Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search Results often Redirect / Hijack, Frequently to Scour or Nixxie Answers.com


  • This topic is locked This topic is locked
23 replies to this topic

#1 AlaskaksalA

AlaskaksalA

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 29 October 2012 - 02:00 AM

Hello -

This is my first time here, and I feel lucky to have found such a generous and intelligent online community dedicated to the removal of these attacks on society!

For 2-3 months now, my homemade PC has been having redirect/hijack browser issues. I am normally quite diligent about my scanners, anti-virus, anti-malware, and anti-spyware programs, and I do not - at least knowingly - every download something that I don't know where it came from, so I honestly feel clueless as to where this could have come from. Which makes me worry that even if we can fix it, I'll somehow get it back, and of course a bit ashamed at the apparent gaping hole in my knowledge of online security. I greatly look forward to seeing what we can figure out, and how I can be safer in the future. Again, many many thanks in advance.

I use updated firefox almost exclusively, though my girlfriend shares the machine and uses chrome. I've talked to her about safe downloading and she doesn't download anything I don't approve, but I am less familiar with chrome overall. I would say about 1/3 of our google search results will hijack the page to a random site - sometimes legitimate and random, like Nordstrom shoes. Most of the time though, it takes us to the Scour homepage or this other Nixxie Answers-type deal. Often though, it will take us to a specific IP only with a relatively blank/blocked site that is trying to do load images or take other actions. These are sometimes accompanied by popups, despite my ad-blockers. In addition, sometimes I can just click 'back' on the browser or mouse one time, and reselect the link and get there normally. Others though, I can't click back fast enough to get out of the page reload and have to close the tab/browser and start over again to get cleanly to the page I'm looking for. So while that is annoying, I am aware that if it is a rootkit or other issue, it can cause much greater security threats to enter the system or attack my information so naturally I've been scared to do any banking etc. online at home.

I have followed many, many removal steps from legitimate sites and nothing has worked. This includes unchecking my proxy settings on all browsers, running just about every available free and legitimate removal tool, looking at my host lists and once it got to the point of browsing my registry and other lists for RANDOM.exe's, I knew I was probably in over my head and patience level. Sidenote - this is when I also realized there were many fake / bad grammar sites dedicated to Scour removal and figured there was enough of a conspiracy going on that it was hard to trust anyone/anything. Combofix kept coming up in my searches, and I have not run it, as I researched and found what was going on here and that this was a very respected site to come to for help and a powerful and secretive tool for rootkit removal that requires expert assistance. Again, thank you.

With that in mind, maybe a little winded, here are my logs (and as I run 64bit win7 I believe you don't need a GMER log...):

