Jump to content

I can't find this search redirector. What gives?


Recommended Posts

I'm an advanced computer user, but have been absolutely stumped by this nasty search redirector which I can not for the life of me get off my system. Maybe I'm missing something really obvious... Any help hugely appreciated.

Requested logs are attached.

Brief description of the problem:

I noticed that in both Firefox and IE my Google, Yahoo and Bing search results are being redirected. Typing URLs directly escapes the redirection problem. The redirect also is present in Safe Mode with Networking.

After I installed MBAM, it's seems to be successfully blocking all redirects with its firewall (usually 193.105.154.212, 193.105.135.219 or 94.102.52.182). MBAM popups and logfile show that even when neither IE or Firefox are open, the Windows process csrss.exe occasionally tries to connect to 193.105.x.x. However, this does not appear to be a rogue CSRSS.exe as I verified that it is indeed C:\Windows\System32\csrss.exe and that it checks out as legit both at virustotal.com and via sfc from the commandline.

Unfortunately, I have no good system restore points as anything older than June 1 has been overwritten.

System details:

* OS is Win7 64-bit (up-to-date according to Windows Update as of 4:55pm June 1)

* I am running Norton 360, fully up-to-date and ran a full system scan this afternoon (6/1). It founds a few cookies, but nothing else.

* I'm running several browsers: Firefox 5.0beta, 7.0a1-nightly and have IE9 installed (though don't use it much)

* I'm running Adobe Flash 10.3 (latest)

What I've done so far:

* I have browsed through all running processes and services with a fine tooth comb. Nothing obviously out of place to me.

* I've run a MalwareBytes scan, nothing found.

* I ran Norton Power Eraser rootkit scan -- nothing found.

* I ran catchme -- log only shows that it "detected NTDLL code modification" -- but my ntdll.dll file checks out with sfc and virustotal.com.

* I booted into Safe Mode w/ Networking -- The redirect problem is still there.

* I ran sfc on the comandline and all OS files checked out ok.

* I have deleted all temp files from the usual locations (used CCleaner).

* I've cleared my IE and Firefox caches (numerous times).

* I've uninstalled three copies of Java to be sure it's not a java exploit (JRE6u23, JRE6u25 and JDK6u25).

* Verified that no rogue proxies are in use.

* Ran defogger, then GMER, and DDS for the logs.

DDS log below:

.

DDS (Ver_2011-06-01.06) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by me at 17:18:12 on 2011-06-01

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4095.1565 [GMT -7:00]

.

AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\SysWOW64\CtHelper.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe -k defragsvc

C:\Users\me\Desktop\fqudr6ws.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

BHO: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Users\me\AppData\Roaming\LastPass\LPBar.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Users\me\AppData\Roaming\LastPass\LPBar.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

uRun: [QuickenScheduledUpdates] C:\PROGRA~2\QUICKEN\bagent.exe

uRun: [DU Meter] C:\Program Files (x86)\DU Meter\DUMeter.exe

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

mRun: [MCE Standby Tool] "C:\Program Files (x86)\MCE Standby Tool\mst.exe" engine

mRun: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL

mRun: [CTHelper] CTHELPER.EXE

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [brMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun: [PowerPanel Personal Edition User Interaction] C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe

mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun: [RTSS] "C:\Program Files (x86)\RivaTuner\Tools\RTSS\RTSSWrapper.exe" /s

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

dRun: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1

StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\JUNGLE~1.LNK - C:\Program Files (x86)\Jungle Disk Desktop\JungleDiskMonitor.exe

StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RUNULT~1.LNK - C:\Program Files\UltraVNC\vncviewer.exe

StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SpeedFan.lnk - C:\Program Files (x86)\SpeedFan\speedfan.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\JUNGLE~1.LNK - C:\Program Files (x86)\Jungle Disk Desktop\JungleDiskMonitor.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200

IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Users\me\AppData\Roaming\LastPass\LPBar.dll

LSP: mswsock.dll

LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{1D689BEC-A1B3-4F68-8E8E-1FFADFC6C5F5} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2C9D5CC9-F5AE-420C-97A1-8E353346316E} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{4D1FB86C-9F17-409F-B2BA-015BBFCFC42D} : NameServer = 155.64.230.30,155.64.230.31

TCP: Interfaces\{AE29D404-D0AD-4A6B-87BA-15E217FA23EB} : DhcpNameServer = 75.75.75.75 75.75.76.76

