Google Redirect/Control Panel/Admin Rights Hijack


This topic is locked. 2 replies to this topic.

#1 Bit Monkey (Members, 25 posts, Raleigh, NC)

Posted 11 December 2010 - 12:06 AM

Greetings,

I've been disinfecting this computer that had a nasty Google redirect to random ads, plus a Control Panel and admin rights hijack/denial. I've used HijackThis, Malwarebytes, Spybot S&D, SUPERAntiSpyware, Avast boot-time scans, Kaspersky, and ComboFix. After using them methodically, I've taken out trojans, worms, spyware, and tons of adware.

Although I've succeeded in re-establishing the internet connection, stopping the Google redirects, and getting access back to the Control Panel, I still have some problems.

1. I'm logged in as admin, run programs as admin, and am still blocked from certain files because I don't have admin rights. This has also affected the ability of the above anti-malware tools to scan, because files are password protected. I believe my admin rights have been messed with.

2. There is an svchost that intermittently consumes a ton of resources.

3. GMER will not run properly. Although the DDS logs and attachments were run before I used Defogger, I did disable CD emulation and tried running GMER in both safe mode and normal mode. The program causes an unexpected shutdown and seems to poop out at this "FPS Creator" group of files, which are among the files protected by a password that I can't get into. I have no idea what "FPS Creator" is other than the fact that it's unauthorized files and seems to be a game-making program?

Here's my DDS report with the other file attached. Would appreciate any help and support.

Thanks for your time



DDS (Ver_10-12-05.01) - NTFSx86
Run by Robin at 21:14:37.65 on Fri 12/10/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1198 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Windows\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\V CAST Music Manager\MEMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Users\Robin\AppData\Local\Temp\TeamViewer\Version6\TeamViewer.exe
c:\users\robin\appdata\local\temp\teamviewer\version6\TeamViewer_Desktop.exe
C:\Users\Robin\AppData\Local\Temp\TeamViewer\Version6\tv_w32.exe
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtblfs.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Robin\Desktop\Log Tools\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRunOnce: [DSC20Upgrade] "c:\programdata\dell\dsc20upgrade\DSC20UpgradeJobVista.exe"
StartupFolder: c:\users\robin\appdata\roaming\micros~1\windows\startm~1\programs\startup\memoni~1.lnk - c:\program files\v cast music manager\MEMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

============= SERVICES / DRIVERS ===============

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2010-4-22 22104]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-7-1 352976]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2010-8-28 188276]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-1 30192]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-11-30 90864]

=============== Created Last 30 ================

2010-12-09 17:12:17 -------- d-----w- c:\program files\Dell Support Center
2010-12-09 17:12:16 -------- d-----w- c:\program files\common files\supportsoft
2010-12-08 08:01:30 -------- d-----w- c:\windows\CheckSur
2010-12-08 08:00:48 231936 ----a-w- c:\windows\system32\msshsq.dll
2010-12-07 08:19:07 80896 ----a-w- c:\windows\system32\MSNP.ax
2010-12-07 08:19:07 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2010-12-07 08:19:02 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-12-07 08:19:02 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-12-07 08:19:02 217088 ----a-w- c:\windows\system32\psisrndr.ax
2010-12-07 08:06:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-07 08:06:16 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-07 08:06:16 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-07 08:06:16 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-07 08:06:16 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-06 15:54:58 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-06 15:54:56 501760 ----a-w- c:\windows\system32\usp10.dll
2010-12-06 15:54:52 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-12-06 15:54:36 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-12-06 15:54:34 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-06 15:54:15 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-12-06 15:54:14 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-12-06 15:54:04 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-06 15:52:59 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-12-06 15:52:55 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-06 15:52:53 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-12-06 15:52:50 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-12-06 15:52:47 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-12-06 15:44:06 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-06 15:43:53 90112 ----a-w- c:\windows\system32\wshext.dll
2010-12-06 15:43:53 135168 ----a-w- c:\windows\system32\wshom.ocx
2010-12-06 15:43:52 180224 ----a-w- c:\windows\system32\scrobj.dll
2010-12-06 15:43:52 172032 ----a-w- c:\windows\system32\scrrun.dll
2010-12-06 15:43:52 155648 ----a-w- c:\windows\system32\wscript.exe
2010-12-06 15:43:52 135168 ----a-w- c:\windows\system32\cscript.exe
2010-12-06 14:19:33 -------- d-sh--w- C:\found.000
2010-12-06 13:46:23 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-12-06 13:11:57 -------- d-----w- C:\PerfLogs
2010-12-06 10:43:00 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2010-12-06 10:43:00 114243 ----a-w- c:\windows\system32\drivers\klin.dat
2010-12-06 10:40:01 -------- d-----w- c:\program files\Kaspersky Lab
2010-12-06 10:40:01 -------- d-----w- c:\progra~2\Kaspersky Lab
2010-12-06 10:26:44 -------- d-----w- c:\program files\CCleaner
2010-12-06 09:44:30 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
2010-12-06 08:21:09 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-06 08:21:07 -------- d-----w- c:\users\robin\appdata\local\temp
2010-12-05 17:45:21 -------- d-----w- c:\users\robin\appdata\roaming\Malwarebytes
2010-12-05 17:45:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 17:45:16 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 17:45:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 17:45:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 07:37:15 -------- d-----w- c:\progra~2\Alwil Software
2010-12-05 05:55:16 -------- d-----w- c:\users\robin\appdata\roaming\SUPERAntiSpyware.com
2010-12-05 05:55:16 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-12-05 04:31:17 -------- d-----w- c:\users\robin\appdata\roaming\PC Tools
2010-12-05 03:54:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-05 03:54:43 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-05 03:28:32 -------- d-----w- C:\Thndrcats7294T
2010-12-05 03:26:21 98816 ----a-w- c:\windows\sed.exe
2010-12-05 03:26:21 89088 ----a-w- c:\windows\MBR.exe
2010-12-05 03:26:21 256512 ----a-w- c:\windows\PEV.exe
2010-12-05 03:26:21 161792 ----a-w- c:\windows\SWREG.exe
2010-12-05 03:26:16 -------- d-----w- C:\Thndrcats27801T
2010-12-05 03:24:21 -------- d-----w- C:\Thndrcats
2010-12-05 02:33:04 -------- d-----w- c:\windows\pss
2010-11-30 19:38:18 -------- d-----w- c:\progra~2\MFAData
2010-11-30 11:43:29 -------- d-----w- c:\progra~2\PCPitstop
2010-11-30 11:43:27 -------- d-----w- c:\program files\PCPitstop
2010-11-30 02:46:42 -------- d-----w- c:\progra~2\Norton
2010-11-26 12:49:51 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{2936b150-14f1-4e6f-890c-6ee427ae2050}\mpengine.dll

==================== Find3M ====================

2010-12-06 12:47:09 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-12-06 12:47:05 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 21:15:35.41 ===============
Attached file: Attach.txt (12.69 KB)
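
The DDS output in this post can be triaged mechanically before anyone reads it line by line. The script below is an added example, not code from the thread and not part of the DDS tool: it splits the log on the "=== Section ===" headers, parses the "kind: [name] value" lines of the Pseudo HJT section, and flags the entries a responder looks at first, namely processes running from user-writable directories, autorun values whose command is not an absolute path, toolbars/BHOs whose file is missing ("No File"), and AppInit_DLLs / Winlogon Notify hooks, both of which inject a DLL into other processes. The sample input is a constructed excerpt of the log above, and the heuristics are assumptions chosen for illustration: a hit means "look here", not "infected" (a TeamViewer quick-support session can legitimately run out of Temp, and a bare `sttray.exe` entry may simply resolve through the search path).

```python
"""Triage of the "Running Processes" and "Pseudo HJT Report" sections of a
DDS log. Added example, not from the thread or from DDS; the heuristics
are assumptions for illustration and flag entries to check, not verdicts."""
import re

# Constructed sample: a short excerpt of the DDS output posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Users\Robin\AppData\Local\Temp\TeamViewer\Version6\TeamViewer.exe
C:\Windows\system32\Taskmgr.exe

============== Pseudo HJT Report ===============

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
mRun: [SigmatelSysTrayApp] sttray.exe
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

============= SERVICES / DRIVERS ===============
"""

# "=== Section Name ===" headers that DDS uses to delimit its report.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "kind: [name] rest" lines of the Pseudo HJT section; [name] is optional.
HJT_RE = re.compile(r"^(?P<kind>[A-Za-z_-]+):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<rest>.*)$")
# Commands that start with a drive letter (optionally quoted).
ABS_PATH = re.compile(r'^"?[a-z]:\\', re.I)
# Locations a standard user can write to, where droppers commonly land.
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|users\\[^\\]+\\(?:downloads|desktop))\\", re.I)

AUTORUN_KINDS = {"uRun", "mRun", "uRunOnce", "mRunOnce"}
HOOK_KINDS = {"AppInit_DLLs", "Notify"}  # DLLs loaded into other processes / winlogon


def split_sections(text):
    """Return {section name: [non-blank lines]} for a DDS log."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (reason, line) pairs for entries a responder should look at."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Running Processes", []):
        if USER_WRITABLE.search(line):
            findings.append(("proc_in_user_writable_dir", line))
    for line in sections.get("Pseudo HJT Report", []):
        m = HJT_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if rest.endswith("No File"):
            findings.append(("entry_points_to_missing_file", line))
        elif kind in AUTORUN_KINDS and not ABS_PATH.match(rest):
            findings.append(("autorun_without_absolute_path", line))
        elif kind in HOOK_KINDS:
            findings.append(("dll_injection_hook", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:32} {line}")
```

Run against the full log, the same script would also surface the `%PROVIDERID%` Run value (a relative `bin\sprtcmd.exe` with an unexpanded variable), which is exactly the kind of entry worth confirming by hand before deciding whether it belongs to an installed support tool.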

#2 Judicandus, "Bleepin' Pasta" (Malware Response Team, 730 posts)

Posted 19 December 2010 - 08:48 AM

Hello and welcome to Bleeping Computer

I'm judicandus and I'll be helping you out.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.


We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed; the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Then run TDSSKiller:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.


#3 Judicandus, "Bleepin' Pasta" (Malware Response Team, 730 posts)

Posted 12 January 2011 - 02:38 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.



