Hi there

My father's laptop has been used with an expired virus scanner / firewall. I have managed (I think) to remove most of the nasties, but I am unable to remove whatever is causing Internet Explorer Google searches to redirect to pages ranging from eBay to porn sites.

I have run MBAM, Spybot etc and no luck.

I have followed the instructions on here regarding logs, but I am unable to run the GMER Rootkit Scanner. Whenever I try it freezes up the laptop. From what I have read this is likely to be caused by the malware?

=====

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5233

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

02/12/2010 16:41:23

mbam-log-2010-12-02 (16-41-23).txt

Scan type: Quick scan

Objects scanned: 162929

Time elapsed: 48 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=====

DDS (Ver_10-11-27.01) - NTFSx86

Run by Barrie Wills at 17:22:16.68 on 02/12/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.555 [GMT 0:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TODDSrv.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

C:\WINDOWS\system32\TCtrlIOHook.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TDispVol.exe

C:\WINDOWS\system32\ZoomingHook.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Documents and Settings\Barrie Wills\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Barrie Wills\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Barrie Wills\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Barrie Wills\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Barrie Wills\Desktop\Defogger.exe

C:\Documents and Settings\Barrie Wills\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\barrie wills\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe

mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP

mRun: [sVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL

mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe

mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe

mRun: [TPSMain] TPSMain.exe

mRun: [TCtryIOHook] TCtrlIOHook.exe

mRun: [TFncKy] TFncKy.exe

mRun: [TDispVol] TDispVol.exe

mRun: [Zooming] ZoomingHook.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-11-27 47640]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]

S2 HitmanPro35CrusaderBoot;Hitman Pro 3.5 Crusader (Boot);"c:\documents and settings\barrie wills\local settings\temporary internet files\content.ie5\umtdhhoe\hitmanpro35[1].exe" /crusader:boot --> c:\documents and settings\barrie wills\local settings\temporary internet files\content.ie5\umtdhhoe\HitmanPro35[1].exe [?]

S3 Normandy;Normandy SR2; [x]

S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\drivers\tpchoice.sys --> c:\windows\system32\drivers\TpChoice.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"

=============== Created Last 30 ================

2010-12-02 15:45:49 709456 ----a-w- c:\windows\isRS-000.tmp

2010-12-02 15:27:29 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{7a79bb61-ff33-42eb-a558-3f27ffc14462}\mpengine.dll

2010-11-28 06:13:36 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-28 03:55:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-11-28 03:54:57 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-11-28 03:54:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-11-28 03:28:11 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-11-28 03:27:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-11-28 02:36:07 -------- d-sha-r- C:\cmdcons

2010-11-28 02:31:19 89088 ----a-w- c:\windows\MBR.exe

2010-11-28 02:31:19 256512 ----a-w- c:\windows\PEV.exe

2010-11-28 02:31:19 161792 ----a-w- c:\windows\SWREG.exe

2010-11-28 02:31:18 98816 ----a-w- c:\windows\sed.exe

2010-11-28 01:46:55 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2010-11-28 00:57:00 -------- d-----w- c:\docume~1\barrie~1\applic~1\Office Genuine Advantage

2010-11-27 23:21:22 -------- d-----w- c:\docume~1\barrie~1\locals~1\applic~1\LogMeIn

2010-11-27 23:21:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn

2010-11-27 23:21:18 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2010-11-27 23:21:18 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-11-27 23:21:17 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-11-27 23:21:17 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys

2010-11-27 23:21:12 87424 ----a-w- c:\windows\system32\LMIinit.dll

2010-11-27 23:20:51 -------- d-----w- c:\program files\LogMeIn

2010-11-27 23:19:28 -------- d-----w- c:\docume~1\barrie~1\locals~1\applic~1\Deployment

2010-11-27 23:09:51 -------- d-----w- C:\efdf5e710571e2381d5aabb1320e2a27

2010-11-27 21:38:41 -------- d-----w- C:\169a52650f92429a8b3f6b957853c2

2010-11-27 21:30:11 96512 ----a-w- c:\windows\system32\drivers\oonjhjzt.sys

2010-11-27 21:04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-27 21:04:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-27 20:47:08 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-11-27 20:43:51 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-11-27 20:43:16 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-11-27 20:43:16 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2010-11-27 20:43:16 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-27 20:42:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-27 20:42:16 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-11-27 20:39:53 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-11-27 20:36:44 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-11-27 20:33:47 293376 ------w- c:\windows\system32\browserchoice.exe

2010-11-27 19:33:17 -------- d-----w- c:\docume~1\barrie~1\applic~1\Malwarebytes

2010-11-27 19:33:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-27 19:33:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-27 19:01:26 -------- d-----w- c:\windows\system32\appmgmt

2010-11-10 12:49:36 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-11-28 06:13:16 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-27 18:47:48 0 ----a-w- c:\windows\Jhoxuzixuq.bin

2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 17:24:50.43 ===============

Attach.zip

=====

Hope to hear from someone soon! Thank you in advance for your help with this.


Hello ,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your desktop.

  • Extract RKUnhooker to your desktop.
    • Note: it is zipped up in a .rar file. If you do not have a program to unzip this type of file, you can get a free one from here: http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning. It is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


  • 4 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
