Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Persistent search engine redirection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Persistent search engine redirection

Unread postby EAB » May 21st, 2010, 4:44 am

Hi, usually I can fake my way through these attacks but having a hard time removing this one, so I just signed up with the site to see what I can learn and fix the problem.

Description: When using a search engine, clicking a link in the search results leads to a redirection to blank pages or advertising sites. Extra browser windows will periodically activate themselves leading to the same blank / advertising pages even during normal use. Attempts to remove using CA, spybot, and superantispyware have been unsuccessful. Malwarebytes has been inoperative for some time, finally deleted. Firefox and Google are primarily used. OS is Vista.


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:27:26 AM, on 5/21/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Windows\System32\nvraidservice.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [lnngatyf] C:\Users\Eric\AppData\Local\roeaypyiv\aomygmytssd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - Unknown owner - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (file missing)
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6758 bytes




Uninstall list:

AC3Filter 1.61b
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.3.2
Adobe Shockwave Player
Any Video Converter 2.7.8
AoA Audio Extractor 1.0
Apple Application Support
Apple Software Update
Applian FLV Player
CA Anti-Spyware
CA Anti-Virus
CA Internet Security Suite
CA Pest Patrol Realtime Protection
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DVD Decrypter (Remove Only)
Flash Catcher
Global Agenda Trial
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java(TM) 6 Update 20
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nTune
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OGA Notifier 2.0.0048.0
On2 VP7 Personal Edition
PC Pitstop Disk MD 2.0
PC Pitstop Optimize 1.5
PVSonyDll
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Star Trek Online
Star Wars Galaxies
Station Launcher
Steam
Switch Sound File Converter
System Requirements Lab
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
Vista Codec Package
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.0
Windows Media Player Firefox Plugin



Thanks in advance for any assistance.
EAB
Active Member
 
Posts: 5
Joined: May 21st, 2010, 4:23 am
Advertisement
Register to Remove

Re: Persistent search engine redirection

Unread postby xixo_12 » May 22nd, 2010, 6:45 pm

Hello and Welcome to Malware Removal Forums.
  • My name is xixo_12 and I will guide you.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • You may wish to print them off or copy the instruction into Notepad.
  • If you have any question please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interact with me until your computer is clean.

Please make sure you have done your reading on this topic : How to get help at this forum
Please! If you need more time to do all the instructions, let me know before 72hours is done. Otherwise, your thread will be closed
***Note : Windows Vista require user to right click > Run as Administrator to use the tools.

First,
P2P software.
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

  • It's not a good idea to have them.
  • You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • If you do not wish to remove your P2P programs, don't proceed with the next instruction and please tell me to close this topic.

Next,
OTM by Old Timer.
Please download from HERE and save to the desktop.
  • Right click on OTM.exe > Run as an Administrator.
  • Copy the lines in the codebox below.
    :processes
    :files
    C:\Program Files\DNA
    :commands
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar, Code box into OTMoveIt3 (1).) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.

Note:
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
  • If you are asked to reboot the machine choose Yes.
  • In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next,
CKScanner.
Please download from HERE and save to the desktop.
  • Right click on CKScanner.exe > Run as Administrator to run it and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Next,
Checklist.
Please post.
  • Content of OTM log.
  • Content of CKFiles.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Persistent search engine redirection

Unread postby EAB » May 23rd, 2010, 12:06 am

Hi xixo_12. I am sorry to say that things have become more complicated since my initial posting.

Just today, my user profile service stopped loading at startup. The profile does however load normally in safe mode. I attempted making a second profile, which has the same error messages upon startup. This leads me to suspect that the profile is still intact (I hope) but the malware is interfering with it on startup.

So, I followed your steps in both safe mode AND normal startup (where I get the user profile error, which I am posting from now) results are:


OTM - First run, not in safe mode:


All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Program Files\DNA\plugins folder moved successfully.
C:\Program Files\DNA folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Journal

User: RegBack

User: systemprofile
->Temp folder emptied: 720896 bytes
->Temporary Internet Files folder emptied: 1679602 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 21753366 bytes
->Flash cache emptied: 27033 bytes

User: TxR

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 81920 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 320 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 23.00 mb







OTM - Next run, in Safe Mode:


All processes killed
========== PROCESSES ==========
========== FILES ==========
File/Folder C:\Program Files\DNA not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2045065 bytes
->FireFox cache emptied: 33694805 bytes
->Flash cache emptied: 42635 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Eric
->Temp folder emptied: 234728 bytes
->Temporary Internet Files folder emptied: 1196540 bytes
->Java cache emptied: 67369751 bytes
->FireFox cache emptied: 36062496 bytes
->Flash cache emptied: 655278 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 81920 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 135.00 mb





CKscanner - Not in safe mode:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----





CKscanner - Safe Mode:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----
EAB
Active Member
 
Posts: 5
Joined: May 21st, 2010, 4:23 am

Re: Persistent search engine redirection

Unread postby xixo_12 » May 23rd, 2010, 3:04 am

Hi,
Let's proceed.