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

STS: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

IFEO: taskmgr.exe - "C:\USERS\ME\DESKTOP\APPLICATIONS\PROCEXP.EXE"

BHO-X64: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

BHO-X64: Virtual Storage Mount Notification - No File

BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll

BHO-X64: Symantec NCO BHO - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: LastPass Browser Helper Object: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Users\me\AppData\Roaming\LastPass\LPBar.dll

BHO-X64: LastPass Browser Helper Object - No File

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Users\me\AppData\Roaming\LastPass\LPBar.dll

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\coIEPlg.dll

TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

mRun-x64: [CTxfiHlp] CTXFIHLP.EXE

mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

mRun-x64: [MCE Standby Tool] "C:\Program Files (x86)\MCE Standby Tool\mst.exe" engine

mRun-x64: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL

mRun-x64: [CTHelper] CTHELPER.EXE

mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [brMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

mRun-x64: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun

mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun-x64: [PowerPanel Personal Edition User Interaction] C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe

mRun-x64: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun-x64: [RTSS] "C:\Program Files (x86)\RivaTuner\Tools\RTSS\RTSSWrapper.exe" /s

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

SSODL-X64: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

STS-X64: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

IFEO-X64: taskmgr.exe - "C:\USERS\ME\DESKTOP\APPLICATIONS\PROCEXP.EXE"

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\8zytnpxy.Default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: C:\Users\me\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [2011-5-19 1127032]

R1 cbfs3;cbfs3;\??\C:\Windows\system32\drivers\cbfs3.sys --> C:\Windows\system32\drivers\cbfs3.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110531.001\IDSviA64.sys [2011-6-1 476792]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [?]

R1 vflt;Shrew Soft Lightweight Filter;C:\Windows\system32\DRIVERS\vfilter.sys --> C:\Windows\system32\DRIVERS\vfilter.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-1 366640]

R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\5.1.0.29\ccsvchst.exe [2011-5-9 130008]

R2 ntk_dtv;ntk_dtv;C:\Program Files (x86)\DirecTV\DirecTV\Kernel\DMP\ntk_dtv_64.sys [2009-9-17 82416]

R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-4-1 428640]

R3 COMMONFX.SYS;COMMONFX.SYS;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]

R3 CTAUDFX.SYS;CTAUDFX.SYS;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]

R3 CTSBLFX.SYS;CTSBLFX.SYS;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-5-12 136824]

R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]

R3 LVUVC64;QuickCam Pro for Notebooks(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 mv2;mv2;C:\Windows\system32\DRIVERS\mv2.sys --> C:\Windows\system32\DRIVERS\mv2.sys [?]

R3 RivaTuner64;RivaTuner64;C:\Program Files (x86)\RivaTuner\RivaTuner64.sys [2009-8-22 19952]

R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]

S2 CLDTVHNService;CLDTVHNService;C:\Program Files (x86)\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe [2009-9-17 75048]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 DUMeterSvc;DU Meter Service;C:\Program Files (x86)\DU Meter\DUMeterSvc.exe [2010-2-27 1391136]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-9 136176]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-3-31 13336]

S2 JungleDiskService;JungleDiskService;C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]

S2 OpenSSHServer;Openssh SSHD;C:\Program Files (x86)\ICW\Bin\cygrunsrv.exe [2009-5-13 68096]

S2 uvnc_service;uvnc_service;C:\Program Files\UltraVNC\winvnc.exe [2009-12-23 1907656]

S2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-3-25 539248]

S3 BrSerIb;Brother MFC Serial Interface Driver(WDM);C:\Windows\system32\DRIVERS\BrSerIb.sys --> C:\Windows\system32\DRIVERS\BrSerIb.sys [?]

S3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);C:\Windows\system32\DRIVERS\BrUsbSIb.sys --> C:\Windows\system32\DRIVERS\BrUsbSIb.sys [?]

S3 COMMONFX;COMMONFX;C:\Windows\system32\drivers\COMMONFX.SYS --> C:\Windows\system32\drivers\COMMONFX.SYS [?]

S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2009-12-18 17864]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-26 79360]

S3 CTAUDFX;CTAUDFX;C:\Windows\system32\drivers\CTAUDFX.SYS --> C:\Windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTERFXFX;CTERFXFX;C:\Windows\system32\drivers\CTERFXFX.SYS --> C:\Windows\system32\drivers\CTERFXFX.SYS [?]

