Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hidden Files and Google Misdirect At Same Time.


  • This topic is locked This topic is locked
3 replies to this topic

#1 enderst123

enderst123

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 01 June 2011 - 01:10 PM

Hi, I seem to have found a nasty virus or two. When I was browsing the net using Firefox v. 4.0.1 I happened upon a virus when i clicked a flash video to turn it on. (I have flash blocker) The computer locked up and WinPatrol (free addition) said something was trying to run I told it not to let it run but Firefox was still locked up. I could not close it and I could not hit CTRL + ALT + Del to come to the task manager to close it that way. So I hard shutdown the computer by pressing and holding the power button.

When the computer came back to life I could not see most of my files on c:. I was able to find them if i right clicked and went to properties and then went to previous versions and yesterdays version would show up just fine. I ran Malwarebytes and found a few (4) infected files which I deleted and then restarted my computer. When the computer came back alive there were still no files and so I went to Google to search the problem. every time I searched Google the search would be redirected to some spam site.

I have run Malwarebytes a few more times both in normal mode and in safe mode without networking with no new infections coming up. I have also run Adaware by lavasoft and it came up with a few cookies to be deleted.

I have run Rkill with nothing being found either.

Any help would be greatly appreciated.

BC AdBot (Login to Remove)

 


#2 enderst123

enderst123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 01 June 2011 - 02:57 PM

Here is DDS file

Run by Enderst at 14:34:57 on 2011-06-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.1908 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Windows\system32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\nlssrv32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\Explorer.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CatcherBHO Class: {9b4df450-dcc7-4b07-935d-0cd757a64583} - c:\program files\moyea\youtube flv downloader\MoyeaCatcher.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Google Update] "c:\users\enderst\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
StartupFolder: c:\users\enderst\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\enderst\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{04D41C85-D6C8-4A20-94C3-1D2177427791} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{04D41C85-D6C8-4A20-94C3-1D2177427791}\16E6A6 : DhcpNameServer = 192.168.1.152 24.158.96.130 24.158.96.131
TCP: Interfaces\{BD552441-3220-4ADB-9E98-62E884A6E7A6} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\enderst\appdata\roaming\mozilla\firefox\profiles\tmi8ci8v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\enderst\appdata\local\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\users\enderst\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\enderst\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-19 64288]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-1-20 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-7-6 176128]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-5-25 1336712]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-10-21 57344]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2010-8-25 6076272]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2010-8-25 616816]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-7-6 5882368]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-7-6 210944]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-8-24 13224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-31 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 2151128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-4 1343400]
S4 ASTSRV;AST HighEnd Service;c:\windows\system32\ASTSRV.EXE [2010-10-21 57344]
.
=============== Created Last 30 ================
.
2011-06-01 19:16:24 65024 ---ha-w- c:\windows\system32\ASTSstUI.dll
2011-06-01 19:12:49 -------- d-----w- c:\users\enderst\appdata\roaming\Malwarebytes
2011-06-01 19:12:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-01 19:12:45 -------- d-----w- c:\programdata\Malwarebytes
2011-06-01 19:12:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-01 19:12:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-01 08:28:19 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-05-16 08:22:18 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-11 13:48:45 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 13:48:45 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 14:54:08.36 ===============

#3 enderst123

enderst123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 01 June 2011 - 07:08 PM

All of this is now posted in Virus, Trojan, Spyware, and Malware Removal Logs as per the instructions of Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.

#4 hamluis

hamluis

    Moderator


  • Moderator
  • 56,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:12:34 AM

Posted 07 June 2011 - 09:09 AM

New MRL topic at http://www.bleepingcomputer.com/forums/topic401169.html/page__p__2273045#entry2273045 .

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Now that your log is posted and you are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

Louis




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users