
Google Redirect Virus by PP



I have a Google Redirect Virus. My Regedit.exe terminates after 10 seconds. My CMD.exe will not launch at all. I am running WinXP Pro with the latest Java and Norton Security 2009. Below are my Malwarebytes log and HijackThis log. Thank you for your help in analyzing these logs.

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 3

3/24/2009 12:07:46 PM

mbam-log-2009-03-24 (12-07-46).txt

Scan type: Full Scan (C:\|)

Objects scanned: 162665

Time elapsed: 52 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:16:51 PM, on 3/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\ICQ6.5\ICQ.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.a...mp;bm=ho_search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [iCQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://ilearning.oracle.com

O15 - Trusted Zone: http://www.solutionbeacon.com

O15 - Trusted Zone: http://sbllc3.solutionbeacon.net

O15 - Trusted Zone: http://vis11510.solutionbeacon.net

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132712965957

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PJCAQYIGUL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe

O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

O24 - Desktop Component 1: Desktop Uninstall - C:\WINDOWS\warnhp.html

--

End of file - 9664 bytes

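Added example, not part of this thread and not code from HijackThis: a short Python script that applies a few defender-side triage heuristics to HijackThis-format lines (entries whose backing file is gone, services whose binary sits in a Temp directory, sites added to the IE Trusted Zone, autorun commands given as a bare filename). The sample lines, GUIDs, paths and product names are constructed for the example; the same `triage` function can be pointed at a pasted log.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample lines in HijackThis 2.0 log format. GUIDs, names and paths
# are made up for this example; they are not entries from the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example Utility] Example.exe
O4 - HKCU\..\Run: [Example Tray] "C:\Program Files\Example\tray.exe" /silent
O15 - Trusted Zone: http://example.invalid
O23 - Service: EXAMPLESVC - Example Publisher - C:\DOCUME~1\USER\LOCALS~1\Temp\EXAMPLESVC.exe
O23 - Service: Example Service (ExampleSvc) - Example Inc. - C:\Program Files\Example\svc.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
"""

# "O2 - BHO: ..." / "R1 - HKCU\..." : section tag, dash, body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A path component named Temp or Tmp (covers long and 8.3 forms such as LOCALS~1\Temp).
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# O4 bodies look like: HKLM\..\Run: [Value name] command line
O4_CMD_RE = re.compile(r"\]\s*(?P<cmd>.+)$")


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each entry line; header and blank lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Apply simple review heuristics and return (section, reason, body) per finding.

    Each finding is a lead for a human reviewer, not a verdict: legitimate software
    can trip any of these rules (an uninstalled toolbar leaves a "(no file)" BHO).
    """
    findings = []
    for section, body in parse_entries(log_text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "orphaned entry: the registry points at a file that no longer exists", body))
        elif section == "O23" and TEMP_DIR_RE.search(body):
            findings.append((section, "service binary is located in a Temp directory", body))
        elif section == "O15":
            findings.append((section, "site added to the IE Trusted Zone, which relaxes browser security for it", body))
        elif section == "O4":
            m = O4_CMD_RE.search(body)
            if m and "\\" not in m.group("cmd"):
                findings.append((section, "autorun command is a bare filename resolved by PATH search", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

The heuristics are deliberately conservative: they name the property that makes an entry worth a second look rather than judging it, which is how a helper reads a log like the one above, where plenty of "(file missing)" and "Unknown owner" entries belong to ordinary, half-uninstalled software.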

Welcome to the Malwarebytes forum.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:

  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

If you can do these things, everything should go smoothly.

  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Installed Programs

Please could you give me a list of the programs that are installed.

  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list of the programs installed on your computer.

Click on the Save list button and specify where you would like to save this file.

When you press the Save button, a Notepad window will open with the contents of that file.

Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.

Will be back with you as soon as I can.

Thanks, Dan


Dan,

Thank you for your assistance. I have two users on my PC. The one I usually use is an Admin user. There is also a Guest user that is not currently enabled. Here are the programs on the PC from HijackThis.

Regards,

Kim

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Flash Player 10 ActiveX

Adobe Photoshop Album 2.0 Starter Edition

Adobe Reader 7.1.0

ALPS Touch Pad Driver

Apple Mobile Device Support

Apple Software Update

Bonjour

Broadcom Advanced Control Suite

Broadcom ASF Management Applications

Browser Mouse

Business Contact Manager for Outlook 2003

Compatibility Pack for the 2007 Office system

Conexant D480 MDC V.9x Modem

Costco Photo Organizer

Critical Update for Windows Media Player 11 (KB959772)

Dell ResourceCD

Dell Solution Center

Dell TrueMobile 1300 WLAN Mini-PCI Card

Digital Line Detect

DVDSentry

Easy CD Creator 5 Basic

Family Tree Maker 9.0

Google Earth

Google Updater

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

ICQ6.5

InterActual Player

InterVideo WinDVD

iPod for Windows 2006-01-10

iTunes

Java 6 Update 12

Logitech Desktop Messenger

Logitech Gaming Software

Logitech MouseWare 9.78

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0

Microsoft Age of Empires II

Microsoft Age of Empires II: The Conquerors Expansion

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft Picture It! Express 9

Microsoft Picture It! Library 9

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

MobileMe Control Panel

Modem Helper

Monopoly - SpongeBob SquarePants Edition

MSN

MSN Encarta Plus Support Files

MSN Messenger 6.1

NetWaiting

News PlugIn

Norton Internet Security

NVIDIA Windows 2000/XP Display Drivers

Oracle JInitiator 1.1.8.16

Oracle JInitiator 1.3.1.18

Punch! Professional Home Design - Platinum

Quicken 2004

QuickSet

QuickTime

RealPlayer

Safari

Scooby-Doo, Case File #1 The Glowing Bug Man

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Slingbox Platform SDK 1.2.5.26

SlingPlayer

SpongeBob SquarePants - Nighty Nightmare

Symantec Network Driver Update

The Game of Life - SpongeBob SquarePants Edition

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

WexTech AnswerWorks

Windows Genuine Advantage v1.3.0254.0

Windows Installer Clean Up

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows XP Service Pack 3

Yahoo! Browser Services

Yahoo! Install Manager

Yahoo! Internet Mail

Yahoo! Messenger


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O15 - Trusted Zone: http://ilearning.oracle.com

O15 - Trusted Zone: http://www.solutionbeacon.com

O15 - Trusted Zone: http://sbllc3.solutionbeacon.net

O15 - Trusted Zone: http://vis11510.solutionbeacon.net

O24 - Desktop Component 1: Desktop Uninstall - C:\WINDOWS\warnhp.html

WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit.

  • Please create a BOOTLOG
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally, creates a boot log named ntbtlog.txt and saves it to C:\Windows.
    If you're already running inside Windows, you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG.
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts, open the file C:\Windows\ntbtlog.txt with Notepad.
  • From the Edit menu choose Select All, then Edit, COPY, and post that back in your next reply.
  • Note: Vista users can type it in the Search box and it will show on the menu; then right-click and choose Run as Administrator.
  • The tab is called BOOT on Vista. Then choose Boot log.

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file, you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe, go to the REPORT tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK, and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name.
  • This makes it easier to track who the log belongs to.
  • Then open that log, select all and copy/paste it back in your next reply please.
  • Quit the RootRepeal program.

Post the logs


Here is the RootRepeal log.

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/03/24 17:46

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF4949000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7D7D000 Size: 8192 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEBB4A000 Size: 45056 File Visible: No

Status: -

Name: SYMEFA.SYS

Image Path: SYMEFA.SYS

Address: 0xF76D1000 Size: 323584 File Visible: No

Status: -

SSDT

-------------------

#: 012 Function Name: NtAlertResumeThread

Status: Hooked by "<unknown>" at address 0x87545fd0

#: 013 Function Name: NtAlertThread

Status: Hooked by "<unknown>" at address 0x87552050

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "<unknown>" at address 0x87538d40

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x8751a0c8

#: 031 Function Name: NtConnectPort

Status: Hooked by "<unknown>" at address 0x874f5320

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4c3f040

#: 043 Function Name: NtCreateMutant

Status: Hooked by "<unknown>" at address 0x87603b90

#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "<unknown>" at address 0x874fb858

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x87746de8

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "<unknown>" at address 0x8751db70

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4c3f2c0

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4c3f820

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "<unknown>" at address 0x873be0d0

#: 083 Function Name: NtFreeVirtualMemory

Status: Hooked by "<unknown>" at address 0x875edcc0

#: 089 Function Name: NtImpersonateAnonymousToken

Status: Hooked by "<unknown>" at address 0x87534540

#: 091 Function Name: NtImpersonateThread

Status: Hooked by "<unknown>" at address 0x8753b2e0

#: 097 Function Name: NtLoadDriver

Status: Hooked by "<unknown>" at address 0x874ee4f0

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "<unknown>" at address 0x8750c608

#: 114 Function Name: NtOpenEvent

Status: Hooked by "<unknown>" at address 0x874f7338

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x873de3b8

#: 123 Function Name: NtOpenProcessToken

Status: Hooked by "<unknown>" at address 0x8760ce98

#: 125 Function Name: NtOpenSection

Status: Hooked by "<unknown>" at address 0x87521948

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x874860d0

#: 137 Function Name: NtProtectVirtualMemory

Status: Hooked by "<unknown>" at address 0x874e1ee8

#: 206 Function Name: NtResumeThread

Status: Hooked by "<unknown>" at address 0x8764c790

#: 213 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x875e91d0

#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x872d69c0

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "<unknown>" at address 0x87521210

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf4c3fa70

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x875219a8

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x87552c50

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x87606370

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x87553248

#: 267 Function Name: NtUnmapViewOfSection

Status: Hooked by "<unknown>" at address 0x87605498

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0x87536c48

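Added example (not from the thread and not part of RootRepeal): a Python parser for the Drivers and SSDT sections of a RootRepeal-style report that groups hooked functions by the hooking module and, for hooks the tool attributes to "<unknown>", checks whether the hook address falls inside the image range of a driver listed in the Drivers section. The report fragment, driver names and addresses are constructed for the example. As the log above shows, a security product's own driver (SYMEVENT.SYS here) hooks SSDT entries as part of its normal operation, so a hook with a named owner is expected; the "<unknown>" group is the part a reviewer follows up on.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed RootRepeal-style report fragment. Driver names, addresses and hook
# owners are made up for this example; it is not the log posted in the thread.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: example.sys
Image Path: C:\WINDOWS\system32\drivers\example.sys
Address: 0xF4C30000 Size: 131072 File Visible: No
Status: -

Name: hidden.sys
Image Path: C:\WINDOWS\system32\drivers\hidden.sys
Address: 0xEBB40000 Size: 65536 File Visible: No
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\example.sys" at address 0xf4c3f040
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x873de3b8
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xebb4a100
"""


@dataclass
class Driver:
    name: str
    start: int  # load address
    end: int    # start + size, exclusive


@dataclass
class Hook:
    index: int
    function: str
    owner: str                      # module the report names, or "<unknown>"
    address: int
    resolved: Optional[str] = None  # listed driver whose image range contains the address


NAME_RE = re.compile(r"^Name:\s*(?P<name>\S+)")
ADDR_RE = re.compile(r"^Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)")
HOOK_RE = re.compile(r"^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\S+)")
STATUS_RE = re.compile(r'^Status:\s*Hooked by "(?P<owner>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')


def resolve(address: int, drivers: List[Driver]) -> Optional[str]:
    """Return the name of the listed driver whose image range contains address, if any."""
    for d in drivers:
        if d.start <= address < d.end:
            return d.name
    return None


def parse_report(text: str) -> Tuple[List[Driver], List[Hook]]:
    """Parse the Drivers and SSDT sections; blank lines between records are tolerated."""
    drivers: List[Driver] = []
    hooks: List[Hook] = []
    current_name: Optional[str] = None
    pending: Optional[Tuple[int, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            current_name = m.group("name")
        elif (m := ADDR_RE.match(line)) and current_name:
            start = int(m.group("addr"), 16)
            drivers.append(Driver(current_name, start, start + int(m.group("size"))))
            current_name = None
        elif m := HOOK_RE.match(line):
            pending = (int(m.group("idx")), m.group("fn"))
        elif (m := STATUS_RE.match(line)) and pending:
            hooks.append(Hook(pending[0], pending[1], m.group("owner"), int(m.group("addr"), 16)))
            pending = None
    for h in hooks:  # resolve once every driver range is known
        h.resolved = resolve(h.address, drivers)
    return drivers, hooks


def summarize(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group hooked functions by their best-known owner.

    A module the report names is taken as-is (basename only). For "<unknown>" hooks,
    an address inside a listed driver's range is attributed to that driver; the rest
    stay "<unknown>" and are the entries that need follow-up.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        if h.owner != "<unknown>":
            owner = h.owner.rsplit("\\", 1)[-1]
        elif h.resolved:
            owner = f"{h.resolved} (resolved from Drivers section)"
        else:
            owner = "<unknown>"
        groups[owner].append(h.function)
    return dict(groups)


if __name__ == "__main__":
    _, found = parse_report(SAMPLE_REPORT)
    for owner, functions in summarize(found).items():
        print(f"{owner}: {', '.join(functions)}")
```

On the constructed input the third hook is reported as "<unknown>" but its address lies inside the range of a driver the Drivers section lists as not file-visible, which is exactly the kind of cross-reference that turns a wall of "Hooked by <unknown>" lines into a short list of modules to investigate.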

Go to Start > Run and highlight the contents of the box below, then use CTRL+C to copy them and CTRL+V to paste them into the Run dialogue box.

cmd /c copy C:\WINDOWS\system32\drivers\etc\hosts "%userprofile%\desktop\hosts.txt"

Click OK; Notepad will then open with your Hosts file. Copy and paste the whole Hosts file in your next reply.

-----------------------------

Download and run Combofix

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Please download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

----------------------------------------------

Post back:

Combofix report.

A new HijackThis log.

Host file text


Dan,

This morning I checked my Tools in System Configuration. All of the tools are launching including RegEdit and CMD.EXE. RegEdit is not closing after 10 seconds.

Norton Security is giving me an alert every 10 seconds that it is blocking a security risk called Downloader. Downloader apparently downloads other trojans. I am concerned that shutting down my antivirus software will enable this stuff to infect my machine again. Can we download ComboFix to a clean machine, update it there and install it on this laptop without utilizing the internet connection on this laptop? I have a desktop machine that is not infected. Norton has identified this Downloader file as: C:\Windows\abfsxvo.ina. I don't see this file on my PC. It must be hidden. Perhaps we should address this Downloader before proceeding with ComboFix?


I found the HOSTS file. It was on the desktop. Here it is. I am still fighting this Downloader. The Norton Security technician found a problem with HOSTS yesterday and removed an entry at the bottom.

# Copyright © 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

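Added example (not part of the thread): a Python audit of a Windows Hosts file that lists every mapping other than the expected localhost entries and classifies it as a redirect (a hostname sent to some other address) or a blackhole (a hostname pinned to loopback or 0.0.0.0, which silently stops it resolving). The sample file content is constructed; the example.com, example.net and example.org hostnames and the 192.0.2.10 address are reserved documentation values, not real destinations.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed Hosts file content for the example. The redirect and blackhole
# lines are made up; they are not from the file posted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example.com      # constructed: sends a site elsewhere
127.0.0.1       update.example.net   # constructed: pins an update host to loopback
0.0.0.0         telemetry.example.org
"""

# Names that legitimately map to a loopback address in a default Hosts file.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs. Comments and blank lines are dropped,
    and a line with several hostnames yields one pair per hostname."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        pairs.extend((address, name) for name in names)
    return pairs


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Classify every mapping that is not an expected localhost entry.

    redirect  - hostname sent to a routable address (traffic goes somewhere else)
    blackhole - hostname pinned to loopback or 0.0.0.0 (traffic goes nowhere)
    invalid   - address field that does not parse as an IP address
    """
    findings = []
    for address, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"host": name, "address": address, "kind": "invalid"})
            continue
        sink = ip.is_loopback or ip.is_unspecified
        if sink and name.lower() in EXPECTED_LOOPBACK_NAMES:
            continue
        findings.append({"host": name, "address": address,
                         "kind": "blackhole" if sink else "redirect"})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:9} {f['host']} -> {f['address']}")
```

Run against the file posted just above, `audit_hosts` returns an empty list, since the only active line is `127.0.0.1 localhost`; that is the expected result for a default Windows XP Hosts file, and any extra line at the bottom, like the one the Norton technician removed, would show up as a finding.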

Norton Security identified and quarantined a Downloader and one other virus. It sent it for automatic analysis and after an hour removed it from the machine. It seemed to be persistent, as it came back twice. I ran a Norton Full Scan. At this time everything looks normal. My System Tools all work and I am not experiencing any Google Search Redirects. I will download ComboFix and post the results. I feel like I can use the internet connection now.


Here is the ComboFix log.

ComboFix 09-03-23.01 - KIM 2009-03-25 12:16:14.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.641 [GMT -7:00]

Running from: c:\documents and settings\KIM\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\KIM\Application Data\Install.dat

c:\windows\IE4 Error Log.txt

c:\windows\system32\drivers\fad.sys

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))

.

2009-03-24 17:32 . 2009-03-24 17:50 <DIR> d-------- C:\RootRepeal

2009-03-24 12:16 . 2009-03-24 12:16 <DIR> d-------- c:\program files\Trend Micro

2009-03-24 11:07 . 2009-03-24 11:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-24 11:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys

2009-03-24 11:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

2009-03-23 17:13 . 2009-03-23 17:13 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\NIS

2009-03-23 17:13 . 2009-03-23 17:13 <DIR> d-------- c:\program files\Symantec

2009-03-23 17:13 . 2009-03-23 17:13 <DIR> d-------- c:\program files\Norton Internet Security

2009-03-23 17:13 . 2009-03-24 11:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

2009-03-23 17:13 . 2009-03-23 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2009-03-23 17:13 . 2009-03-23 17:13 124,464 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS

2009-03-23 17:13 . 2009-03-23 17:13 60,808 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL

2009-03-23 17:13 . 2009-03-23 17:13 36,400 -ra------ c:\windows\SYSTEM32\DRIVERS\SymIM.sys

2009-03-23 17:13 . 2009-03-23 17:13 7,386 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.CAT

2009-03-23 17:13 . 2009-03-23 17:13 805 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.INF

2009-03-23 17:12 . 2009-03-23 17:12 <DIR> d-------- c:\program files\NortonInstaller

2009-03-23 17:12 . 2009-03-23 17:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-03-23 13:35 . 2009-03-23 13:35 <DIR> d-------- c:\program files\Windows Installer Clean Up

2009-03-23 11:26 . 2009-03-23 17:26 <DIR> d-------- c:\windows\LMI3.tmp

2009-03-21 16:15 . 2009-03-21 16:15 10,344 --a------ c:\windows\SYSTEM32\DRIVERS\symlcbrd.sys

2009-03-21 10:37 . 2009-03-21 10:37 <DIR> d-------- c:\program files\Windows Sidebar

2009-03-18 09:11 . 2009-03-18 09:11 <DIR> d-------- c:\program files\iTunes

2009-03-18 09:11 . 2009-03-18 09:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-18 09:08 . 2009-03-18 09:08 <DIR> d-------- c:\program files\QuickTime

2009-03-16 11:10 . 2009-03-16 11:10 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll

2009-03-16 11:10 . 2009-03-16 11:10 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl

2009-03-15 12:26 . 2009-03-15 12:26 <DIR> d-------- c:\documents and settings\KIM\Application Data\Malwarebytes

2009-03-15 12:26 . 2009-03-15 12:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-13 07:43 . 2009-03-13 07:48 <DIR> d-------- c:\program files\ICQ6.5

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-24 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-03-24 18:26 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-24 00:38 --------- d-----w c:\program files\Bonjour

2009-03-23 20:35 --------- d-----w c:\program files\MSECache

2009-03-23 20:30 --------- d-----w c:\program files\Yahoo!

2009-03-23 20:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-21 17:03 --------- d-----w c:\program files\Design Science

2009-03-21 17:01 --------- d-----w c:\program files\Nick Arcade

2009-03-18 16:11 --------- d-----w c:\program files\iPod

2009-03-18 16:11 --------- d-----w c:\program files\Common Files\Apple

2009-03-18 16:00 --------- d-----w c:\program files\Safari

2009-03-16 21:04 --------- d--h--r c:\documents and settings\KIM\Application Data\yahoo!

2009-03-16 21:04 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!

2009-03-16 18:10 --------- d-----w c:\program files\Java

2009-03-13 22:49 --------- d-----w c:\program files\ICQ6Toolbar

2009-03-13 14:45 --------- d-----w c:\program files\ICQ6

2009-03-13 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\ICQ

2009-02-27 14:54 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys

2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys

2009-02-07 21:41 --------- d-----w c:\documents and settings\KIM\Application Data\Uniblue

2009-01-29 22:23 --------- d-----w c:\documents and settings\KIM\Application Data\GTek

2009-01-29 22:07 --------- d-----w c:\program files\Windows Live Safety Center

2009-01-29 04:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-17 05:35 3,594,752 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll

2008-08-04 22:26 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Utility"="Logi_MwX.Exe" [2003-06-30 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SRUUninstall"="c:\windows\System32\msiexec.exe" [2008-04-13 78848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-11-23 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux2"= c:\windows\system32\..\abfsxvo.lna

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

--a------ 2002-12-17 11:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

--a------ 2009-03-06 00:50 177472 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

--a------ 2003-01-31 10:27 364544 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]

--a------ 2002-07-17 09:18 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2009-03-16 11:10 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]

--a------ 2003-05-14 17:37 98304 c:\windows\SYSTEM32\BacsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\SymEFA.sys [2009-03-23 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\BHDrvx86.sys [2009-03-23 258608]

R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1005000.087\cchpx86.sys [2009-03-23 482352]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090318.001\IDSXpx86.sys [2009-03-23 276344]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-23 115560]

R2 SlingAgentService;SlingAgent Service;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-12-10 88576]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-24 101936]

R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [2003-02-14 59328]

S3 PJCAQYIGUL;PJCAQYIGUL;c:\docume~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe --> c:\docume~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe [?]

.

Contents of the 'Scheduled Tasks' folder

2009-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-25 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 11:42]

2009-03-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - KIM.job

- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []

2009-03-19 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-01-14 c:\windows\Tasks\Uniblue SpeedUpMyPC.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2009-03-25 c:\windows\Tasks\User_Feed_Synchronization-{31ED02FE-DA3E-42A1-999D-45581CFEAB6C}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe

HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe

MSConfigStartUp-IPInSightMonitor 01 - c:\program files\Verizon Online\Visual IP InSight\IPMon32.exe

MSConfigStartUp-WindoFix - c:\program files\WindoFix\WindoFix.exe

MSConfigStartUp-bascstray - BascsTray.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

Trusted Zone: microsoft.com\www

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.5.0.135\CoIEPlg.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-25 12:17:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3104674408-723263351-3612406668-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2009-03-25 12:20:13

ComboFix-quarantined-files.txt 2009-03-25 19:19:27

Pre-Run: 18,457,833,472 bytes free

Post-Run: 18,726,563,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

204 --- E O F --- 2009-03-15 03:37:57


Here is the HiJack log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:25:09 PM, on 3/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\basfipm.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKCU\..\Run: [iCQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132712965957

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PJCAQYIGUL - Unknown owner - C:\DOCUME~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe (file missing)

O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 8209 bytes


Here is the HOSTS file.

# Copyright © 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

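The helper asked for the HOSTS file because a redirect can also be planted there: a search-engine name mapped to an address the attacker controls, or a vendor's update host pinned to 127.0.0.1 so the product can no longer update, often pushed below a long run of blank lines so it is not visible in Notepad. The check below is an added example, not code from the thread or from any tool mentioned in it; the clean file is constructed to mirror the one pasted above, the tampered one is made up, and the watch list and function names are this example's own assumptions.

```python
import ipaddress

# Constructed clean HOSTS file, mirroring the one the poster pasted above.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
"""

# Constructed tampered file: the same header, then a long run of blank lines
# (so the additions sit below the visible window in Notepad), then search
# engines pointed at a real address and a vendor site blocked via loopback.
TAMPERED_HOSTS = CLEAN_HOSTS + "\n" * 40 + """\
203.0.113.5    www.google.com   google.com   # hijacked search
203.0.113.5    liveupdate.symantecliveupdate.com
127.0.0.1      www.malwarebytes.org
::1            localhost
"""

# Names whose presence in HOSTS is worth a look even when they point at
# loopback (blocking vendor/update sites). This list is the example's own.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "microsoft.com",
                    "windowsupdate.com", "symantec.com",
                    "symantecliveupdate.com", "malwarebytes.org")


def parse_hosts(text):
    """Yield (ip, hostnames, line_no) for each active mapping. Comment-only
    and blank lines are skipped; an inline '# ...' comment is stripped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or malformed
        yield parts[0], parts[1:], line_no


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything else or non-IPs."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def is_watched(name):
    """True when the name is, or is a subdomain of, a watched suffix."""
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return a list of dicts describing mappings that deserve attention:
    any name sent to a non-loopback address (what a redirect needs), and any
    watched vendor/search name pinned to loopback (update blocking)."""
    hits = []
    for ip, names, line_no in parse_hosts(text):
        loopback = is_loopback(ip)
        for name in names:
            if not loopback:
                reason = "mapped to a non-loopback address"
            elif is_watched(name):
                reason = "watched name blocked via loopback"
            else:
                continue
            hits.append({"line": line_no, "ip": ip, "name": name, "reason": reason})
    return hits


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        hits = suspicious_entries(text)
        print(f"{label}: {len(hits)} suspicious entries")
        for h in hits:
            print(f"  line {h['line']}: {h['ip']} {h['name']} ({h['reason']})")
```

Run stand-alone it reports nothing for the clean file and four entries for the tampered one, with the line numbers (50 and up) showing why scrolling to the bottom of the file matters. Plain `name -> 127.0.0.1` blocking entries for names outside the watch list are treated as the file's normal, benign use.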

Submit a File For Analysis

We need to have the file below scanned by uploading it to Jotti.

Please visit Jotti

Copy/paste the following file path into the window:

c:\windows\system32\..\abfsxvo.lna

Click Submit/Send File

Please post back, to let me know the results.

If Jotti is too busy, please try VirusTotal and post the results.


Here is the message I received from Jotti.

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

Is this the full path?: c:\windows\system32\..\abfsxvo.lna

FYI, this is the file Norton identified as the Downloader. It was quarantined.


That's fine, at least we were after the same file.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as All Files and name it FixServices.bat. Please save it on your desktop.

@echo off

sc stop PJCAQYIGUL

sc delete PJCAQYIGUL

exit

Double click FixServices.bat. A window will open and close. This is normal.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

O23 - Service: PJCAQYIGUL - Unknown owner - (file missing) C:\DOCUME~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe

WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit.

And just to make sure, as you have said it's been quarantined:

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
:files
C:\DOCUME~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe
c:\windows\system32\..\abfsxvo.lna
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=-
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Post the OTMoveIt3 report and a fresh HJT log.

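The two items the helper singles out above, the PJCAQYIGUL service that the logs show pointing at the user's Temp folder with its binary already gone, and the drivers32 "aux2" value that reaches through system32\..\ to a .lna file, can be picked out of a HijackThis or ComboFix log mechanically. The script below is an added example, not code from the thread or from HijackThis, ComboFix or OTMoveIt; the sample lines are constructed from entries shown in the thread, and the function names and heuristics are this example's own.

```python
import re

# Constructed sample lines, modelled on entries that appear in this thread:
# two HijackThis O23 lines, two ComboFix service lines (R*/S* prefix) and two
# drivers32 values in the style of ComboFix's "Reg Loading Points" section.
SAMPLE_LINES = [
    r"O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe",
    r"O23 - Service: PJCAQYIGUL - Unknown owner - C:\DOCUME~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe (file missing)",
    r"R2 SlingAgentService;SlingAgent Service;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-12-10 88576]",
    r"S3 PJCAQYIGUL;PJCAQYIGUL;c:\docume~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe --> c:\docume~1\KIM\LOCALS~1\Temp\PJCAQYIGUL.exe [?]",
    r'"aux2"= c:\windows\system32\..\abfsxvo.lna',
    r'"wave"= c:\windows\system32\wdmaud.drv',
]

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
COMBOFIX_SVC_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: -->.*)?(?: \[.*\])?$")
# drivers32 values are written unquoted by ComboFix ("key"= c:\path.ext), which
# keeps Run-key lines with a quoted path from matching here.
DRIVERS32_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<path>[^"].*)$')

TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.I)   # a ...\Temp\... component
PARENT_ESCAPE_RE = re.compile(r"\\\.\.\\")                 # a literal \..\ component
EXT_RE = re.compile(r"\.([A-Za-z0-9]+)$")
# Extensions one expects behind a drivers32 value (audio/video wrapper drivers).
DRIVERS32_EXPECTED_EXT = {"dll", "drv", "acm", "ax"}


def triage_service(line):
    """Return (service name, reasons) for a HijackThis O23 line or a ComboFix
    service line, or None if the line is neither. An empty reasons list means
    nothing looked wrong."""
    m = O23_RE.match(line) or COMBOFIX_SVC_RE.match(line)
    if not m:
        return None
    groups = m.groupdict()
    reasons = []
    if TEMP_DIR_RE.search(groups["path"]):
        reasons.append("service binary lives in a Temp directory")
    # HijackThis appends "(file missing)"; ComboFix prints "[?]" where the
    # file's date and size would otherwise go.
    if groups.get("missing") or line.rstrip().endswith("[?]"):
        reasons.append("service binary is missing (orphaned service entry)")
    if groups.get("owner") == "Unknown owner":
        reasons.append("no publisher information")
    return groups["name"], reasons


def triage_drivers32(line):
    """Return (value name, reasons) for a drivers32 value, or None."""
    m = DRIVERS32_RE.match(line)
    if not m:
        return None
    path = m.group("path").strip()
    reasons = []
    if PARENT_ESCAPE_RE.search(path):
        reasons.append("path uses ..\\ to step out of system32")
    ext = EXT_RE.search(path)
    if not ext or ext.group(1).lower() not in DRIVERS32_EXPECTED_EXT:
        reasons.append("unexpected extension for a drivers32 entry")
    return m.group("key"), reasons


def triage(lines):
    """Return {entry name: [reasons]} for every line that raised a flag."""
    flagged = {}
    for line in lines:
        hit = triage_service(line) or triage_drivers32(line)
        if hit and hit[1]:
            flagged.setdefault(hit[0], []).extend(hit[1])
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run stand-alone it flags PJCAQYIGUL (Temp path, missing binary, no publisher, from both the HijackThis and the ComboFix view) and aux2 (the ..\ escape and the .lna extension), while the Norton and SlingAgent services and a default wdmaud.drv value pass. The heuristics only point at entries worth a second look; the decision to remove them is still the kind of judgement the helper made above.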

I will get to that in the morning.

It appears this bad boy copied a piece of the firewall, cloned it and then put it above the original program in the search path. My Norton product was becoming increasingly unstable as updates were applied to the original program but the cloned bad boy was the one actually running. Before I reinstalled Norton, I was getting errors on ccSvcHst, which I determined was a Norton program. Is that the way you see it?

