[Solved] Google redirection and possible GBPlugin virus

houston10s · Jul 24, 2010

I have copied and pasted logs below as requested in the 1st 6 steps. I have attached the 2 dds files because of length. Thank you for your help.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4344

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 1:21:35 PM
mbam-log-2010-07-24 (13-21-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 236134
Time elapsed: 46 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byudexok (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hdfhexbn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsmjyamk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byudexok (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hdfhexbn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsmjyamk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\sak\Local Settings\Temp\44.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.

-----------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-24 20:44:07
Windows 5.1.2600 Service Pack 3
Running: hbg2fc1u.exe; Driver: C:\DOCUME~1\sak\LOCALS~1\Temp\pgldqpow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9B6D18BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0x9B6D183B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9B6D18E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9B6D184F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9B6D187B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9B6D190F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0x9B6D1827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9B6D18CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x9B6D1865]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0x9B6D1891]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9B6D18A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9B6D1925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9B6D18F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\iastor \Device\Harddisk0\DR0 8A0D9EC5

---- Services - GMER 1.0.15 ----

Service C:\Program Files\GbPlugin\GbpSv.exe (*** hidden *** ) [AUTO] GbpSv <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Broni · Jul 25, 2010

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

houston10s · Jul 25, 2010

tdsskiller executed with issues

I placed tdsskiller.ext directly on the desktop.

I copied the exact text you sent including quotes to the run command and pressed ok. It immediately gave me an illegal argument error, -v is not legal. I ran the command without the -v and a box came up asking report or scan. I clicked report. If I need to run it again doing something differently let me know and I will do so. Contents of the tdsskiller.txt are presented below:

2010/07/25 00:09:08.0468 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/25 00:09:08.0468 ================================================================================
2010/07/25 00:09:08.0468 SystemInfo:
2010/07/25 00:09:08.0468
2010/07/25 00:09:08.0468 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/25 00:09:08.0468 Product type: Workstation
2010/07/25 00:09:08.0468 ComputerName: COMPUTERROOM
2010/07/25 00:09:08.0468 UserName: sak
2010/07/25 00:09:08.0468 Windows directory: C:\WINDOWS
2010/07/25 00:09:08.0468 System windows directory: C:\WINDOWS
2010/07/25 00:09:08.0468 Processor architecture: Intel x86
2010/07/25 00:09:08.0468 Number of processors: 2
2010/07/25 00:09:08.0468 Page size: 0x1000
2010/07/25 00:09:08.0468 Boot type: Normal boot
2010/07/25 00:09:08.0468 ================================================================================
2010/07/25 00:09:08.0875 Initialize success

Broni · Jul 25, 2010

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

houston10s · Jul 25, 2010

Combobox.txt attached

Thank you for your help.

I downloaded a new combobox.exe directly to the desktop as instructed.

In normal mode, just after the 9th stage the computer blue screened. Tried this twice.

I then ran combo box as instructed in safe mode. The resulting text file is attached.

If you tell me to drop a script on top of the desktop combobox, should I do this in normal or safe mode?

Broni · Jul 25, 2010

Let's clarify something.
Did you actually install GbPlugin?
Is it listed in Add\Remove?
If it is, please, uninstall it.

houston10s · Jul 25, 2010

I mistyped earlier. Meant to say combofix not combobox.

I have not installed GBPlugin and it is not listed in add/remove programs.

What's the next step?

Thanks

Broni · Jul 25, 2010

Are you familiar with corp.draka.com?

1. Please open Notepad

Click Start , then Run

Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::

Folder::
c:\program files\GbPlugin

Driver::
UnknownUnknown GbpSv
GbpSv

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

houston10s · Jul 25, 2010

corp.draka.com was a previous employer. Not virus related.

Attached is the combofix.txt as per your request after applying script.

Thank you!!!

Broni · Jul 25, 2010

You're welcome

1. Please open Notepad

Click Start , then Run

Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
RenV::
c:\program files\CtrlInstaller\CtrlInstaller .exe
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

houston10s · Jul 25, 2010

Completed running script and have attached combofix.txt

Please advise.

Broni · Jul 25, 2010

Good

Double checking...

Delete your GMER file, download fresh one and post new log.
Do the very same with Combofix.

houston10s · Jul 25, 2010

Downloaded new gmer and combofix.

Combofix blue screened on normal windows and first run of safe mode.

Combofix ran on 2nd try in safe mode.

Attached gmer log file and combofix text file.

Please advise.

Broni · Jul 25, 2010

We eliminate one culprit, but from GMER log I can see, something is still lurking.

Try to run TDSSKiller once more. You still should have it on your desktop.

houston10s · Jul 25, 2010

tdsskiller text file attached.

Looks like it found something this time. I did not click on cure.

Please advise

Broni · Jul 25, 2010

Is there a reason, you're running your computer from safe mode?
Please, restart in normal mode and re-run TDSSKiller.

houston10s · Jul 25, 2010

Ran in safe mode before because combofix was blue screening in normal windows mode.

When I rebooted, tdsskiller reported that it would fix the one object found.

Ran tdsskiller again in normal windows mode. Attached tdsskiller text file.

Again, the -v arguement reports that it is illegal. Ran it without the -v

Please advise...

Broni · Jul 25, 2010

Delete your GMER file, download fresh one and post new log.

houston10s · Jul 25, 2010

Fresh gmer.log attached.

Please advise.

Broni · Jul 25, 2010

Wonderful

How is your computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

TechSpot

[Solved] Google redirection and possible GBPlugin virus

houston10s Newcomer, in training

Attached Files:

DDS.txt

Attach.txt

Broni Malware Annihilator

houston10s Newcomer, in training

Broni Malware Annihilator

houston10s Newcomer, in training

Attached Files:

ComboFix.txt

Broni Malware Annihilator

houston10s Newcomer, in training

Broni Malware Annihilator

houston10s Newcomer, in training

Attached Files:

ComboFix.txt

Broni Malware Annihilator

houston10s Newcomer, in training

Attached Files:

ComboFix.txt

Broni Malware Annihilator

houston10s Newcomer, in training

Attached Files:

gmer.log

ComboFix.txt

Broni Malware Annihilator

houston10s Newcomer, in training

Attached Files:

TDSSKiller.txt

Broni Malware Annihilator

houston10s Newcomer, in training

Attached Files:

TDSSKiller.txt

Broni Malware Annihilator

houston10s Newcomer, in training

Attached Files:

gmer.log

Broni Malware Annihilator