Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Google Hijacked!

Re: Google Hijacked!

Unread postby Airscape » July 13th, 2010, 12:10 am

I mean rename combofix.exe to cf.com
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 13th, 2010, 10:27 pm

I tried changing the .exe file on the desktop to cf.com. Same result saying CA Anti Virus is still active. Do I need to get CA completely cleared off the machine? Or is it ok to just run ComboFix as is?
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 13th, 2010, 11:41 pm

Yes carry on with ComboFix... if CA interferes... run ComboFix in Safe Mode.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 14th, 2010, 10:21 am

I ran ComboFix and it started ok, then gave me the same active CA messages, I kept OKing the process and it started fine, but after about an hour, it seemed to have no progress. I checked Task manager and it was not using any CPU. Did it crash or should I give it more time?
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 14th, 2010, 11:01 am

Did you try Safe Mode?
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 14th, 2010, 12:37 pm

I did finally get it to successfully run. Here is the log:

ComboFix 10-07-13.08 - Owner 07/14/2010 11:03:27.4.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.733 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\CF.com.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Owner\Application Data\Zear
c:\documents and settings\Owner\Application Data\Zear\lepyi.exe
c:\program files\webserver
c:\windows\jtrmsan.dll
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\Thumbs.db
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PPDRV
-------\Legacy_SVCHOST32
-------\Legacy_WEBSERVER
-------\Service_svchost32


((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))
.

2010-07-12 02:06 . 2010-07-12 02:06 -------- d-----w- c:\documents and settings\Owner\Application Data\CallingID
2010-07-12 00:37 . 2010-07-12 00:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-09 17:01 . 2010-07-09 17:01 -------- d-----w- c:\program files\ESET
2010-07-08 16:10 . 2010-07-08 16:13 -------- d-----w- C:\rsit
2010-07-08 16:06 . 2010-07-08 16:06 -------- d-----w- c:\program files\ERUNT
2010-07-06 04:42 . 2010-07-06 04:42 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-06-25 18:11 . 2010-07-14 11:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 19:49 . 2010-06-24 19:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2010-06-16 18:40 . 2010-06-16 18:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-06-16 18:40 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-16 18:40 . 2010-06-16 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-16 18:39 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-16 18:39 . 2010-06-16 18:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 16:26 . 2008-11-09 23:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-07-14 02:32 . 2010-02-03 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2010-07-14 02:32 . 2010-07-14 02:32 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2010-07-14 02:32 . 2010-07-14 02:32 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2010-07-12 09:24 . 2008-01-24 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Ikuko
2010-07-12 03:22 . 2006-02-13 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-07-12 02:05 . 2005-09-01 19:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-11 04:49 . 2008-07-02 13:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-09 18:57 . 2005-09-01 19:50 -------- d-----w- c:\program files\Microsoft Works
2010-07-08 20:48 . 2006-10-14 14:54 -------- d-----w- c:\program files\Palm
2010-07-08 16:13 . 2008-06-30 19:19 -------- d-----w- c:\program files\Trend Micro
2010-06-16 22:26 . 2007-11-04 05:54 2098 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-11 21:31 . 2010-06-11 21:31 10752 ----a-w- c:\windows\DCEBoot.exe
2010-06-11 20:19 . 2010-03-26 02:09 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-06-06 02:41 . 2009-02-01 21:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 02:53 . 2010-05-26 02:46 -------- d-----w- c:\documents and settings\Owner\Application Data\MP3Rocket
2010-05-26 02:48 . 2010-05-26 02:46 -------- d-----w- c:\program files\MP3 Rocket
2010-05-26 02:46 . 2010-05-26 02:45 -------- d-----w- c:\program files\Ask.com
2010-05-06 10:41 . 2005-03-23 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-03-23 16:53 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-03-23 16:52 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-04-15 23:26 . 2008-04-15 23:18 595928 ----a-w- c:\program files\setup Steel Bldg.exe
2006-09-27 20:25 . 2007-01-09 16:33 1445888 ----a-w- c:\program files\WinsockxpFix.exe
2007-05-22 01:29 . 2010-02-24 02:51 69632 --sh--r- c:\windows\lnchshll.exe
2007-05-22 01:29 . 2010-02-24 02:51 49152 --sh--r- c:\windows\ScrnInt.exe
2004-08-04 19:00 . 2005-03-23 16:52 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2005-03-23 16:52 50688 --sh--w- c:\windows\twain_32.dll
2007-05-17 21:05 . 2010-02-24 02:51 368640 --sh--r- c:\windows\xlsp.exe
2007-11-04 05:54 . 2007-11-04 05:54 88 --sh--r- c:\windows\system32\B21105B38A.sys
2008-04-14 00:11 . 2005-03-23 16:52 1028096 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2005-03-23 16:52 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2005-03-23 16:52 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2005-03-23 16:52 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2005-03-23 16:52 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-08 22:40 1362320 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-08 1362320]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-08 1362320]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Roboform\RoboTaskBarIcon.exe" [2008-03-22 160592]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-05-25 1253376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Roboform\RoboTaskBarIcon.exe" [2008-03-22 160592]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\documents and settings\Owner\My Documents\RCA Detective\RCADetective.exe [2009-7-8 1070080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-4-25 25214]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk.disabled]
backup=c:\windows\pss\AT&T Self Support Tool.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morning Offiice Routine.lnk]
backup=c:\windows\pss\Morning Offiice Routine.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
2007-03-28 14:38 1015808 ----a-w- c:\program files\ACT\Act for Windows\ActSage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2007-03-28 14:43 9728 -c--a-w- c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Free Clock]
2006-01-24 04:31 356352 ----a-w- c:\program files\Handy Free Clock\hfc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HFC.exe]
2006-01-24 04:31 356352 ----a-w- c:\program files\Handy Free Clock\hfc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-07-10 09:13 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-07-10 09:25 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-08-09 11:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-08-09 11:03 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 15:36 267048 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KONICA MINOLTA PagePro 1400W STD]
2005-08-22 04:03 184320 ----a-w- c:\windows\system32\MSTMON_Y.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mainstreet login script]
2006-03-14 16:44 147 ----a-w- c:\windows\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 04:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 03:24 32768 -c--a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
2004-05-27 00:57 139264 -c--a-w- c:\program files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-03-27 00:20 499712 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-03-27 00:20 98304 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
2008-02-28 17:35 1885464 ----a-w- c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uniblue RegistryBooster 2"=c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16327:TCP"= 16327:TCP:BitComet 16327 TCP
"16327:UDP"= 16327:UDP:BitComet 16327 UDP
"443:TCP"= 443:TCP:800Meet_Conn_Port
"8200:TCP"= 8200:TCP:800Meet_Conn_Port
"8085:TCP"= 8085:TCP:pdrv

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [10/31/2007 1:30 PM 91136]
R2 Canon NetSpot Suite Service;Canon NetSpot Suite Service;c:\program files\Canon\Vdc\AuVdc.exe [10/3/2006 2:06 PM 57344]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 MSSQL$EMMSDE;MSSQL$EMMSDE;c:\program files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe -sEMMSDE --> c:\program files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe -sEMMSDE [?]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [10/31/2007 1:42 PM 114944]
R2 xlsp;xlsp;c:\windows\xlsp.exe [2/23/2010 9:51 PM 368640]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [10/31/2007 1:29 PM 23180]
R3 TunRDriverV32;TunRDriverV32;c:\windows\system32\drivers\TunRDriverV32.sys [9/14/2007 12:40 AM 513152]
R3 TunRVideo32;TunRVideo32;c:\windows\system32\drivers\TunRVideo32.sys [9/14/2007 12:40 AM 2688]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 9:39 AM 135664]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [9/14/2007 12:40 AM 184320]
S3 SQLAgent$EMMSDE;SQLAgent$EMMSDE;c:\program files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlagent.EXE -i EMMSDE --> c:\program files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlagent.EXE -i EMMSDE [?]
S4 ProtectsStore;RtoAutos; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 14:38]

2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 14:38]

2010-07-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-08 22:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:1361
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Roboform\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Roboform\RoboFormComSavePass.html
Trusted Zone: allregs.com\www
Trusted Zone: classmates.com\secure
Trusted Zone: classmates.com\www
Trusted Zone: mortgagemarketguide.com
Trusted Zone: usbank.com\sellus
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xglh0wtj.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPE2Host.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{75243E56-3860-B048-E389-C46190A83261} - c:\documents and settings\Owner\Application Data\Zear\lepyi.exe
HKLM-Run-VetStart - c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
HKU-Default-Run-Oqukiquyiwi - c:\windows\jtrmsan.dll
Notify-avldr - (no file)
MSConfigStartUp-PC Pitstop Optimize Reminder - c:\program files\PCPitstop\Optimize3\Reminder-Optimize3.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ProtectsStore]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1456)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(520)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\FOG\File Own Guard\FOGExpExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\VPN Client\cvpnd.exe
c:\program files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\cryptainersrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2010-07-14 11:34:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-14 16:34
ComboFix2.txt 2008-07-12 03:39

Pre-Run: 23,940,558,848 bytes free
Post-Run: 23,864,651,776 bytes free

- - End Of File - - 36DC2CB5BEDA9C43CB18F49A1F37E33C
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 14th, 2010, 6:58 pm

Hi raynorth,

Go to VirusTotal or Jotti
Click the browse button next to the white box.
Copy/paste the following file and path into the file name box:

c:\windows\lnchshll.exe

Click Open.
Click Send/Submit, and the file will be scanned for malware.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found, and post the results/links in your next reply.

Note: if the file has been scanned before, please reanalyze the file if asked.

Repeat for these files then post the results/links:
c:\windows\ScrnInt.exe
c:\windows\DCEBoot.exe
c:\windows\system32\B21105B38A.sys
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm
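The four files Airscape asks to have checked can be picked out of the ComboFix log above by two properties visible in the Find3M rows: the attribute string (lnchshll.exe, ScrnInt.exe and B21105B38A.sys carry --sh--r-, hidden plus system) and the location (DCEBoot.exe was written straight into c:\windows a month before the scan). The Python below is an added triage example, not a ComboFix or MalwareRemoval.com tool: it parses Find3M-style rows (the 'Files Created' section uses the same layout) into records, lists executables with either property for manual hash lookup, and flags the log's IE proxy entry pointing at 127.0.0.1. The sample rows are copied from the log above; the function and field names are my own.

```python
"""Triage helpers for ComboFix log text (added example, not a ComboFix tool).

Parses 'Find3M Report' / 'Files Created' rows and the Supplementary Scan
proxy line, and returns items that deserve a manual look.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# A Find3M row: created . modified size attributes path, for example
#   2007-05-22 01:29 . 2010-02-24 02:51 69632 --sh--r- c:\windows\lnchshll.exe
# Directory rows carry '--------' in the size column and a leading 'd' in
# the attribute string.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) ([-a-z]{8}) (.+)$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
EXEC_EXTS = (".exe", ".dll", ".sys", ".com", ".bat", ".scr")

# Constructed sample: rows copied from the log posted in this thread.
SAMPLE_LOG = r"""
2010-07-14 16:26 . 2008-11-09 23:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-06-16 22:26 . 2007-11-04 05:54 2098 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-11 21:31 . 2010-06-11 21:31 10752 ----a-w- c:\windows\DCEBoot.exe
2010-05-06 10:41 . 2005-03-23 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2007-05-22 01:29 . 2010-02-24 02:51 69632 --sh--r- c:\windows\lnchshll.exe
2007-05-22 01:29 . 2010-02-24 02:51 49152 --sh--r- c:\windows\ScrnInt.exe
2007-11-04 05:54 . 2007-11-04 05:54 88 --sh--r- c:\windows\system32\B21105B38A.sys
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:1361
""".splitlines()


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directory rows
    attrs: str           # e.g. '--sh--r-': s=system, h=hidden, r=read-only
    path: str            # lower-cased for stable comparisons


def parse_find3m(lines):
    """Return an Entry for every line that matches the Find3M row layout."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue  # section banners, registry keys, blank lines
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(created, "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            size=None if size == "--------" else int(size),
            attrs=attrs,
            path=path.lower(),
        ))
    return entries


def review_candidates(entries):
    """Map path -> reasons for executables that merit a hash lookup.

    Two cheap heuristics, mirroring what a helper scans for by eye:
    - an executable carrying both the hidden and the system attribute;
    - an executable sitting directly in the Windows directory root, an
      unusual drop location for legitimately installed software.
    The result is a review list, not a verdict.
    """
    hits = {}
    for e in entries:
        if e.attrs[0] == "d" or not e.path.endswith(EXEC_EXTS):
            continue
        reasons = []
        if "s" in e.attrs and "h" in e.attrs:
            reasons.append("hidden+system")
        if e.path.rsplit("\\", 1)[0] == "c:\\windows":
            reasons.append("windows-root")
        if reasons:
            hits[e.path] = reasons
    return hits


def loopback_proxy(lines):
    """Return the IE proxy setting if it points at 127.0.0.1, else None.

    A browser forced through a proxy on the local host lets a resident
    process rewrite pages and search results while the network looks normal,
    so this line is worth correlating with the processes and services list.
    """
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if m and "127.0.0.1" in m.group(1):
            return m.group(1).strip()
    return None


if __name__ == "__main__":
    for path, why in review_candidates(parse_find3m(SAMPLE_LOG)).items():
        print(f"{path}: {', '.join(why)}")
    print("loopback proxy:", loopback_proxy(SAMPLE_LOG))
```

Run against the full log above, the hidden+system rule also surfaces Microsoft runtime DLLs in system32 (mfc42.dll, msvcrt.dll and others), which is exactly why the output is a review list and the hash lookup Airscape requests decides the outcome.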

Re: Google Hijacked!

Unread postby raynorth » July 14th, 2010, 7:41 pm

Here are the results:

Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.14 -
AhnLab-V3 2010.07.15.00 2010.07.14 -
AntiVir 8.2.4.10 2010.07.14 -
Antiy-AVL 2.0.3.7 2010.07.14 -
Authentium 5.2.0.5 2010.07.15 -
Avast 4.8.1351.0 2010.07.14 -
Avast5 5.0.332.0 2010.07.15 -
AVG 9.0.0.836 2010.07.15 -
BitDefender 7.2 2010.07.14 -
CAT-QuickHeal 11.00 2010.07.14 -
ClamAV 0.96.0.3-git 2010.07.15 -
Comodo 5430 2010.07.15 -
DrWeb 5.0.2.03300 2010.07.15 -
eSafe 7.0.17.0 2010.07.14 -
eTrust-Vet 36.1.7706 2010.07.14 -
F-Prot 4.6.1.107 2010.07.14 -
F-Secure 9.0.15370.0 2010.07.15 -
Fortinet 4.1.143.0 2010.07.14 -
GData 21 2010.07.15 -
Ikarus T3.1.1.84.0 2010.07.14 -
Jiangmin 13.0.900 2010.07.14 -
Kaspersky 7.0.0.125 2010.07.14 -
McAfee 5.400.0.1158 2010.07.15 -
McAfee-GW-Edition 2010.1 2010.07.14 -
Microsoft 1.5902 2010.07.15 -
NOD32 5278 2010.07.14 -
Norman 6.05.11 2010.07.14 -
nProtect 2010-07-14.01 2010.07.14 -
Panda 10.0.2.7 2010.07.14 -
PCTools 7.0.3.5 2010.07.15 -
Prevx 3.0 2010.07.15 -
Rising 22.56.02.04 2010.07.14 -
Sophos 4.55.0 2010.07.15 -
Sunbelt 6582 2010.07.14 -
SUPERAntiSpyware 4.40.0.1006 2010.07.15 -
Symantec 20101.1.1.7 2010.07.14 -
TheHacker 6.5.2.1.313 2010.07.13 -
TrendMicro 9.120.0.1004 2010.07.14 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.15 -
VBA32 3.12.12.6 2010.07.14 -
ViRobot 2010.7.12.3932 2010.07.14 -
VirusBuster 5.0.27.0 2010.07.14 -
Additional information
File size: 69632 bytes
MD5...: 01ce6e48af57d56828dc2403bc8d3f29
SHA1..: 2ef08aaa37244405a28d2904f4eee38809c7ad1f
SHA256: 8729673f5bad7409eddf1bea69d82bca51a463e84f7af344227cb65235fa1148
ssdeep: 768:kk6KXYEKNJM45QAPLVTMmEMDSxWXVNHQynEScorxW7zpR6Qp0c+uomljBJKZa:kSYv/tMmEMD/EPotWxEPuoQBkZa

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5057
timedatestamp.....: 0x46522b4a (Mon May 21 23:29:14 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9ede 0xa000 6.63 1cffc118db0aa17d1f0f22465e822a1a
.rdata 0xb000 0x13a8 0x2000 3.60 ffbe673f0a022ca8633aebe5a7e9a9bf
.data 0xd000 0x2598 0x1000 2.07 8596743e3bbe244fa27baac3a4dabd16
.rsrc 0x10000 0x2978 0x3000 3.56 876d06a5473a24f39aec319f635df119

( 6 imports )
> KERNEL32.dll: InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, GetVersionExA, Sleep, GetTickCount, GetStartupInfoA, WideCharToMultiByte, ReadFile, GetFileSize, CreateFileA, GetWindowsDirectoryA, GetModuleFileNameA, GetLastError, MultiByteToWideChar, InterlockedIncrement, lstrlenA, CloseHandle, InterlockedDecrement, CompareStringW, CompareStringA, FlushFileBuffers, SetStdHandle, LoadLibraryA, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, GetStringTypeW, GetStringTypeA, SetFilePointer, IsBadCodePtr, IsBadReadPtr, WriteFile, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, SetUnhandledExceptionFilter, LCMapStringW, SetEnvironmentVariableA, LCMapStringA, HeapSize, HeapReAlloc, GetVersion, GetCommandLineA, GetModuleHandleA, HeapAlloc, HeapFree, RtlUnwind, RaiseException, GetTimeZoneInformation, GetSystemTime, GetLocalTime, ExitProcess, TerminateProcess, GetCurrentProcess
> ADVAPI32.dll: OpenServiceA, ControlService, OpenSCManagerA
> ole32.dll: CoInitialize, CoCreateInstance, CoTaskMemFree, OleUninitialize, CoTaskMemAlloc
> SHELL32.dll: FindExecutableA, ShellExecuteA
> USER32.dll: MessageBoxA, DdeInitializeA, DdeUninitialize, GetFocus, FindWindowA, ShowWindow, SetFocus, DdeAccessData, TranslateMessage, DdeConnectList, DdeGetLastError, DdeQueryNextServer, DdeDisconnectList, DdeConnect, DdeQueryStringA, DdeCreateStringHandleA, DdeNameService, DdeClientTransaction, DdeFreeStringHandle, DdeCreateDataHandle, DdeFreeDataHandle, DdeDisconnect, PeekMessageA, DdeUnaccessData, DispatchMessageA
> OLEAUT32.dll: -, -, -, -

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Warranty Corporation of America
copyright....: Copyright (c) 2003-2004
product......: Mobile Lifeline
description..: MLL Helper
original name: LnchShll.EXE
internal name: Decryption Tool
file version.: 2.001
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

--------------------------------------------------------
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.14 -
AhnLab-V3 2010.07.15.00 2010.07.14 -
AntiVir 8.2.4.10 2010.07.14 -
Antiy-AVL 2.0.3.7 2010.07.14 -
Authentium 5.2.0.5 2010.07.15 -
Avast 4.8.1351.0 2010.07.14 -
Avast5 5.0.332.0 2010.07.15 -
AVG 9.0.0.836 2010.07.15 -
BitDefender 7.2 2010.07.14 -
CAT-QuickHeal 11.00 2010.07.14 -
ClamAV 0.96.0.3-git 2010.07.15 -
Comodo 5430 2010.07.15 -
DrWeb 5.0.2.03300 2010.07.15 -
eSafe 7.0.17.0 2010.07.14 -
eTrust-Vet 36.1.7706 2010.07.14 -
F-Prot 4.6.1.107 2010.07.14 -
F-Secure 9.0.15370.0 2010.07.15 -
Fortinet 4.1.143.0 2010.07.14 -
GData 21 2010.07.15 -
Ikarus T3.1.1.84.0 2010.07.14 -
Jiangmin 13.0.900 2010.07.14 -
Kaspersky 7.0.0.125 2010.07.14 -
McAfee 5.400.0.1158 2010.07.15 -
McAfee-GW-Edition 2010.1 2010.07.14 -
Microsoft 1.5902 2010.07.15 -
NOD32 5278 2010.07.14 -
Norman 6.05.11 2010.07.14 -
nProtect 2010-07-14.01 2010.07.14 -
Panda 10.0.2.7 2010.07.14 -
PCTools 7.0.3.5 2010.07.15 -
Prevx 3.0 2010.07.15 -
Rising 22.56.02.04 2010.07.14 -
Sophos 4.55.0 2010.07.15 -
Sunbelt 6582 2010.07.14 -
SUPERAntiSpyware 4.40.0.1006 2010.07.15 -
Symantec 20101.1.1.7 2010.07.14 -
TheHacker 6.5.2.1.313 2010.07.13 -
TrendMicro 9.120.0.1004 2010.07.14 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.15 -
VBA32 3.12.12.6 2010.07.14 -
ViRobot 2010.7.12.3932 2010.07.14 -
VirusBuster 5.0.27.0 2010.07.14 -
Additional information
File size: 49152 bytes
MD5...: 0c0593cda83916fc231523b46c9c25fc
SHA1..: d6d7c48b7152f2375ad969679be10fd453b92851
SHA256: 18d2f1653a82f80df74fa212789aa591160147cec5e7691549431a827762a3be
ssdeep: 768:YlR/H15Ezds88c+GcbXwaMWfQC8M2AXM9xR489z+WnVyeo:YlVV5EzW8y/QC8M2AYptRo

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3476
timedatestamp.....: 0x46522b4c (Mon May 21 23:29:16 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x64c0 0x7000 6.17 3e6ff212416b8c42ff798dbda33191df
.rdata 0x8000 0x100e 0x2000 3.26 7feaa51084a8e45eeba107f7a87a8ef7
.data 0xa000 0x2738 0x1000 1.64 6c191d6e33435d3e4c75dbf95edd7312
.rsrc 0xd000 0x140 0x1000 0.29 bb00410c2b5f58eae3a5b80a5a0c6bf8

( 6 imports )
> KERNEL32.dll: SetStdHandle, LoadLibraryA, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, SetFilePointer, IsBadCodePtr, IsBadReadPtr, SetUnhandledExceptionFilter, WriteFile, GetFileType, GetStringTypeA, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, Sleep, FreeEnvironmentStringsA, GetModuleFileNameA, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, LCMapStringW, LCMapStringA, IsBadWritePtr, HeapReAlloc, VirtualAlloc, GetStringTypeW, FlushFileBuffers, OpenEventA, GetStdHandle, SetEvent, VirtualFree, HeapCreate, HeapDestroy, ExitProcess, GetVersion, CloseHandle, GetCommandLineA, GetStartupInfoA, MulDiv, WideCharToMultiByte, GetLastError, FreeEnvironmentStringsW, MultiByteToWideChar, RtlUnwind, HeapFree, HeapAlloc, GetModuleHandleA
> USER32.dll: SetTimer, ReleaseDC, IsZoomed, ShowWindow, GetFocus, GetWindowTextA, GetParent, IsWindowVisible, MessageBoxA, EndDialog, GetWindowRect, GetSystemMetrics, MoveWindow, GetDC, PostMessageA, GetDlgItem, KillTimer, DialogBoxParamA, SetWindowTextA, MapWindowPoints, SetFocus, SetWindowPos, GetClientRect
> GDI32.dll: CreateHalftonePalette, DeleteObject, GetDeviceCaps
> ole32.dll: OleSetContainedObject, CoCreateInstance, OleInitialize
> OLEAUT32.dll: -, -, -
> ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegSetValueExA, RegOpenKeyExA

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (51.5%)
Windows Screen Saver (17.9%)
Win32 Executable Generic (11.6%)
Win32 Dynamic Link Library (generic) (10.3%)
Win32 Executable MS Visual FoxPro 7 (3.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

-------------------------------------------------------------
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.14 -
AhnLab-V3 2010.07.15.00 2010.07.14 Win-Trojan/Rootkit.10752.K
AntiVir 8.2.4.10 2010.07.14 -
Antiy-AVL 2.0.3.7 2010.07.14 -
Authentium 5.2.0.5 2010.07.15 -
Avast 4.8.1351.0 2010.07.14 -
Avast5 5.0.332.0 2010.07.15 -
AVG 9.0.0.836 2010.07.15 -
BitDefender 7.2 2010.07.14 -
CAT-QuickHeal 11.00 2010.07.14 -
ClamAV 0.96.0.3-git 2010.07.15 -
Comodo 5430 2010.07.15 -
DrWeb 5.0.2.03300 2010.07.15 -
eSafe 7.0.17.0 2010.07.14 Win32.TrojanHorse
eTrust-Vet 36.1.7706 2010.07.14 -
F-Prot 4.6.1.107 2010.07.15 -
F-Secure 9.0.15370.0 2010.07.15 -
Fortinet 4.1.143.0 2010.07.14 -
GData 21 2010.07.15 -
Ikarus T3.1.1.84.0 2010.07.14 -
Jiangmin 13.0.900 2010.07.14 -
Kaspersky 7.0.0.125 2010.07.14 -
McAfee 5.400.0.1158 2010.07.15 -
McAfee-GW-Edition 2010.1 2010.07.14 -
Microsoft 1.5902 2010.07.15 -
NOD32 5278 2010.07.14 -
Norman 6.05.11 2010.07.14 -
nProtect 2010-07-14.01 2010.07.14 Trojan/W32.Agent.10752.LU
Panda 10.0.2.7 2010.07.14 -
PCTools 7.0.3.5 2010.07.15 -
Prevx 3.0 2010.07.15 -
Rising 22.56.02.04 2010.07.14 -
Sophos 4.55.0 2010.07.15 -
Sunbelt 6582 2010.07.14 -
SUPERAntiSpyware 4.40.0.1006 2010.07.15 -
Symantec 20101.1.1.7 2010.07.14 -
TheHacker 6.5.2.1.313 2010.07.13 -
TrendMicro 9.120.0.1004 2010.07.14 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.15 -
VBA32 3.12.12.6 2010.07.14 -
ViRobot 2010.7.12.3932 2010.07.14 Trojan.Win32.Rootkit.10752
VirusBuster 5.0.27.0 2010.07.14 -
Additional information
File size: 10752 bytes
MD5...: 1a69e2188dac0e9233df53f20c48c592
SHA1..: d4a8a1c7a6a6e977efb540a5cb7f1f4d5a65df7c
SHA256: bbe3143b9fd76e2402b1da7473a506699b89f2cac08ed3dc1e7bc7463d17ea89
ssdeep: 192:cDjU/eCH5T3h47Eeh8ogAKmqf5g60LhB4wNwHV:cP+EK5e74qwH

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x28bb
timedatestamp.....: 0x4a55b810 (Thu Jul 09 09:27:44 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1c4c 0x1e00 5.60 a50bc4568c53d7ed402dda0056cdd416
.data 0x3000 0x519 0x600 7.11 d09c70e16152458497a14fa274af6478
.reloc 0x4000 0xde 0x200 2.56 6cab77cd58490b77b82237009a881b1e

( 1 imports )
> ntdll.dll: NtReadFile, NtCreateFile, NtQueryInformationFile, NtSetInformationFile, NtClose, ZwSetInformationFile, NtDeleteFile, NtOpenKey, NtQueryValueKey, NtSetValueKey, RtlInitUnicodeString, RtlCreateHeap, wcsncpy, memset, RtlDestroyHeap, RtlFreeHeap, RtlDosPathNameToNtPathName_U, RtlAllocateHeap, RtlAdjustPrivilege, memmove, NtTerminateProcess, _chkstk

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

--------------------------------------------------------
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.14 -
AhnLab-V3 2010.07.15.00 2010.07.14 -
AntiVir 8.2.4.10 2010.07.14 -
Antiy-AVL 2.0.3.7 2010.07.14 -
Authentium 5.2.0.5 2010.07.15 -
Avast 4.8.1351.0 2010.07.14 -
Avast5 5.0.332.0 2010.07.15 -
AVG 9.0.0.836 2010.07.15 -
BitDefender 7.2 2010.07.14 -
CAT-QuickHeal 11.00 2010.07.14 -
ClamAV 0.96.0.3-git 2010.07.15 -
Comodo 5430 2010.07.15 -
DrWeb 5.0.2.03300 2010.07.15 -
eSafe 7.0.17.0 2010.07.14 -
eTrust-Vet 36.1.7706 2010.07.14 -
F-Prot 4.6.1.107 2010.07.15 -
F-Secure 9.0.15370.0 2010.07.15 -
Fortinet 4.1.143.0 2010.07.14 -
GData 21 2010.07.15 -
Ikarus T3.1.1.84.0 2010.07.14 -
Jiangmin 13.0.900 2010.07.14 -
Kaspersky 7.0.0.125 2010.07.14 -
McAfee 5.400.0.1158 2010.07.15 -
McAfee-GW-Edition 2010.1 2010.07.14 -
Microsoft 1.5902 2010.07.15 -
NOD32 5278 2010.07.14 -
Norman 6.05.11 2010.07.14 -
nProtect 2010-07-14.01 2010.07.14 -
Panda 10.0.2.7 2010.07.14 -
PCTools 7.0.3.5 2010.07.15 -
Prevx 3.0 2010.07.15 -
Rising 22.56.02.04 2010.07.14 -
Sophos 4.55.0 2010.07.15 -
Sunbelt 6582 2010.07.14 -
SUPERAntiSpyware 4.40.0.1006 2010.07.15 -
Symantec 20101.1.1.7 2010.07.14 -
TheHacker 6.5.2.1.313 2010.07.13 -
TrendMicro 9.120.0.1004 2010.07.14 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.15 -
VBA32 3.12.12.6 2010.07.14 -
ViRobot 2010.7.12.3932 2010.07.14 -
VirusBuster 5.0.27.0 2010.07.14 -
Additional information
File size: 88 bytes
MD5...: c61ec75c3575c4928ac0672e553bc441
SHA1..: c52a557a28b77654ef9ae8c600d8bf78bfead9a7
SHA256: 0ac0f99901d1dbac232ffbf1be0d22938ac532e23b7a4728b5ac56ea3d838ed1
ssdeep: 3:hl/8mRWDqn5LXMn:Qmwk54n

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: MS Flight Simulator Aircraft Performance Info (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
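The PEInfo blocks above are VirusTotal's parse of each upload's PE headers. The "ntrpy" column is the Shannon entropy of each section's raw bytes; a value approaching 8.0 (such as the 7.11 on the .data section of the 10752-byte sample, the one that drew the Rootkit detections) usually means packed or encrypted content, and together with an import table made up only of ntdll.dll native calls it is what makes that sample look different from the others. As an added example that is not part of the thread and not VirusTotal's own code, here is a Python script that computes the same base data and per-section figures using only the standard library. It builds a constructed two-section PE32 image inline (made-up sections and hashes, not any file from this thread; only the timestamp value is borrowed from the report above so the date formatting can be compared) so that it runs offline; pass real file bytes to parse_pe() to reproduce a report's section table. ssdeep is left out because it needs an external library.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0); this is VirusTotal's 'ntrpy' column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                             # COFF file header is 20 bytes
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    table = opt + opt_size                                      # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsiz]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": viradd, "virsiz": virsiz, "rawdsiz": rawsiz,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp, "entrypoint": entry_rva, "sections": sections}


def high_entropy_sections(info: dict, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests packed or encrypted content (threshold is a rule of thumb)."""
    return [s["name"] for s in info["sections"] if s["ntrpy"] >= threshold]


def file_hashes(image: bytes) -> dict:
    """The whole-file hashes shown under 'Additional information'."""
    return {algo: hashlib.new(algo, image).hexdigest() for algo in ("md5", "sha1", "sha256")}


def render_report(image: bytes) -> str:
    """Print the base data and section table in the same layout as the PEInfo block."""
    info = parse_pe(image)
    when = datetime.fromtimestamp(info["timestamp"], timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    lines = [
        f"entrypointaddress.: 0x{info['entrypoint']:x}",
        f"timedatestamp.....: 0x{info['timestamp']:x} ({when})",
        f"machinetype.......: 0x{info['machine']:x}",
        "name viradd virsiz rawdsiz ntrpy md5",
    ]
    for s in info["sections"]:
        lines.append(f"{s['name']} 0x{s['viradd']:x} 0x{s['virsiz']:x} 0x{s['rawdsiz']:x} "
                     f"{s['ntrpy']:.2f} {s['md5']}")
    return "\n".join(lines)


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image used as sample input; not a real file from the thread."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4A55B810, 0, 0, 224, 0x0102)   # I386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    text_raw = bytes(range(256)) * 2                 # every byte value twice: entropy 8.0, looks packed
    data_raw = b"A" * 256 + b"B" * 256               # two equally likely symbols: entropy 1.0
    sections = (
        struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, len(text_raw), 0x200, 0, 0, 0, 0, 0x60000020),
        struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, len(data_raw), 0x400, 0, 0, 0, 0, 0xC0000040),
    )
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"".join(sections)
    return headers.ljust(0x200, b"\0") + text_raw + data_raw   # headers padded to 512-byte file alignment


if __name__ == "__main__":
    sample = build_sample_pe()
    print(render_report(sample))
    print("high-entropy sections:", high_entropy_sections(parse_pe(sample)))
    print(file_hashes(sample))
```

Entropy alone is not a verdict: a legitimate installer with a compressed payload scores just as high, which is why the helper in this thread also looks at imports, file location and signing status before deciding what to remove.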

Re: Google Hijacked!

Unread postby Airscape » July 15th, 2010, 2:05 pm

Just to double-check: which of the files I listed was detected? Did you upload them in order? :?

c:\windows\lnchshll.exe
c:\windows\ScrnInt.exe
c:\windows\DCEBoot.exe --- if you listed in the same order I did then this is the one?
c:\windows\system32\B21105B38A.sys --- probably would have been this?

AhnLab-V3 2010.07.15.00 2010.07.14 Win-Trojan/Rootkit.10752.K
eSafe 7.0.17.0 2010.07.14 Win32.TrojanHorse
nProtect 2010-07-14.01 2010.07.14 Trojan/W32.Agent.10752.LU
ViRobot 2010.7.12.3932 2010.07.14 Trojan.Win32.Rootkit.10752

Re: Google Hijacked!

Unread postby raynorth » July 15th, 2010, 2:56 pm

I ran them in order and I believe I did put in the logs in order. When I had to browse to find the first 2 files, they were not listed, but when I manually typed the names into the open box, they did upload. I guess they were hidden. I found all the files to upload, but the first 2 seem to have been hidden. Is the trojan what needs to be cleaned off the computer?

Re: Google Hijacked!

Unread postby Airscape » July 15th, 2010, 6:39 pm

Is the trojan what needs to be cleaned off the computer?

I wouldn't worry too much about the file, as only a few antiviruses detect it anyway. Don't try to delete anything yet.

If you don't mind, can you please upload this file again and post the results? If it's been scanned before, reanalyse it:

c:\windows\DCEBoot.exe

http://virusscan.jotti.org/en
http://www.virustotal.com/
http://virscan.org/

Re: Google Hijacked!

Unread postby raynorth » July 15th, 2010, 7:29 pm

2010-04-26 Found nothing 2010-04-26 Found nothing
2010-04-25 Found nothing 2010-04-26 Found nothing
2010-04-25 Found nothing 2010-04-26 Found nothing
2010-04-26 Found nothing 2010-04-26 Found nothing
2010-04-26 Found nothing 2010-04-25 Found nothing
2010-04-26 Found nothing 2010-04-26 Found nothing
2010-04-20 Found nothing 2010-04-26 Found nothing
2010-04-26 Found nothing 2010-04-25 Found nothing
2010-04-25 Found nothing 2010-04-25 Found nothing

Used http://virusscan.jotti.org/en

Re: Google Hijacked!

Unread postby Airscape » July 16th, 2010, 1:27 pm

Hi raynorth,

Can you please upload this file again to Jotti or, if it is busy, to VirusTotal:
c:\windows\system32\B21105B38A.sys


Backup the Registry:

Please navigate to Start >> All Programs >> ERUNT >> ERUNT.

  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry
    • Current user registry
  • Next click on OK
  • When the Question pop-up appears click on Yes
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Uninstall programs
Click Start > Control Panel > Add/Remove Programs
Click on each of the programs listed below, click Remove, etc., then restart the PC.

Spyware Doctor 6.0
Uniblue RegistryBooster 2


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download/Run OTM
Download OTM by OldTimer from Here and save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy/Paste the text inside the Code box below into Paste Instructions for Items to be Moved

Code: Select all
:Processes

:Files
C:\Program Files\Ask.com
C:\Program Files\Uniblue
C:\Program Files\BitTorrent
C:\Program Files\DNA
C:\Program Files\Spyware Doctor
c:\windows\system32\d3d9caps.dat
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Free Clock]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HFC.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KONICA MINOLTA PagePro 1400W STD]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mainstreet login script]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Reminder]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk.disabled]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morning Offiice Routine.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"=-
"C:\Program Files\DNA\btdna.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16327:TCP"=-
"16327:UDP"=-
"8085:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{995ca3ee-ec35-11db-b9e3-00904bfdd50a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd17936e-ea6c-11de-bde8-00904bfdd50a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3244e30-6be1-11de-bd00-006073eeb18b}]

:Services
sdAuxService
sdCoreService

:Commands
[EmptyTemp]
[Reboot]


  • Click on the MoveIt! button
  • When the tool is finished, click on Exit
  • Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
  • A log will be produced at C:\_OTM\MovedFiles\date_time.log where date_time are numbers.
  • Please copy/paste the contents of that log into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware and click the Update tab >> then Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post this log in your next reply.
If you receive an (Error Loading) error on reboot, please reboot a second time.
It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

Please post back with the MBAM and OTM logs, and tell me whether the file from Jotti is bad.
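An OTM script like the one above is a plain-text fix list that a helper assembles by hand from scan logs, so it pays to lint it before asking someone to run it: a mistyped hive, a key pasted twice, or a path copied from a log that uses its own abbreviations. As an added example that is not part of the thread and not OTM's own code, here is a Python parser for the :Processes / :Files / :Reg / :Services / :Commands layout the script uses, following the .reg-style conventions visible in it ([-KEY] deletes a key, [KEY] selects a key and "name"=- deletes a value under it). It builds a plan of what would be removed and warns about case-insensitive duplicates, unknown hives and the "~" shorthand that scan logs use in key paths. The sample script embedded in it is constructed for the demonstration: the GUID, paths and service name are made up.

```python
import re

SECTION_RE = re.compile(r"^:(Processes|Files|Reg|Services|Commands)\s*$", re.IGNORECASE)
REG_DELETE_KEY_RE = re.compile(r"^\[-(?P<key>[^\]]+)\]$")
REG_OPEN_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DELETE_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')
KNOWN_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
               "HKEY_USERS", "HKLM", "HKCU", "HKCR", "HKU"}

# Constructed sample script (made-up GUID, paths and service), not the one posted in the thread.
SAMPLE_SCRIPT = r"""
:Files
C:\Program Files\ExampleToolbar
C:\Program Files\exampletoolbar

:Reg
[-HKEY_CLASSES_ROOT\clsid\{00000000-1111-2222-3333-444444444444}]
[-HKEY_CLASSES_ROOT\clsid\{00000000-1111-2222-3333-444444444444}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\ExampleTool\example.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16327:TCP"=-

:Services
exampleService

:Commands
[EmptyTemp]
[Reboot]
"""


def _check_key(key: str, lineno: int, warnings: list) -> None:
    """Flag keys that do not start with a real hive or that carry scan-log shorthand."""
    hive = key.split("\\", 1)[0].upper()
    if hive not in KNOWN_HIVES:
        warnings.append(f"line {lineno}: unknown hive in {key}")
    if "\\~\\" in key:
        warnings.append(f"line {lineno}: '~' scan-log shorthand in {key}; confirm the tool expands it")


def parse_otm_script(text: str) -> dict:
    """Turn an OTM fix script into a removal plan plus warnings about suspicious lines."""
    plan = {"processes": [], "files": [], "reg_keys": [], "reg_values": [],
            "services": [], "commands": [], "warnings": []}
    seen = set()
    section = None
    current_key = None

    def record(kind: str, item: str, lineno: int) -> None:
        marker = (kind, item.lower())            # Windows paths and registry keys are case-insensitive
        if marker in seen:
            plan["warnings"].append(f"line {lineno}: duplicate {kind}: {item}")
        seen.add(marker)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            continue
        if section is None:
            plan["warnings"].append(f"line {lineno}: text before any section header: {line}")
        elif section == "reg":
            delete_key = REG_DELETE_KEY_RE.match(line)      # checked first: "[-X]" also matches the open form
            open_key = REG_OPEN_KEY_RE.match(line)
            delete_value = REG_DELETE_VALUE_RE.match(line)
            if delete_key:
                key = delete_key.group("key")
                _check_key(key, lineno, plan["warnings"])
                record("key", key, lineno)
                plan["reg_keys"].append(key)
            elif open_key:
                current_key = open_key.group("key")
                _check_key(current_key, lineno, plan["warnings"])
            elif delete_value and current_key:
                name = delete_value.group("name")
                record("value", current_key + "\\" + name, lineno)
                plan["reg_values"].append((current_key, name))
            else:
                plan["warnings"].append(f"line {lineno}: unrecognised :Reg line: {line}")
        else:
            if section == "files":
                record("file", line, lineno)
            plan[section].append(line)
    return plan


def summarize(plan: dict) -> str:
    """One-line count of what the script removes, followed by any warnings."""
    parts = [f"{len(plan['files'])} file(s)/folder(s), {len(plan['reg_keys'])} key(s), "
             f"{len(plan['reg_values'])} value(s), {len(plan['services'])} service(s) to remove"]
    parts += ["WARNING " + w for w in plan["warnings"]]
    return "\n".join(parts)


if __name__ == "__main__":
    print(summarize(parse_otm_script(SAMPLE_SCRIPT)))
```

Run it over a script before posting it and read the warnings the way a reviewer would: a duplicate is harmless but shows the list was not proofread, while an unknown hive or an unexpanded shorthand means a line will silently do nothing and the persistence entry it was meant to remove will survive the reboot.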

Re: Google Hijacked!

Unread postby NonSuch » July 20th, 2010, 12:15 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.