Jump to content

Google Hijack/redirect


Marco
 Share

Recommended Posts

So Ive been attacked my some kind of virus that redirects my search results to spyware sites, I think Ive removed it but my computer is really slow and internet browsing is a pain

Here's what ive done in chronologic order:

-Scanned with ESET Nod32, removed 2 trojans

-USED ATF-Cleaner

-Scanned with AVG internet security, removed 3 trojans

-Removed wdmaud.sys from "c:/windows/system32" folder (this made it possible to do searches again)

-Scanned with Malwarebtye's Anti-Malware (first with database 1617 because of internet connecting issues and later with 1653)

-Updated Java

Link to post
Share on other sites

Welcome to Malwarebytes Marco,

Some infection settings still showing in this view, so let's get more details and see what still needs to be addressed there.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

----------------------------

Also let's follow up on that file you indicate removing.

@ECHO OFFif exist Regsearch1.txt del /q Regsearch1.txtregedit /e Regsearch1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"Notepad Regsearch1.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text (inside the Code box) into the open text box, then save this to your desktop as "cfgcheck.bat"

Be sure to include the "" quotes in the name. Then click on cfgcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please.

Link to post
Share on other sites

Here is the RSIT log

Logfile of random's system information tool 1.05 (written by random/random)

Run by Victor at 2009-01-15 11:49:00

Microsoft Windows XP Home Edition Service Pack 2

System drive C: has 8 GB (3%) free of 238 GB

Total RAM: 2047 MB (77% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:49:03, on 2009/01/15

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\TBPanel.exe

C:\Program\Java\jre6\bin\jusched.exe

C:\Program\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\DAEMON Tools Lite\daemon.exe

C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe

C:\Program\Microsoft IntelliPoint\dpupdchk.exe

c:\Program\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program\Bonjour\mDNSResponder.exe

C:\Program\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program\Java\jre6\bin\jqs.exe

C:\Program\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PSIService.exe

c:\Program\Delade filer\Protexis\License Service\PsiService_2.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe

C:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Victor\Skrivbord\RSIT.exe

C:\Program\Trend Micro\HijackThis\Victor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L?kar

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live inloggningshj?pen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [egui] "C:\Program\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJ

Link to post
Share on other sites

info.txt logfile of random's system information tool 1.05 2009-01-15 11:49:04

======Uninstall list======

-->C:\Program\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL

-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL

-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL

-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL

-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL

-->C:\WINDOWS\UNRecode.exe /UNINSTALL

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0407-0000-0000000FF1CE} /uninstall {2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040B-0000-0000000FF1CE} /uninstall {F14C929B-E0E6-4EB5-8BFD-FC71AAC7D39C}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-041D-0000-0000000FF1CE} /uninstall {A8626CEF-CB0A-4BC2-8F51-210A43B6158D}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-041D-0000-0000000FF1CE} /uninstall {C41B2E34-C30E-4989-8A9D-6B0805B33EC1}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-041D-0000-0000000FF1CE} /uninstall {E6B1E9D4-FBDC-44B2-B825-246D1B466C5B}

Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}

Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}

Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}

Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}

Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}

Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}

Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}

Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}

Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}

Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}

Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}

Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}

Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}

Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}

Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}

Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}

Adobe Illustrator CS3-->C:\Program\Delade filer\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe

Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}

Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}

Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}

Adobe Photoshop CS3-->C:\Program\Delade filer\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe

Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}

Adobe Reader 9 - Svenska-->MsiExec.exe /I{AC76BA86-7AD7-1053-7B44-A90000000001}

Adobe Setup-->MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}

Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}

Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log

Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}

Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}

Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}

Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}

Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}

Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}

Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}

Bonniers Trafikskola 2004-->C:\Program\HOMEEN~1\BONNIE~1\UNWISE.EXE C:\Program\HOMEEN~1\BONNIE~1\INSTALL.LOG

Canon iP5200-->C:\WINDOWS\system32\CNMCP79.exe "-PRINTERNAMECanon iP5200" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP5200 Installer\Inst2\cnmis.dll" "-RCDLLcnmi041d.dll"

Combined Community Codec Pack 2008-01-24-->"C:\Program\Combined Community Codec Pack\unins000.exe"

Corel Painter X-->C:\Program\Corel\Corel Painter X\MSILauncher {05D60953-9012-44DF-A1A6-9DD97AD6580A} C:\DOCUME~1\Victor\LOKALA~1\Temp\PainterX.log

Corel Painter X-->MsiExec.exe /I{05D60953-9012-44DF-A1A6-9DD97AD6580A}

CorelDRAW Graphics Suite X4 - Capture-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF012}

CorelDRAW Graphics Suite X4 - Content-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF016}

CorelDRAW Graphics Suite X4 - Draw-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF013}

