TechSpot

Undetectable Google hijack/redirect

By stoxwatcher
Nov 7, 2009
  1. Ok, very mad today/night. Most of my Google searches are being hijacked and redirected by an unknown virus/malware. I've done the following. Ran Malwarebytes, it picked up a few things and tells me they were deleted. I installed and ran a complete scan with Avira. That also deleted a few things. I then used Google again, with Firefox, as I have been using Firefox as my main browser. Still getting redirected to bullcrap sites and links. I'm also getting a page that immediately shrinks Firefox to a 1/4 page for some download "registry defender". This is occurring with all three of my browsers, IE, Opera and Firefox. I also ran HijackThis, and I've yet to see an entry that is showing the redirect. I manually edited the registry to use Microsoft as the search page. The malware keeps replicating itself and is next to impossible to find. I ran Trend Micro's free scan, it came back clean. I've changed my DNS address to another address, but the DNS was clean. I checked the non plug and play for that old tdsserv exploit, it was not there. I've also installed and ran UnHackMe, which prompted me to remove something during boot, which I did. There was also one thing that occurred, that has never happened before. A menu box popped up for WMD new hardware was found and needed to update. Only one thing, I did not install any new hardware. I, like an *****, let it update thinking it was connecting via Microsoft. I think this is how they got the trojan in. So this is something new and improved. I really could use some help here.
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  3. stoxwatcher

    stoxwatcher TS Rookie Topic Starter

    Results from combofix

    kritius, I think ComboFix finally got the rootkit trojan out and deleted it. Kudos for that. It took an agonizing 20 minutes for ComboFix to find everything and I also went ballistic when I was seeing the "startup repair menu", YIKES! Thanks a bunch. I had to shorten the log to 10,000 characters.


    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
    c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
    c:\$recycle.bin\S-1-5-21-2887468060-1512202398-357854717-500
    c:\windows\system32\404Fix.exe
    c:\windows\system32\dumphive.exe
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\o4Patch.exe
    c:\windows\system32\oem4.inf
    c:\windows\system32\Process.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe

    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
    "UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [

    c:\users\ERIC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ActualDoc.lnk - c:\program files\Flexigen\ActualDoc\Bin\ActualDocAgent.exe [2006-6-5 1296384]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)


    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
    SetupExecute REG_MULTI_SZ \0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):b2,a7,f0,4b,14,52,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2887468060-1512202398-357854717-1000]
    "EnableNotifications"=dword:00000001
    "EnableNotificationsRef"=dword:00000001

    R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/5/2009 14:41 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 21:24 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 21:24 74480]
    R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 06:17 77824]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 14:51 108289]
    R3 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [11/7/2009 01:50 34760]
    S2 gupdate1c9b66b2b5dc010;Google Update Service (gupdate1c9b66b2b5dc010);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 22:52 133104]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 18:43 30192]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 21:24 740
    .



    Completion time: 2009-11-07 9:57
    ComboFix-quarantined-files.txt 2009-11-07 14:56

    Pre-Run: 228,492,288,000 bytes free
    Post-Run: 229,013,266,432 bytes free

    - - End Of File - - FF647AEC28FDBD71212CC4EA7E5AB5C3
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Attach the log,

    I need to see it all. Not what you think is important.
     
  5. stoxwatcher

    stoxwatcher TS Rookie Topic Starter

    combofix log 1

    ComboFix 09-11-06.03 - ERIC 11/07/2009 13:04.3.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1451 [GMT -5:00]
    Running from: c:\users\ERIC\Desktop\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
    .

