
SERP Clicks redirected - MBAM won't run or install



I'll start by saying Thank You for any help I can get - it's very much appreciated.

My machine has a subtle virus - that manifests itself by redirecting my clicks coming from a google search results page to random pages serving ads.

I've previously used MBAM on this computer, so I started it up to run it again, but as soon as I do, it gets mysteriously shut down. This happened repeatedly. I tried to reinstall MBAM and had no luck, as the install process gets terminated before it completes.

I began to suspect it was the virus, so I found this forum, and started here, as this seems to match my symptoms most closely:

http://forums.malwarebytes.org/index.php?showtopic=12709

So I performed the following actions:

1. Downloaded and ran RootRepeal

The only *.sys file that showed up was "liwbema.sys". It didn't follow any of the TDL2 rootkit conventions, so I left it alone.

I then tried the following:

2. I tried to install Avira - again, no luck, the install process gets terminated.

3. I tried to install and run HijackThis - again, the install process gets terminated.

I then moved onto here:

http://forums.malwarebytes.org/index.php?showtopic=9573

4. I downloaded the Defogger and appeared to successfully run the tool - although I was never prompted to restart the machine. I did that myself.

5. I downloaded DDS and appeared to successfully run the tool - logs included/attached.

6. I downloaded and attempted to run the GMER Rootkit Scanner as instructed, however the program never finishes. After the program has been running for approximately 5 minutes, a window pops up with the following message:

"This system is shutting down. This shutdown was initiated by NT Authority\System. Windows must restart because the Remote Procedure Call (RPC) service terminated unexpectedly."

It first happened when my screensaver fired up, so I disabled the screensaver and re-ran it, however the problems persisted. I can't seem to manually find any process that might be doing this - but I'm not sure if it's a program I have running or the virus that is causing this shutdown.

Of note - when GMER Rootkit Scanner first starts running, it always identifies "liwbema.sys" as a "hidden file" and highlights it in red.

So now I'm stuck - I'm including the DDS logs as hopefully those help. I'd very much appreciate any help you could provide!

Thank you again in advance.

----------------------

DDS (Ver_09-12-01.01) - NTFSx86

Run by Administrator at 9:54:15.60 on Mon 02/08/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.195 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\WINDOWS\FixCamera.exe

C:\WINDOWS\tsnp2std.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sonic RecordNow!]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Windows Live Sync] "c:\program files\windows live\sync\WindowsLiveSync.exe" /background

uRun: [EPSON WorkForce 600] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S4B0.tmp" /EF "HKCU"

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [storageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"

mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"

mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16

mRun: [bCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [FixCamera] c:\windows\FixCamera.exe

mRun: [tsnp2std] c:\windows\tsnp2std.exe

mRun: [snp2std] c:\windows\vsnp2std.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Lzoyepasuy] rundll32.exe "c:\windows\igafecufica.dll",Startup

StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\PowerReg Scheduler V3.exe

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\boincm~1.lnk - c:\program files\boinc\boincmgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104960186846

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\08wirbk5.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.bing.com

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: XULRunner: {C479B7A4-326C-4535-976D-EFD7FE2BCC1E} - c:\documents and settings\administrator\local settings\application data\{C479B7A4-326C-4535-976D-EFD7FE2BCC1E}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2005-7-28 88080]

=============== Created Last 30 ================

2010-02-08 14:44:33 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-02-07 15:27:01 0 ----a-w- c:\documents and settings\administrator\settings.dat

2010-02-07 14:54:58 0 d-----w- c:\docume~1\admini~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

==================== Find3M ====================

2010-02-08 14:54:36 792064 ----a-w- c:\windows\system32\drivers\liwbema.sys

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll

2008-10-27 23:44:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat

============= FINISH: 9:56:06.64 ===============

Attach.zip

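A triage pass over DDS output of the kind posted above, as an added example (this is not code from the original post, from DDS, or from Malwarebytes). It parses the "Pseudo HJT Report", Firefox and Find3M line formats from a constructed sample built from lines in the log, and applies three explainable checks that an analyst would otherwise do by eye: a rundll32 autorun that loads a DLL sitting directly in the Windows root, a hidden Firefox extension installed under a user's Local Settings, and a kernel driver whose file was written on the day of the scan. The heuristics, the one-day driver threshold and the function names are assumptions of this example, not DDS conventions.

```python
import ntpath
import re
from datetime import datetime

# Constructed sample in the shape of the DDS log posted above: the scan header,
# a few autorun entries, the two Firefox hidden extensions and two Find3M rows.
SAMPLE_LOG = r"""
Run by Administrator at 9:54:15.60 on Mon 02/08/2010
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [Lzoyepasuy] rundll32.exe "c:\windows\igafecufica.dll",Startup
FF - HiddenExtension: XULRunner: {C479B7A4-326C-4535-976D-EFD7FE2BCC1E} - c:\documents and settings\administrator\local settings\application data\{C479B7A4-326C-4535-976D-EFD7FE2BCC1E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
2010-02-08 14:54:36 792064 ----a-w- c:\windows\system32\drivers\liwbema.sys
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

# Line shapes as they appear in DDS output.
RUN_BY_RE = re.compile(r"^Run by .* on \w{3} (\d{2}/\d{2}/\d{4})")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension: (?P<desc>.*?) - (?P<path>.*)$")
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+(?P<path>.*)$"
)

# Thresholds and markers: assumptions of this example, not DDS conventions.
DRIVER_AGE_DAYS = 1  # a .sys written on, or the day before, the scan gets a look
USER_LOCAL_DATA = "\\local settings\\application data\\"  # per-user writable location


def scan_date(text):
    """Return the scan date from the 'Run by ... on <weekday> mm/dd/yyyy' header, or None."""
    for line in text.splitlines():
        m = RUN_BY_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%m/%d/%Y").date()
    return None


def triage(text):
    """Return a list of (log line, reason) pairs for entries that deserve analyst attention."""
    findings = []
    scanned = scan_date(text)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue

        # Autorun entries: rundll32 loading a DLL straight from c:\windows is unusual;
        # legitimate DLL autoruns normally live in system32 or a vendor directory.
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m.group("cmd"))
            if d and ntpath.dirname(d.group("dll").lower()) == r"c:\windows":
                findings.append((line, "rundll32 autorun loads a DLL from the Windows root"))
            continue

        # Hidden Firefox extensions registered from a user-writable profile location.
        m = HIDDEN_EXT_RE.match(line)
        if m:
            if USER_LOCAL_DATA in m.group("path").lower():
                findings.append((line, "hidden Firefox extension installed under a user's Local Settings"))
            continue

        # Find3M rows: a kernel driver written on the scan day itself is worth checking
        # against the vendor before trusting it.
        m = FIND3M_RE.match(line)
        if m and scanned is not None:
            path = m.group("path").lower()
            if path.endswith(".sys") and "\\drivers\\" in path:
                written = datetime.strptime(m.group("date"), "%Y-%m-%d").date()
                age = (scanned - written).days
                if 0 <= age <= DRIVER_AGE_DAYS:
                    findings.append((line, f"kernel driver written {age} day(s) before the scan"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Run against the sample, the script flags exactly the three entries a helper would ask about first (the Lzoyepasuy rundll32 autorun, the GUID-named hidden XULRunner extension, and liwbema.sys written on the scan day) and stays quiet on ctfmon, the printer DLL, the Java Console extension and the MBAM driver. The checks are deliberately narrow; a real triage would add vendor allow-lists and signature verification of the flagged files.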

:)

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