CorelDRAW Graphics Suite X4 - Filters-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF017}

CorelDRAW Graphics Suite X4 - FontNav-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF019}

CorelDRAW Graphics SUite X4 - ICA-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF010}

CorelDRAW Graphics Suite X4 - IPM-->MsiExec.exe /I{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}

CorelDRAW Graphics Suite X4 - Lang EN-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF100}

CorelDRAW Graphics Suite X4 - PP-->MsiExec.exe /I{7F05E704-30A6-421A-97A7-8EEB1C7FF014}

CorelDRAW Graphics Suite X4 - VBA-->MsiExec.exe /I{BF439B41-0252-48DE-8B8B-0430CB26A181}

CorelDRAW Graphics Suite X4-->MsiExec.exe /I{44A27085-0616-4181-A0C3-81C7ECA17F73}

CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->c:\Program\Delade filer\Corel\Shared\Shell Extension\Uninst.exe

CorelDRAW® Graphics Suite X4 - Windows Shell Extension-->MsiExec.exe /X{CE2DA11A-917F-4CF5-AB55-755EC115DD10}

CorelDRAW® Graphics Suite X4-->c:\Program\Corel\CorelDRAW Graphics Suite X4\Setup\SetupARP.exe /arp

EPSON Scan-->C:\Program\epson\escndv\setup\setup.exe /r

ESET NOD32 Antivirus-->MsiExec.exe /I{4EAE8F8E-0C2E-4814-9A04-635AFB9050AA}

Europa Universalis III-->RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{59C80C5E-8C92-40FF-B910-2BB5C7281F61}\setup.exe" -l0x9

EXPERTool-->RunDll32 Setupapi.dll,InstallHinfSection TB.Remove 4 TBNT4.inf

Fraps (remove only)-->"C:\Fraps\uninstall.exe"

Gigabyte Raid Configurer-->RunDll32 C:\Program\DELADE~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly

Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}

Hamachi 1.0.2.3-->C:\Program\Hamachi\uninstall.exe

High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"

HijackThis 2.0.2-->"C:\Program\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"

HP Photo and Imaging 2.0 - Scanners-->MsiExec.exe /I{6CC93102-135E-49E2-99A4-C431E671C12A}

In Nomine 3.1-->"C:\Program\Paradox Interactive\Europa Universalis III\unins001.exe"

Java 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}

Java 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}

jetAudio Plus VX-->C:\Program\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe -runfromtemp -l0x001d -removeonly

JSLMC-->RunDll32 C:\Program\DELADE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{4EFFAFF3-F6DA-47AD-A338-B634260A773E}\setup.exe" -l0x9

LiveUpdate 3.0 (Symantec Corporation)-->"C:\Program\Symantec\LiveUpdate\LSETUP.EXE" /U

Malwarebytes' Anti-Malware-->"C:\Program\Malwarebytes' Anti-Malware\unins000.exe"

Manga Studio EX 3.0-->C:\WINDOWS\IsUninst.exe -f"C:\Program\e frontier\Manga Studio3 EX\MS_EX3.isu"

Marsu-Fix-->C:\WINDOWS\Marsu-Fix Uninstaller.exe

Messenger Plus! Live-->"C:\Program\Messenger Plus! Live\Uninstall.exe"

Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}

Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Office Access MUI (Swedish) 2007-->MsiExec.exe /X{90120000-0015-041D-0000-0000000FF1CE}

Microsoft Office Enterprise 2007-->"C:\Program\Delade filer\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL

Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}

Microsoft Office Excel MUI (Swedish) 2007-->MsiExec.exe /X{90120000-0016-041D-0000-0000000FF1CE}

Microsoft Office Groove MUI (Swedish) 2007-->MsiExec.exe /X{90120000-00BA-041D-0000-0000000FF1CE}

Microsoft Office InfoPath MUI (Swedish) 2007-->MsiExec.exe /X{90120000-0044-041D-0000-0000000FF1CE}

Microsoft Office OneNote MUI (Swedish) 2007-->MsiExec.exe /X{90120000-00A1-041D-0000-0000000FF1CE}

Microsoft Office Outlook MUI (Swedish) 2007-->MsiExec.exe /X{90120000-001A-041D-0000-0000000FF1CE}

Microsoft Office PowerPoint MUI (Swedish) 2007-->MsiExec.exe /X{90120000-0018-041D-0000-0000000FF1CE}

Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}

Microsoft Office Proof (Finnish) 2007-->MsiExec.exe /X{90120000-001F-040B-0000-0000000FF1CE}

Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}

Microsoft Office Proof (Swedish) 2007-->MsiExec.exe /X{90120000-001F-041D-0000-0000000FF1CE}