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.6.2
Run by Cyber X at 23:36:17 on 2012-10-28
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6142.4267 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Windows\SysWOW64\XSrvSetup.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\RNX-180UBE\11n USB Wireless LAN Utility\RtlService.exe
C:\Program Files (x86)\RNX-180UBE\11n USB Wireless LAN Utility\RtWlan.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Logitech\G930\G930.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Logitech\SetPointG\SetPointII.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Epson Stylus NX430(Network)] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIHBA.EXE /FU "C:\Users\CYBERX~1\AppData\Local\Temp\E_S6092.tmp" /EF "HKCU"
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Logitech G930] C:\Program Files (x86)\Logitech\G930\G930.exe
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{cbe9467e-aecd-41ca-83db-ddb5b3aa8bbf} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E1FD57D6-F951-42A9-B79A-3F51AF39937F} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
x64-Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Cyber X\AppData\Roaming\Mozilla\Firefox\Profiles\gu69o7je.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\Cyber X\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-9-21 61792]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2012-9-21 225120]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2012-10-5 111456]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-9-14 40800]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2012-9-13 151904]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-10-2 185696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-9-21 200032]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2012-10-2 5783672]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2012-10-2 193568]
R2 JMB36X;JMB36X;C:\Windows\SysWOW64\XSrvSetup.exe [2010-12-7 72280]
R2 Realtek11nSU;Realtek11nSU;C:\Program Files (x86)\RNX-180UBE\11n USB Wireless LAN Utility\RtlService.exe [2010-12-7 40960]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R2 WinRing0_1_2_0;WinRing0_1_2_0;C:\Users\Cyber X\AppData\Local\Microsoft\Windows Sidebar\Gadgets\IntelCoreSeries24 (2).gadget\WinRing0x64.sys [2010-12-7 14544]
R3 LADF_BakerCOnly;BakerC Filter Driver;C:\Windows\System32\drivers\ladfBakerCamd64.sys [2011-3-18 410184]
R3 LADF_BakerROnly;BakerR Filter Driver;C:\Windows\System32\drivers\ladfBakerRamd64.sys [2011-3-18 335688]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
R3 LVUVC64;Logitech Webcam Pro 9000(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-4-26 83080]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-4-26 184968]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-12-7 155752]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-12-7 347680]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8192su.sys [2010-11-25 694888]
R3 rtlss;Service for enabling selective suspend to RTL device;C:\Windows\System32\drivers\rtlss.sys [2010-6-21 27240]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-10-4 1153368]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-25 115168]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2012-3-30 24176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-5-17 20992]
S3 ssmirrdr;ssmirrdr;C:\Windows\System32\drivers\ssmirrdr.sys [2011-3-14 10112]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-5-17 59392]
S3 WatAdminSvc;WatAdminSvc;C:\Windows\System32\Wat\WatAdminSvc.exe --> C:\Windows\System32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-10-14 21:12:56 -------- d-----w- C:\ProgramData\HitmanPro
2012-10-05 10:26:22 111456 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-10-02 10:30:38 185696 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
.
==================== Find3M ====================
.
2012-10-23 03:16:14 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-23 03:16:14 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-30 02:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-21 10:46:04 200032 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2012-09-21 10:46:00 225120 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2012-09-21 10:45:50 61792 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-09-14 10:05:18 40800 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2012-09-13 10:11:18 151904 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-21 21:55:31 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-21 21:55:31 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-08-21 21:55:31 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-08-21 21:01:00 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe
2012-08-20 18:48:44 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-08-20 18:48:44 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-08-20 18:48:44 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-08-20 18:48:43 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-08-20 18:48:37 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-08-20 18:48:35 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-20 18:46:22 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-08-20 17:40:21 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-08-20 17:38:44 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2012-08-20 17:38:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-08-20 17:37:19 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-08-20 17:37:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-08-20 15:38:21 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-08-20 15:38:20 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-08-20 15:33:28 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-08-15 03:47:20 88064 ----a-w- C:\Windows\System32\E_IBCBHBA.DLL
2012-08-15 03:47:20 118784 ----a-w- C:\Windows\System32\E_ILMHBA.DLL
2012-08-11 00:56:03 715776 ----a-w- C:\Windows\System32\kerberos.dll
2012-08-10 23:56:14 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-08-02 17:58:52 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-08-02 16:57:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2010-05-21 15:59:50 3095040 ----a-w- C:\Program Files (x86)\openofficeorg32.msi
2010-05-21 15:58:20 460088 ----a-w- C:\Program Files (x86)\setup.exe
.
============= FINISH: 23:36:25.30 ===============


Thank you, thank you, thank you for your help. I built this machine myself 2 years ago this month, though my friend got it up and running with software and protection programs. I have never had a visible security issue until after this summer, which didn't coincide with any specific site visit or download that I can think of.

Please let me know if I missed anything or you need anymore help understanding the issue.

Take care!

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:38 AM

Posted 29 October 2012 - 09:46 AM

Please run the following:


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]type exit and reboot the computer normally
[*]FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 AlaskaksalA

AlaskaksalA
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 29 October 2012 - 12:53 PM

Wow, thank you so much for the overnight response! I feel quite lucky.

I will be able to run these and post around 9pm tonight, just for reference.

And I wanted to double-check about the 2nd step - even though I have backed up my data, this repair operation will not intentionally wipe the system - correct? Is its main focus to produce the logs or is it doing some deep cleaning/work as well? Just didn't know if I should expect any major changes/deletions to the system post-run.

Thank you!

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:38 AM

Posted 29 October 2012 - 04:31 PM

the 2nd part is a diagnostic tool and only produces a log,(unless I give you a script to fix any bad entries I find) it's a way of examining your system outside of Windows being loaded which should show any hidden nasties

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 AlaskaksalA

AlaskaksalA
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 30 October 2012 - 01:27 AM

Hello -

I got halfway through before something else came up that I had to take care of. I've attached the first log but will have to get back to the 2nd step tomorrow evening. Sorry for the delay, and thank you again for your help.