    2009-11-07 07:31 . 2009-11-07 07:31 -------- d-----w- c:\programdata\F-Secure
    2009-11-07 06:50 . 2009-11-07 06:50 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
    2009-11-07 06:50 . 2009-11-07 06:50 32480 ----a-w- c:\windows\system32\Partizan.exe
    2009-11-07 06:50 . 2009-11-07 06:50 2 --shatr- c:\windows\winstart.bat
    2009-11-07 06:50 . 2008-12-22 20:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
    2009-11-07 06:50 . 2009-11-07 06:50 4096 d-----w- c:\program files\UnHackMe
    2009-11-07 06:40 . 2009-11-07 06:40 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-07 06:40 . 2009-11-07 06:40 -------- d-----w- c:\program files\Java
    2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\ERIC\AppData\Local\temp
    2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\Public\AppData\Local\temp
    2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2009-11-07 04:06 . 2009-11-07 04:06 117760 ----a-w- c:\users\ERIC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-11-07 04:06 . 2009-11-07 04:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2009-11-07 04:06 . 2009-11-07 04:06 4096 d-----w- c:\program files\SUPERAntiSpyware
    2009-11-07 04:06 . 2009-11-07 04:06 -------- d-----w- c:\users\ERIC\AppData\Roaming\SUPERAntiSpyware.com
    2009-11-07 04:05 . 2009-11-07 04:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-11-07 03:44 . 2009-11-07 03:44 4045527 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-11-06 15:03 . 2009-11-06 15:03 0 ----a-w- c:\users\ERIC\AppData\Roaming\GRETECH\GomPlayer\GrLauncherTempSetup.exe
    2009-11-06 01:47 . 2009-11-06 01:50 -------- d-----w- c:\users\ERIC\dwhelper
    2009-11-06 00:53 . 2009-11-06 02:07 -------- d-----w- c:\users\ERIC\AppData\Roaming\Audacity
    2009-11-06 00:53 . 2009-11-06 00:53 4096 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
    2009-11-05 19:51 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-11-05 19:51 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-11-05 19:51 . 2009-11-05 19:51 -------- d-----w- c:\programdata\Avira
    2009-11-05 19:51 . 2009-11-05 19:51 -------- d-----w- c:\program files\Avira
    2009-11-05 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-11-05 19:41 . 2009-11-05 19:41 -------- d-----w- c:\program files\Panda Security
    2009-11-04 17:30 . 2009-11-04 18:31 4096 d-----w- C:\SafetyCenter
    2009-11-03 00:25 . 2009-11-03 00:25 -------- d-----w- c:\program files\Hasbro Interactive
    2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\ca-ES
    2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\eu-ES
    2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\vi-VN
    2009-10-21 05:28 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
    2009-10-21 05:28 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2(258).dll
    2009-10-21 05:28 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
    2009-10-21 05:28 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
    2009-10-21 05:28 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
    2009-10-21 05:27 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
    2009-10-21 05:27 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
    2009-10-21 05:27 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
    2009-10-21 05:26 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
    2009-10-21 05:26 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
    2009-10-21 04:56 . 2009-10-21 04:56 4096 d-----w- c:\windows\system32\EventProviders
    2009-10-20 04:20 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
    2009-10-20 04:20 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2009-10-20 04:20 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2009-10-14 18:16 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-14 18:07 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
    2009-10-14 18:07 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
    2009-10-14 18:07 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
    2009-10-12 01:41 . 2009-10-12 01:41 -------- d-----w- c:\program files\Coupons

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-07 14:35 . 2009-07-24 03:17 4096 d-----w- c:\users\ERIC\AppData\Roaming\vlc
    2009-11-07 06:10 . 2008-02-24 02:48 4096 d-----w- c:\program files\YahELite
    2009-11-07 03:44 . 2008-12-29 02:10 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-06 01:41 . 2009-04-03 22:07 4096 d-----w- c:\users\ERIC\AppData\Roaming\Winamp
    2009-11-05 21:16 . 2009-07-02 04:17 4096 d-----w- c:\program files\Opera
    2009-11-05 20:31 . 2009-08-14 04:00 4096 d-----w- c:\program files\Wise Registry Cleaner
    2009-11-05 20:31 . 2008-02-21 23:43 4096 d-----w- c:\program files\Google
    2009-11-05 19:37 . 2008-02-23 17:24 82896 ----a-w- c:\users\ERIC\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
    2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
    2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
    2009-10-21 05:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
    2009-10-21 05:58 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
    2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
    2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
    2009-10-21 05:57 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-10-12 19:32 . 2008-02-27 23:34 1356 ----a-w- c:\users\ERIC\AppData\Local\d3d9caps.dat
    2009-10-04 04:43 . 2009-10-04 04:43 4096 d-----w- c:\program files\Common Files\DVDVideoSoft
    2009-10-04 04:43 . 2009-10-04 04:43 -------- d-----w- c:\program files\DVDVideoSoft
    2009-09-10 19:54 . 2008-12-29 02:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 19:53 . 2008-12-29 02:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-04 11:41 . 2009-10-14 18:08 60928 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-27 05:22 . 2009-10-14 18:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-08-27 05:17 . 2009-10-14 18:08 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-08-27 05:17 . 2009-10-14 18:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-08-27 03:42 . 2009-10-14 18:08 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-08-14 16:27 . 2009-09-09 06:14 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2009-08-14 15:53 . 2009-09-09 06:14 17920 ----a-w- c:\windows\system32\netevent.dll
    2009-08-14 13:49 . 2009-09-09 06:14 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2009-08-14 13:49 . 2009-09-09 06:14 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2009-08-14 13:49 . 2009-09-09 06:14 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2009-08-14 13:49 . 2009-09-09 06:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2009-08-14 13:49 . 2009-09-09 06:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2009-08-14 13:49 . 2009-09-09 06:14 19968 ----a-w- c:\windows\system32\ARP.EXE
    2009-08-14 13:49 . 2009-09-09 06:14 10240 ----a-w- c:\windows\system32\finger.exe
    2009-08-14 13:48 . 2009-09-09 06:14 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2009-08-14 13:48 . 2009-09-09 06:14 105984 ----a-w- c:\windows\system32\netiohlp.dll
    2009-11-05 19:38 . 2008-08-09 04:04 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2008-02-22 07:15 . 2008-02-22 07:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
     