Microsoft Office Proofing (Swedish) 2007-->MsiExec.exe /X{90120000-002C-041D-0000-0000000FF1CE}

Microsoft Office Publisher MUI (Swedish) 2007-->MsiExec.exe /X{90120000-0019-041D-0000-0000000FF1CE}

Microsoft Office Shared MUI (Swedish) 2007-->MsiExec.exe /X{90120000-006E-041D-0000-0000000FF1CE}

Microsoft Office Word MUI (Swedish) 2007-->MsiExec.exe /X{90120000-001B-041D-0000-0000000FF1CE}

Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Mozilla Firefox (3.0.5)-->C:\Program\Mozilla Firefox\uninstall\helper.exe

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}

Napoleon's Ambition 2.2-->"C:\Program\Paradox Interactive\Europa Universalis III\unins000.exe"

Nero 7 Ultra Edition-->MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301053}

neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}

NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI

NVIDIA nTune-->C:\Program\DELADE~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1053

PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}

QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}

Real Alternative 1.7.5-->"C:\Program\Real Alternative\unins000.exe"

Realtek High Definition Audio Driver-->RunDll32 C:\Program\DELADE~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x1d -removeonly

S

Link to post
Share on other sites

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

"midimapper"="midimap.dll"

"msacm.imaadpcm"="imaadp32.acm"

"msacm.msadpcm"="msadp32.acm"

"msacm.msg711"="msg711.acm"

"msacm.msgsm610"="msgsm32.acm"

"msacm.trspch"="tssoft32.acm"

"vidc.cvid"="iccvid.dll"

"vidc.I420"="msh263.drv"

"vidc.iv31"="ir32_32.dll"

"vidc.iv32"="ir32_32.dll"

"vidc.iv41"="ir41_32.ax"

"vidc.iyuv"="iyuv_32.dll"

"vidc.mrle"="msrle32.dll"

"vidc.msvc"="msvidc32.dll"

"vidc.uyvy"="msyuv.dll"

"vidc.yuy2"="msyuv.dll"

"vidc.yvu9"="tsbyuv.dll"

"vidc.yvyu"="msyuv.dll"

"wavemapper"="msacm32.drv"

"msacm.msg723"="msg723.acm"

"vidc.M263"="msh263.drv"

"vidc.M261"="msh261.drv"

"msacm.msaudio1"="msaud32.acm"

"msacm.sl_anet"="sl_anet.acm"

"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"

"vidc.iv50"="ir50_32.dll"

"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"

"wave"="wdmaud.drv"

"midi"="wdmaud.drv"

"mixer"="wdmaud.drv"

"aux"="wdmaud.drv"

"VIDC.FPS1"="frapsvid.dll"

"vidc.ffds"="C:\\Program\\COMBIN~1\\Filters\\FFDShow\\ff_vfw.dll"

"msacm.siren"="sirenacm.dll"

"aux2"="wdmaud.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]

"wave"="rdpsnd.dll"

"mixer"="rdpsnd.dll"

"MaxBandwidth"=dword:000056b9

"wavemapper"="msacm32.drv"

"EnableMP3Codec"=dword:00000001

"midimapper"="midimap.dll"

Link to post
Share on other sites

Mostly malware remnants in these views. You do have CiD's Messenger Plus! Live installed. This is the installer for it's Lop adware - what it calls a "sponsor". This also maintains it's own independent net access with CiD's servers. Although I don't see the adware portion active here, as we are removing malware and it's sources I will need you to uninstall Messenger Plus! Live through Add/Remove Programs as part of that. Should you wish to reinstall an adware vendor's products after we are through here that of course is your choice.

Let's do some corrections then some repair scanning after.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Go to Start - Run, type firewall.cpl (and Enter). Click the Exceptions tab. If the following item(s) is present on that list click to hilight it, and select "Delete", and OK to close the Windows Firewall display. Browsers shouldn't need firewall exceptions.

Firefox

---------------------------

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]"aux2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"mgxfebsq"=-

Open Notepad (Start - Run, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

----------------------

Download SDFix.exe and save it to your desktop.

=============================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

In Safe Mode, click the C:\SDFix.exe folder and allow it to extract to it's own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer that normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

=========

SDFix may pick up what we might want to see, but after the reboot also Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder.

When you have done this, doubleclick on Gmer.exe to run it.

Under the Rootkit/Malware tab look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

If Gmer indicates after running it's own initial scan it located malware activity, go ahead and agree to it running a scan then (instead of the steps above).

Once that completes click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

Post back the SDFix report.txt and the Gmer log please.

