Undetectable Google hijack/redirect

Status
Not open for further replies.

stoxwatcher

Posts: 11   +0
Ok, very mad today/night. Most of my Google searches are being hijacked and redirected by an unknown virus/malware. I've done the following. Ran Malwarebytes, it picked up a few things and tells me they were deleted. I installed and ran a complete scan with Avira. That also deleted a few things. I then used Google again, with Firefox, as I have been using Firefox as my main browser. Still getting redirected to bullcrap sites and links. I'm also getting a page that immediately shrinks Firefox to a 1/4 page for some download "registry defender". This is occurring with all three of my browsers, IE, Opera and Firefox. I also ran HijackThis, and I've yet to see an entry that is showing the redirect. I manually edited the registry to use Microsoft as the search page. The malware keeps replicating itself and is next to impossible to find. I ran Trend Micro's free scan, it came back clean. I've changed my DNS address to another address, but the DNS was clean. I checked the non plug and play for that old tdsserv exploit, it was not there. I've also installed and ran UnHackMe, which prompted me to remove something during boot, which I did. There was also one thing that occurred, that has never happened before. A menu box popped up for WMD new hardware was found and needed to update. Only one thing, I did not install any new hardware. I, like an *****, let it update thinking it was connecting via Microsoft. I think this is how they got the trojan in. So this is something new and improved. I really could use some help here.
 
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
 
Results from combofix

kritius, I think combofix finally got the rootkit trojan out and deleted it. kudos for that. It took an agonizing 20 minutes for combofix to find everything and I also went ballistic when I was seeing the "startup repair menu", YIKES! Thanks a bunch. I had to shorten the log to 10,000 characters.






.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2887468060-1512202398-357854717-500
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\oem4.inf
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [

c:\users\ERIC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ActualDoc.lnk - c:\program files\Flexigen\ActualDoc\Bin\ActualDocAgent.exe [2006-6-5 1296384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)





[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b2,a7,f0,4b,14,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2887468060-1512202398-357854717-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/5/2009 14:41 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 21:24 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 06:17 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 14:51 108289]
R3 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [11/7/2009 01:50 34760]
S2 gupdate1c9b66b2b5dc010;Google Update Service (gupdate1c9b66b2b5dc010);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 22:52 133104]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 18:43 30192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 21:24 740
.



Completion time: 2009-11-07 9:57
ComboFix-quarantined-files.txt 2009-11-07 14:56

Pre-Run: 228,492,288,000 bytes free
Post-Run: 229,013,266,432 bytes free

- - End Of File - - FF647AEC28FDBD71212CC4EA7E5AB5C3
 
combofix log 1

ComboFix 09-11-06.03 - ERIC 11/07/2009 13:04.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1451 [GMT -5:00]
Running from: c:\users\ERIC\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 07:31 . 2009-11-07 07:31 -------- d-----w- c:\programdata\F-Secure
2009-11-07 06:50 . 2009-11-07 06:50 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-11-07 06:50 . 2009-11-07 06:50 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-11-07 06:50 . 2009-11-07 06:50 2 --shatr- c:\windows\winstart.bat
2009-11-07 06:50 . 2008-12-22 20:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-07 06:50 . 2009-11-07 06:50 4096 d-----w- c:\program files\UnHackMe
2009-11-07 06:40 . 2009-11-07 06:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 06:40 . 2009-11-07 06:40 -------- d-----w- c:\program files\Java
2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\ERIC\AppData\Local\temp
2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-07 04:06 . 2009-11-07 04:06 117760 ----a-w- c:\users\ERIC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-07 04:06 . 2009-11-07 04:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-07 04:06 . 2009-11-07 04:06 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-07 04:06 . 2009-11-07 04:06 -------- d-----w- c:\users\ERIC\AppData\Roaming\SUPERAntiSpyware.com
2009-11-07 04:05 . 2009-11-07 04:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 03:44 . 2009-11-07 03:44 4045527 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-06 15:03 . 2009-11-06 15:03 0 ----a-w- c:\users\ERIC\AppData\Roaming\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2009-11-06 01:47 . 2009-11-06 01:50 -------- d-----w- c:\users\ERIC\dwhelper
2009-11-06 00:53 . 2009-11-06 02:07 -------- d-----w- c:\users\ERIC\AppData\Roaming\Audacity
2009-11-06 00:53 . 2009-11-06 00:53 4096 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2009-11-05 19:51 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-05 19:51 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-05 19:51 . 2009-11-05 19:51 -------- d-----w- c:\programdata\Avira
2009-11-05 19:51 . 2009-11-05 19:51 -------- d-----w- c:\program files\Avira
2009-11-05 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-05 19:41 . 2009-11-05 19:41 -------- d-----w- c:\program files\Panda Security
2009-11-04 17:30 . 2009-11-04 18:31 4096 d-----w- C:\SafetyCenter
2009-11-03 00:25 . 2009-11-03 00:25 -------- d-----w- c:\program files\Hasbro Interactive
2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\ca-ES
2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\eu-ES
2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\vi-VN
2009-10-21 05:28 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-21 05:28 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2(258).dll
2009-10-21 05:28 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-21 05:28 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-21 05:28 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-21 05:27 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-21 05:27 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-21 05:27 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-21 05:26 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-21 05:26 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-21 04:56 . 2009-10-21 04:56 4096 d-----w- c:\windows\system32\EventProviders
2009-10-20 04:20 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-10-20 04:20 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-10-20 04:20 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-10-14 18:16 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-14 18:07 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 18:07 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 18:07 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-12 01:41 . 2009-10-12 01:41 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 14:35 . 2009-07-24 03:17 4096 d-----w- c:\users\ERIC\AppData\Roaming\vlc
2009-11-07 06:10 . 2008-02-24 02:48 4096 d-----w- c:\program files\YahELite
2009-11-07 03:44 . 2008-12-29 02:10 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 01:41 . 2009-04-03 22:07 4096 d-----w- c:\users\ERIC\AppData\Roaming\Winamp
2009-11-05 21:16 . 2009-07-02 04:17 4096 d-----w- c:\program files\Opera
2009-11-05 20:31 . 2009-08-14 04:00 4096 d-----w- c:\program files\Wise Registry Cleaner
2009-11-05 20:31 . 2008-02-21 23:43 4096 d-----w- c:\program files\Google
2009-11-05 19:37 . 2008-02-23 17:24 82896 ----a-w- c:\users\ERIC\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-10-21 05:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-21 05:58 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-10-21 05:57 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-12 19:32 . 2008-02-27 23:34 1356 ----a-w- c:\users\ERIC\AppData\Local\d3d9caps.dat
2009-10-04 04:43 . 2009-10-04 04:43 4096 d-----w- c:\program files\Common Files\DVDVideoSoft
2009-10-04 04:43 . 2009-10-04 04:43 -------- d-----w- c:\program files\DVDVideoSoft
2009-09-10 19:54 . 2008-12-29 02:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-29 02:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 11:41 . 2009-10-14 18:08 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-27 05:22 . 2009-10-14 18:08 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 18:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 18:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 18:08 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 16:27 . 2009-09-09 06:14 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 06:14 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 06:14 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 06:14 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 06:14 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 06:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 06:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 06:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 06:14 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 06:14 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 06:14 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-11-05 19:38 . 2008-08-09 04:04 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-02-22 07:15 . 2008-02-22 07:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
 
combofix log part 2

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-05 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyGames"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"RestrictWelcomeCenter"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b2,a7,f0,4b,14,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2887468060-1512202398-357854717-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/5/2009 14:41 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 21:24 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 06:17 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 14:51 108289]
R3 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [11/7/2009 01:50 34760]
S2 gupdate1c9b66b2b5dc010;Google Update Service (gupdate1c9b66b2b5dc010);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 22:52 133104]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 18:43 30192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 21:24 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 03:52]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 03:52]

2009-11-05 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-08-14 21:45]
.
.
------- Supplementary Scan -------
.
TCP: {7245DEAA-8917-4D48-8AD1-71CE34C402B5} = 208.67.222.222,208.67.222.220
FF - ProfilePath - c:\users\ERIC\AppData\Roaming\Mozilla\Firefox\Profiles\kbtwiwys.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kitco.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 01:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-07 1:15
ComboFix-quarantined-files.txt 2009-11-07 06:15
ComboFix2.txt 2009-11-07 14:57

Pre-Run: 229,217,439,744 bytes free
Post-Run: 229,180,481,536 bytes free

- - End Of File - - 0A9DCB4C66A42925CBC86B5A2631F3D3
 
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 
Mbam logs

Malwarebytes' Anti-Malware 1.41
Database version: 3118
Windows 6.0.6002 Service Pack 2

11/7/2009 2:33:30 PM
mbam-log-2009-11-07 (14-33-30).txt

Scan type: Quick Scan
Objects scanned: 91195
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\SafetyCenter\sound.wav (Trojan.FakeAlert) -> Quarantined and deleted successfully.
------------------------------------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 3118
Windows 6.0.6002 Service Pack 2

11/7/2009 11:42:15 PM
mbam-log-2009-11-07 (23-42-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 234429
Time elapsed: 53 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 9:28:12 AM, on 11/9/2009
Platform: Unknown Windows (WinNT 6.00.1906 SP2)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Eraser\Eraser.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\ERIC\AppData\Local\temp\Temp1_hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7245DEAA-8917-4D48-8AD1-71CE34C402B5}: NameServer = 208.67.222.222,208.67.222.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9b66b2b5dc010) (gupdate1c9b66b2b5dc010) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
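Added here as a worked example (it is not code from the thread, from HijackThis, or from any other tool named above): a small Python script that reads HijackThis-format lines and flags the entries a helper looks at first in a search-redirect case, namely rewritten IE start/search pages (R0/R1), orphaned BHOs (O2), NameServer overrides (O17), AppInit_DLLs (O20) and services whose binary was not found (O23). The sample lines are copied from the log above; the trusted-host list and the OpenDNS resolver list are assumptions chosen to match this poster's setup.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entry lines look like "O17 - HKLM\...: NameServer = 1.2.3.4"; anything else is ignored.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumption: IE start/search pages are expected to stay on Microsoft's defaults,
# which is what the poster set them to by hand.
TRUSTED_PAGE_HOSTS = ("microsoft.com",)

# The resolvers in the O17 line of the log above; the poster said they switched
# to these deliberately, so they are treated as known-good here (assumption).
OPENDNS = frozenset({"208.67.222.222", "208.67.222.220"})

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7245DEAA-8917-4D48-8AD1-71CE34C402B5}: NameServer = 208.67.222.222,208.67.222.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
"""


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse(log_text):
    """Yield (code, body, line) for every HijackThis entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(log_text, trusted_dns=frozenset()):
    """Return the entries a reviewer should look at first, with a one-line reason each."""
    findings = []
    for code, body, line in parse(log_text):
        if code in ("R0", "R1"):
            # Start/search/default page URLs: a redirect hijack often rewrites these.
            _, _, url = body.partition(" = ")
            host = urlparse(url.strip()).hostname or ""
            if url.strip() and not host.endswith(TRUSTED_PAGE_HOSTS):
                findings.append(Finding(code, f"IE page setting points at {host!r}", line))
        elif code == "O2" and body.endswith("(no file)"):
            # A BHO CLSID whose DLL is gone: leftover of a removed component, still worth cleaning.
            findings.append(Finding(code, "BHO registered but its DLL is missing (orphan)", line))
        elif code == "O17":
            # NameServer override: any resolver not on the trusted list can redirect every lookup.
            unknown = [ip for ip in IP_RE.findall(body) if ip not in trusted_dns]
            if unknown:
                findings.append(Finding(code, "DNS resolver not in trusted list: " + ", ".join(unknown), line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32; always verify the DLL.
            findings.append(Finding(code, "AppInit_DLLs entry loads into every GUI process; verify the DLL", line))
        elif code == "O23" and body.endswith("(file missing)"):
            # The tool could not find the binary; when the path still contains %windir%
            # it simply was not expanded, so confirm by hand before deleting anything.
            findings.append(Finding(code, "service binary not found; confirm the path by hand", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_dns=OPENDNS):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

Run as-is, it reports the orphaned BHO, the Google Desktop AppInit_DLLs entry and the gpsvc line from the log, and stays quiet about the OpenDNS resolvers because they are on the trusted list; call `triage(SAMPLE_LOG)` with no trusted list and the O17 line is reported too, which is the check that matters when the poster did not set the resolvers themselves.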
 
Actually,

That's a really really outdated version.

Use this instead.

DDS by sUBs
Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

  • Double click on dds to run it.
  • When done, DDS.txt will open.
  • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  • When done, Attach.txt will open.
  • Please copy and paste the contents of DDS.txt and attach Attach.txt in your next reply.
 
That looks fine.

How are things now?

Also could you show me the download link for HijackThis that you use?
 
I would also use Malwarebytes anti malware.

Go to start and run and type Combofix /Uninstall

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
 