Google redirect, rootkit problems, major infection

Thank you for your time and help!

Somehow my kids managed to pick up/download some viruses. We have been getting redirected from search engines (on IE, Firefox and Opera), and sometimes the computer crashes during web activity into the blue screen (crash/memory dump). The browsers can be used as long as you type in the address and don't use the search engines.

Yesterday I ran CCleaner, MBAM and an Avast boot-time scan several times until things seemed clean. Windows Update has not been able to run for a couple of weeks, so I went to the internet site and manually updated it, hoping that would fix the web, but it doesn't. Avast sometimes shows a red screen indicating that something has been blocked that's trying to take it to a malicious site.

I tried ComboFix first thing this morning, but it didn't fix it. So then I followed the directions from the pinned note on this forum. So here are my logs, except GMER, which crashed both in regular and safe mode.

Thanks for your help!

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6862

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

6/15/2011 10:33:24 AM
mbam-log-2011-06-15 (10-33-24).txt

Scan type: Quick scan
Objects scanned: 181415
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_21
Run by Lisa at 10:46:05 on 2011-06-15
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Users\Lisa\Documents\My Received Files\taxes\Messenger Detect\mdsrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\PEV.exe
C:\Windows\explorer.exe
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Lisa\Desktop\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
mURLSearchHooks: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVDV.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVDV.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Dogpile Bundle Toolbar BHO: {bfe4b5cb-63f7-4a51-9266-6167655d5b4f} - c:\program files\dogpile bundle toolbar\Toolbar.dll
BHO: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVDV.dll
TB: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Dogpile Bundle Toolbar: {c80bdeb2-8735-44c6-bd55-a1ccd555667a} - c:\program files\dogpile bundle toolbar\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [sansaDispatch] c:\users\lisa\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TaskTray]
mRun: [QuickFinder Scheduler] c:\corel\office7\shared\qfinder7\QFSCHED.EXE
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\killit\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Free YouTube Download - c:\users\lisa\appdata\roaming\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\lisa\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: intuit.com\ttlc
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Cooking%20Dash/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP25-10481/event/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.254.254
TCP: Interfaces\{8DF03F3B-4F2A-4729-BF70-7DCAC805BD42} : DhcpNameServer = 192.168.254.254
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lisa\appdata\roaming\mozilla\firefox\profiles\72uom3ac.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search-Results
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://websearch.search-results.com/redirect?client=ff&src=kw&tb=GET-SRS&o=16705&locale=en_US&apn_uid=1B927FC6-72DE-48D1-8910-6D6909A19BB3&apn_ptnrs=2R&apn_sauid=4BE45738-023D-4B1A-B1FC-7E0FD8A50997&apn_dtid=get006YYUS&q=
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.http.accept-encoding -
.
============= SERVICES / DRIVERS ===============
.
R? Amazon Download Agent;Amazon Download Agent
R? ASPI;Advanced SCSI Programming Interface Driver
R? DrmRAudio;DrmRAudio
R? GamesAppService;GamesAppService
R? gupdate1ca79dffee828c0;Google Update Service (gupdate1ca79dffee828c0)
R? gupdatem;Google Update Service (gupdatem)
R? NeroRegInCDSrv;Nero Registry InCD Service
R? sy04bus;SANYO USB Composite Device SY04 driver (WDM)
R? WSDPrintDevice;WSD Print Support via UMB
S? AESTFilters;Andrea ST Filters Service
S? Akamai;Akamai NetSession Interface
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? IntcHdmiAddService;Intel® High Definition Audio HDMI Service
S? iWinTrusted;iWinTrusted
S? mdsrv;mdsrv
S? NPF;NetGroup Packet Filter Driver
S? WsAudio_DeviceS(1);WsAudio_DeviceS(1)
S? WsAudio_DeviceS(2);WsAudio_DeviceS(2)
S? WsAudio_DeviceS(3);WsAudio_DeviceS(3)
S? WsAudio_DeviceS(4);WsAudio_DeviceS(4)
S? WsAudio_DeviceS(5);WsAudio_DeviceS(5)
S? X4HSEx;X4HSEx
.
=============== Created Last 30 ================
.
2011-06-15 14:09:06 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-15 14:08:57 -------- d-----w- c:\users\lisa\appdata\local\temp
2011-06-14 21:37:40 -------- d-----w- c:\windows\system32\vi-VN
2011-06-14 21:37:40 -------- d-----w- c:\windows\system32\eu-ES
2011-06-14 21:37:40 -------- d-----w- c:\windows\system32\ca-ES
2011-06-14 21:31:06 -------- d-----w- c:\windows\system32\SPReview
2011-06-14 21:22:27 928768 ----a-w- c:\windows\system32\scavenge.dll
2011-06-14 21:22:18 57856 ----a-w- c:\windows\system32\compcln.exe
2011-06-14 21:20:59 413696 ----a-w- c:\windows\system32\imkr80.ime
2011-06-14 20:55:28 -------- d-----w- c:\users\lisa\appdata\local\Opera
2011-06-14 15:57:49 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-13 13:28:42 -------- d-----w- c:\users\lisa\appdata\roaming\Unity
2011-06-06 22:48:24 -------- d-----w- c:\programdata\gE10600NiNpG10600
2011-06-06 15:17:16 518144 ----a-w- c:\windows\SWREG.exe
2011-06-06 15:17:16 256512 ----a-w- c:\windows\PEV.exe
2011-06-06 15:17:16 208896 ----a-w- c:\windows\MBR.exe
2011-06-06 15:17:15 98816 ----a-w- c:\windows\sed.exe
2011-06-06 14:43:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-06 14:43:03 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-06 14:43:03 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-06 14:43:03 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-06-06 14:43:03 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-06 14:43:03 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-06-06 14:43:03 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-06-06 14:43:03 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-06 14:43:03 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-06-06 14:43:03 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-05 20:25:41 -------- d-----w- c:\program files\Bonjour
2011-06-05 18:53:25 -------- d-----w- c:\program files\OverDrive Media Console
2011-06-04 18:53:10 -------- d-----w- c:\program files\Free YouTube Downloader
2011-06-03 06:16:13 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7708ea40-0a07-4721-80d0-3cbab793e033}\mpengine.dll
2011-06-02 02:44:59 -------- d-----w- C:\tmp
2011-05-28 22:31:33 -------- d-----w- c:\users\lisa\appdata\roaming\ThreeDays2
2011-05-28 21:30:46 -------- d-----w- c:\users\lisa\appdata\roaming\WendigoStudios
2011-05-28 21:29:00 -------- d-----w- c:\users\lisa\appdata\roaming\Oberon Media
2011-05-28 21:28:32 -------- d-----w- c:\program files\common files\Oberon Media
2011-05-28 21:28:28 -------- d-----w- c:\programdata\Oberon Media
2011-05-28 21:26:19 -------- d-----w- c:\program files\The Timebuilders - Pyramid Rising
2011-05-28 21:24:01 -------- d-----w- c:\program files\Yahoo! Games
2011-05-28 21:24:01 -------- d-----w- c:\program files\Oberon Media
2011-05-19 19:30:26 -------- d-----w- c:\users\lisa\appdata\roaming\PCToolsFirewallPlus
2011-05-16 20:27:54 -------- d-----w- C:\killit
2011-05-16 19:56:55 172032 ----a-w- c:\windows\system32\igfxres.dll
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 10:48:05.14 ===============

ComboFix 11-06-14.03 - Lisa 06/15/2011 9:33.2.2 - x86

Microsoft


  • Staff

Hi and welcome to Malwarebytes.

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer, fails to affirmatively show a license agreement, and links to a EULA via an off-screen link.
  • It makes confusing changes to users' browsers, increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here.

To remove it:

Click Start-->Control Panel-->Programs and Features

Click on the program name AskBarDis and/or Ask Toolbar to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.
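The Ask Toolbar the reply points at shows up in the DDS log above as the uURLSearchHooks entry and the "Search-Results Toolbar" BHO/TB lines backed by GenericAskToolbar.dll, next to Firefox search prefs pointing at conduit.com and search-results.com. The script below is an added example, not part of this thread or of the DDS or Malwarebytes tools: it parses the Pseudo HJT and Firefox sections of an excerpt copied from that log and reports those indicators. The expected-host set, the ask.com watchlist fragment and the sample excerpt are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Excerpt constructed from the DDS log posted in this thread (DDS writes
# hxxp for http so the URLs are not clickable).
SAMPLE_LOG = r"""
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search-Results Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://websearch.search-results.com/redirect?client=ff&src=kw&q=
user_pref(security.warn_viewing_mixed,false);
FF - user.js: security.warn_submit_insecure.show_once - false
"""

# Assumptions of this example, not values from DDS: hosts a search pref is
# expected to point at, and a path fragment for the toolbar the reply names.
EXPECTED_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
WATCHLIST = ("ask.com",)
SEARCH_KEYS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

# Pseudo HJT lines: "<kind>: <name>: {<clsid>} - <dll path>"
HOOK_RE = re.compile(r"^(?P<kind>[um]?URLSearchHooks|BHO|TB): (?P<name>.+?): "
                     r"\{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$")
# Firefox lines: "FF - prefs.js: <key> - <value>" and "user_pref(<key>,<value>);"
FF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (?P<key>\S+) -\s*(?P<value>.*)$")
PREF_RE = re.compile(r"^user_pref\((?P<key>[^,]+),(?P<value>[^)]+)\);$")

def host_of(value):
    """Host of a DDS-defanged URL (hxxp -> http), or '' if it is not a URL."""
    return urlparse(value.replace("hxxp", "http", 1)).hostname or ""

def triage(log_text):
    """Return search hooks, watchlisted DLLs, off-list search prefs and disabled warnings."""
    findings = {"search_hooks": [], "watchlist_hits": [],
                "ff_redirects": [], "ff_warnings_off": []}
    for line in log_text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            rec = m.groupdict()
            if rec["kind"].endswith("URLSearchHooks"):   # intercepts every IE search
                findings["search_hooks"].append(rec)
            if any(w in rec["path"].lower() for w in WATCHLIST):
                findings["watchlist_hits"].append(rec)
            continue
        m = FF_RE.match(line) or PREF_RE.match(line)
        if not m:
            continue
        key, value = m["key"].strip(), m["value"].strip()
        if key in SEARCH_KEYS and host_of(value) not in EXPECTED_HOSTS:
            findings["ff_redirects"].append((key, host_of(value)))
        elif key.startswith("security.warn_") and value == "false":
            findings["ff_warnings_off"].append(key)
    return findings
```

Feeding the full DDS.txt to triage() instead of the excerpt lists every hook, toolbar and search pref to check against what the owner actually installed.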


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
