
Google search hijack


  • This topic is locked
8 replies to this topic

#1 WD40.5

WD40.5

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 14 August 2012 - 03:31 PM

Having some difficulty tracking down what appears to be a variant of the TDSS rootkit. The problem is you do a search using google and you get a set of results that look normal. But when you click on the links, you may or may not go where the link points. Something is hijacking the browser and redirecting the links. If you view the link destination in the status bar, there's no indication that a hijack is about to happen. The link looks OK until you click on it.

This seems to have started about the time the FunMoods toolbar showed up on my system a few weeks ago. I'm pretty sure I've finally eradicated all traces of FunMoods, but the google hijacking problem remains. It strikes at random making it that much harder to track down. I've run AVG, SuperSpyware, TDSSKiller, aswMBR, ESET, and MBAM with no hits.

I've attached several log files from DDS and Mini Tool Box.

Thanks in advance.

Edited by WD40.5, 14 August 2012 - 03:39 PM.



#2 WD40.5

WD40.5
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 15 August 2012 - 12:18 PM

Some additional info:

I noticed that I had 2 copies of iexplore.exe running in the task manager. I've read that it's normal for that to happen with IE8. The deal is that I didn't have iexplore open. When you kill them off, they start right back up again. On a whim, I got a copy of Process Explorer to view hidden processes. It seems the 2 copies of iexplore are running under a copy of svchost which in turn was launched by services.exe. I killed off the parent svchost process and all copies of iexplore and voila! No more redirects on Google searches. Links seem to be loading faster as well (though that may be subjective).

It's curious that killing off the unwanted copies of iexplore seems to have (temporarily) fixed the redirect problem. However, the redirect problem tends to strike at random, so it may be dumb luck that I'm not seeing any redirects. I'll keep testing and watching the task manager.

edit:
The redirect issue seems to be resolved for now on both Firefox and IE. Also, starting IE causes 2 copies of iexplore to appear in the task manager as expected. But they go away when you close IE. It's looking like services.exe is infected.

Edited by WD40.5, 15 August 2012 - 01:07 PM.
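The process-tree observation in the post above (browser processes running under an svchost.exe that was itself started by services.exe, with no browser window open) can be turned into a repeatable check. The following PowerShell script is an added example and is not part of the thread or of any tool mentioned in it; the function names `Get-ProcessAncestry` and `Get-SuspiciousBrowserProcess` are my own. It assumes a Windows host where WMI is available and uses `Get-WmiObject` so that it also runs under PowerShell 2.0 on Windows XP. It lists every browser process whose parent is not one an interactive launch would give it, and prints the full ancestry chain so a tree like `iexplore.exe <- svchost.exe <- services.exe` is visible at a glance.

```powershell
# Added example (not from the thread): report browser processes whose parent
# process is not one an interactive launch would produce, and show their
# ancestry so an svchost.exe/services.exe chain is visible.

function Get-ProcessAncestry {
    # Returns the chain of image names from the given process up to the root,
    # e.g. "iexplore.exe <- svchost.exe <- services.exe".
    param([hashtable]$ByPid, [int]$StartPid)
    $chain = @()
    $seen  = @{}
    $cur   = $StartPid
    while ($ByPid.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $p = $ByPid[$cur]
        $chain += $p.Name
        $cur = [int]$p.ParentProcessId
    }
    return ($chain -join ' <- ')
}

function Get-SuspiciousBrowserProcess {
    # Browsers to inspect and the parents an ordinary launch would give them.
    # iexplore.exe is itself an expected parent because IE8 starts a second
    # iexplore.exe (frame process + tab process) under the first one, which is
    # the "2 copies" behaviour the post mentions.
    param(
        [string[]]$Browsers        = @('iexplore.exe', 'firefox.exe', 'chrome.exe'),
        [string[]]$ExpectedParents = @('explorer.exe', 'iexplore.exe', 'firefox.exe', 'chrome.exe')
    )
    $all   = Get-WmiObject -Class Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        if ($Browsers -notcontains $p.Name) { continue }

        $parent = $byPid[[int]$p.ParentProcessId]
        # A PID can be recycled after the real parent exits: if the "parent"
        # was created after the child, it is not the true parent.
        if ($parent -and $parent.CreationDate -and $p.CreationDate) {
            $parentStart = $parent.ConvertToDateTime($parent.CreationDate)
            $childStart  = $p.ConvertToDateTime($p.CreationDate)
            if ($parentStart -gt $childStart) { $parent = $null }
        }

        $parentName = '<exited>'
        $parentPath = $null
        if ($parent) {
            $parentName = $parent.Name
            $parentPath = $parent.ExecutablePath
        }
        if ($ExpectedParents -contains $parentName) { continue }

        New-Object PSObject -Property @{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            ParentPid   = $p.ParentProcessId
            ParentName  = $parentName
            ParentPath  = $parentPath
            Ancestry    = (Get-ProcessAncestry -ByPid $byPid -StartPid ([int]$p.ProcessId))
            CommandLine = $p.CommandLine
        }
    }
}

# Usage: list every browser process with an unexpected parent.
Get-SuspiciousBrowserProcess | Format-List
```

A hit from this check is a lead, not a verdict: a browser instance parented by svchost.exe can also come from a scheduled task or a legitimate service, so the `Path`, `ParentPath` and `CommandLine` fields are there to compare against the expected install locations before anything is killed. Rerunning the check after terminating the processes, as the post describes, shows whether something is restarting them, which is the part of the behaviour that points at a persistence mechanism rather than a one-off launch.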


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:16 AM

Posted 19 August 2012 - 08:26 AM

I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

p.s. The Microsoft site is down presently and the Recovery Console may not install. Ignore the remarks from ComboFix.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs that are not up to date can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
===

Please post the logs and let me know if the problem persists.

#4 WD40.5

WD40.5
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 19 August 2012 - 09:48 AM

ComboFix 12-08-18.03 - Matthew 08/19/2012 9:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1569 [GMT -5:00]
Running from: c:\documents and settings\Matthew\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\40699234ec295afa.fb
c:\windows\system32\Cache\53d0aa765a81196f.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\8050608ba23eb876.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\bf6210f28364201d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
----- File Replicators -----
.
c:\program files\Git\bin\git.exe
c:\program files\Git\libexec\git-core\git-add.exe
c:\program files\Git\libexec\git-core\git-annotate.exe
c:\program files\Git\libexec\git-core\git-apply.exe
c:\program files\Git\libexec\git-core\git-archive.exe
c:\program files\Git\libexec\git-core\git-bisect--helper.exe
c:\program files\Git\libexec\git-core\git-blame.exe
c:\program files\Git\libexec\git-core\git-branch.exe
c:\program files\Git\libexec\git-core\git-bundle.exe
c:\program files\Git\libexec\git-core\git-cat-file.exe
c:\program files\Git\libexec\git-core\git-check-attr.exe
c:\program files\Git\libexec\git-core\git-check-ref-format.exe
c:\program files\Git\libexec\git-core\git-checkout-index.exe
c:\program files\Git\libexec\git-core\git-checkout.exe
c:\program files\Git\libexec\git-core\git-cherry-pick.exe
c:\program files\Git\libexec\git-core\git-cherry.exe
c:\program files\Git\libexec\git-core\git-clean.exe
c:\program files\Git\libexec\git-core\git-clone.exe
c:\program files\Git\libexec\git-core\git-column.exe
c:\program files\Git\libexec\git-core\git-commit-tree.exe
c:\program files\Git\libexec\git-core\git-commit.exe
c:\program files\Git\libexec\git-core\git-config.exe
c:\program files\Git\libexec\git-core\git-count-objects.exe
c:\program files\Git\libexec\git-core\git-describe.exe
c:\program files\Git\libexec\git-core\git-diff-files.exe
c:\program files\Git\libexec\git-core\git-diff-index.exe
c:\program files\Git\libexec\git-core\git-diff-tree.exe
c:\program files\Git\libexec\git-core\git-diff.exe
c:\program files\Git\libexec\git-core\git-fast-export.exe
c:\program files\Git\libexec\git-core\git-fetch-pack.exe
c:\program files\Git\libexec\git-core\git-fetch.exe
c:\program files\Git\libexec\git-core\git-fmt-merge-msg.exe
c:\program files\Git\libexec\git-core\git-for-each-ref.exe
c:\program files\Git\libexec\git-core\git-format-patch.exe
c:\program files\Git\libexec\git-core\git-fsck-objects.exe
c:\program files\Git\libexec\git-core\git-fsck.exe
c:\program files\Git\libexec\git-core\git-gc.exe
c:\program files\Git\libexec\git-core\git-get-tar-commit-id.exe
c:\program files\Git\libexec\git-core\git-grep.exe
c:\program files\Git\libexec\git-core\git-hash-object.exe
c:\program files\Git\libexec\git-core\git-help.exe
c:\program files\Git\libexec\git-core\git-index-pack.exe
c:\program files\Git\libexec\git-core\git-init-db.exe
c:\program files\Git\libexec\git-core\git-init.exe
c:\program files\Git\libexec\git-core\git-log.exe
c:\program files\Git\libexec\git-core\git-ls-files.exe
c:\program files\Git\libexec\git-core\git-ls-remote.exe
c:\program files\Git\libexec\git-core\git-ls-tree.exe
c:\program files\Git\libexec\git-core\git-mailinfo.exe
c:\program files\Git\libexec\git-core\git-mailsplit.exe
c:\program files\Git\libexec\git-core\git-merge-base.exe
c:\program files\Git\libexec\git-core\git-merge-file.exe
c:\program files\Git\libexec\git-core\git-merge-index.exe
c:\program files\Git\libexec\git-core\git-merge-ours.exe
c:\program files\Git\libexec\git-core\git-merge-recursive.exe
c:\program files\Git\libexec\git-core\git-merge-subtree.exe
c:\program files\Git\libexec\git-core\git-merge-tree.exe
c:\program files\Git\libexec\git-core\git-merge.exe
c:\program files\Git\libexec\git-core\git-mktag.exe
c:\program files\Git\libexec\git-core\git-mktree.exe
c:\program files\Git\libexec\git-core\git-mv.exe
c:\program files\Git\libexec\git-core\git-name-rev.exe
c:\program files\Git\libexec\git-core\git-notes.exe
c:\program files\Git\libexec\git-core\git-pack-objects.exe
c:\program files\Git\libexec\git-core\git-pack-redundant.exe
c:\program files\Git\libexec\git-core\git-pack-refs.exe
c:\program files\Git\libexec\git-core\git-patch-id.exe
c:\program files\Git\libexec\git-core\git-peek-remote.exe
c:\program files\Git\libexec\git-core\git-prune-packed.exe
c:\program files\Git\libexec\git-core\git-prune.exe
c:\program files\Git\libexec\git-core\git-push.exe
c:\program files\Git\libexec\git-core\git-read-tree.exe
c:\program files\Git\libexec\git-core\git-receive-pack.exe
c:\program files\Git\libexec\git-core\git-reflog.exe
c:\program files\Git\libexec\git-core\git-remote-ext.exe
c:\program files\Git\libexec\git-core\git-remote-fd.exe
c:\program files\Git\libexec\git-core\git-remote.exe
c:\program files\Git\libexec\git-core\git-replace.exe
c:\program files\Git\libexec\git-core\git-repo-config.exe
c:\program files\Git\libexec\git-core\git-rerere.exe
c:\program files\Git\libexec\git-core\git-reset.exe
c:\program files\Git\libexec\git-core\git-rev-list.exe
c:\program files\Git\libexec\git-core\git-rev-parse.exe
c:\program files\Git\libexec\git-core\git-revert.exe
c:\program files\Git\libexec\git-core\git-rm.exe
c:\program files\Git\libexec\git-core\git-send-pack.exe
c:\program files\Git\libexec\git-core\git-shortlog.exe
c:\program files\Git\libexec\git-core\git-show-branch.exe
c:\program files\Git\libexec\git-core\git-show-ref.exe
c:\program files\Git\libexec\git-core\git-show.exe
c:\program files\Git\libexec\git-core\git-stage.exe
c:\program files\Git\libexec\git-core\git-status.exe
c:\program files\Git\libexec\git-core\git-stripspace.exe
c:\program files\Git\libexec\git-core\git-symbolic-ref.exe
c:\program files\Git\libexec\git-core\git-tag.exe
c:\program files\Git\libexec\git-core\git-tar-tree.exe
c:\program files\Git\libexec\git-core\git-unpack-file.exe
c:\program files\Git\libexec\git-core\git-unpack-objects.exe
c:\program files\Git\libexec\git-core\git-update-index.exe
c:\program files\Git\libexec\git-core\git-update-ref.exe
c:\program files\Git\libexec\git-core\git-update-server-info.exe
c:\program files\Git\libexec\git-core\git-upload-archive.exe
c:\program files\Git\libexec\git-core\git-var.exe
c:\program files\Git\libexec\git-core\git-verify-pack.exe
c:\program files\Git\libexec\git-core\git-verify-tag.exe
c:\program files\Git\libexec\git-core\git-whatchanged.exe
c:\program files\Git\libexec\git-core\git-write-tree.exe
c:\program files\Git\libexec\git-core\git.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))
.
.
2012-08-14 19:09 . 2012-08-14 19:09 -------- d-----w- c:\program files\Common Files\Java
2012-08-14 19:09 . 2012-08-14 19:09 -------- d-----w- c:\program files\Oracle
2012-08-14 19:08 . 2012-07-06 03:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-14 19:07 . 2012-08-14 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-14 02:56 . 2012-08-14 02:56 -------- d-----w- c:\program files\CCleaner
2012-08-14 00:50 . 2012-08-15 19:41 -------- d-----w- C:\virus
2012-08-13 19:31 . 2012-08-13 19:31 -------- d-----w- c:\documents and settings\Matthew\Application Data\Malwarebytes
2012-08-13 19:31 . 2012-08-13 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-13 19:31 . 2012-08-13 19:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-13 19:31 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-13 13:28 . 2012-06-22 20:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-13 13:28 . 2012-08-13 15:32 -------- d-----w- c:\program files\Common Files\PC Tools
2012-08-13 13:27 . 2012-08-13 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-08-13 13:27 . 2012-08-13 13:27 -------- d-----w- c:\documents and settings\Matthew\Application Data\TestApp
2012-07-25 18:32 . 2012-07-25 18:33 -------- d-----w- c:\program files\Makehuman
2012-07-25 15:01 . 2012-07-25 15:01 -------- d-----w- c:\documents and settings\Matthew\Local Settings\Application Data\Microsoft_Corporation
2012-07-25 08:49 . 2012-06-04 22:35 222448 ----a-w- c:\windows\system32\muweb.dll
2012-07-25 08:49 . 2012-06-02 20:18 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-07-25 01:43 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-07-23 02:25 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-07-23 02:20 . 2012-07-23 02:20 -------- d-sh--w- c:\documents and settings\Matthew\IECompatCache
2012-07-23 02:05 . 2012-07-02 17:49 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-07-23 02:05 . 2012-07-02 17:49 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-23 02:05 . 2012-07-02 17:49 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-23 02:05 . 2012-07-02 17:49 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-23 02:05 . 2012-07-02 17:49 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-07-23 02:05 . 2012-07-02 17:49 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-07-23 02:05 . 2012-07-02 17:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-23 02:02 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-07-23 01:59 . 2010-03-30 17:24 317440 -c----w- c:\windows\system32\dllcache\mp4sdecd.dll
2012-07-23 01:54 . 2012-05-04 12:32 2026496 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-07-23 01:51 . 2012-06-02 20:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-07-23 01:47 . 2012-07-23 01:48 -------- dc-h--w- c:\windows\ie8
2012-07-23 01:34 . 2001-08-17 17:10 69692 -c--a-w- c:\windows\system32\dllcache\el575nd5.sys
2012-07-23 01:33 . 2001-08-18 03:36 24064 -c--a-w- c:\windows\system32\dllcache\devldr32.exe
2012-07-23 01:32 . 2008-04-14 05:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2012-07-23 01:31 . 2001-08-17 17:19 36992 -c--a-w- c:\windows\system32\dllcache\aztw2320.sys
2012-07-23 01:30 . 2001-08-17 19:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2012-07-22 21:19 . 2008-08-21 12:00 44544 -c--a-w- c:\windows\system32\dllcache\nsepm.dll
2012-07-22 21:18 . 2008-08-21 12:00 7168 -c--a-w- c:\windows\system32\dllcache\f3ahvoas.dll
2012-07-22 21:17 . 2003-03-24 21:52 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2012-07-22 21:01 . 2008-08-21 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-07-22 21:01 . 2008-08-21 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-07-22 21:01 . 2008-08-21 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-07-22 21:01 . 2008-08-21 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-07-22 21:00 . 2008-08-21 12:00 16535 ----a-r- c:\windows\SETEB.tmp
2012-07-22 21:00 . 2008-08-21 12:00 1088840 ----a-r- c:\windows\SETDF.tmp
2012-07-22 21:00 . 2008-08-21 12:00 1296251 ----a-r- c:\windows\SETDC.tmp
2012-07-22 18:09 . 2012-07-22 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-07-22 17:38 . 2012-07-22 17:38 -------- d-----w- c:\documents and settings\Matthew\Application Data\Windows Search
2012-07-22 17:32 . 2012-07-22 17:32 -------- d-----w- c:\program files\Enigma Software Group
2012-07-22 17:31 . 2012-08-14 23:33 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-07-22 17:31 . 2012-08-13 13:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-07-22 16:25 . 2012-07-22 16:25 -------- d-----w- c:\windows\system32\winrm
2012-07-22 16:25 . 2012-07-22 16:25 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-07-22 16:24 . 2012-07-22 16:24 -------- d-----w- c:\documents and settings\Matthew\Local Settings\Application Data\Identities
2012-07-22 16:24 . 2012-07-22 16:24 -------- d-----w- c:\documents and settings\Matthew\Application Data\Windows Desktop Search
2012-07-22 16:23 . 2012-08-14 04:19 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-07-22 16:23 . 2012-07-22 16:59 -------- d-----w- c:\program files\Windows Desktop Search
2012-07-22 16:22 . 2012-07-22 16:22 -------- d-----w- c:\program files\Windows Media Connect 2
2012-07-22 16:21 . 2006-10-19 02:47 276992 ------w- c:\windows\system32\audiodev.dll
2012-07-22 16:20 . 2012-07-22 16:21 -------- d-----w- c:\windows\system32\drivers\UMDF
2012-07-22 16:20 . 2012-07-22 16:20 -------- d-----w- c:\windows\system32\LogFiles
2012-07-22 14:53 . 2012-07-22 14:53 -------- d-----w- c:\documents and settings\TEMP
2012-07-22 14:52 . 2012-07-22 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-07-22 14:50 . 2012-07-22 14:50 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-07-22 14:49 . 2012-07-22 14:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2012-07-22 05:27 . 2012-07-22 14:52 -------- d-----w- c:\program files\QuickTime
2012-07-22 05:23 . 2012-07-22 14:44 -------- d-----w- c:\program files\Microsoft Silverlight
2012-07-22 05:15 . 2012-07-22 05:15 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-22 05:15 . 2012-07-22 05:15 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-22 05:15 . 2012-07-22 05:15 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-07-22 05:15 . 2012-07-22 05:15 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-31 13:33 . 2012-04-10 15:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-31 13:33 . 2012-04-10 15:13 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-25 14:43 . 2012-06-21 16:50 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2012-07-25 14:43 . 2012-06-21 16:49 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2012-07-06 13:58 . 2008-08-21 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-06 03:06 . 2012-06-01 19:25 772544 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-06 03:06 . 2012-04-10 05:28 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-04 14:05 . 2012-04-10 01:31 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2008-08-21 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2008-08-21 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2008-08-21 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2008-08-21 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2008-08-21 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-06-05 15:50 . 2008-08-21 12:00 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2008-08-21 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 22:35 . 2012-04-10 01:33 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-04 04:32 . 2008-08-21 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2012-04-10 01:33 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2012-04-10 01:33 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2012-04-10 01:33 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2012-04-10 01:33 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2008-08-21 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2012-04-10 01:33 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2012-04-10 01:33 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2008-08-21 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-07-22 05:15 . 2012-04-10 04:46 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\whammy@satx.rr.com\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\whammy@satx.rr.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\whammy@satx.rr.com\\source sdk base 2007\\hl2.exe"=
"c:\\Quake2\\quake2.exe"=
"c:\\Program Files\\Steam\\steamapps\\whammy@satx.rr.com\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/13/2012 2:31 PM 655944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/13/2012 2:31 PM 22344]
S0 rmvxtw;rmvxtw;c:\windows\system32\drivers\gkuwfed.sys --> c:\windows\system32\drivers\gkuwfed.sys [?]
S1 MpKsld85b2ac9;MpKsld85b2ac9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A0CC6E7-080F-410C-9C41-0A086A71B04C}\MpKsld85b2ac9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A0CC6E7-080F-410C-9C41-0A086A71B04C}\MpKsld85b2ac9.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/22/2012 12:15 AM 113120]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: Interfaces\{5EBB59DD-9C8F-4E8C-B7CF-B0F0FAD5736C}: NameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\qzx1mnfi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-19 09:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-1604221776-1644491937-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-08-19 09:34:09
ComboFix-quarantined-files.txt 2012-08-19 14:34
.
Pre-Run: 189,133,815,808 bytes free
Post-Run: 189,361,623,040 bytes free
.
- - End Of File - - BCED72EBB28F61C6E863AB746E5A71F6

#5 WD40.5

WD40.5
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 19 August 2012 - 09:51 AM

Results of screen317's Security Check version 0.99.46
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AVG Anti-Virus Free Edition 2012
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
JavaFX 2.1.1
Java™ 7 Update 5
Java version out of Date!
Adobe Flash Player 11.3.300.268
Mozilla Firefox (14.0.1)
Mozilla Thunderbird (14.0.)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



# AdwCleaner v1.801 - Logfile created 08/19/2012 at 09:42:46
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Matthew - WINDOZE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Matthew\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\blekko toolbars

***** [Registry] *****

Key Found : HKCU\Software\IGearSettings
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Matthew\Application Data\Mozilla\Firefox\Profiles\qzx1mnfi.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\yg7t5i0l.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2240 octets] - [19/08/2012 09:42:46]

########## EOF - C:\AdwCleaner[R1].txt - [2368 octets] ##########

---------------------------------------------------------------------------------------

I jumped the gun and went ahead and ran Delete on AdwCleaner. Here is the log from that:

# AdwCleaner v1.801 - Logfile created 08/19/2012 at 09:43:51
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Matthew - WINDOZE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Matthew\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars

***** [Registry] *****

Key Deleted : HKCU\Software\IGearSettings
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Matthew\Application Data\Mozilla\Firefox\Profiles\qzx1mnfi.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\yg7t5i0l.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2369 octets] - [19/08/2012 09:42:46]
AdwCleaner[S1].txt - [2334 octets] - [19/08/2012 09:43:51]

########## EOF - C:\AdwCleaner[S1].txt - [2462 octets] ##########

#6 WD40.5

WD40.5
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:16 AM

Posted 19 August 2012 - 10:03 AM

BTW: I think I found the offending malware that was causing the problem. The 2 copies of iexplore showing up in the task manager was the clue. The offending program was hiding in a phony directory called "Apple":

C:\Documents and Settings\Matthew\Local Settings\Application Data\Apple\acmvrems.dll

The .dll is likely a random letter name, but the folder apparently is named to mimic the "Apple Computer" folder which exists if you have QuickTime or iTunes installed.

The clue is the double iexplore showing up in the task manager when you don't have any browsers open. You need a copy of ProcessExplorer to see the full task tree that the task manager isn't showing. The tip-off is that the two copies of iexplore are running under the services.exe parent instead of the explorer.exe parent (the desktop). In my case, the programs were showing up in ProcessExplorer as:

services.exe --> svchost.exe ---> iexplore.exe

If you killed off the svchost.exe, the 2 copies of iexplore died with it and the browser suddenly started to work normally.
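The parent-chain check described in the post above, written out as an added example (not code from the thread or from any of the tools mentioned): it flags browser processes that sit directly under svchost.exe/services.exe rather than somewhere beneath explorer.exe. The process records are a constructed snapshot modelled on the tree in the post, with made-up PIDs; on a live Windows host the same (pid, ppid, name) triples can be read off Process Explorer or from `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, Name).

```python
# Added example: flag browsers whose ancestry runs through
# services.exe -> svchost.exe instead of explorer.exe (the desktop shell).
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Browsers a user launches from the desktop; extend as needed.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
# Hosts that run system services, never an interactive user session.
SERVICE_HOSTS = {"services.exe", "svchost.exe"}


def parent_chain(by_pid, pid, limit=64):
    """Ancestor names of `pid`, nearest parent first.

    Stops when the parent is unknown (it already exited, as with explorer.exe
    whose parent userinit.exe quits), when a PID repeats (PID reuse can make a
    stale ppid point back at a descendant), or after `limit` hops.
    """
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < limit:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        seen.add(parent.pid)
        chain.append(parent.name.lower())
        cur = parent
    return chain


def find_orphaned_browsers(processes):
    """Return [(pid, name, chain)] for browser processes that do not descend
    from explorer.exe but sit directly under a service host."""
    by_pid = {p.pid: p for p in processes}
    hits = []
    for p in processes:
        if p.name.lower() not in BROWSERS:
            continue
        chain = parent_chain(by_pid, p.pid)
        if "explorer.exe" in chain:
            continue  # launched from the user's shell: normal
        if chain and chain[0] in SERVICE_HOSTS:
            hits.append((p.pid, p.name, chain))
    return hits


# Constructed snapshot mirroring the tree in the post (PIDs are invented).
SAMPLE_SNAPSHOT = [
    Proc(4, 0, "System"),
    Proc(540, 4, "smss.exe"),
    Proc(600, 540, "winlogon.exe"),
    Proc(652, 600, "services.exe"),
    Proc(880, 652, "svchost.exe"),
    Proc(1332, 880, "iexplore.exe"),   # hidden browser #1
    Proc(1340, 880, "iexplore.exe"),   # hidden browser #2
    Proc(1500, 1420, "explorer.exe"),  # parent 1420 (userinit.exe) already exited
    Proc(1900, 1500, "firefox.exe"),   # user-launched: must not be flagged
]

if __name__ == "__main__":
    for pid, name, chain in find_orphaned_browsers(SAMPLE_SNAPSHOT):
        print(f"{name} (pid {pid}) <- {' <- '.join(chain)}")
```

Treat a hit as a lead rather than a verdict, as the post does: a service-started browser is unusual for an interactive desktop, but the confirming step is still to look at what that svchost.exe instance has loaded and which Run entry or service started it.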

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:16 AM

Posted 19 August 2012 - 12:49 PM

BTW: I think I found the offending malware that was causing the problem. The 2 copies of iexplore showing up in the task manager was the clue. The offending program was hiding in a phony directory called "Apple":


You are correct. I did identify it in your DDS log. I was going to remove all traces with ComboFix. I do not see any at the moment.

uRun: [Apple] Rundll32.exe "c:\documents and settings\matthew\local settings\application data\apple\acmvrems.dll",EditHhCtrlScript

Delete this folder if still present:
c:\documents and settings\matthew\local settings\application data\apple\

As far as I am concerned this is not a folder created by Apple products.

===

Please let me know what problem persists.
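The uRun entry nasdaq quoted is a Run-key value that starts rundll32.exe on a DLL inside the user's profile. As an added example (not code from the thread or from DDS/ComboFix), here is a small audit of Run values that parses rundll32 invocations and reports any whose DLL lives outside the system directories. The Run values are a constructed table: the "Apple" entry is the one from the thread, "NvCplDaemon" stands in for a typical legitimate vendor entry, and "ctfmon.exe" shows a non-rundll32 value being skipped. On a live XP host the same name/command pairs come from HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its HKLM twin.

```python
# Added example: find rundll32 Run-key entries that load a DLL from a
# user-writable profile location instead of the system directories.
import re

# rundll32 <dll>,<export> with optional quotes around the exe and dll paths
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'
    r'"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Per-user locations on Windows XP that any process running as the user can
# write to. Installers normally put autostarted DLLs under Program Files or
# the system directory, so a DLL here deserves a second look.
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_rundll32(command):
    """Return (dll_path, export) if `command` is a rundll32 invocation, else None."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def classify_dll_path(dll_path):
    """Coarse location class: 'user-profile', 'system' or 'other'."""
    p = dll_path.lower()
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-profile"
    if p.startswith(SYSTEM_DIRS):
        return "system"
    return "other"


def audit_run_values(run_values):
    """run_values: {value_name: command}. Returns [(name, dll, export, location)]
    for every rundll32 entry whose DLL is not in a system directory."""
    findings = []
    for name, cmd in run_values.items():
        parsed = parse_rundll32(cmd)
        if parsed is None:
            continue  # not a rundll32 entry; out of scope for this check
        dll, export = parsed
        location = classify_dll_path(dll)
        if location != "system":
            findings.append((name, dll, export, location))
    return findings


# Constructed sample Run values (the "Apple" line is the one from the thread).
SAMPLE_RUN_VALUES = {
    "Apple": 'Rundll32.exe "c:\\documents and settings\\matthew\\local settings'
             '\\application data\\apple\\acmvrems.dll",EditHhCtrlScript',
    "NvCplDaemon": "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}

if __name__ == "__main__":
    for name, dll, export, location in audit_run_values(SAMPLE_RUN_VALUES):
        print(f"[{location}] {name}: {dll} -> {export}")
```

The path classes are deliberately coarse: "\Application Data\" also matches the machine-wide All Users profile, which on XP is writable by every user, so it belongs on the same side of the line as the per-user folders.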

#8 WD40.5

WD40.5
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:16 AM

Posted 19 August 2012 - 01:13 PM

I had already deleted the folder and the registry keys pointing to it. There have been no problems since. I saw that ComboFix and the other scans you mentioned found additional garbage I wasn't aware of.

I believe that the system is now clean. I'm going to wait a few days to be sure and then delete all the tools to finish cleaning up. I think we can mark this incident as closed unless something pops up.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:16 AM

Posted 19 August 2012 - 01:35 PM

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall
===

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.
