Yourdogsucks
Posts: 30 +0
I've been battling a mad virus for a while now. It redirects my browser and caused me all kinds of shame. The sad part is that it bypassed supposedly "live protection" on my antivirus and antimalware - which just goes to prove that the virii are being released by the same folks who make the antivirus to force consumers to purchase their product.
But anyways.
I have wiped out Mozilla and IE, and reinstalled, in safe mode, with intermittent scans of MBAM, and no luck. I have hunted down every noncritical process in msconfig and shut down every service I could find. This virus can still redirect my browser in safe mode.
Also, I have done a repair install on Windows, to no avail.
Where do I go next? I have no idea. Below are my logs as specified in the intro post. It's gotten to where I feel that this virus might even be so great that I could switch to a blank hard drive and it would still be there somehow.
I would love to hunt down the makers of this virus and dispense some vigilante justice. Boy oh boy....
MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4591
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
9/10/2010 9:37:55 PM
mbam-log-2010-09-10 (21-37-55).txt
Scan type: Full scan (C:\|)
Objects scanned: 255739
Time elapsed: 35 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions)
-> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.
GMER:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-10 21:59:17
Windows 5.1.2600 Service Pack 3
Running: y30mcogb.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugwoqfob.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8AA4FD00
Device -> \Driver\atapi \Device\Harddisk0\DR0 8AA6EEC5
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] kghps <-- ROOTKIT !!!
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Weird goings-on here.
Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/22/2010 1:41:20 PM
System Uptime: 9/10/2010 9:54:50 PM (1 hours ago)
Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3R
Processor: Intel Pentium III Xeon processor | Socket 775 | 2999/333mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 831.555 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID:
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&2A6EB68&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&2A6EB68&0&0001
Service:
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Deskjet F4500 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Deskjet F4500,192.168.1.112
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Deskjet F4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
µTorrent
32 Bit HP CIO Components Installer
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Advertising Center
Alien Breed: Impact
Altitude
Antivirus 2010
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
ATI Catalyst Registration
AutoCAD 2010 - English
AutoCAD 2010 Language Pack - English
avast! Free Antivirus
Beat Hazard
Bonjour
BufferChm
CameraHelperMsi
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
Cisco Connect
Compact Wireless-G USB Adapter
Copy
Coupon Printer for Windows
CutePDF Writer 2.8
Demigod
Destinations
DeviceDiscovery
DJ_AIO_06_F4500_SW_MIN
DolbyFiles
EA Download Manager
EA Download Manager UI
Empire: Total War
erLT
F4500
Fraps
Gigabyte Raid Configurer
GPBaseService2
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 14.0
HP Deskjet F4500 All-in-One Driver Software 14.0 Rel. 6
HP Imaging Device Functions 14.0
HP Photo Creations
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPProductAssistant
HPSSupply
ImagXpress
Impulse
iTunes
iTunes Library Updater
Java Auto Updater
Java(TM) 6 Update 18
King's Bounty: Armored Princess
King's Bounty: The Legend
LG USB Modem driver
LightScribe System Software
LimeWire 5.5.8
Logitech Vid
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware
MarketResearch
McAfee Security Scan Plus
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Xbox 360 Accessories 1.2
mIRC
Mobipocket Reader 6.2
Movie Templates - Starter Kit
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MyCar-Monitor 4.2.0.7
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero Vision Help
NeroExpress
neroxml
Network
NVIDIA PhysX v8.10.29
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK Wireless LAN Driver and Utility
Scan
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
StarCraft
StarCraft II
Status
Steam
Supreme Commander 2
System Requirements Lab
The Battle for Middle-earth (tm) II
The Lord of the Rings FREE Trial
The Lord of the Rings, The Rise of the Witch-king
The Settlers 7: Paths to a Kingdom
Toolbox
TrayApp
Tropico 3 - Steam Special Edition
Tropico 3: Absolute Power
Ubisoft Game Launcher
UE3Redist
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.0.5
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
X-COM: Apocalypse
X-COM: Enforcer
X-COM: Interceptor
X-COM: Terror from the Deep
X-COM: UFO Defense
Xbox 360 Controller for Windows
XfireXO Toolbar
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
9/8/2010 5:28:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/8/2010 5:26:44 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s)
failed to load: Fips intelppm
9/8/2010 5:26:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with
arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/6/2010 9:24:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error:
%%2147942402
9/6/2010 8:24:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error:
%%2147942402
9/6/2010 7:24:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error:
%%2147942402
9/6/2010 6:24:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error:
%%2147942402
9/6/2010 5:24:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error:
%%2147942402
9/6/2010 4:24:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error:
%%2147942402
9/6/2010 3:24:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error:
%%2147942402
9/6/2010 2:58:29 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated
unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.
9/6/2010 2:08:03 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected
system file rundll32.exe. This file was restored to the original version to maintain system stability. The file
version of the system file is 5.1.2600.5512.
9/6/2010 10:24:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error:
%%2147942402
9/4/2010 2:01:03 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS)
service terminated with the following error: Access is denied.
9/3/2010 6:44:12 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a
page file on the boot partition and that is large enough to contain all physical memory.
9/3/2010 6:44:12 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
9/3/2010 6:43:50 PM, error: Service Control Manager [7023] - The Network Security service terminated with the
following error: The specified module could not be found.
9/10/2010 9:56:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s)
failed to load: Aavmker4 aswSP aswTdi Fips intelppm
9/10/2010 9:47:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/10/2010 9:40:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s)
failed to load: Fips intelppm ohci1394
9/10/2010 9:02:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
9/10/2010 8:59:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
==== End Of File ===========================