S3 ctgame;Game Port;C:\Windows\system32\DRIVERS\ctgame.sys --> C:\Windows\system32\DRIVERS\ctgame.sys [?]

S3 CTSBLFX;CTSBLFX;C:\Windows\system32\drivers\CTSBLFX.SYS --> C:\Windows\system32\drivers\CTSBLFX.SYS [?]

S3 dtpd;ShrewSoft DNS Proxy Daemon;C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service [?]

S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-4-10 130976]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-9 136176]

S3 iked;ShrewSoft IKE Daemon;C:\Program Files\ShrewSoft\VPN Client\iked.exe -service --> C:\Program Files\ShrewSoft\VPN Client\iked.exe -service [?]

S3 ipsecd;ShrewSoft IPSEC Daemon;C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service [?]

S3 ncplelhp;NCP Secure Client NDIS6 Driver;C:\Windows\system32\DRIVERS\ncplelhp.sys --> C:\Windows\system32\DRIVERS\ncplelhp.sys [?]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187.sys --> C:\Windows\system32\DRIVERS\RTL8187.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 Synergy+ Server;Synergy+ Server;C:\Program Files (x86)\Synergy+\bin\synergys.exe [2010-6-12 781824]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 vnet;Shrew Soft Virtual Adapter;C:\Windows\system32\DRIVERS\virtualnet.sys --> C:\Windows\system32\DRIVERS\virtualnet.sys [?]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);C:\Windows\system32\drivers\ymidusbx64.sys --> C:\Windows\system32\drivers\ymidusbx64.sys [?]

.

=============== Created Last 30 ================

.

2011-06-01 22:12:01 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7E62C924-E62A-4161-BC29-BD5794F988F8}\mpengine.dll

2011-06-01 19:59:47 -------- d-----w- C:\Program Files (x86)\Sophos

2011-06-01 08:58:20 -------- d-----w- C:\Users\me\AppData\Roaming\Malwarebytes

2011-06-01 08:58:16 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-06-01 08:58:16 -------- d-----w- C:\ProgramData\Malwarebytes

2011-06-01 08:58:13 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-06-01 08:58:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-06-01 08:05:26 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2011-05-30 23:04:48 -------- d-----w- C:\ProgramData\Skype Extras

