
Ran Malwarebytes successfully but still infected with Gumblar



Hiya,

My comp is infected with one of the Gumblar variants. I ran the full Malwarebytes scan and followed all of the instructions, removing a bunch of infected files and restarting. A second scan finds no bad files but Gumblar is still active in Firefox and IE. What should I try next?

Below and attached are the requested files. Thanks a million for your help with this!

Sara

DDS (Ver_09-12-01.01) - NTFSx86

Run by SM at 16:29:31.04 on Sat 01/23/2010

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.204 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\sm56hlpr.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe

C:\PROGRA~1\SYMANT~1\DWHWIZRD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\SM\Desktop\Defogger.exe

C:\Documents and Settings\SM\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: Cole2k Media Toolbar Helper: {c672f4ab-780b-45c0-baec-91f455c86f8d} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Cole2k Media Toolbar: {2d2de234-ab9f-4345-9d17-94fa78ba37e3} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [OpAgent] "c:\program files\scansoft\omnipage15.0\OpAgent.exe" /agent

uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Aim6]

mRun: [WINDVDPatch] CTHELPER.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"

mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [sMSERIAL] sm56hlpr.exe

mRun: [VTTimer] VTTimer.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [Opware15] "c:\program files\scansoft\omnipage15.0\Opware15.exe"

mRun: [OpScheduler] "c:\program files\scansoft\omnipage15.0\OpScheduler.exe"

mRun: [PDF3 Registry Controller] "c:\program files\scansoft\omnipage15.0\pdfconverter3\\RegistryController.exe"

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?a5bd677ba2a342a7b3596b77d4ae9cbc

IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?a5bd677ba2a342a7b3596b77d4ae9cbc

IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Hosts: 67.196.132.52 www.google.com

Hosts: 67.196.132.52 www.google.de

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sm\applic~1\mozilla\firefox\profiles\8nc2shog.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]

R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [2006-2-27 166504]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-22 38224]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\naveng.sys [2010-1-22 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\navex15.sys [2010-1-22 1323568]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]

S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2001-10-17 25434]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [2007-9-9 14336]

=============== Created Last 30 ================

2010-01-23 21:28:36 0 ----a-w- c:\documents and settings\sm\defogger_reenable

2010-01-22 23:21:38 0 d-----w- c:\docume~1\sm\applic~1\Malwarebytes

2010-01-22 23:21:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-22 23:21:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-22 23:21:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-22 23:21:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-04 00:46:57 0 d-----w- c:\windows\system32\XPSViewer

2010-01-04 00:45:33 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-01-04 00:45:33 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-01-04 00:45:33 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-01-04 00:45:33 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-01-04 00:45:33 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-01-04 00:45:33 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-01-04 00:45:33 117760 ------w- c:\windows\system32\prntvpt.dll

2010-01-04 00:45:32 0 d-----w- C:\089b83764155d567d9

2010-01-04 00:40:47 0 d-----w- c:\program files\MSXML 6.0

==================== Find3M ====================

2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll

2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 16:30:10.88 ===============

Malwarebytes' Anti-Malware 1.44

Database version: 3618

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

1/23/2010 9:45:58 AM

mbam-log-2010-01-23 (09-45-58).txt

Scan type: Full Scan (C:\|)

Objects scanned: 199607

Time elapsed: 1 hour(s), 12 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip


  • Staff

Hi,

What makes you think you're infected with Gumblar?

I'd rather say you're dealing with another search engine hijacker.

* Download: HostsXpert

Unzip it to its own folder, e.g. C:\HostsXpert

Start HostsXpert.exe, click 'Restore MS Hosts file' and click OK.

In case you get an error when you run HostsXpert and click "Restore MS Hosts file", do the following:

Open Malwarebytes > More Tools tab > FileAssassin > Click Run Tool

Then an Explorer window will open.

Copy and paste the following into the field under file name:

C:\WINDOWS\system32\drivers\etc\hosts

Then click Open next to it.

You should see this image:

[image: fa.gif]

Click yes there.

FileAssassin will then delete the hosts file.

To recreate it (the default hosts file), start HostsXpert again.

It will warn that the hosts file doesn't exist and ask you to press OK to create it.

Click OK there.

Let me know if that fixed the search redirects.

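As an added example (not part of this thread, and not code from the HostsXpert or Malwarebytes tools), here is a small Python check that covers the point behind the staff reply: the DDS log above reports `Hosts: 67.196.132.52 www.google.com` and `Hosts: 67.196.132.52 www.google.de`, which is a hosts-file redirect, not something a file scan would list as an infected file. The script parses a hosts file and reports every mapping that points a name somewhere other than loopback, so it can confirm the redirect is gone after the file is restored. The sample hosts text is constructed for the demo (it reuses the two entries from the log); the path `C:\WINDOWS\system32\drivers\etc\hosts` is the one the reply names.

```python
"""Flag hosts-file entries that send a hostname somewhere other than loopback.

Added example, not from the forum thread. A clean Windows hosts file only maps
localhost to 127.0.0.1 (and ::1); any other target is worth a look, and the
search redirects reported in the DDS log show up exactly this way.
"""
import ipaddress
from typing import List, Tuple

# Path named in the staff reply (Windows XP layout).
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: a few comment lines, the normal localhost entry, and the
# two hijack lines taken from the DDS log pasted above.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the demo
# lines starting with '#' are comments
127.0.0.1       localhost
67.196.132.52 www.google.com
67.196.132.52 www.google.de
"""

Entry = Tuple[str, str]  # (ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return every (ip, hostname) mapping in hosts-file syntax.

    A line 'ip name1 name2' yields one entry per name; comments (anything
    after '#') and blank or malformed lines are ignored.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname: nothing to map
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or unparsable text."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Every mapping whose target is not a loopback address."""
    return [(ip, name) for ip, name in entries if not is_loopback(ip)]


def hosts_is_clean(text: str) -> bool:
    """True when the file contains only loopback mappings."""
    return not suspicious_entries(parse_hosts(text))


def check_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> List[Entry]:
    """Read a real hosts file and return its non-loopback mappings."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()))


if __name__ == "__main__":
    # Demo on the constructed sample; swap in check_hosts_file() on a real box.
    for ip, name in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"redirect: {name} -> {ip}")
```

After the hosts file has been restored, `check_hosts_file()` should return an empty list. Legitimate intranet entries (a printer or a LAN server mapped by hand) are flagged too, since the script cannot tell them from a hijack; review anything it reports rather than deleting it blindly.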

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