Link to post
Share on other sites

GMER log:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-15 15:22:41

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT spea.sys ZwCreateKey [0xF74D70E0]

SSDT spea.sys ZwEnumerateKey [0xF74F5CA2]

SSDT spea.sys ZwEnumerateValueKey [0xF74F6030]

SSDT spea.sys ZwOpenKey [0xF74D70C0]

SSDT spea.sys ZwQueryKey [0xF74F6108]

SSDT spea.sys ZwQueryValueKey [0xF74F5F88]

SSDT spea.sys ZwSetValueKey [0xF74F619A]

INT 0x62 ? 89C13BF8

INT 0x63 ? 89986BF8

INT 0x63 ? 89986BF8

INT 0x73 ? 89BA4F00

INT 0x82 ? 89C13BF8

INT 0x83 ? 89986BF8

INT 0x84 ? 89986BF8

INT 0xA4 ? 89986BF8

INT 0xB4 ? 89C13BF8

INT 0xB4 ? 89C13BF8

INT 0xB4 ? 89986BF8

INT 0xB4 ? 89C13BF8

---- Kernel code sections - GMER 1.0.14 ----

? spea.sys Det g

Link to post
Share on other sites

Good - only Eset and Daemon Tools functions being picked up by Gmer. I do have to be upfront with you Marco - the system has all the obvious indications of torrent use to steal expensive software, and then of course the nasty infection that comes with that. Just one of the softwares showing costs a few thousand kroners most likely, and other than it being stealing what is someone else's property, the only people who gain from these activities are here (and always appreciate the support they receive).

No outright malware files or settings showing in these views at this point, but it does sound like you are still "sharing" your internet with something not yet seen.

It will be slow going, but make sure your security software is disabled, then go here and run the Kaspersky online scan, and post back the log it creates.

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.

When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.

Then locate that log and copy/paste those contents back here please.

The scan requires a good bit of database downloading and can take quite a while to complete.

Link to post
Share on other sites

I'm running the scan now and I'd like to thank you for adressing where the problem might originate from. I bought the computer for my family to use but it seems I'll have to restrict those pesky childrens use of it.

Ive removed the inappropriate torrent program you mentioned and I'm running the online scan now. The online scan has already found 3 threats so I guess its not yet clean, will the online scanner however be able to remove the threats it finds? Anyhow it seems it'll take a quite some time, I'll report back when it finishes in a couple hours orso (4% has taken an hour)

The trojan detected so far is called trojan-proxy.win32.agent.aab, how serious is it?

Link to post
Share on other sites

Thursday, January 15, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, January 15, 2009 17:08:29

Records in database: 1626673

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

Scan area My Computer

A:\

C:\

D:\

E:\

Scan statistics

Files scanned 70223

Threat name 4

Infected objects 5

Suspicious objects 0

Duration of the scan 01:28:29

File name Threat name Threats count

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1340591C Infected: Trojan-Proxy.Win32.Agent.aab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1340591C.exe Infected: Trojan-Proxy.Win32.Agent.aab 1

C:\RECYCLER\S-1-5-21-1708537768-2049760794-725345543-500\Dc1\acad_2k9.iso Infected: Trojan-Dropper.Win32.KGen.ghg 1

C:\RECYCLER\S-1-5-21-1708537768-2049760794-725345543-500\Dc1\acad_2k9.iso Infected: Backdoor.Win32.Bifrose.aido 1

C:\WINDOWS\system32\IEDFix.C.exe Infected: Hoax.Win32.Renos.fdh 1

The selected area was scanned.

Link to post
Share on other sites

A deleted, malware embedded (as usual) ISO copy of a cracked Autocad 2009 - currently selling for around 42,000 Swedish Krona. Someone there is a thief Marco, and other than potentially facing criminal charges should downloads like these be monitored such as those of the recording industries are (if my software sells for that much I surely would have my methods of knowing this), someone there has a serious problem with the concept of honesty. Why not do a web search right now using the following:

4EAE8F8E-0C2E-4814-9A04-635AFB9050AA

The same Esset product code on someone else's system. Esset, CS3 - I do not sense that much of the software in use there is actually legal copies Marco, so will be closing out this request now.

To be safe delete the C:\RECYCLER folder - it will recreate on next use or next reboot. Then you need to run a Norton uninstaller (here), as it's folders and files still remain. The other IEDFix.C.exe file Kaspersky located in the scan is from SmitFraudFix, which I assume you ran there, and is also not malicious - just Kaspersky misidentifying again one of the program files that we use in the forums for repairs.

You can also at this time delete the files/folders of the tools we used. Kaspersky uninstalls through Add/Remove Programs, and to uninstall Gmer just navigate to and click the C:\WINDOWS\gmer_uninstall.cmd file.

Then reset the System Restore so malware will not be returned through that means. Be well.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.