2011-05-30 23:04:39 -------- d-----r- C:\Program Files (x86)\Skype

2011-05-27 17:37:36 521448 ----a-w- C:\Windows\System32\deployJava1.dll

2011-05-25 19:15:37 321424 ----a-w- C:\Windows\System32\drivers\cbfs3.sys

2011-05-25 19:04:31 -------- d-----w- C:\Program Files\Jungle Disk Desktop

2011-05-25 16:22:42 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys

2011-05-24 19:24:11 -------- d-----w- C:\Launchy

2011-05-24 09:33:58 142336 ----a-w- C:\Windows\System32\poqexec.exe

2011-05-24 09:33:58 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe

2011-05-23 17:22:18 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll

2011-05-22 07:27:18 -------- d-----w- C:\Fraps

2011-05-17 10:13:45 87040 ----a-w- C:\Windows\System32\pdfcmnnt.dll

2011-05-17 10:13:44 23552 ----a-w- C:\Windows\SysWow64\MSMPIDE.DLL

2011-05-17 10:13:44 -------- d-----w- C:\Program Files (x86)\PDFCreator

2011-05-17 04:37:27 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll

2011-05-17 04:34:57 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab

2011-05-17 04:11:27 81008 ----a-w- C:\Windows\System32\drivers\vmci.sys

2011-05-17 04:11:25 68720 ----a-w- C:\Windows\System32\drivers\vmx86.sys

2011-05-17 04:10:55 404080 ----a-w- C:\Windows\SysWow64\vmnat.exe

2011-05-17 04:10:55 334448 ----a-w- C:\Windows\SysWow64\vmnetdhcp.exe

2011-05-17 04:10:55 30320 ----a-w- C:\Windows\System32\drivers\vmnetuserif.sys

2011-05-17 04:10:52 968816 ----a-w- C:\Windows\System32\vnetlib64.dll

2011-05-17 04:10:48 31856 ----a-w- C:\Windows\System32\drivers\VMkbd.sys

2011-05-17 04:10:47 38512 ----a-w- C:\Windows\System32\drivers\hcmon.sys

2011-05-17 04:10:35 -------- d-----w- C:\Program Files (x86)\Common Files\VMware

2011-05-17 04:10:17 -------- d-----w- C:\Program Files (x86)\VMware

2011-05-16 22:58:49 679936 ------w- C:\Windows\SysWow64\Nort5704.scr

2011-05-16 22:58:49 -------- d-----w- C:\ProgramData\Screentime

2011-05-16 22:58:40 -------- d-----w- C:\Users\me\AppData\Local\Screentime

2011-05-16 21:34:11 -------- d-----w- C:\Users\me\.unlimitedftp

2011-05-13 21:15:27 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-05-11 21:47:38 71680 ----a-w- C:\Windows\System32\frapsv64.dll

2011-05-11 21:47:36 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll

2011-05-11 16:20:13 5562240 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-05-11 16:20:13 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2011-05-11 16:20:13 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2011-05-11 16:20:03 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys

2011-05-11 16:20:03 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys

2011-05-11 16:20:03 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys

2011-05-11 16:20:03 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys

2011-05-11 16:20:03 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys

2011-05-11 16:20:03 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys

2011-05-09 22:15:36 912504 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symefa64.sys

2011-05-09 22:15:36 744568 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\srtsp64.sys

2011-05-09 22:15:36 450680 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symds64.sys

2011-05-09 22:15:36 40568 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\srtspx64.sys

2011-05-09 22:15:36 382584 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symnets.sys

2011-05-09 22:15:36 171128 ----a-r- C:\Windows\System32\drivers\N360x64\0501000.01D\ironx64.sys

2011-05-09 22:15:33 -------- d-----w- C:\Windows\System32\drivers\N360x64\0501000.01D

2011-05-07 22:40:34 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation

2011-05-07 22:26:03 6279784 ----a-w- C:\Windows\System32\nvwgf2umx.dll

2011-05-07 22:26:02 1592936 ----a-w- C:\Windows\System32\nvapi64.dll

2011-05-07 22:26:02 1296488 ----a-w- C:\Windows\SysWow64\nvapi.dll

2011-05-07 21:30:50 -------- d-----w- C:\ProgramData\Futuremark

2011-05-07 21:27:43 -------- d-----w- C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP

2011-05-07 20:47:15 -------- d-----w- C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP

2011-05-07 16:46:08 -------- d-----w- C:\Program Files (x86)\MultiLive

2011-05-07 07:42:02 107832 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2011-05-07 07:41:52 66872 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe

2011-05-07 07:41:52 -------- d-----w- C:\Users\me\AppData\Local\PunkBuster

2011-05-06 21:57:03 -------- d-----w- C:\mess

2011-05-06 21:55:29 -------- d-----w- C:\wattsup

2011-05-05 16:31:14 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0400000.03B

2011-05-05 16:31:14 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64

2011-05-05 16:31:13 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard

2011-05-04 19:48:33 -------- d-----w- C:\Program Files\Common Files\Deterministic Networks

.

==================== Find3M ====================

.