First,
Malwarebytes' Anti-Malware.
Download Malwarebytes' Anti-Malware here and save to the desktop.
  • Right click on mbam-setup.exe > Run as Administrator and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    Image
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
Checklist.
Please post.
  • Content of MBAM log
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Persistent search engine redirection

Unread postby EAB » May 23rd, 2010, 9:53 am

Ran log once again in safe mode as user profile will not load normally.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18904

5/23/2010 4:58:51 AM
mbam-log-2010-05-23 (04-58-51).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 221804
Time elapsed: 36 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnngatyf (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Eric\AppData\Local\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
EAB
Active Member
 
Posts: 5
Joined: May 21st, 2010, 4:23 am

Re: Persistent search engine redirection

Unread postby xixo_12 » May 23rd, 2010, 9:59 am

Hi,
Let's proceed.

First,
DeFogger - Disable
Please download from HERE and save to the desktop.
  • Right click on DeFogger.exe > Run as Administrator to run it.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If nothing appear, please do reboot manually.
.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next,
RSIT by random/random.
Please download from HERE and save to the desktop.
  • Right click on RSIT.exe > Run as Administrator to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.
***You can find manually the log at C:\rsit

Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on Gmer.exe > Run as Administrator to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan,click NO.
  • Click on >>> symbol and choose on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..

Next,
Checklist.
Please post.
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Persistent search engine redirection

Unread postby EAB » May 23rd, 2010, 8:11 pm

RSIT run in safe mode

GMER will not complete successfully (4 attempts and blue screen each time)



log.txt

Logfile of random's system information tool 1.07 (written by random/random)
Run by Eric at 2010-05-23 18:05:39
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 537 GB (56%) free of 954 GB
Total RAM: 2558 MB (86% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\CAAntiSpywareScan_Daily as Eric at 7 18 PM.job
C:\Windows\tasks\PC Pitstop Disk MD - Monthly C.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}]
SnapFlash Class - C:\Program Files\Common Files\Justdo\Jd2002.dll [2006-03-16 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-03 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"NVRaidService"=C:\Windows\system32\nvraidservice.exe [2006-12-22 178176]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-02-15 4390912]
""= []
"NVIDIA nTune"=C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-01-22 81920]
"PC Pitstop Optimize Scheduler"=C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe [2008-03-26 2577120]
"TkBellExe"=C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe -osboot []
"cctray"=C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe [2010-01-29 181488]
"CAVRID"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2010-01-29 230640]
"cafw"=C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe [2010-01-29 771312]
"capfasem"=C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe [2010-01-29 173296]
"CaPPcl"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2010-01-29 472304]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"=c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe []
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe []
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]


CAAntiSpywareScan_Daily as Eric at 7 18 PM.job
PC Pitstop Disk MD - Monthly C.job
SA.DAT
SCHEDLGU.TXT


CAAntiSpywareScan_Daily as Eric at 7 18 PM.job
PC Pitstop Disk MD - Monthly C.job
SA.DAT
SCHEDLGU.TXT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-05-23 18:05:39 ----D---- C:\rsit
2010-05-23 04:06:32 ----D---- C:\Users\Eric\AppData\Roaming\Malwarebytes
2010-05-22 22:18:40 ----D---- C:\_OTM
2010-05-22 15:52:38 ----D---- C:\Sun
2010-05-22 15:26:50 ----SHD---- C:\Windows\system32\%APPDATA%
2010-05-21 19:38:39 ----D---- C:\ProgramData\Alwil Software
2010-05-21 19:38:39 ----D---- C:\Program Files\Alwil Software
2010-05-21 03:27:12 ----D---- C:\Program Files\Trend Micro
2010-05-21 03:26:00 ----D---- C:\ProgramData\Sun
2010-05-21 03:26:00 ----D---- C:\Program Files\Common Files\Java
2010-05-21 03:25:44 ----A---- C:\Windows\system32\deployJava1.dll
2010-05-20 21:33:03 ----DC---- C:\Windows\system32\DRVSTORE
2010-05-20 21:30:49 ----D---- C:\ProgramData\Lavasoft
2010-05-20 21:30:49 ----D---- C:\Program Files\Lavasoft
2010-05-13 13:04:34 ----D---- C:\Program Files\QuickTime(118)
2010-05-13 13:04:34 ----D---- C:\Program Files\QuickTime
2010-05-13 13:04:33 ----D---- C:\ProgramData\Apple Computer
2010-05-12 16:12:13 ----A---- C:\Windows\system32\inetcomm.dll
2010-05-01 07:46:48 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-27 11:30:24 ----D---- C:\Program Files\Common Files\Adobe AIR
2010-04-27 11:29:43 ----D---- C:\Users\Eric\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

