Solved Google redirection and possible GBPlugin virus

[houston10s]

I have copied and pasted logs below as requested in the 1st 6 steps. I have attached the 2 dds files because of length. Thank you for your help.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4344

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 1:21:35 PM
mbam-log-2010-07-24 (13-21-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 236134
Time elapsed: 46 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byudexok (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hdfhexbn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsmjyamk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byudexok (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hdfhexbn (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsmjyamk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\sak\Local Settings\Temp\44.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.

-----------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-24 20:44:07
Windows 5.1.2600 Service Pack 3
Running: hbg2fc1u.exe; Driver: C:\DOCUME~1\sak\LOCALS~1\Temp\pgldqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9B6D18BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0x9B6D183B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9B6D18E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9B6D184F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9B6D187B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9B6D190F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0x9B6D1827]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9B6D18CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0x9B6D1865]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0x9B6D1891]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x9B6D18A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9B6D1925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9B6D18F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\iastor \Device\Harddisk0\DR0 8A0D9EC5

---- Services - GMER 1.0.15 ----

Service C:\Program Files\GbPlugin\GbpSv.exe (*** hidden *** ) [AUTO] GbpSv <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

 

[Broni]

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

 

[houston10s]

tdsskiller executed with issues

I placed tdsskiller.ext directly on the desktop.

I copied the exact text you sent including quotes to the run command and pressed ok. It immediately gave me an illegal argument error, -v is not legal. I ran the command without the -v and a box came up asking report or scan. I clicked report. If I need to run it again doing something differently let me know and I will do so. Contents of the tdsskiller.txt are presented below:


2010/07/25 00:09:08.0468 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/25 00:09:08.0468 ================================================================================
2010/07/25 00:09:08.0468 SystemInfo:
2010/07/25 00:09:08.0468
2010/07/25 00:09:08.0468 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/25 00:09:08.0468 Product type: Workstation
2010/07/25 00:09:08.0468 ComputerName: COMPUTERROOM
2010/07/25 00:09:08.0468 UserName: sak
2010/07/25 00:09:08.0468 Windows directory: C:\WINDOWS
2010/07/25 00:09:08.0468 System windows directory: C:\WINDOWS
2010/07/25 00:09:08.0468 Processor architecture: Intel x86
2010/07/25 00:09:08.0468 Number of processors: 2
2010/07/25 00:09:08.0468 Page size: 0x1000
2010/07/25 00:09:08.0468 Boot type: Normal boot
2010/07/25 00:09:08.0468 ================================================================================
2010/07/25 00:09:08.0875 Initialize success

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[houston10s]

Combobox.txt attached

Thank you for your help.

I downloaded a new combobox.exe directly to the desktop as instructed.

In normal mode, just after the 9th stage the computer blue screened. Tried this twice.

I then ran combo box as instructed in safe mode. The resulting text file is attached.

If you tell me to drop a script on top of the desktop combobox, should I do this in normal or safe mode?

 

[Broni]

Let's clarify something.
Did you actually install GbPlugin?
Is it listed in Add\Remove?
If it is, please, uninstall it.

 

[houston10s]

I mistyped earlier. Meant to say combofix not combobox.

I have not installed GBPlugin and it is not listed in add/remove programs.

What's the next step?

Thanks

 

[Broni]

Are you familiar with corp.draka.com?


1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

Folder::
c:\program files\GbPlugin

Driver::
UnknownUnknown GbpSv
GbpSv

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[houston10s]

Corp.draka.com was a previous employer. Not virus related.

Attached is the combofix.txt as per your request after applying script.

Thank you!!!

 

[Broni]

You're welcome

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

RenV::
c:\program files\CtrlInstaller\CtrlInstaller .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[houston10s]

Completed running script and have attached combofix.txt

Please advise.

 

[Broni]

Good

Double checking...

Delete your GMER file, download fresh one and post new log.
Do the very same with Combofix.

 

[houston10s]

Downloaded new gmer and combofix.

Combofix blue screened on normal windows and first run of safe mode.

Combofix ran on 2nd try in safe mode.

Attached gmer log file and combofix text file.

Please advise.

 

[Broni]

We eliminate one culprit, but from GMER log I can see, something is still lurking.

Try to run TDSSKiller once more. You still should have it on your desktop.

 

[houston10s]

Tdsskiller text file attached.

Looks like it found something this time. I did not click on cure.

Please advise

 

[Broni]

Is there a reason, you're running your computer from safe mode?
Please, restart in normal mode and re-run TDSSKiller.

 

[houston10s]

Ran in safe mode before because combofix was blue screening in normal windows mode.

When I rebooted, tdsskiller reported that it would fix the one object found.

Ran tdsskiller again in normal windows mode. Attached tdsskiller text file.

Again, the -v arguement reports that it is illegal. Ran it without the -v

Please advise...

 

[Broni]

Delete your GMER file, download fresh one and post new log.

 

[houston10s]

Fresh gmer.log attached.

Please advise.

 

[Broni]

Wonderful

How is your computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[houston10s]

Computer is running fine. The main issue was google links being redirected. I haven't checked to see if they are or not since we have been troubleshooting.

Couldn't copy and paste because of size limitations.

Attached otl.txt and extras.txt.

Please advise.

 

[Broni]

Cool

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

=========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
  O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\PROGRA~1\GBPLUGIN\gbieh.dll File not found
  O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Program Files\GbPlugin\gbiehcef.dll File not found
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Reg Error: Key error.)
  O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - C:\PROGRA~1\GBPLUGIN\gbieh.dll File not found
  [2010/07/25 10:40:22 | 000,000,000 | ---D | C] -- C:\2nd-ComboFix
  [2010/07/25 10:23:10 | 000,000,000 | ---D | C] -- C:\1st-ComboFix
  [2010/07/25 00:04:04 | 001,170,256 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\sak\Desktop\TDSSKiller.exe
  [2010/05/16 11:34:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sak\Local Settings\Application Data\wdiuyvftd
  [2010/05/14 10:56:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sak\Local Settings\Application Data\nvadprivn
  [2010/05/13 10:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sak\Local Settings\Application Data\jtwtjtuct
  [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[houston10s]

Updated to newest java.

Removed old java versions with javaRa.

Ran otl with custom and produced new text log. Attached text log.

Rebooted. Ran otl quickscan. Attached text log.

Please advise.

 

[Broni]

Great job

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[houston10s]

Ran security check and posted checkup text log.

Ran TFC.

Could not run Kaspersky. Web site said the online antivirus scan is being upgraded and revised. Not available at this time.

I checked the google links and they all seem to be working well so far.

Thank you so much for you time, knowledge, and patience. It is most appreciated.

Have a great rest of the evening.