2011-05-25 02:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe

2011-05-10 00:49:20 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

2011-04-18 06:50:11 256 ----a-w- C:\Windows\SysWow64\pool.bin

2011-04-10 01:55:44 15453336 ----a-w- C:\Windows\SysWow64\xlive.dll

2011-04-10 01:55:42 13642904 ----a-w- C:\Windows\SysWow64\xlivefnt.dll

2011-04-08 06:19:36 797288 ----a-w- C:\Windows\System32\easyUpdatusAPIU64.dll

2011-04-08 06:19:36 61032 ----a-w- C:\Windows\System32\nvshext.dll

2011-04-08 05:14:00 1619048 ----a-w- C:\Windows\System32\nvdispco6420140.dll

2011-04-08 05:14:00 1404008 ----a-w- C:\Windows\System32\nvgenco642060.dll

2011-04-01 12:10:46 539232 ----a-w- C:\Windows\SysWow64\LVUI2RC.dll

2011-04-01 12:10:24 543328 ----a-w- C:\Windows\SysWow64\LVUI2.dll

2011-04-01 12:08:36 301664 ----a-w- C:\Windows\SysWow64\lvcodec2.dll

2011-04-01 12:07:54 4184672 ----a-w- C:\Windows\System32\drivers\lvuvc64.sys

2011-04-01 12:07:30 559712 ----a-w- C:\Windows\System32\LVUIRC64.dll

2011-04-01 12:07:08 767584 ----a-w- C:\Windows\System32\LVUI64.dll

2011-04-01 12:07:02 10877272 ----a-w- C:\Windows\SysWow64\LogiDPP.dll

2011-04-01 12:07:02 10877272 ----a-w- C:\Windows\System32\LogiDPP.dll

2011-04-01 12:07:02 102744 ----a-w- C:\Windows\SysWow64\LogiDPPApp.exe

2011-04-01 12:07:02 102744 ----a-w- C:\Windows\System32\LogiDPPApp.exe

2011-04-01 12:06:56 331608 ----a-w- C:\Windows\SysWow64\DevManagerCore.dll

2011-04-01 12:06:56 331608 ----a-w- C:\Windows\System32\DevManagerCore.dll

2011-04-01 12:06:22 341856 ----a-w- C:\Windows\System32\drivers\lvrs64.sys

2011-04-01 12:05:38 261728 ----a-w- C:\Windows\System32\lvco13251014.dll

2011-04-01 12:05:16 172128 ----a-w- C:\Windows\System32\lvcod64.dll

2011-04-01 11:56:20 39318 ----a-w- C:\Windows\System32\Repository.reg

2011-03-26 05:00:54 252528 ----a-w- C:\Windows\SysWow64\vmnc.dll

2011-03-26 03:04:58 56880 ----a-w- C:\Windows\System32\vmnetbridge.dll

2011-03-26 03:04:58 55344 ----a-w- C:\Windows\System32\vnetinst.dll

2011-03-26 03:04:58 45104 ----a-w- C:\Windows\System32\drivers\vmnetbridge.sys

2011-03-26 03:04:58 24112 ----a-w- C:\Windows\System32\drivers\vmnet.sys

2011-03-26 03:04:58 20016 ----a-w- C:\Windows\System32\drivers\vmnetadapter.sys

2011-03-12 12:08:49 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll

2011-03-12 11:23:45 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

2011-03-11 06:41:37 189824 ----a-w- C:\Windows\System32\drivers\storport.sys

2011-03-11 06:41:34 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys

2011-03-11 06:41:34 1659776 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2011-03-11 06:41:34 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys

2011-03-11 06:41:26 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys

2011-03-11 06:41:12 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys

2011-03-11 06:41:12 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys

2011-03-11 06:34:51 1359872 ----a-w- C:\Windows\System32\mfc42u.dll

2011-03-11 06:34:50 1395712 ----a-w- C:\Windows\System32\mfc42.dll

2011-03-11 06:33:29 2565632 ----a-w- C:\Windows\System32\esent.dll

2011-03-11 06:30:28 96768 ----a-w- C:\Windows\System32\fsutil.exe

2011-03-11 05:33:59 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll

2011-03-11 05:33:59 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll

2011-03-11 05:33:09 1699328 ----a-w- C:\Windows\SysWow64\esent.dll

2011-03-11 05:31:07 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe

2011-03-08 06:29:32 976896 ----a-w- C:\Windows\System32\inetcomm.dll

2011-03-08 05:28:29 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll

2011-03-04 19:51:50 306536 ----a-w- C:\Windows\System32\drivers\CVPNDRVA.sys

2011-03-04 06:19:28 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2011-03-04 06:19:27 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

.

============= FINISH: 17:18:36.80 ===============

Attach.zip

Link to post
Share on other sites

I believe I've found it with DrWeb CureIT:

It is a dll file called consrv.dll sitting in system32. I think it's loading via csrss.exe from the registry, but frankly not sure. The (possibly infected) csrss command line is as follows (emphasis mine):

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Anyone know what the csrss loader should read for Win7-64?

Link to post
Share on other sites

Yup, that was it! Computer's back to normal.

It appears to be a week old MAX++ variant that's specific to 64-bit Windows:

http://www.securelist.com/en/blog/493/MAX_sets_its_sights_on_x64_platforms

A final warning, if you don't get the csrss.exe loader line right, I suspect Windows will be hosed. After removing consrv.dll, make sure the line that loads csrss.exe from the registry looks like this BEFORE you reboot:

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

Key: Windows

Type: REG_EXPAND_SZ

Value: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxs,4 ProfileControl=Off MaxRequestThreads=16

--Gordo

Link to post
Share on other sites

  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.