======List of files/folders modified in the last 1 months======

2010-05-23 18:05:41 ----A---- C:\Windows\ntbtlog.txt
2010-05-23 18:02:23 ----D---- C:\Windows\System32
2010-05-23 18:02:23 ----D---- C:\Windows\inf
2010-05-23 18:02:23 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-05-23 17:56:30 ----D---- C:\Windows\Temp
2010-05-23 17:54:04 ----D---- C:\Windows\Prefetch
2010-05-23 16:57:03 ----D---- C:\Windows\system32\catroot2
2010-05-23 16:55:23 ----D---- C:\Windows\system32\Msdtc
2010-05-23 16:55:21 ----D---- C:\Windows\system32\wbem
2010-05-23 16:55:21 ----D---- C:\Windows
2010-05-23 16:54:12 ----D---- C:\Windows\system32\config
2010-05-23 16:54:04 ----D---- C:\Windows\winsxs
2010-05-23 16:54:04 ----D---- C:\Windows\system32\drivers
2010-05-23 16:54:04 ----D---- C:\Windows\ehome
2010-05-23 16:54:04 ----D---- C:\Program Files\Windows Sidebar
2010-05-23 16:54:04 ----D---- C:\Program Files\Windows Media Player
2010-05-23 16:54:04 ----D---- C:\Program Files\Windows Defender
2010-05-23 16:54:04 ----D---- C:\Program Files\Internet Explorer
2010-05-23 16:54:00 ----D---- C:\Windows\Tasks
2010-05-23 16:54:00 ----D---- C:\Windows\system32\Tasks
2010-05-23 16:54:00 ----D---- C:\Windows\system32\spool
2010-05-23 16:54:00 ----D---- C:\Windows\system32\CodeIntegrity
2010-05-23 16:53:59 ----SHD---- C:\Windows\Installer
2010-05-23 16:53:59 ----D---- C:\Windows\Minidump
2010-05-23 16:53:59 ----D---- C:\Users\Eric\AppData\Roaming\vlc
2010-05-23 16:53:59 ----D---- C:\Users\Eric\AppData\Roaming\Ventrilo
2010-05-23 16:53:58 ----D---- C:\Users\Eric\AppData\Roaming\DNA
2010-05-23 16:53:57 ----D---- C:\ProgramData\NVIDIA
2010-05-23 16:53:56 ----HD---- C:\ProgramData
2010-05-23 16:53:56 ----D---- C:\Program Files\Steam
2010-05-23 16:53:56 ----D---- C:\Program Files\StarWarsGalaxies
2010-05-23 16:53:56 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-05-23 16:53:54 ----RD---- C:\Program Files
2010-05-23 16:53:54 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-05-23 16:53:53 ----SHD---- C:\$Recycle.Bin
2010-05-23 16:53:52 ----D---- C:\Windows\registration
2010-05-23 16:51:34 ----SHD---- C:\System Volume Information
2010-05-23 16:42:50 ----D---- C:\Users\Eric\AppData\Roaming\SUPERAntiSpyware.com
2010-05-23 16:42:50 ----D---- C:\Users\Eric\AppData\Roaming\BitTorrent
2010-05-23 16:42:49 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-05-23 16:42:49 ----D---- C:\Program Files\SUPERAntiSpyware
2010-05-22 17:40:22 ----D---- C:\Windows\Microsoft.NET
2010-05-22 17:32:20 ----D---- C:\Windows\system32\directx
2010-05-22 14:00:21 ----D---- C:\Windows\system32\catroot
2010-05-21 03:26:00 ----D---- C:\Program Files\Common Files
2010-05-21 03:25:42 ----D---- C:\Program Files\Java
2010-05-13 03:01:43 ----D---- C:\Program Files\Windows Mail
2010-05-03 15:50:13 ----A---- C:\Windows\kgt2k.INI
2010-04-30 13:51:06 ----A---- C:\Windows\system32\mrt.exe
2010-04-29 11:56:16 ----AD---- C:\ProgramData\TEMP
2010-04-28 02:11:23 ----RSD---- C:\Windows\Fonts
2010-04-27 12:25:47 ----D---- C:\Program Files\Adobe
2010-04-27 11:30:29 ----D---- C:\ProgramData\Adobe
2010-04-27 11:29:42 ----D---- C:\Users\Eric\AppData\Roaming\Adobe
2010-04-27 10:52:35 ----D---- C:\Program Files\Common Files\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\Windows\system32\drivers\VETFDDNT.sys [2010-01-29 21488]
S1 KmxAgent;KmxAgent; C:\Windows\System32\DRIVERS\kmxagent.sys [2008-06-24 63504]
S1 KmxFile;KmxFile; C:\Windows\System32\DRIVERS\KmxFile.sys [2008-06-24 45584]
S1 KmxFilter;HIPS Core Filter Driver; C:\Windows\system32\DRIVERS\KmxFilter.sys [2007-09-05 51728]
S1 VETEFILE;VET File Scan Engine; C:\Windows\system32\drivers\VETEFILE.sys [2010-01-29 739696]
S1 VET-FILT;VET File System Filter; C:\Windows\system32\drivers\VET-FILT.sys [2010-01-29 26352]
S1 VETMONNT;VET File Monitor; C:\Windows\system32\drivers\VETMONNT.sys [2010-01-29 161008]
S1 VET-REC;VET File System Recognizer; C:\Windows\system32\drivers\VET-REC.sys [2010-01-29 21104]
S2 KmxCF;KmxCF; C:\Windows\System32\DRIVERS\KmxCF.sys [2008-06-24 138744]
S2 KmxSbx;KmxSbx; C:\Windows\System32\DRIVERS\KmxSbx.sys [2008-06-24 66576]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-02-14 1740904]
S3 KmxCfg;KmxCfg; C:\Windows\System32\DRIVERS\kmxcfg.sys [2008-06-24 88816]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver; C:\Windows\system32\DRIVERS\NetMotCM.sys [2004-09-29 15360]
S3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-08-01 1052704]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2010-01-11 11586280]
S3 VETEBOOT;VET Boot Scan Engine; C:\Windows\system32\drivers\VETEBOOT.sys [2010-01-29 133520]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2008-07-11 717296]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 CAISafe;CAISafe; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe [2010-01-29 144696]
S2 ITMRTSVC;CA Pest Patrol Realtime Protection Service; C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe [2008-09-29 283888]
S2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2010-01-11 129640]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe []
S2 UmxAgent;HIPS Event Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2008-06-24 1010192]
S2 UmxCfg;HIPS Configuration Interpreter; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2008-06-24 801296]
S2 UmxFwHlp;HIPS Firewall Helper; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe [2007-09-05 145936]
S2 UmxPol;HIPS Policy Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
S2 VETMSGNT;VET Message Service; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe [2010-01-29 255216]
S3 CaCCProvSP;CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [2010-01-29 214256]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 PPCtlPriv;PPCtlPriv; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2010-01-29 185584]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-07-16 316664]

