Welcome to the TechSpot OpenBoards.
Undetectable Google hijack/redirect
#1
Undetectable Google hijack/redirect
Ok, very mad today/night. Most of my Google searches are being hijacked and redirected by an unknown virus/malware. I've done the following. Ran Malwarebytes, it picked up a few things and tells me they were deleted. I installed and ran a complete scan with Avira. That also deleted a few things. I then used Google again, with Firefox, as I have been using Firefox as my main browser. Still getting redirected to bullcrap sites and links. I'm also getting a page that immediately shrinks Firefox to a 1/4 page for some download "registry defender". This is occurring with all three of my browsers, IE, Opera and Firefox. I also ran hijackthis, and I've yet to see an entry that is showing the redirect. I manually edited the registry to use microsoft as the search page. The malware keeps replicating itself and is next to impossible to find. I ran Trendmicro's free scan, it came back clean. I've changed my DNS address to another address, but the DNS was clean. I checked the non plug and play for that old tdsserv exploit, it was not there. I've also installed and ran unhackme, which prompted me to remove something during boot, which I did. There was also one thing that occurred, that has never happened before. A menu box popped up for WMD new hardware was found and needed to update. Only one thing, I did not install any new hardware. I, like an idiot, let it update thinking it was connecting via Microsoft. I think this is how they got the trojan in. So this is something new and improved. I really could use some help here.

Last edited by stoxwatcher; 2 Weeks Ago at 05:39 AM. Reason: missed some key things
#2
Download ComboFix from one of these locations:
Link 1 Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
#3
Results from combofix
kritius, I think combofix finally got the rootkit trojan out and deleted it. Kudos for that. It took an agonizing 20 minutes for combofix to find everything and I also went ballistic when I was seeing the "startup repair menu", YIKES! Thanks a bunch. I had to shorten the log to 10,000 characters.
```
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2887468060-1512202398-357854717-500
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\oem4.inf
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [

c:\users\ERIC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ActualDoc.lnk - c:\program files\Flexigen\ActualDoc\Bin\ActualDocAgent.exe [2006-6-5 1296384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b2,a7,f0,4b,14,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2887468060-1512202398-357854717-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/5/2009 14:41 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 21:24 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 06:17 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 14:51 108289]
R3 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [11/7/2009 01:50 34760]
S2 gupdate1c9b66b2b5dc010;Google Update Service (gupdate1c9b66b2b5dc010);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 22:52 133104]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 18:43 30192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 21:24 740
.
Completion time: 2009-11-07 9:57
ComboFix-quarantined-files.txt 2009-11-07 14:56

Pre-Run: 228,492,288,000 bytes free
Post-Run: 229,013,266,432 bytes free

- - End Of File - - FF647AEC28FDBD71212CC4EA7E5AB5C3
```
#4
Attach the log, I need to see it all. Not what you think is important.
#5
combofix log 1
```
ComboFix 09-11-06.03 - ERIC 11/07/2009 13:04.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1451 [GMT -5:00]
Running from: c:\users\ERIC\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.
2009-11-07 07:31 . 2009-11-07 07:31 -------- d-----w- c:\programdata\F-Secure
2009-11-07 06:50 . 2009-11-07 06:50 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-11-07 06:50 . 2009-11-07 06:50 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-11-07 06:50 . 2009-11-07 06:50 2 --shatr- c:\windows\winstart.bat
2009-11-07 06:50 . 2008-12-22 20:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-07 06:50 . 2009-11-07 06:50 4096 d-----w- c:\program files\UnHackMe
2009-11-07 06:40 . 2009-11-07 06:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 06:40 . 2009-11-07 06:40 -------- d-----w- c:\program files\Java
2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\ERIC\AppData\Local\temp
2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-07 06:13 . 2009-11-07 06:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-07 04:06 . 2009-11-07 04:06 117760 ----a-w- c:\users\ERIC\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-07 04:06 . 2009-11-07 04:06 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-07 04:06 . 2009-11-07 04:06 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-07 04:06 . 2009-11-07 04:06 -------- d-----w- c:\users\ERIC\AppData\Roaming\SUPERAntiSpyware.com
2009-11-07 04:05 . 2009-11-07 04:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 03:44 . 2009-11-07 03:44 4045527 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-06 15:03 . 2009-11-06 15:03 0 ----a-w- c:\users\ERIC\AppData\Roaming\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2009-11-06 01:47 . 2009-11-06 01:50 -------- d-----w- c:\users\ERIC\dwhelper
2009-11-06 00:53 . 2009-11-06 02:07 -------- d-----w- c:\users\ERIC\AppData\Roaming\Audacity
2009-11-06 00:53 . 2009-11-06 00:53 4096 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2009-11-05 19:51 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-05 19:51 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-05 19:51 . 2009-11-05 19:51 -------- d-----w- c:\programdata\Avira
2009-11-05 19:51 . 2009-11-05 19:51 -------- d-----w- c:\program files\Avira
2009-11-05 19:41 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-05 19:41 . 2009-11-05 19:41 -------- d-----w- c:\program files\Panda Security
2009-11-04 17:30 . 2009-11-04 18:31 4096 d-----w- C:\SafetyCenter
2009-11-03 00:25 . 2009-11-03 00:25 -------- d-----w- c:\program files\Hasbro Interactive
2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\ca-ES
2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\eu-ES
2009-10-21 05:58 . 2009-10-21 05:58 -------- d-----w- c:\windows\system32\vi-VN
2009-10-21 05:28 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-21 05:28 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2(258).dll
2009-10-21 05:28 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-21 05:28 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-21 05:28 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-21 05:27 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-21 05:27 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-21 05:27 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-21 05:26 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-21 05:26 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-21 04:56 . 2009-10-21 04:56 4096 d-----w- c:\windows\system32\EventProviders
2009-10-20 04:20 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-10-20 04:20 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-10-20 04:20 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-10-14 18:16 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-14 18:07 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 18:07 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 18:07 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-12 01:41 . 2009-10-12 01:41 -------- d-----w- c:\program files\Coupons
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 14:35 . 2009-07-24 03:17 4096 d-----w- c:\users\ERIC\AppData\Roaming\vlc
2009-11-07 06:10 . 2008-02-24 02:48 4096 d-----w- c:\program files\YahELite
2009-11-07 03:44 . 2008-12-29 02:10 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 01:41 . 2009-04-03 22:07 4096 d-----w- c:\users\ERIC\AppData\Roaming\Winamp
2009-11-05 21:16 . 2009-07-02 04:17 4096 d-----w- c:\program files\Opera
2009-11-05 20:31 . 2009-08-14 04:00 4096 d-----w- c:\program files\Wise Registry Cleaner
2009-11-05 20:31 . 2008-02-21 23:43 4096 d-----w- c:\program files\Google
2009-11-05 19:37 . 2008-02-23 17:24 82896 ----a-w- c:\users\ERIC\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-10-21 05:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-21 05:58 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-10-21 05:58 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-10-21 05:57 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-12 19:32 . 2008-02-27 23:34 1356 ----a-w- c:\users\ERIC\AppData\Local\d3d9caps.dat
2009-10-04 04:43 . 2009-10-04 04:43 4096 d-----w- c:\program files\Common Files\DVDVideoSoft
2009-10-04 04:43 . 2009-10-04 04:43 -------- d-----w- c:\program files\DVDVideoSoft
2009-09-10 19:54 . 2008-12-29 02:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-12-29 02:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 11:41 . 2009-10-14 18:08 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-27 05:22 . 2009-10-14 18:08 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 18:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 18:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 18:08 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 16:27 . 2009-09-09 06:14 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 06:14 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 06:14 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 06:14 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 06:14 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 06:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 06:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 06:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 06:14 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 06:14 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 06:14 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-11-05 19:38 . 2008-08-09 04:04 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-02-22 07:15 . 2008-02-22 07:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
```
#6
combofix log part 2
```
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-05 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyGames"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"RestrictWelcomeCenter"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b2,a7,f0,4b,14,52,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2887468060-1512202398-357854717-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/5/2009 14:41 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 21:24 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 06:17 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 14:51 108289]
R3 Partizan;Partizan;c:\windows\System32\drivers\Partizan.sys [11/7/2009 01:50 34760]
S2 gupdate1c9b66b2b5dc010;Google Update Service (gupdate1c9b66b2b5dc010);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2009 22:52 133104]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 18:43 30192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 21:24 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 03:52]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 03:52]

2009-11-05 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-08-14 21:45]
.
.
------- Supplementary Scan -------
.
TCP: {7245DEAA-8917-4D48-8AD1-71CE34C402B5} = 208.67.222.222,208.67.222.220
FF - ProfilePath - c:\users\ERIC\AppData\Roaming\Mozilla\Firefox\Profiles\kbtwiwys.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kitco.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 01:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-07 1:15
ComboFix-quarantined-files.txt 2009-11-07 06:15
ComboFix2.txt 2009-11-07 14:57

Pre-Run: 229,217,439,744 bytes free
Post-Run: 229,180,481,536 bytes free

- - End Of File - - 0A9DCB4C66A42925CBC86B5A2631F3D3
```
#7
Please download Malwarebytes' Anti-Malware from Here.
Double-click mbam-setup.exe to install the application.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
#8
Mbam logs
```
Malwarebytes' Anti-Malware 1.41
Database version: 3118
Windows 6.0.6002 Service Pack 2

11/7/2009 2:33:30 PM
mbam-log-2009-11-07 (14-33-30).txt

Scan type: Quick Scan
Objects scanned: 91195
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\SafetyCenter\sound.wav (Trojan.FakeAlert) -> Quarantined and deleted successfully.

------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 3118
Windows 6.0.6002 Service Pack 2

11/7/2009 11:42:15 PM
mbam-log-2009-11-07 (23-42-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 234429
Time elapsed: 53 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
```
#10
hijack this log
```
Logfile of HijackThis v1.99.1
Scan saved at 9:28:12 AM, on 11/9/2009
Platform: Unknown Windows (WinNT 6.00.1906 SP2)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Eraser\Eraser.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\ERIC\AppData\Local\temp\Temp1_hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7245DEAA-8917-4D48-8AD1-71CE34C402B5}: NameServer = 208.67.222.222,208.67.222.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9b66b2b5dc010) (gupdate1c9b66b2b5dc010) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
```
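The HijackThis log in this thread is triaged by eye. As an added example (my own code, not part of the thread, of HijackThis or of any tool named here), the Python script below parses lines in the R/O section format shown above and flags the entry types a helper checks first when a search redirect is reported: O17 NameServer overrides (compared against the OpenDNS resolvers the thread's owner says they configured on purpose), O20 AppInit_DLLs and Winlogon Notify loaders, O2 BHO registrations whose file is missing, and O4 autoruns that execute from a temp folder. The sample lines are constructed from the posted log plus one invented `[updater]` autorun to exercise the temp-folder rule; the severities are review heuristics, not verdicts.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample (not a real scan): HijackThis-format lines. All but the
# "[updater]" O4 entry are copied from the log posted in this thread; that one
# is invented so the temp-folder rule has something to match.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [updater] C:\Users\ERIC\AppData\Local\temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7245DEAA-8917-4D48-8AD1-71CE34C402B5}: NameServer = 208.67.222.222,208.67.222.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...),
# a " - " separator and the entry body.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Resolvers the machine owner set deliberately (the thread says OpenDNS).
# Anything else appearing in an O17 entry is a DNS override worth a hard look.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.222.220"}

# Autorun targets living in a temp directory are a classic persistence smell.
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    severity: str  # "info" | "review" | "high"
    reason: str
    line: str


def parse_entries(log: str) -> List[Tuple[str, str, str]]:
    """Return (code, body, original_line) for every HijackThis entry line."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def triage(log: str) -> List[Finding]:
    """Apply the review heuristics described in the lead-in to each entry."""
    findings: List[Finding] = []
    for code, body, line in parse_entries(log):
        if code == "O17":
            # "...: NameServer = a,b" -> compare the listed resolvers to the expected set
            _, sep, tail = body.partition("NameServer =")
            if not sep:
                findings.append(Finding(code, "review", "O17 entry without a NameServer list", line))
                continue
            servers = {s.strip() for s in tail.split(",") if s.strip()}
            unexpected = sorted(servers - EXPECTED_RESOLVERS)
            if unexpected:
                findings.append(Finding(code, "high", "DNS override to unexpected resolver(s): " + ", ".join(unexpected), line))
            else:
                findings.append(Finding(code, "info", "DNS override matches the resolvers the owner configured", line))
        elif code == "O20":
            # AppInit_DLLs loads into every user-mode process; Winlogon Notify runs at logon.
            findings.append(Finding(code, "review", "global DLL loader (AppInit_DLLs / Winlogon Notify); confirm the publisher", line))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(code, "review", "orphaned BHO registration; file is gone, entry can be removed", line))
        elif code == "O4" and TEMP_PATH_RE.search(body):
            findings.append(Finding(code, "high", "autorun entry executes from a temp folder", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 1, 'review': 3, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on a saved HijackThis log by replacing `SAMPLE_LOG` with the file contents; the parser ignores the "Running processes" block and header lines because they do not carry a section code.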
#11
Actually, that's a really, really outdated version. Use this instead.

DDS by sUBs
Please download DDS by sUBs from HERE or HERE and save it to your Desktop.
Vista users: right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).
#12
Files
That version of hijackthis was d/l directly from Trendmicro's site.
#13
That looks fine. How are things now? Also could you show me the download link for HijackThis that you use?
#14
hijackthis d/l
kritius, first of all, thanks for the help. Not sure of the d/l site of the version of hijackthis. Everything seems to be working w/o any problems. I used hijackthis way back on my WIN98 box to get out a virus. I'm now running all at the same time, Avira A/V, Superantispyware and unhackme. Windows "defender" was useless against this malware.
http://free.antivirus.com/hijackthis/ and http://download.cnet.com/Trend-Micro...-10227353.html
#15
I would also use Malwarebytes' Anti-Malware.
Go to Start and Run and type Combofix /Uninstall
Tags: google, malware, redirect, search