Malwarebytes, Firefox etc. won't run, Google redirect active, can't update some


I read all the topics before posting this topic.

I have installed Avira AV and at first it found a few trojans, which were deleted. Then I installed Malwarebytes, didn't update, but the fast scan found a few trojans too, which were deleted.

I thought that this was an end of my problems and went to sleep.

The following day all went back to the old problems: MB won't run, Avira can't update, Firefox cannot reinstall or run, most of the other malware programs cannot download or update.

I can run HijackThis, Avira Antivirus, Hauri AV and Avira AntiRootkit Tool.

The full Avira Antivirus scan is not detecting anything, while Avira AntiRootkit Tool has detected 2 results:

Avira AntiRootkit Tool (1.1.0.1)

================================================================================

========================

- Scan started Monday, 18 January 2010 - 12:33:00 PM

================================================================================

========================

--------------------------------------------------------------------------------------------------------

Configuration:

--------------------------------------------------------------------------------------------------------

- [X] Scan files

- [X] Scan registry

- [X] Scan processes

- [ ] Fast scan

- Working disk total size : 298.08 GB

- Working disk free size : 164.90 GB (55 %)

--------------------------------------------------------------------------------------------------------

Results:

Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 -> midi9

Value data length mismatch (20 <> 0): HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows -> appinit_dlls

--------------------------------------------------------------------------------------------------------

Files: 0/169544

Registry items: 2/540945

Processes: 0/36

Scan time: 00:08:50

--------------------------------------------------------------------------------------------------------

Active processes:

- yfnamefd.exe (PID 2788) (Avira AntiRootkit Tool)

- System (PID 4)

- smss.exe (PID 672)

- csrss.exe (PID 720)

- winlogon.exe (PID 744)

- services.exe (PID 796)

- lsass.exe (PID 808)

- WinDomainlogon.exe (PID 928)

- svchost.exe (PID 1032)

- svchost.exe (PID 1140)

- svchost.exe (PID 1236)

- svchost.exe (PID 1364)

- svchost.exe (PID 1436)

- spoolsv.exe (PID 1620)

- sched.exe (PID 1668)

- GoogleUpdate.exe (PID 1960)

- explorer.exe (PID 168)

- avgnt.exe (PID 424)

- ctfmon.exe (PID 444)

- TeaTimer.exe (PID 456)

- avguard.exe (PID 1060)

- HFACSvc.exe (PID 1196)

- hpcsvc.exe (PID 1216)

- hsvcmod.exe (PID 1292)

- svchost.exe (PID 1380)

- vrscan.exe (PID 1496)

- vrfwsvc.exe (PID 1448)

- wscntfy.exe (PID 2336)

- alg.exe (PID 2704)

- vrfwsock.exe (PID 2740)

- iexplore.exe (PID 1376)

- iexplore.exe (PID 536)

- msnmsgr.exe (PID 3860)

- iexplore.exe (PID 472)

- msimn.exe (PID 2500)

- avirarkd.exe (PID 2436)

================================================================================

========================

- Scan finished Monday, 18 January 2010 - 12:41:51 PM

================================================================================

========================

and this is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:22:12 PM, on 18/01/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe

C:\Program Files\Hauri\ViRobot Desktop 5.5\hpcsvc.exe

C:\Program Files\Hauri\Common\hsvcmod.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Hauri\Common\Base\vrscan.exe

C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsock.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL

O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab

O16 - DPF: {447F8438-8124-4369-905B-A249E13CBBFC} (LgbContent Control) - http://pickles.liveglobalbid.com/install/new/lgbkc.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1189214322546

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: winmm.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: ViRobot for WinNT Folder Protect (HFACSVC) - hauri - C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe

O23 - Service: ViRobot Communication Service (hpcsvc) - HAURI - C:\Program Files\Hauri\ViRobot Desktop 5.5\hpcsvc.exe

O23 - Service: Hauri Common Service (hsvcmod) - HAURI Inc. - C:\Program Files\Hauri\Common\hsvcmod.exe

O23 - Service: ViRobot Common Scan Service - HAURI Inc. - C:\Program Files\Hauri\Common\Base\vrscan.exe

O23 - Service: Hauri Firewall (vrfwsvc) - Hauri inc. - C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe

O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - Hauri, Inc. - C:\Program Files\Hauri\Common\Base\vrmonsvc.exe

O23 - Service: ViRobot Repairing Service (vrrepair) - Hauri, Inc. - C:\Program Files\Hauri\Common\Base\vrrepair.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 8567 bytes

  • Staff

Hi,

You're dealing with one of these Daonol/Gumblar variants.

If you have any websites, please take them offline, as this variant gathers FTP passwords and other passwords in order to gain access to your FTP and infect your webpages with the same infection you are dealing with.

Are you familiar with the registry? We won't use regular regedit here, as 1) it won't run anyway and 2) the key/value we are looking for is hidden, so regular regedit won't show it.

Please do the following instead:

* Download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, please attach it.

Let's see if GMER sees this + the extra values.

If not, then we'll use GMER to gather the data anyway (using its own registry editor). But that's for afterwards.

Hi, thanks for your reply :-)

I tried to run GMER 3 times; it crashed each time, somewhere after 4-5 minutes into the scan, and the PC got restarted.

I'm familiar with regedit and can follow instructions :)

I forgot to mention that I could not remove those two instances from my first post:

Hidden value : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 -> midi9

Value data length mismatch (20 <> 0): HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows -> appinit_dlls

To add to all this, a new thing developed: something is firing a TR/Spy.Gen2 as soon as Windows loads up, and it keeps repeating each time the AV program blocks it and sends it into quarantine.

Virus or unwanted program 'TR/Spy.Gen2 [trojan]'

detected in file 'C:\Documents and Settings\IBM\Local Settings\temp\cldjtqy.tmp.

Action performed: Move file to quarantine

  • Staff

Hi,

That's what I needed to know:

detected in file 'C:\Documents and Settings\IBM\Local Settings\temp\cldjtqy.tmp

That's the data that should be present under the midi9 value.

Even though Avira says it has moved it to quarantine, the file will be recreated immediately again. You'll notice this when you navigate to the following folder:

C:\Documents and Settings\IBM\Local Settings\temp, where you should see the cldjtqy.tmp.

Try to delete it manually (right-click > Delete) and you'll see that it gets recreated immediately again, since it's loaded in memory.

To deal with it, since you have HijackThis installed:

* Open HijackThis, click 'Config' (bottom right).

Choose the tab 'Misc Tools' on top.

Choose 'Delete a file on reboot'.

In the field, copy and paste next:

C:\Documents and Settings\IBM\Local Settings\temp\cldjtqy.tmp

(or navigate to the file via there)

Click open.

HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.

Then reboot.

After reboot, verify if the file is gone.

If the file is gone, do next...

Open Notepad and copy and paste the text in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32]

"midi9"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"LoadAppInit_DLLs"=-

Save this as fix.reg, choose to save as *all files, and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Reboot once again and let me know how things are now. (Tools should run again etc)

Edit - Extra instruction:

I see BITS and Automatic Updates are also damaged here (registry).

To fix this, please download and run WUS_Fix.exe: http://users.telenet.be/marcvn/tools/WUS_Fix.exe

This should restore the default registry settings related to BITS and Automatic Updates.
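A defender-side audit of the three registry locations this reply deals with (Drivers32, AppInit_DLLs, and the BITS/wuauserv service entries), added here as an example; it is not the staff member's code nor part of any tool named in the thread. It assumes a current PowerShell on a live Windows host, and the suspicion heuristics (temp folder, .tmp extension, file missing from System32) are assumptions of this example, not rules from the page.

```powershell
# Added example, not from the thread: audit the persistence points this reply
# names on a live Windows host. It reads the registry through the normal API,
# so a value a rootkit hides from the API (the "Hidden value" and the "data
# length mismatch" the Avira tool reported) will not appear here. Treat a clean
# result as "nothing visible", not "nothing present".
$system32 = Join-Path $env:SystemRoot 'System32'
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Drivers32: legitimate entries are bare file names (wdmaud.drv, msacm32.dll)
#    that exist in System32. winmm.dll loads them, so an entry pointing at a
#    .tmp file in a temp folder (the midi9 value in the thread) ends up loaded
#    into every process that loads winmm.dll. The heuristics below are assumptions.
$drv = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
foreach ($name in $drv.GetValueNames()) {
    $data = [string]$drv.GetValue($name)
    if ([string]::IsNullOrWhiteSpace($data)) { continue }
    $why = @()
    if ($data -match '(?i)\\(temp|tmp)\\') { $why += 'temp folder' }
    if ($data -match '(?i)\.tmp$')         { $why += '.tmp extension' }
    if ($data -match '\\') {
        if (-not (Test-Path -LiteralPath $data)) { $why += 'path does not exist' }
    } elseif (-not (Test-Path -LiteralPath (Join-Path $system32 $data))) {
        $why += 'not found in System32'
    }
    if ($why.Count -gt 0) {
        $findings.Add("Drivers32\$name = '$data' ($($why -join ', '))")
    }
}

# 2. AppInit_DLLs: empty on a default install. The HijackThis O20 line in the
#    thread shows winmm.dll here, which is what makes the Drivers32 entry load
#    everywhere. The Avira tool also reported 20 bytes that the API returned as
#    0, so an empty string here does not by itself prove the value is clean.
#    LoadAppInit_DLLs exists from Vista on; XP loads AppInit_DLLs regardless.
$win = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = [string]$win.GetValue('AppInit_DLLs')
if ($appInit.Trim()) { $findings.Add("AppInit_DLLs = '$appInit'") }
if ($win.GetValue('LoadAppInit_DLLs') -eq 1) {
    $findings.Add('LoadAppInit_DLLs = 1 (AppInit_DLLs loading is enabled)')
}

# 3. BITS and wuauserv: the HijackThis O23 lines show both paths cut down to
#    C:\WINDOWS\; on a healthy system both are hosted by svchost.exe.
foreach ($svc in 'BITS', 'wuauserv') {
    $key = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
    $img = [string]$key.ImagePath
    if ($img -notmatch '(?i)svchost\.exe') { $findings.Add("$svc ImagePath = '$img'") }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { "SUSPECT: $_" } }
else { 'Nothing visible to the registry API; cross-check with an anti-rootkit scan.' }
```

After the fix.reg above has been merged and the machine rebooted, a re-run should report nothing for Drivers32 and AppInit_DLLs; the service lines depend on the WUS_Fix step.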

Hi,

Everything worked out exactly as instructed by you. Thank you very much.

I can now install and run Malwarebytes and all the other programs and updates without problems. YEAY

One peculiar thing happened though: when I ran the Malwarebytes quick scan for the first time after updating, as it was going through the specific folder (as shown below), Avira AV popped up its warning window with a new virus detected, in the same folder where Malwarebytes was scanning at that second:

Virus or unwanted program 'TR/Spy.Gen2 [trojan]'

detected in file 'C:\RECYCLER\S-1-5-21-1343024091-1715567821-725345543-1003\Dc39.tmp.

Action performed: Move file to quarantine

Since then, there have been no more warnings; everything is running smoothly. I flushed System Restore, ran a full AV scan and a full Malwarebytes scan, cleaned up the registry, and I think that you have done it :) .

Again, thank you very much and may God bless you.

Cheers

  • Staff

Good to hear.

As I already said before, please change all your passwords, especially FTP, mail and social media passwords, because this variant steals them.

Also, since in 80% of the cases this one gets installed via a malicious PDF, please make sure your PDF reader is up to date.

It's also a good idea to use Firefox as a browser in combination with the Noscript extension to prevent this and other exploits in the future. :)

Also...

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Also, since in 80% of the cases this one gets installed via a malicious PDF, please make sure your PDF reader is up to date.

---------------------------------------------------------------------------------------------------------

Thanks for pointing that out, I now remember that at first it started with having problems with Acrobat and opening PDF files :-)

Thanks for all your advice.

Cheers