Attached Files



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:38 AM

Posted 30 October 2012 - 05:15 PM

ok, no problem

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 AlaskaksalA

AlaskaksalA
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 31 October 2012 - 06:29 AM

2nd step complete, log attached. Previous step's log re-attached.

Should be able to perform next steps Thursday evening. Thank you!

Attached Files



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:38 AM

Posted 31 October 2012 - 04:34 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 AlaskaksalA

AlaskaksalA
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 02 November 2012 - 02:08 AM

ComboFix file attached.

Program ran very smoothly and did not initiate reboot. Rebooted after reading log anyway, re-enabled protections.

Thank you!

Sidenote - noticeable improvement in browser speed. No redirects seen thus far...

Attached Files



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:38 AM

Posted 02 November 2012 - 04:41 PM

Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 AlaskaksalA

AlaskaksalA
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 02 November 2012 - 05:16 PM

Sounds good, I'll be able to get to this in a few hours.

Curiosity attack - Of course I'll perform these steps either way, was just wondering if you saw specific infections that persisted within the system through previous steps or if this is mostly part of a standard finish-cleaning procedure?

Thank you!

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:38 AM

Posted 02 November 2012 - 08:29 PM

combofix deleted a couple of trojan files, I always sweep for leftovers using an antimalware product and an online scan in case there are any left overs.

There are sometimes infected files that don't show up in every log so we use a variety of product to make sure we find everything left on the machine.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 AlaskaksalA

AlaskaksalA
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 03 November 2012 - 02:57 AM

Malwarebytes Log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.03.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Cyber X :: CYBERX [administrator]

11/3/2012 12:54:02 AM
mbam-log-2012-11-03 (00-54-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200986
Time elapsed: 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 AlaskaksalA

AlaskaksalA
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 03 November 2012 - 02:05 PM

ESET Scan results:

C:\Users\Cyber X\AppData\Local\Google\Chrome\User Data\Default\Default\aadddhdcdedbgfdjgedidbdadedjgggg\background.html Win32/BHO.OEI trojan
C:\Users\Cyber X\AppData\Local\Google\Chrome\User Data\Default\Default\aadddhdcdedbgfdjgedidbdadedjgggg\ContentScript.js Win32/BHO.OEI trojan
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\1cfbde4a-7ab22cfa multiple threats
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\4b4d120a-4b815f5b a variant of Java/Exploit.CVE-2012-4681.AQ trojan
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\77c346ce-7d684c96 a variant of Java/Exploit.CVE-2012-4681.AK trojan
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\52afd316-69caf167 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\4bbb1157-5cdbf2b8 a variant of Java/Exploit.CVE-2012-4681.AQ trojan
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\170f55e-5f65d754 multiple threats
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\781c6064-43c124a8 multiple threats
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\14c6ceaa-546d416b a variant of Java/Exploit.CVE-2012-4681.AK trojan
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\432058b8-28f4a6e4 multiple threats
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\5b0baa7e-32b3c9cd Java/Agent.EX trojan
H:\Solidworks 2011 SP4 x64\Solidworks 2011 SP4 x64.iso a variant of Win32/HackTool.Patcher.T application

Thanks!

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:38 AM

Posted 03 November 2012 - 02:20 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\Cyber X\AppData\Local\Google\Chrome\User Data\Default\Default\aadddhdcdedbgfdjgedidbdadedjgggg\background.html 
C:\Users\Cyber X\AppData\Local\Google\Chrome\User Data\Default\Default\aadddhdcdedbgfdjgedidbdadedjgggg\ContentScript.js 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\1cfbde4a-7ab22cfa 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\4b4d120a-4b815f5b 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\77c346ce-7d684c96 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\52afd316-69caf167 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\4bbb1157-5cdbf2b8 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\170f55e-5f65d754 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\781c6064-43c124a8 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\14c6ceaa-546d416b 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\432058b8-28f4a6e4 
C:\Users\Cyber X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\5b0baa7e-32b3c9cd 
H:\Solidworks 2011 SP4 x64\Solidworks 2011 SP4 x64.iso 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users