  6. stoxwatcher

    stoxwatcher TS Rookie Topic Starter

    combofix log part 2

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
    "UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-05 30192]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
    "RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyPictures"= 0 (0x0)
    "NoStartMenuMyMusic"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoStartMenuMyGames"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)
    "NoSimpleStartMenu"= 0 (0x0)
    "NoDFSTab"= 0 (0x0)
    "NoFileAssociate"= 0 (0x0)
    "NoChangeAnimation"= 0 (0x0)
    "RestrictWelcomeCenter"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):b2,a7,f0,4b,14,52,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2887468060-1512202398-357854717-1000]
    "EnableNotifications"=dword:00000001
    "EnableNotificationsRef"=dword:00000001

    R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/5/2009 14:41 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 21:24 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 21:24 74480]
    R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 06:17 77824]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 14:51 108289]
    R3 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [11/7/2009 01:50 34760]
    S2 gupdate1c9b66b2b5dc010;Google Update Service (gupdate1c9b66b2b5dc010);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 22:52 133104]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 18:43 30192]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 21:24 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MBR
    *Deregistered* - mbr
    *Deregistered* - PROCEXP113
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 03:52]

    2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 03:52]

    2009-11-05 c:\windows\Tasks\Wise Registry Cleaner 4.job
    - c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-08-14 21:45]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {7245DEAA-8917-4D48-8AD1-71CE34C402B5} = 208.67.222.222,208.67.222.220
    FF - ProfilePath - c:\users\ERIC\AppData\Roaming\Mozilla\Firefox\Profiles\kbtwiwys.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.kitco.com/
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-07 01:13
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2009-11-07 1:15
    ComboFix-quarantined-files.txt 2009-11-07 06:15
    ComboFix2.txt 2009-11-07 14:57

    Pre-Run: 229,217,439,744 bytes free
    Post-Run: 229,180,481,536 bytes free

    - - End Of File - - 0A9DCB4C66A42925CBC86B5A2631F3D3
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  8. stoxwatcher

    stoxwatcher TS Rookie Topic Starter

    Mbam logs

    Malwarebytes' Anti-Malware 1.41
    Database version: 3118
    Windows 6.0.6002 Service Pack 2

    11/7/2009 2:33:30 PM
    mbam-log-2009-11-07 (14-33-30).txt

    Scan type: Quick Scan
    Objects scanned: 91195
    Time elapsed: 4 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\SafetyCenter\sound.wav (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    ------------------------------------------------------------
    Malwarebytes' Anti-Malware 1.41
    Database version: 3118
    Windows 6.0.6002 Service Pack 2

    11/7/2009 11:42:15 PM
    mbam-log-2009-11-07 (23-42-15).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 234429
    Time elapsed: 53 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  9. kritius

    kritius TS Guru Posts: 2,084

    Post a fresh HijackThis log
     
  10. stoxwatcher

    stoxwatcher TS Rookie Topic Starter

    hijack this log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:28:12 AM, on 11/9/2009
    Platform: Unknown Windows (WinNT 6.00.1906 SP2)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Eraser\Eraser.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\UnHackMe\hackmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\ERIC\AppData\Local\temp\Temp1_hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7245DEAA-8917-4D48-8AD1-71CE34C402B5}: NameServer = 208.67.222.222,208.67.222.220
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Google Update Service (gupdate1c9b66b2b5dc010) (gupdate1c9b66b2b5dc010) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
     
  11. kritius

    kritius TS Guru Posts: 2,084

    Actually,

    That's a really, really outdated version.

    Use this instead.

    DDS by sUBs
    Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

    Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    • Double click on dds to run it.
    • When done, DDS.txt will open.
    • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
    • When done, Attach.txt will open.
    • Please copy and paste the contents of DDS.txt and attach Attach.txt in your next reply.
     
  12. stoxwatcher

    stoxwatcher TS Rookie Topic Starter

    Files

    That version of hijackthis was d/l directly from Trendmicro's site.
     
  13. kritius

    kritius TS Guru Posts: 2,084

    That looks fine.

    How are things now?

    Also could you show me the download link for HijackThis that you use?
     
  14. stoxwatcher

    stoxwatcher TS Rookie Topic Starter

  15. kritius

    kritius TS Guru Posts: 2,084

    I would also use Malwarebytes anti malware.

    Go to start and run and type Combofix /Uninstall

    • Download OTC to your desktop and run it
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
     
Topic Status:
Not open for further replies.
