download this program, while they were attempting to update Malwarebytes.
It's funny how the editor's ratings on this company's products are all 4-5 stars.

If CNET is collaborating with crooks, then I don't trust them, and I guess I don't trust Malwarebytes either anymore.

As stated before, I ran many many anti-malware programs and boot CDs and didn't find the infection.

What I really want to know is:
1a. What else in my computer could be infected (besides my HD and my router)?
1b. How could I go about erasing those infections (even if the only way is to replace parts)?

2. Does anyone else see the same links as I do on youtube and google?

In the end, you guys are the experts, so if you really insist that certain things are necessary, I will do them (aside from things like this where I don't feel comfortable with the safety of it).

Thank you.

#8 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:41 AM

Posted 07 December 2010 - 07:27 PM

You can just update malwarebytes and it will upgrade to the latest version. Run a scan and post a reply. The thing before is probably just an ad.
Microsoft MVP Consumer Security--2007-2010

#9 marco55

marco55
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:41 AM

Posted 07 December 2010 - 11:54 PM

You can just update malwarebytes and it will upgrade to the latest version. Run a scan and post a reply. The thing before is probably just an ad.


How can I update it without going online on the infected computer? Is there a way to copy the updated virus definitions from this computer to the other one?

And about that thing being an ad... I'm not saying that it was necessarily an attack, but I still should not have been redirected to another site which is known to be dangerous.

Also, if you read the comment on this page http://download.cnet.com/Advanced-Registry-Optimizer/3640-2086_4-11173072.html titled "FRAUD FRAUD FRAUD FRAUD FRAUD!!!!!", they mentioned that they were bombarded with this malware while attempting to update Malwarebytes.

I'm not trying to be difficult, it's just that I don't feel comfortable with some things (in my opinion, with good reason).

#10 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:41 AM

Posted 08 December 2010 - 06:51 PM

You can go online to get the update, but it was good TDSSkiller didn't find anything.
Microsoft MVP Consumer Security--2007-2010

#11 marco55

marco55
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:41 AM

Posted 08 December 2010 - 11:24 PM

OK. Here is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5249

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/8/2010 7:37:55 PM
mbam-log-2010-12-08 (19-37-55).txt

Scan type: Quick scan
Objects scanned: 139433
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----
I also ran a full scan and still nothing showed up.

#12 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:41 AM

Posted 09 December 2010 - 05:52 PM

Are you still getting redirected?

If so, it's likely your router is infected. Please let me know.
Microsoft MVP Consumer Security--2007-2010

#13 marco55

marco55
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:41 AM

Posted 12 December 2010 - 05:35 PM

Are you still getting redirected?

If so, it's likely your router is infected. Please let me know.


I browsed the internet on the infected computer last night (while booted from a flashdrive using Linux Mint) and did not notice any redirections.

As I said before, does anyone else see the same links as I do on youtube and google?
Because if everyone else sees the same links, then I guess I'm probably no longer infected.

Thank you very much for your help so far.

Edited by marco55, 12 December 2010 - 05:52 PM.


#14 sjpritch25

sjpritch25

  • Security Colleague
  • 895 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:41 AM

Posted 12 December 2010 - 10:35 PM

Well, good. Then I think you're good to go.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Microsoft MVP Consumer Security--2007-2010

#15 marco55

marco55
  • Topic Starter

  • Members
  • 14 posts
  •  
  • Local time:07:41 AM

Posted 17 December 2010 - 05:17 AM

Hi,
I have found that on both computers, I am redirected to searchassist.teoma.com URLs any time I type an incorrect URL. For example, typing "cfjvhjgcjfvhgkjh.net" redirects to
"http://searchassist.teoma.com/landing.jsf?p=cnksver&q=www.cfjvhjgcjfvhgkjh.net&rs=cfjvhjgcjfvhgkjh&id=jdadkgaecgaegk&t=9_33_1_0_1_12_1".
The website bears the Verizon logo (my ISP). I called them (to find out if they were legitimately associated with this site) and waited on hold for a while, and the lady they put me on with was a rude, condescending moron (similar to the last time I called Verizon). She said that it's not Verizon redirecting me (which was probably just a guess), and her only advice was to "stop typing in fake URLs". When I asked if I could talk to someone else (because she was disrespecting me and wasn't helping), she said that I should call Firefox. I hope she gets fired, and I'm probably gonna switch my ISP.


Upon typing in the false URL, the following URLs show up in my history:

hxxp://www.cfjvhjgcjfvhgkjh.net/

hxxp://searchassist.teoma.com/landing.jsf?p=cnksver&q=www.cfjvhjgcjfvhgkjh.net&rs=cfjvhjgcjfvhgkjh&id=jdadkgaecgaegk&t=9_33_1_0_1_12_1

hxxp://goto.searchassist.com/find?p=paxfire&s=www.cfjvhjgcjfvhgkjh.net&t=9_33_1_0_1_12_1

hxxp://wwwz.websearch.verizon.net/search?qo=www.cfjvhjgcjfvhgkjh.net&rn=4OMz0SlZOqckTlk


And also I'd like to know,

2. Does anyone else see the same links as I do on youtube and google?


Thanks very much for your help so far.
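The behaviour marco55 describes, a name that should not exist being answered and handed off to a search-assist landing page, can be checked at the DNS layer rather than in the browser. The following is an added example and not code from this thread or from any of the tools mentioned in it: `check_nxdomain_hijack` probes a resolver with gibberish hostnames (an honest resolver answers none of them, a rewriting one answers all of them with the same address), and `typed_host_from_chain` confirms that history hops like those in the post carry the originally typed name through their query strings. The resolver is injected so the check can be run offline against a constructed stand-in; the address 198.51.100.7 is a documentation-range placeholder, not a real indicator.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Resolver: hostname -> IPv4 list, or None for NXDOMAIN; injected so tests run offline.
Resolver = Callable[[str], Optional[List[str]]]

def system_resolver(host: str) -> Optional[List[str]]:
    """Ask the OS-configured DNS; None when the lookup fails."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, 80, socket.AF_INET)})
    except socket.gaierror:
        return None

def random_hostnames(count: int, tld: str = "net", length: int = 16) -> List[str]:
    """Gibberish names like the one in the post; none of them should resolve."""
    letters = string.ascii_lowercase
    return [f"www.{''.join(random.choices(letters, k=length))}.{tld}" for _ in range(count)]

def check_nxdomain_hijack(resolve: Resolver, probes: List[str]) -> Dict[str, object]:
    """An honest resolver answers none of the probes. One that answers several
    unrelated gibberish names with the same address is replacing NXDOMAIN with a
    landing page, which is what turns a typo into a redirect chain."""
    answers = {host: resolve(host) for host in probes}
    answered = [set(a) for a in answers.values() if a]
    shared = set.intersection(*answered) if answered else set()
    return {
        "probes": len(probes),
        "answered": len(answered),
        "shared_addresses": sorted(shared),
        "hijacked": len(answered) >= 2 and bool(shared),
    }

def typed_host_from_chain(history_urls: List[str]) -> Dict[str, str]:
    """Map each hop's host to the typed name carried in its query string
    (the post's hops use q=, s= or qo=), confirming the hops form one chain."""
    found: Dict[str, str] = {}
    for url in history_urls:
        parts = urlsplit(url.replace("hxxp://", "http://"))
        qs = parse_qs(parts.query)
        for key in ("q", "s", "qo"):
            if key in qs:
                found[parts.hostname] = qs[key][0]
                break
    return found

# Constructed stand-in for a rewriting resolver: every name gets one address.
def constructed_hijacking_resolver(host: str) -> Optional[List[str]]:
    return ["198.51.100.7"]
```

Running `check_nxdomain_hijack(system_resolver, random_hostnames(5))` from both the Windows install and the Linux Mint boot, on the same network, shows whether the rewriting sits in the resolver path (ISP or router DNS) rather than on the disk, which is the distinction the thread keeps circling.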



