Cyber Tech Help Support Forums > Software > Malware Removal Forum

#16
March 12th, 2012, 02:44 PM
bobo
Senior Member
Join Date: Aug 2003
Location: Ontario
Posts: 171
Gmer

Got it right this time:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-12 09:43:20
Windows 6.1.7601 Service Pack 1
Running: 66el9khp.exe


---- Modules - GMER 1.0.15 ----

Module \SystemRoot\system32\DRIVERS\nvstor64.sys (NVIDIA® nForce(TM) Sata Performance Driver/NVIDIA Corporation) 010C4000-01103000 (258048 bytes)
Module \SystemRoot\system32\drivers\amdxata.sys (Storage Filter Driver/Advanced Micro Devices) 01166000-01171000 (45056 bytes)
Module \SystemRoot\system32\DRIVERS\mwlPSDFilter.sys (PSD Filter Driver/Egis Technology Inc.) 01652000-0165B000 (36864 bytes)
Module \SystemRoot\system32\DRIVERS\mwlPSDVDisk.sys (MyWinLocker PSD Virtual Disk Driver/Egis Technology Inc.) 03D12000-03D25000 (77824 bytes)
Module \SystemRoot\system32\DRIVERS\mwlPSDNServ.sys (MyWinLocker PSD Named Pipe Driver/Egis Technology Inc.) 03D25000-03D2D000 (32768 bytes)
Module \SystemRoot\system32\drivers\mssmbios.sys (System Management BIOS Driver/Microsoft Corporation) 03D2D000-03D38000 (45056 bytes)
Module \SystemRoot\System32\Drivers\ElbyCDIO.sys (ElbyCD Windows x64 I/O driver/Elaborate Bytes AG) 03D38000-03D43000 (45056 bytes)
Module \SystemRoot\System32\drivers\discache.sys (System Indexer/Cache Driver/Microsoft Corporation) 03D43000-03D52000 (61440 bytes)
Module \SystemRoot\system32\DRIVERS\avkmgr.sys (Avira Manager Driver/Avira GmbH) 03D81000-03D8B000 (40960 bytes)
Module \SystemRoot\system32\DRIVERS\avipbb.sys (Avira Driver for Security Enhancement/Avira GmbH) 03D8B000-03DB2000 (159744 bytes)
Module \??\C:\Windows\system32\drivers\UBHelper.sys (NTI CDROM Filter Driver/NewTech Infosystems Corporation) 04106000-0410E000 (32768 bytes)
Module \??\C:\Windows\system32\drivers\NTIDrvr.sys (NTI CD-ROM Filter Driver/NewTech Infosystems, Inc.) 0410E000-04116000 (32768 bytes)
Module \SystemRoot\system32\DRIVERS\nvmf6264.sys (NVIDIA MCP Networking Function Driver./NVIDIA Corporation) 04116000-04168000 (335872 bytes)
Module \SystemRoot\system32\DRIVERS\nvlddmkm.sys (NVIDIA Windows Kernel Mode Driver, Version 258.96 /NVIDIA Corporation) 0F083000-0FD15000 (13180928 bytes)
Module \SystemRoot\system32\DRIVERS\nvBridge.kmd (NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 258.96 /NVIDIA Corporation) 0FD15000-0FD17000 (8192 bytes)
Module \SystemRoot\system32\DRIVERS\PdiPorts.sys (PdiPorts Device Driver/Portrait Displays, Inc.) 0FD52000-0FD5B000 (36864 bytes)
Module \SystemRoot\system32\DRIVERS\RimSerial_AMD64.sys (RIM Virtual Serial Driver/Research in Motion Ltd) 0FD5B000-0FD6D000 (73728 bytes)
Module \SystemRoot\system32\DRIVERS\VClone.sys (VirtualCloneCD Driver/Elaborate Bytes AG) 0FD7C000-0FD8B000 (61440 bytes)
Module \SystemRoot\system32\DRIVERS\mcdbus.sys (MagicISO SCSI Host Controller/MagicISO, Inc.) 0FDBA000-0FDF7000 (249856 bytes)
Module \SystemRoot\system32\DRIVERS\MarvinBus64.sys (Pinnacle Marvin Discrete Bus Enumerator/Pinnacle Systems GmbH) 04168000-041AC000 (278528 bytes)
Module \SystemRoot\system32\drivers\RTKVHD64.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) 04A18000-04BD6000 (1826816 bytes)
Module \SystemRoot\system32\drivers\nvhda64v.sys (NVIDIA HDMI Audio Driver/NVIDIA Corporation) 04097000-040C0000 (167936 bytes)
Module \SystemRoot\System32\TSDDD.dll (Framebuffer Display Driver/Microsoft Corporation) 004E0000-004EA000 (40960 bytes)
Module \SystemRoot\system32\DRIVERS\avgntflt.sys (Avira Minifilter Driver/Avira GmbH) 024F2000-02512000 (131072 bytes)
Module \SystemRoot\System32\Drivers\secdrv.SYS (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) 05394000-0539F000 (45056 bytes)
Module \Windows\System32\usp10.dll (Uniscribe Unicode script processor/Microsoft Corporation) FF0B0000-FF179000 (823296 bytes)
Module \Windows\System32\lpk.dll (Language Pack/Microsoft Corporation) FDF20000-FDF2E000 (57344 bytes)
Module \Windows\System32\devobj.dll (Device Information Set DLL/Microsoft Corporation) FDA50000-FDA6A000 (106496 bytes)

---- Processes - GMER 1.0.15 ----

Process nvvsvc.exe (NVIDIA Driver Helper Service, Version 258.96/NVIDIA Corporation) 888
Process IScheduleSvc.exe 1180
Process sched.exe 1292
Process lxbkcoms.exe (Printer Communication System/ ) 1348
Process nvvsvc.exe (NVIDIA Driver Helper Service, Version 258.96/NVIDIA Corporation) 1364
Process NBService.exe 1472
Process EgisUpdate.exe 1476
Process soffice.exe 1784
Process armsvc.exe 1796
Process avguard.exe 1836
Process pdisrvc.exe 1864
Process CTDevSrv.exe 1868
Process DTSRVC.exe 1916
Process nSvcAppFlt.exe 1980
Process PsiService_2.exe 2008
Process GregHSRW.exe 2044
Process UpdaterService.exe 2092
Process nSvcIp.exe 2256
Process FlashUtil11f_ActiveX.exe 2400
Process HotkeyUtility.exe 2436
Process wpCtrl.exe 2628
Process RAVCpl64.exe 2640
Process mwlDaemon.exe (MyWinLocker/Egis Technology Inc.) 2648
Process LXBKbmgr.exe 2656
Process sidebar.exe 2664
Process SoftAuto.exe 2672
Process KiesPDLR.exe 2688
Process LXBKbmon.exe 2836
Process MagicDisc.exe 2992
Process BackupManagerTray.exe 3040
Process winampa.exe 3280
Process soffice.bin 3288
Process VCDDaemon.exe 3296
Process jusched.exe 3324
Process Floater.exe 3352
Process thunderbird.exe 3400
Process TrustedInstaller.exe 3444
Process dthtml.exe 3540
Process HookManager.exe 3572
Process avshadow.exe 3660
Process avwebgrd.exe 3700
Process KiesTrayAgent.exe 3792
Process RIMBBLaunchAgent.exe 3800
Process Updater.exe 3820
Process updrgui.exe 3844
Process avgnt.exe 3888
Process PresentationFontCache.exe 4492
Process ielowutil.exe 4524
Process 66el9khp.exe 4608
Process wmpnetwk.exe 4652
Process iexplore.exe 4904
Process iexplore.exe 4936
Process update.exe 5824

---- Services - GMER 1.0.15 ----

Service C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Acrobat Update Service/Adobe Systems Incorporated) [AUTO] AdobeARMservice
Service system32\DRIVERS\adp94xx.sys (Adaptec Windows SAS/SATA Storport Driver/Adaptec, Inc.) [MANUAL] adp94xx
Service system32\DRIVERS\adpahci.sys (Adaptec Windows SATA Storport Driver/Adaptec, Inc.) [MANUAL] adpahci
Service system32\DRIVERS\adpu320.sys (Adaptec StorPort Ultra320 SCSI Driver (X64)/Adaptec, Inc.) [MANUAL] adpu320
Service system32\drivers\aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.) [MANUAL] aliide
Service system32\drivers\amdsata.sys (AHCI 1.2 Device Driver/Advanced Micro Devices) [MANUAL] amdsata
Service system32\DRIVERS\amdsbs.sys (AMD Technology AHCI Compatible Controller Driver for Windows - AMD64 platform/AMD Technologies Inc.) [MANUAL] amdsbs
Service system32\drivers\amdxata.sys (Storage Filter Driver/Advanced Micro Devices) [BOOT] amdxata
Service System32\Drivers\ssadadb.sys (ADB Interface/Google Inc) [MANUAL] androidusb
Service C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Scheduler/Avira Operations GmbH & Co. KG) [AUTO] AntiVirSchedulerService
Service C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira On-Access Service/Avira Operations GmbH & Co. KG) [AUTO] AntiVirService
Service C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE (Avira WebGuard Service/Avira Operations GmbH & Co. KG) [AUTO] AntiVirWebService
Service system32\DRIVERS\arc.sys (Adaptec RAID Storport Driver/Adaptec, Inc.) [MANUAL] arc
Service system32\DRIVERS\arcsas.sys (Adaptec SAS RAID WS03 Driver/Adaptec, Inc.) [MANUAL] arcsas
Service system32\DRIVERS\avgntflt.sys (Avira Minifilter Driver/Avira GmbH) [AUTO] avgntflt
Service system32\DRIVERS\avipbb.sys (Avira Driver for Security Enhancement/Avira GmbH) [SYSTEM] avipbb
Service system32\DRIVERS\avkmgr.sys (Avira Manager Driver/Avira GmbH) [SYSTEM] avkmgr
Service system32\DRIVERS\bxvbda.sys (Broadcom NetXtreme II GigE VBD/Broadcom Corporation) [MANUAL] b06bdrv
Service system32\DRIVERS\b57nd60a.sys (Broadcom NetXtreme Gigabit Ethernet NDIS6.x Unified Driver./Broadcom Corporation) [MANUAL] b57nd60a
Service system32\DRIVERS\BrFiltLo.sys (Windows ME USB Mass-Storage Bulk-Only Lower Filter Driver/Brother Industries, Ltd.) [MANUAL] BrFiltLo
Service system32\DRIVERS\BrFiltUp.sys (Windows ME USB Mass-Storage Bulk-Only Upper Filter Driver/Brother Industries, Ltd.) [MANUAL] BrFiltUp
Service System32\Drivers\Brserid.sys (Brotehr Serial I/F Driver (WDM)/Brother Industries Ltd.) [MANUAL] Brserid
Service System32\Drivers\BrSerWdm.sys (Brother Serial driver (WDM version)/Brother Industries Ltd.) [MANUAL] BrSerWdm
Service System32\Drivers\BrUsbMdm.sys (Brother USB MDM Driver /Brother Industries Ltd.) [MANUAL] BrUsbMdm
Service System32\Drivers\BrUsbSer.sys (Brother USB Serial Driver/Brother Industries Ltd.) [MANUAL] BrUsbSer
Service BTHPORT
Service system32\drivers\cmdide.sys (CMD PCI IDE Bus Driver/CMD Technology, Inc.) [MANUAL] cmdide
Service C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe (CTDevSrv Window Service Application/Creative Technology Ltd) [AUTO] CTDevice_Srv
Service C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe (Creative Centrale Media Server Service/Creative Technology Ltd) [MANUAL] CTUPnPSv
Service system32\DRIVERS\emDevice64.sys (USB 28xx WDM Driver/eMPIA Technology, Inc.) [MANUAL] DCamUSBEMPIA
Service System32\drivers\discache.sys (System Indexer/Cache Driver/Microsoft Corporation) [SYSTEM] discache
Service C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [AUTO] DTSRVC
Service system32\DRIVERS\evbda.sys (Broadcom NetXtreme II 10 GigE VBD/Broadcom Corporation) [MANUAL] ebdrv
Service System32\Drivers\ElbyCDIO.sys (ElbyCD Windows x64 I/O driver/Elaborate Bytes AG) [SYSTEM] ElbyCDIO
Service system32\DRIVERS\elxstor.sys (Storport Miniport Driver for LightPulse HBAs/Emulex) [MANUAL] elxstor
Service system32\drivers\emAudio64.sys (USB EMP Audio Device/eMPIA Technology, Inc.) [MANUAL] emAudio
Service system32\DRIVERS\emFilter64.sys (USB 28xx WDM Lower filter/eMPIA Technology, Inc.) [MANUAL] FiltUSBEMPIA
Service system32\DRIVERS\flpydisk.sys (Floppy Driver/Microsoft Corporation) [MANUAL] flpydisk
Service C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [AUTO] ForceWare Intelligent Application Manager (IAM)
Service C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe (GamesAppService/WildTangent, Inc.) [MANUAL] GamesAppService
Service C:\Program Files (x86)\Acer\Registration\GregHSRW.exe (Global Registration Service/Acer Incorporated) [AUTO] Greg_Service
Service C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc.) [AUTO] gupdate
Service C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc.) [MANUAL] gupdatem
Service system32\drivers\hcw85cir.sys (Hauppauge WinTV 885 Consumer IR Driver for eHome/Hauppauge Computer Works, Inc.) [MANUAL] hcw85cir
Service system32\drivers\HpSAMD.sys (Smart Array SAS/SATA Controller Media Driver/Hewlett-Packard Company) [MANUAL] HpSAMD
Service system32\drivers\iaStorV.sys (Intel Matrix Storage Manager driver - x64/Intel Corporation) [MANUAL] iaStorV
Service C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation) [MANUAL] IDriverT
Service system32\DRIVERS\iirsp.sys (Intel/ICP Raid Storport Driver/Intel Corp./ICP vortex GmbH) [MANUAL] iirsp
Service system32\drivers\RTKVHD64.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) [MANUAL] IntcAzAudAddService
Service C:\Windows\system32\drivers\libusb0.sys (LibUSB-Win32 - Kernel Driver/http://libusb-win32.sourceforge.net) [MANUAL] libusb0
Service system32\DRIVERS\lsi_fc.sys (LSI Fusion-MPT FC Driver (StorPort)/LSI Corporation) [MANUAL] LSI_FC
Service system32\DRIVERS\lsi_sas.sys (LSI Fusion-MPT SAS Driver (StorPort)/LSI Corporation) [MANUAL] LSI_SAS
Service system32\DRIVERS\lsi_sas2.sys (LSI SAS Gen2 Driver (StorPort)/LSI Corporation) [MANUAL] LSI_SAS2
Service system32\DRIVERS\lsi_scsi.sys (LSI Fusion-MPT SCSI Driver (StorPort)/LSI Corporation) [MANUAL] LSI_SCSI
Service C:\Windows\system32\lxbkcoms.exe (Printer Communication System/ ) [AUTO] lxbk_device
Service system32\DRIVERS\MarvinBus64.sys (Pinnacle Marvin Discrete Bus Enumerator/Pinnacle Systems GmbH) [MANUAL] MarvinBus
Service C:\Windows\system32\DRIVERS\mcdbus.sys (MagicISO SCSI Host Controller/MagicISO, Inc.) [MANUAL] mcdbus
Service system32\DRIVERS\megasas.sys (MEGASAS RAID Controller Driver for Windows 7\Server 2008 R2 for x64/LSI Corporation) [MANUAL] megasas
Service system32\DRIVERS\MegaSR.sys (LSI MegaRAID Software RAID Driver/LSI Corporation, Inc.) [MANUAL] MegaSR
Service MSDTC Bridge 3.0.0.0
Service MSDTC Bridge 4.0.0.0
Service system32\drivers\mssmbios.sys (System Management BIOS Driver/Microsoft Corporation) [SYSTEM] mssmbios
Service system32\DRIVERS\mwlPSDFilter.sys (PSD Filter Driver/Egis Technology Inc.) [SYSTEM] mwlPSDFilter
Service system32\DRIVERS\mwlPSDNServ.sys (MyWinLocker PSD Named Pipe Driver/Egis Technology Inc.) [SYSTEM] mwlPSDNServ
Service system32\DRIVERS\mwlPSDVDisk.sys (MyWinLocker PSD Virtual Disk Driver/Egis Technology Inc.) [SYSTEM] mwlPSDVDisk
Service C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe (MyWinLocker Service/Egis Technology Inc.) [MANUAL] MWLService
Service C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero BackItUp/Nero AG) [AUTO] Nero BackItUp Scheduler 4.0
Service system32\DRIVERS\nfrd960.sys (IBM ServeRAID Controller Driver/IBM Corporation) [MANUAL] nfrd960
Service C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [AUTO] nSvcIp
Service C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (Backup Manager Module/NewTech Infosystems, Inc.) [AUTO] NTI IScheduleSvc
Service C:\Windows\system32\drivers\NTIDrvr.sys (NTI CD-ROM Filter Driver/NewTech Infosystems, Inc.) [MANUAL] NTIDrvr
Service system32\DRIVERS\nvm62x64.sys (NVIDIA MCP Networking Function Driver./NVIDIA Corporation) [MANUAL] NVENETFD
Service system32\drivers\nvhda64v.sys (NVIDIA HDMI Audio Driver/NVIDIA Corporation) [MANUAL] NVHDA
Service system32\DRIVERS\nvlddmkm.sys (NVIDIA Windows Kernel Mode Driver, Version 258.96 /NVIDIA Corporation) [MANUAL] nvlddmkm
Service system32\DRIVERS\nvmf6264.sys (NVIDIA MCP Networking Function Driver./NVIDIA Corporation) [MANUAL] NVNET
Service NvNetBus
Service system32\drivers\nvraid.sys (NVIDIA® nForce(TM) RAID Driver/NVIDIA Corporation) [MANUAL] nvraid
Service system32\DRIVERS\nvsmu.sys (NVIDIA nForce(TM) SMU Microcontroller Driver/NVIDIA Corporation) [MANUAL] nvsmu
Service system32\drivers\nvstor.sys (NVIDIA® nForce(TM) Sata Performance Driver/NVIDIA Corporation) [MANUAL] nvstor
Service system32\DRIVERS\nvstor64.sys (NVIDIA® nForce(TM) Sata Performance Driver/NVIDIA Corporation) [BOOT] nvstor64
Service C:\Windows\system32\nvvsvc.exe (NVIDIA Driver Helper Service, Version 258.96/NVIDIA Corporation) [AUTO] nvsvc
Service system32\DRIVERS\PdiPorts.sys (PdiPorts Device Driver/Portrait Displays, Inc.) [MANUAL] PdiPorts
Service C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe (pdisrvc/Portrait Displays, Inc.) [AUTO] PdiService
Service C:\??\C:\Windows\system32\drivers\pfc.sys [MANUAL] pfc
Service c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe (PsiService PsiService/Protexis Inc.) [AUTO] PSI_SVC_2
Service system32\DRIVERS\ql2300.sys (QLogic Fibre Channel Stor Miniport Driver/QLogic Corporation) [MANUAL] ql2300
Service system32\DRIVERS\ql40xx.sys (QLogic iSCSI Storport Miniport Driver/QLogic Corporation) [MANUAL] ql40xx
Service System32\Drivers\RimUsb_AMD64.sys [MANUAL] RimUsb
Service system32\DRIVERS\RimSerial_AMD64.sys (RIM Virtual Serial Driver/Research in Motion Ltd) [MANUAL] RimVSerPort
Service system32\DRIVERS\emScan64.sys (USB 28xx WDM Upper Filter/eMPIA Technology, Inc.) [MANUAL] ScanUSBEMPIA
Service (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [AUTO] secdrv
Service ServiceModelEndpoint 3.0.0.0
Service ServiceModelOperation 3.0.0.0
Service ServiceModelService 3.0.0.0
Service system32\DRIVERS\SiSRaid2.sys (SiS RAID Stor Miniport Driver/Silicon Integrated Systems Corp.) [MANUAL] SiSRaid2
Service system32\DRIVERS\sisraid4.sys (SiS AHCI Stor-Miniport Driver/Silicon Integrated Systems) [MANUAL] SiSRaid4
Service SMSvcHost 3.0.0.0
Service SMSvcHost 4.0.0.0
Service system32\DRIVERS\ssadbus.sys (SAMSUNG Android USB Composite Device Driver/MCCI Corporation) [MANUAL] ssadbus
Service system32\DRIVERS\ssadmdfl.sys (SAMSUNG Android USB Modem Filter Driver/MCCI Corporation) [MANUAL] ssadmdfl
Service system32\DRIVERS\ssadmdm.sys (SAMSUNG Android USB Modem/MCCI Corporation) [MANUAL] ssadmdm
Service system32\DRIVERS\ssadserd.sys (SAMSUNG Android USB Diagnostic Serial Port Device Driver/MCCI Corporation) [MANUAL] ssadserd
Service system32\DRIVERS\stexstor.sys (Promise SuperTrak EX Series Driver for Windows /Promise Technology) [MANUAL] stexstor
Service TCPIP6TUNNEL
Service TCPIPTUNNEL
Service C:\Windows\system32\drivers\UBHelper.sys (NTI CDROM Filter Driver/NewTech Infosystems Corporation) [MANUAL] UBHelper
Service system32\DRIVERS\umpass.sys (Generic pass-through driver/Microsoft Corporation) [MANUAL] UmPass
Service C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Acer Update Service/Acer) [AUTO] Updater Service
Service system32\DRIVERS\VClone.sys (VirtualCloneCD Driver/Elaborate Bytes AG) [MANUAL] VClone
Service system32\DRIVERS\vgapnp.sys (VGA/Super VGA Video Driver/Microsoft Corporation) [MANUAL] vga
Service system32\drivers\viaide.sys (VIA Generic PCI IDE Bus Driver/VIA Technologies, Inc.) [MANUAL] viaide
Service system32\DRIVERS\vsmraid.sys (VIA RAID DRIVER FOR AMD-X86-64/VIA Technologies Inc.,Ltd) [MANUAL] vsmraid
Service C:\Windows\system32\drivers\wimmount.sys (Wim file system Driver/Microsoft Corporation) [MANUAL] WIMMount
Service Windows Workflow Foundation 3.0.0.0
Service C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe [AUTO] WMPNetworkSvc
Service WSearchIdxPi

---- EOF - GMER 1.0.15 ----


#17
March 13th, 2012, 02:13 AM
Jintan
Malware Removal Team Advisor
Join Date: Dec 2004
Posts: 50,114
Not really sure I am seeing anything in that. Can you provide details about how you experience these hijackings occurring, please?
#18
March 13th, 2012, 03:14 AM
bobo
Senior Member
Join Date: Aug 2003
Location: Ontario
Posts: 171
how it hijacks

The home page comes up fine (iGoogle) and I type in a search. Results show, but when I click a link it takes me to a porn site, or a search engine or a site similar to the search topic. Some pages will backpage, others will produce popups that cycle me between the page and the dialog and prevent access to any other tabs, so I am forced to close IE altogether.

Chrome, by the way, seems to be unaffected.

Some sites I end up at: 1) mp3-best-search.com; 2) search-google.r.gd/ - this one was a search for BlackBerry apps, which showed up in the URL after this initial string and took me to a semi-porn site. There I tried to copy part of the page to report here, and an Adobe Flash installer phish came up, which was immediately identified by Avira as a virus, scandsk[1].bat from ww2.strongtlguard.uni.me, also identified in the Avira popup as HIDDENEXT/Crypted. I'll check a few more because I almost lost this message while fooling around with that page.
#19
March 13th, 2012, 01:21 PM
bobo
Senior Member
Join Date: Aug 2003
Location: Ontario
Posts: 171
Another common one

http://www1.bestkesecurity.25u.com/ (huge long string continuing here; same site content as the last one, just different celeb porn. It also started with a numerical ISP redirect before settling on this one. Backpaging brings up a dialog: "Do you want to leave this page?" but here three attempts will finally allow backpaging, and I didn't get the Flash Player installer.)
#20
March 13th, 2012, 01:38 PM
bobo
Senior Member
Join Date: Aug 2003
Location: Ontario
Posts: 171
Another common site

http://tuberene.com/buy/ (this also has a short string attached which I can post if you like. I was leery of posting the entirety of something that somebody might copy and visit, thereby contracting the virus. It is a search engine page where I often end up after a redirect; interestingly, it is an expired domain name and is listed at malwaredomains.com).

Just did another search and it must have gone through about 15 redirects as I tried to backpage - all to different little-known search engines and each unrelated to my search term. In this case high speed clicking managed to get me back to the home page, but it seems to have an inexhaustible supply of site destinations!
#21
March 13th, 2012, 11:52 PM
Jintan
Malware Removal Team Advisor
Join Date: Dec 2004
Posts: 50,114
Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
#22
March 14th, 2012, 01:39 AM
bobo
Senior Member
Join Date: Aug 2003
Location: Ontario
Posts: 171
This has focused on a number of files I have been looking at. But the hijacking continues. Here's the log. Avira was disabled during scan.

ComboFix 12-03-13.01 - Bruce 13/03/2012 19:04:29.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.3839.2296 [GMT -4:00]
Running from: c:\users\Bruce\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Bruce\AppData\Local\Temp\b3ac04aa-9413-4ecb-ac45-ed44495e62a6\CliSecureRT.dll
c:\users\Public\gt2007.bin
c:\users\Public\gt2008.bin
c:\users\Public\gt2009.bin
c:\users\Public\gt2010.bin
c:\windows\jestertb.dll
c:\windows\SysWow64\muzapp.exe
E:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-13 13:05 . 2012-03-13 13:05 -------- d-----w- c:\users\Bruce\AppData\Roaming\Malwarebytes
2012-03-13 13:05 . 2012-03-13 13:05 -------- d-----w- c:\programdata\Malwarebytes
2012-03-13 13:05 . 2012-03-13 13:05 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-13 13:05 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-12 21:50 . 2012-03-12 21:50 -------- d-----w- c:\programdata\Kaspersky Lab
2012-03-12 19:39 . 2012-03-12 19:40 -------- d-----w- c:\users\Bruce\AppData\Roaming\QuickScan
2012-03-12 19:34 . 2012-03-12 19:35 -------- d--h--w- c:\windows\AxInstSV
2012-03-10 03:05 . 2012-03-10 03:05 -------- d-----w- c:\users\Bruce\AppData\Roaming\Avira
2012-03-10 03:02 . 2012-03-10 03:02 -------- d-----w- c:\users\Bruce\AppData\Local\APN
2012-03-10 03:02 . 2012-01-31 13:57 132320 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-03-10 03:02 . 2012-01-31 13:57 97312 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-10 03:02 . 2011-09-16 21:09 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-03-10 03:02 . 2012-03-10 03:03 -------- d-----w- c:\programdata\Avira
2012-03-10 03:02 . 2012-03-10 03:02 -------- d-----w- c:\program files (x86)\Avira
2012-03-09 20:12 . 2012-03-09 20:12 -------- d-----w- c:\windows\SysWow64\2002
2012-03-06 06:24 . 2012-03-06 06:24 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-06 06:21 . 2012-03-06 06:21 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2012-03-06 06:20 . 2012-03-10 01:31 -------- dc----w- c:\windows\system32\DRVSTORE
2012-03-06 06:20 . 2012-03-06 06:20 -------- d-----w- c:\program files (x86)\Lavasoft
2012-03-06 06:20 . 2012-03-10 01:31 -------- d-----w- c:\programdata\Lavasoft
2012-03-02 20:12 . 2012-03-09 20:12 -------- d-----w- c:\windows\SysWow64\1070
2012-02-27 17:56 . 2012-02-27 17:56 -------- d-----w- c:\program files (x86)\GenuSource Consulting
2012-02-15 14:52 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 14:52 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-15 14:52 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 14:52 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 14:52 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 14:52 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 14:52 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 14:52 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-04 23:52 . 2011-06-05 23:50 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-13 23:57 . 2011-06-02 13:06 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2012-01-05 01:45 . 2012-01-05 01:45 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-08-23 22:42 . 2011-10-16 18:28 332144 ----a-w- c:\program files (x86)\Common Files\MediaOrganizer.dll
2011-08-23 22:35 . 2011-10-16 18:28 33136 ----a-w- c:\program files (x86)\Common Files\FlickrProvider.dll
2011-08-23 22:35 . 2011-10-16 18:28 402800 ----a-w- c:\program files (x86)\Common Files\facebook.dll
2011-08-23 22:35 . 2011-10-16 18:28 130416 ----a-w- c:\program files (x86)\Common Files\PluginCommon.dll
2011-08-23 22:34 . 2011-10-16 18:28 465264 ----a-w- c:\program files (x86)\Common Files\AppFramework.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{76E35D83-0819-1F3A-7879-47B836505709}]
2009-07-14 01:16 73728 ----a-w- c:\windows\SysWOW64\nlmggp.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-10 13:41 120104 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"SoftAuto.exe"="c:\program files (x86)\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2011-11-02 21392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-08-12 261888]
"Hotkey Utility"="c:\program files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe" [2009-08-18 629280]
"EgisTecLiveUpdate"="c:\program files (x86)\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]
"PivotSoftware"="c:\program files (x86)\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2010-06-30 121456]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-07-11 74752]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2011-11-02 928656]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2011-11-02 3508624]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-01 90448]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
c:\users\Bruce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2011-4-23 576000]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-18 135664]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-18 135664]
R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-11-23 29184]
R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-10 305448]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-01-31 86224]
S2 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [2008-02-19 565928]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-08-12 62208]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2010-04-16 109168]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\At1.job
- c:\windows\SysWOW64\netbbtugc.exe [2011-06-23 12:17]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-18 03:23]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-18 03:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-10 13:44 137512 ----a-w- c:\program files (x86)\EgisTec\MyWinLocker 3\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"mwlDaemon"="c:\program files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-10 349480]
"lxbkbmgr.exe"="c:\program files (x86)\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en&source=iglk
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_x1800&r=17360610c907p0458v135w4461s40q
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-RegistryMechanic - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1159214114-3949205995-1174191015-1001\Software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11f_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Creative\Shared Files\CTDevSrv.exe
c:\program files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
.
**************************************************************************
.
Completion time: 2012-03-13 19:15:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 23:15
.
Pre-Run: 446,202,765,312 bytes free
Post-Run: 449,284,644,864 bytes free
.
- - End Of File - - DD7902564483EE579238C4BFBE1EB607
  #23  
Old March 14th, 2012, 11:36 PM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,114
Not seeing it yet, but you do seem to be describing the usual search hijacking antics malware has been using lately.

To do Google searches for now, use this link:

http://www.google.com/webhp?complete=0&hl=en

That takes out any suggestion items, and tends to steer clear of these hijackings.


Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop (click next to "Lien de téléchargement:").

Close all open programs
Remember to right click -> run as administrator, and click the downloaded file.
When prompted, type 1, and press Enter.
A RKreport.txt will be created in the same location as the RogueKiller file.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again.

Please post the contents of the RKreport.txt.
  #24  
Old March 15th, 2012, 04:07 AM
bobo bobo is offline
Senior Member
 
Join Date: Aug 2003
Location: Ontario
Posts: 171
Hmmmm. Didn't get a prompt, just a pre-scan, then a request to press scan. Only ran for about 30 seconds and then I got the following from a "report" button. Different version? Anyway, I hope this is the sort of report you were looking for.

Thanks for the google alternative suggestion. I'm okay on that score, though, just not using IE for now as Chrome is unaffected. I'd like to get back to IE, though, as I like a few things about how it runs better than Chrome.

Here is the log:


RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Bruce [Admin rights]
Mode: Scan -- Date: 03/14/2012 23:00:44

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[SCRSV] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Windows\WLXPGSS.SCR) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD64 00AAKS-22A7B SCSI Disk Device +++++
--- User ---
[MBR] d1ffc4a0e30dfbd35568174a866118f0
[BSP] aa5008ad1183a50fe5c2f1c55c3f8881 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 28674048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 28878848 | Size: 596378 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: SAMSUNG HD103SI USB Device +++++
--- User ---
[MBR] 4d6148a0c91f5e69ab1d0d9ad04903b6
[BSP] 3f0636d36bb8afd6817dc6008929de51 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: CENTON USB Device +++++
--- User ---
[MBR] 4f597dc4896abbda993e394c7ad84cce
[BSP] 0fde52951c9e8d43617ac37bb67edad7 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 2184 | Size: 7648 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
  #25  
Old March 15th, 2012, 11:36 PM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,114
I see something we need to check.

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

at /delete

Agree to allow it to remove all tasks, then type exit and press Enter to close the window.

-----------

Click here and download the 64 bit version of jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

Code:
:filefind
netbbtugc.exe
Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.
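The entry being acted on here is the At1.job task in the ComboFix log above, which launches c:\windows\SysWOW64\netbbtugc.exe. The following Python is an added example, not a tool from this thread: it parses the 'Scheduled Tasks' section of a ComboFix log (the sample string is the section posted above) and lists the tasks a reviewer should look at. The two heuristics and the SYSTEM_DIRS list are my assumptions, not anything ComboFix itself applies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the 'Scheduled Tasks' section of the ComboFix log posted
# earlier in this thread, copied into a string so the parser runs offline.
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\At1.job
- c:\windows\SysWOW64\netbbtugc.exe [2011-06-23 12:17]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-18 03:23]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-18 03:23]
.
--------- x86-64 -----------
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?)(?: \[[^\]]*\])?$")  # drops trailing [date time]
AT_JOB_RE = re.compile(r"\\at\d+\.job$", re.IGNORECASE)  # jobs created with at.exe
# Assumption: a loose executable run from one of these directories deserves a look.
SYSTEM_DIRS = {r"c:\windows\syswow64", r"c:\windows\system32"}

@dataclass
class Task:
    job: str                      # path of the .job file
    target: Optional[str] = None  # executable the task launches

def parse_tasks(log: str) -> List[Task]:
    """Pair each .job line with the '- <target>' line that follows it."""
    _, _, body = log.partition(SECTION_HEADER)  # empty when the section is absent
    tasks: List[Task] = []
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("---"):  # header of the next ComboFix section
            break
        if m := JOB_RE.match(line):
            tasks.append(Task(job=m.group(1)))
        elif (m := TARGET_RE.match(line)) and tasks and tasks[-1].target is None:
            tasks[-1].target = m.group(1)
    return tasks

def reasons_to_review(task: Task) -> List[str]:
    """Heuristics only: they build a review list, not a verdict."""
    reasons = []
    if AT_JOB_RE.search(task.job):
        reasons.append("At<N>.job: created with at.exe, not a named vendor task")
    if task.target and task.target.lower().rsplit("\\", 1)[0] in SYSTEM_DIRS:
        reasons.append("target is a loose executable directly in a system directory")
    return reasons

def review(log: str) -> List[Tuple[str, List[str]]]:
    """Return (job, reasons) for every task with at least one reason to review."""
    return [(t.job, r) for t in parse_tasks(log) if (r := reasons_to_review(t))]
```

Feeding a saved C:\ComboFix.txt to review() instead of SAMPLE_LOG gives the same kind of list for a real log; on the sample only At1.job comes back, with both reasons.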
  #26  
Old March 16th, 2012, 02:55 AM
bobo bobo is offline
Senior Member
 
Join Date: Aug 2003
Location: Ontario
Posts: 171
SystemLook 30.07.11 by jpshortstuff
Log created at 21:48 on 15/03/2012 by Bruce
Administrator - Elevation successful

========== filefind ==========

Searching for "netbbtugc.exe"
C:\Windows\SysWOW64\netbbtugc.exe --a---- 45056 bytes [02:42 23/06/2011] [12:17 20/11/2010] 371D2FCF751D9C2E3608A5E1C7C88828

-= EOF =-
  #27  
Old March 16th, 2012, 11:01 PM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,114
Need to check that file.

Please locate the following highlighted file(s), zip a copy of it, and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -bobo/cth/file" as the email Subject.

C:\Windows\SysWOW64\netbbtugc.exe

Important that you zip the file, so it is more likely to get past email scanners.
  #28  
Old March 24th, 2012, 03:12 PM
bobo bobo is offline
Senior Member
 
Join Date: Aug 2003
Location: Ontario
Posts: 171
Hi again

Hi. Sent it in - did it show anything?
  #29  
Old March 25th, 2012, 01:29 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,114
Oh darn. I did get that file, thanks, and checked it, but then wandered off. As you mentioned in your email, the file you sent only had one "b", and was a legit file. The file we need to check was this still:

Searching for "netbbtugc.exe"
C:\Windows\SysWOW64\netbbtugc.exe --a---- 45056 bytes [02:42 23/06/2011] [12:17 20/11/2010] 371D2FCF751D9C2E3608A5E1C7C88828


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start Search, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KillAll::
Suspect::
C:\Windows\SysWOW64\netbbtugc.exe
Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When the scan completes this time a text log will open, as well as an indication the removed files need to be submitted for analysis (showing under "Suspect" in the CFScript). You can just close the browser window and allow the scan to complete, as we will be assessing these locally.

Once the ComboFix scan completes, I would like you to locate the new zipped file on your desktop, called Submit [Date Time].zip, and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -bobo/cth/cf" as the email Subject.
  #30  
Old March 26th, 2012, 02:38 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,114
I did receive that correct file, thanks. Your file:

File: netbbtugc.exe
Size: 45056
MD5: 371D2FCF751D9C2E3608A5E1C7C88828

And in a very few other very current threads:

sffc.exe MD5: 371d2fcf751d9c2e3608a5e1c7c88828

C:\Windows\SysWOW64\reeg.exe 371d2fcf751d9c2e3608a5e1c7c88828

So bogus. But what its purpose is I am still checking. So far it seems to be initiated by some other mechanism.

Let's see what comes looking for it.

------------

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start Search, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KillAll::
FMove::
C:\Windows\SysWOW64\netbbtugc.exe | C:\larry.dog
Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Keep an eye out for anything unusual, especially something seeking a now missing netbbtugc.exe. FYI - with it moved and renamed to a non-executable file, it is then harmless.

----------

Click here to download Bobbi Flekman's Regsearch.zip to your desktop. Then unzip that, and click on the regsearch.exe to run the tool. In the display panel, copy and paste the following into the upper box:

netbbtugc

Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).

----------

Open Gmer again. Once it has completed its opening scan, this time just right-click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.