Solved Fighting with Web search redirect, Internet latency

Status
Not open for further replies.

ducker

Was pretty sure I got something when I noticed I couldn't play WoW anymore, and then my wife stated that Google was sending her to random sites when she clicked on a link.

I believe I have some kinda crap running which I need to deal with immediately.

Always had Avira running. I tried putting on a few others to see if they could detect it - with no success.
I then pulled down ad-aware (which failed to properly run)
Then tried Spybot. That provided some slightly better results as it found some things, but I was still seeing the problem.

I've attached my mbam log and dds logs

mbam snagged a bunch of stuff, which was great. I had some issues trying to get GMER running. It seems like the few processes I left running would suck up all the CPU cycles and it wouldn't complete. I'll try running it again later - just need to sleep now.

I'm guessing I should just format my whole hard drive, but I'm not sure how threatening this is. Right now, I'm rather mad and embarrassed because I've never caught something like this in the past.

Thanks for any assistance you can provide. I'll also run the GMER and add that log to this thread.

-Mike
 

Attachments:
  • DDS.txt (16.3 KB)
  • mbam-log-2010-05-23 (00-59-00).txt (2.3 KB)
After you're well rested, please go find the other part of DDS. It's named Attach.txt. Leave that for us. Try GMER again, first without Devices checked and if that doesn't work, try running it in Safe Mode.

Please stop pulling random programs in in the hope that one will find and fix the problem. That usually does more harm than good. Don't run any other cleaning program or scans while I'm helping you unless I instruct you to. Don't use a Registry cleaner or make any changes in the Registry.

Don't be mad. Don't be embarrassed. It happens. But it takes the right programs in the right order and help by someone who knows what to look for.

Stay away from the coupon printer. It is guaranteed to put adware on the system and possibly spyware.
===============================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double-click combofix.exe and follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
====================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Please include the following in your next reply:
Attach.txt from DDS
GMER log if you were able to run it.
Combofix report
Eset online AV scan log.
 
Bobbye,


1 - GMER on first attempt rebooted itself somewhere in the process and then hung my PC. I then deselected Devices and it completed, but hung again when I attempted to save the files
(this process took easily over 2 hours).

2 - The Eset online scan hung when I attempted to add the ActiveX control. So I then accessed it through Firefox and downloaded the thin client to run the install. It came back clean, but I was unable to see anything to select to copy/create a log.

I've attached the attach.txt from the initial run of DDS and the combofix report.

I will be away from the PC all day while at work, but I will monitor this thread and check on the next steps for tonight.

Thank you,
Mike
 

Attachments:
  • Attach.txt (4.6 KB)
  • ComboFix.txt (19.2 KB)
Nope...
Why? It looked rather clean.

My plan of attack was to make sure this drive is totally clean, and then I was going to put this drive in as a slave, get a new master drive, do a fresh install of Windows XP, transfer over my media from the currently infected drive, and then format that drive.

I haven't been seeing any additional redirects since I ran mbam and it discovered the Trojans... it didn't even say the name of the virus. Previously I was seeing redirects off of both Google and Yahoo search results.

Hey, where's the comment from you telling me to remove my bt.exe stuff too :) (I'm a huge DMB fan, and nothing beats a band that allows their concerts to be recorded by fans and shared by those recording it within 24 hrs of the concert!) That being said, I was going to keep all things BT client based on a completely different PC - but I'm guessing that's only as good as the other firewalls on the other PCs off of that router.
 
So you wanted my help to clean a drive to use as a slave.

Do you know what this is for?
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
As for BitTorrent:
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Bit Torrent for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
 
I was seeking your help to clean the drive; it wasn't until over the weekend that I identified a new hard drive that I can swap around with these.

I have no idea what
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

is.

Why did you think I did a fresh/clean install? I'm still not sure why you think I did that.
I haven't installed any other applications other than the ones you mentioned in your post.
 
Just had this pop up from Avira:
Virus or unwanted program 'TR/Trash.Gen [trojan]'
detected in file 'C:\System Volume Information\_restore{6F2D8E47-B9F6-41DC-BAB6-77D5567D44C9}\RP4\A0000566.dll.
Action performed: Deny access

Thought I was clean? No?? Hm...
 
System Volume Information is where the System Restore points are held. This is not malware active in the system and will be removed when I have you drop the old restore points when clean. The only danger is if you do a System Restore and happen to choose a date that was infected. This is why I tell users not to use this feature while we're cleaning.


Custom CFScript
Please note that the driver file below is on the D Drive.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:

Code:
File::
d:\ntglm7x.sys
Folder::

Registry::

Driver::
SetupNTGLM7X
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Did you just do a reinstall? And/or get a new motherboard?
Why did you think I did a fresh/clean install? I'm still not sure as far as why you think I did that?

There are only 3 days of System Restore points.
The only installed programs are:
BitTorrent
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Move Media Player
Spybot - Search & Destroy
Steam
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Genuine Advantage Validation Tool (KB892130)
Component Name: NTGLM7X.SYS
NTGLM7X: MSI Live Update, from Micro-Star Int'l Co.,Ltd., is an application designed to update drivers and a host of utilities.
Extensive entries on 2010-05-12 05:22 from c:\documents and settings\All Users\Application Data\DivX
No other drivers except Avira and the one above that is being removed
 
1 -
Custom CFScript
Please note that the driver file below is on the D Drive.
Should I leave that as drive d:? If you didn't point it out, I would have by default switched it to c:, as that is where the file will be.
2 -
BitTorrent
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Move Media Player
Spybot - Search & Destroy
Steam
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Genuine Advantage Validation Tool (KB892130)

I have quite a few more applications installed.
WoW, Firefox, Diablo II, Starcraft II, FireFox, Adobe Dreamweaver, Adobe Photoshop...

Those are just the ones I can think of off the top of my head.

I will run the script tonight. Thanks Bobbye.
 
Please rerun DDS again and leave both parts of the new log. If you have more on the system, I didn't see them in the last log.
 
Hold off on running the CFScript right now? (And if you DO want me to run it, should I change the file to state d: or c:?)

I will re-run the other logs and post them tonight.

Thank you.
 
I've taken screen shots of my installed programs, as they don't appear to be showing up in that log as well. I have no idea why they wouldn't.

I think I've included everything you wanted.

Thanks Bobbye.

-Mike
 

Attachments:
  • Attach2.txt (6.2 KB)
  • DDS2.txt (16.3 KB)
  • desktop.jpg (112.4 KB)
  • desktop2.jpg (122.7 KB)
  • ComboFix2.txt (20.3 KB)
Mike, if you look in the right column of the first image, under Size, you will note that most don't have any size listed. The second image, which just happens to be lower in the alphabet, also has some empty size entries. I'm thinking these programs might not be properly installed and therefore are not showing up under "Installed Programs."

The new logs show the same group of just a few. Additionally, there is only one Service/Driver running, and that's for the AV. Normally there would be a long listing in this section. So I'm thinking that the problems you're having are more system-related than malware-related.

Malwarebytes removed numerous malware entries. I'd like to do an online AV scan. Since there was a problem with Eset, use this:
Run Kaspersky Online Scanner in Internet Explorer
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
===========================================
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\DUMP5c77.tmp

Folder::
DDS::
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

RegNull::
[HKEY_USERS\S-1-5-21-57989841-1965331169-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-57989841-1965331169-839522115-1004\Software\SecuROM\License information*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]

Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Reboot the computer. I'd also like you to try running GMER again. Close all other active windows, email and running programs first.

I'd also like to know how much installed RAM you have.
 
2 GB of RAM.
The directions didn't tell me to close my other AV programs, so I left Avira open.
It popped up at least 3 or 4 times while Kaspersky was running (I think specifically while it was looking through the restore files).

As soon as I can get to the other pieces I will add them to this update.
 

Attachments:
  • Kaspersky.txt (641 bytes)
  • ComboFix3.txt (19 KB)
Closed everything and ran GMER - left all the check boxes on.

It completed, but when I attempted to copy the log into a Notepad window, I could not get any other applications to start - or even the taskbar.

I was quickly on my way to work this morning so I'm not sure if I wrote all the information down correctly.
There were about 12 entries with a type of SSDT
and then one that was different.

.text
c:\windows\system32\Drivers\ati2mtag.sys
section is writable

I can run this again when I get home tonight, and if necessary, remove the check box from Devices, perhaps that would help it run cleaner.

Thanks for your help Bobbye.

-Mike
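Added example (editor's code, not part of either participant's post): GMER's "section is writable" line for ati2mtag.sys refers to the driver's .text section header carrying the IMAGE_SCN_MEM_WRITE flag alongside its code/execute flags. The script below walks a PE section table and lists sections that are both code and writable. The two images it checks are built in memory for the example (a normal layout and the same layout with the write bit set on .text); no real driver is read, and the section names and flag combinations are constructed.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def build_minimal_pe(sections):
    """Constructed test image for this example: a DOS header, the PE signature, a COFF
    header with SizeOfOptionalHeader = 0 and one 40-byte header per (name, flags) pair.
    It carries no code or data, just enough structure for a section-table parser."""
    e_lfanew = 64
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0)
    table = b""
    for name, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             0, 0, 0, 0, 0, 0, 0, 0, flags)
    return dos_header + b"PE\0\0" + coff_header + table


def pe_sections(data):
    """Walk the section table of a PE image and return name + characteristics per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    # The section table starts right after the (variable-size) optional header.
    first = coff + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, first + 40 * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "characteristics": fields[9],
        })
    return sections


def writable_code_sections(data):
    """Names of sections that are executable (or flagged as code) and also writable,
    i.e. what a rootkit scanner reports as a writable code section."""
    flagged = []
    for s in pe_sections(data):
        flags = s["characteristics"]
        is_code = bool(flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        if is_code and flags & IMAGE_SCN_MEM_WRITE:
            flagged.append(s["name"])
    return flagged


# Two constructed images: a normal layout, and the same layout with the write bit on .text.
NORMAL_IMAGE = build_minimal_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
WRITABLE_TEXT_IMAGE = build_minimal_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_IMAGE), ("writable .text", WRITABLE_TEXT_IMAGE)):
        print(f"{label}: writable code sections = {writable_code_sections(image) or 'none'}")
```

To check a file from disk, pass `open(path, "rb").read()` to `writable_code_sections`; the parser skips the optional header by its declared size, so real 32-bit drivers parse the same way as the constructed images. A writable code section is a lead rather than a verdict: the flag is set at build time and does occur in some legitimate drivers, so the useful follow-up is the one the thread takes, comparing the live file's hash against known-good copies on the same system.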
 
AV should be disabled for both Combofix and Kaspersky scans.

The GMER log is hard to read- best to get copy of the log. Did you follow this?
  • Double click on downloaded .exe file on the desktop
  • Select Rootkit tab> click Scan
  • When scan is completed, click Save button, and save the results as gmer.log
This screenshot HERE will show you how the display will come up.

Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.
======================
You need to empty the Java cache:
Click on Control Panel> Java> Temporary Internet Files> Settings> Delete. I don't keep any of the Java files.

I meant to ask you about this - you have a large number of downloads on 5/12/2010 using DivX. Most of them are uninstall.exe files for various media. The RunAsUser process is also being used there, which can be used to run programs in the security context of any user, which can mean elevating privileges. This could be a matter of concern if it's related to malware.
 
OK, I got GMER to complete. It looked as if it contained the same output. I've attached the log.
(The PC then hung after I saved the file - had to hard reboot.)

I cleared out the Java Cache.

I don't know of any major downloads using DivX. I would most likely wipe them all out and delete them, as they do sound quite suspect. Maybe I downloaded something that was suspect on that day, and it then proceeded to do a ton of damage.

As always, thanks Bobbye.

-Mike
 

Attachments:
  • gmer.log (1.1 KB)
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    ati2mtag.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Go ahead and uninstall what you can of DivX and then when I set up the last script, I'll move any remaining entries for it along with anything else needing removing.
 
I don't see any places where I can uninstall DivX, from the program menu, or where I can remove the program from add/remove programs.
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:40 on 29/05/2010 by Kipper (Administrator - Elevation successful)

========== filefind ==========

Searching for "ati2mtag.*"
C:\ATI\SUPPORT\8-6_xp32_dd_ccc_wdm_enu_64783\Driver\XP_INF\B_64997\ati2mtag.sy_ --a--- 2138598 bytes [06:20 03/06/2008] [06:20 03/06/2008] 261C20D1802E17EF6C13045E8B0703A3
C:\ATI\SUPPORT\8-7_xp32_dd_65993\XP_INF\B_66369\ati2mtag.sy_ --a--- 2266234 bytes [06:33 04/07/2008] [06:33 04/07/2008] 2ED15520A0EAFD1C837127DCE3A9DD83
C:\ATI\SUPPORT\8-9_xp32_dd_ccc_wdm_enu_68898\Driver\XP_INF\B_68405\ati2mtag.sy_ --a--- 2303086 bytes [04:52 21/08/2008] [04:52 21/08/2008] 6D058D53621C83C524A710CFBEBFEB8B
C:\WINDOWS\ServicePackFiles\i386\ati2mtag.sys ------ 701440 bytes [05:29 04/08/2004] [05:29 04/08/2004] 8759322FFC1A50569C1E5528EE8026B7
C:\WINDOWS\system32\dllcache\ati2mtag.sys --a--c 3299840 bytes [17:12 08/01/2007] [04:52 21/08/2008] C06659FF381423D6CB19A91C2A2F80AD
C:\WINDOWS\system32\drivers\ati2mtag.sys --a--- 3299840 bytes [17:12 08/01/2007] [04:52 21/08/2008] C06659FF381423D6CB19A91C2A2F80AD
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\ati2mtag.sys --a--- 1921536 bytes [23:27 06/07/2008] [17:12 08/01/2007] 8A7AC68FBEABCCA05E5811157F52853E
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\ati2mtag.sys --a--- 3100160 bytes [23:27 06/07/2008] [06:20 03/06/2008] B70ECB6BD20E13F0CE3C0BC95F5C3A9A
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\ati2mtag.sys --a--- 3230720 bytes [01:15 11/09/2008] [06:33 04/07/2008] 3B23691E9EEF04DE3364D9271371BBDE

-=End Of File=-
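Added example (editor's code, not part of either participant's post): the SystemLook output above lists every copy of one driver together with its MD5, which is what lets a helper see whether the live file in system32\drivers still matches the copies Windows XP keeps for reference (the dllcache copy used by Windows File Protection and the Service Pack source). The script below parses that ":filefind" layout, groups copies by hash and reports those comparisons. The log it runs on is constructed for the example: the folder layout mirrors the one above, but the file name, sizes, timestamps and hashes are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a SystemLook ":filefind" result. The path layout
# mirrors where a Windows XP driver's copies usually sit (Service Pack source, WFP
# dllcache, the live drivers folder, driver-rollback backups, a vendor install package),
# but every size, timestamp and MD5 here is made up for this example.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:40 on 29/05/2010 by Example (Administrator - Elevation successful)

========== filefind ==========

Searching for "example.*"
C:\WINDOWS\ServicePackFiles\i386\example.sys ------ 701440 bytes [05:29 04/08/2004] [05:29 04/08/2004] 11111111111111111111111111111111
C:\WINDOWS\system32\dllcache\example.sys --a--c 3299840 bytes [17:12 08/01/2007] [04:52 21/08/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\drivers\example.sys --a--- 3299840 bytes [17:12 08/01/2007] [04:52 21/08/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\example.sys --a--- 1921536 bytes [23:27 06/07/2008] [17:12 08/01/2007] 33333333333333333333333333333333
C:\Vendor\Driver\XP_INF\example.sy_ --a--- 2138598 bytes [06:20 03/06/2008] [06:20 03/06/2008] 44444444444444444444444444444444

-=End Of File=-
"""

# One result line: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>\S.*?\S)\s+"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line; header, blank and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def group_by_hash(entries):
    """Map each MD5 to the list of paths carrying that exact file content."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def _find(entries, fragment):
    """First entry whose path contains `fragment` (case-insensitive), else None."""
    for e in entries:
        if fragment.lower() in e["path"].lower():
            return e
    return None


def check_driver_copies(entries):
    """Compare the live driver against the two copies Windows XP keeps as references."""
    live = _find(entries, "\\system32\\drivers\\")
    cache = _find(entries, "\\system32\\dllcache\\")
    sp = _find(entries, "\\ServicePackFiles\\")
    return {
        "live_md5": live["md5"] if live else None,
        "matches_dllcache": bool(live and cache and live["md5"] == cache["md5"]),
        "matches_servicepack": bool(live and sp and live["md5"] == sp["md5"]),
        "distinct_versions": len(group_by_hash(entries)),
    }


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_hash(found).items():
        print(md5, f"({len(paths)} copies)")
        for p in paths:
            print("   ", p)
    print(check_driver_copies(found))
```

The grouping shows at a glance how many distinct builds of the driver exist on the disk and whether the live copy is the same build as the dllcache copy (what Windows File Protection would restore) and as the Service Pack copy (what an FCopy line in a CFScript puts back). A live copy that differs from the Service Pack source is normal after a vendor driver update, so the comparison is a lead for a known-good hash lookup, not a verdict on its own.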
 
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::

Folder::
c:\program files\DivX
c:\documents and settings\All Users\Application Data\DivX
Registry::

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\ati2mtag.sys | C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Save this as CFScript.txt, in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
File moved. DivX removed.

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Checking for bad entries, then removing the cleaning tools. Do any problems remain? (except the latency - that's not my department)
 
Bobbye,
I've attached the two logs.

CF blew away all of my video drivers. I will need to download new ones I suppose.
I knew we thought those ATI processes may have been suspect.

All my install programs still appear to be suspect, as they aren't showing up correctly. I fear I may have a reinstall looming ahead of me regardless :(

Thank you,
Mike
 

Attachments:
  • ComboFix4.txt (38.3 KB)
  • hijackthis.log (7.3 KB)
My Post 18:
I meant to ask you about this- you have a large number of downloads on 5/12/2010 using DivX. Most of them are uninstall.exe files for various media. The RunAsUser process is also being used there which can be used to run programs in the security context of any user-which can mean elevating privileges. this could be a matter of concern if it's related to malware.

Your Post #19:
I don't know of any major downloads using DivX. I would most likely wipe them all out and delete them. As they do sound quite suspect. maybe I downloaded something that was suspect on that day, and it then proceeded to do a ton of damage then.

Your Post#21:
I don't see any places where I can uninstall DivX, from the program menu, or where I can remove the program from add/remove programs.

My Post #23:
Part of the code I wrote:
Code:
KillAll::
File::
Folder::
c:\program files\DivX
c:\documents and settings\All Users\Application Data\DivX

Your Post #24:
CF blew away all of my video drivers. I will need to download new ones I suppose.
I knew we thought those ATI processes may have been suspect.
=========================================
I can restore these for you as follows:

Custom Script
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
DeQuarantine::
C:\Qoobox\Quarantine\c:\program files\DivX
C:\Qoobox\Quarantine\c:\documents and settings\All Users\Application Data\DivX
C:\Qoobox\Quarantine\c:\program files\DivX\DivX Plus Player\DivX Plus Player
C:\Qoobox\Quarantine\c:\program files\DivX\DivX Control Panel\DivXControlPanelLauncher
C:\Qoobox\Quarantine\c:\program files\DivX\DivX Converter\DivX Converter
C:\Qoobox\Quarantine\c:\program files\DivX\DivX To Go\DivXToGoLauncher
C:\Qoobox\Quarantine\c:\program files\DivX\DivX Transcode Engine\
C:\Qoobox\Quarantine\c:\program files\DivX\DivX Update\DivXUpdate.
C:\Qoobox\Quarantine\c:\program files\DivX\DivX Transcode Engine\DivXEngine.

Quit::

Save this as CFScript.txt, in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it will produce this log: Dequarantine log.txt
 