-----------------EOF-----------------











info.txt

Time Written: 20090717041027.699532-000
Event Type: Audit Success
User:

Computer Name: QUADZILLA
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 35593
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090717040823.802532-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=C:\Program Files\NVIDIA Corporation\PhysX\Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=4
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=MINIMAL

-----------------EOF-----------------
EAB
Active Member
 
Posts: 5
Joined: May 21st, 2010, 4:23 am

Re: Persistent search engine redirection

Unread postby xixo_12 » May 24th, 2010, 9:17 am

Hi,
Let's proceed.

First,
Advices.
===============================
Registry related program.
===============================

Next,
OTM by Old Timer.
Please run it again using this code and provide the log
Code: Select all
:processes
:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""=-
""=-
""=-
""=-
""=-
""=-
""=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"=-
"BitTorrent DNA"=-
:files
C:\Users\Eric\AppData\Roaming\DNA
C:\Users\Eric\AppData\Roaming\BitTorrent
c:\program files\uniblue
:commands
[emptytemp]
[start explorer]
[reboot]


Next,
Normal mode
Please try to boot into normal mode.
I'm afraid it's because your previous habit : Using registry fixer. You must aware about it after reading my first advice as above in this post.
This may take times to diagnostic if you like to continue.

Next,
Checklist.
Please post.
  • Content of OTM log.
  • Any question that you have.
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Persistent search engine redirection

Unread postby jmw3 » May 27th, 2010, 9:55 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 32 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware