Pupils DiL8t (All American, 4960 posts):
I've somehow received an unusual virus. I've tried removing it with TrendMicro, Malwarebytes and Spybot, but nothing has worked.
I've noticed new popup windows in my Vista toolbar, mostly from Internet Explorer (although I never use it) and Mozilla. I haven't noticed any in Chrome.
However, even when clicking on a Google search result in Chrome, it will open a completely different search engine page instead of the desired link, followed by a new popup window in Internet Explorer.
I wish I could at least remove Internet Explorer. Any help?
2/21/2010 11:34:03 PM
evan (All American, 27701 posts):
Sounds like someone's hijacked your TCP stack, if I had to take a guess based on this info.
http://free.antivirus.com/hijackthis/ Run it, post the report here, and we will help.
2/21/2010 11:41:11 PM
Pupils DiL8t (All American, 4960 posts):
2/22/2010 3:45:19 PM
craptastic (All American, 6115 posts):
2/22/2010 4:14:39 PM
Grandmaster (All American, 10829 posts):
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
2/22/2010 8:23:50 PM
BIGcementpon (Status Name, 11319 posts):
Why didn't you just copy and paste the log file into a new message and save yourself some time?
2/22/2010 10:23:39 PM
evan (All American, 27701 posts):
Yeah, seriously, please just copy and paste it, haha.
2/22/2010 11:07:58 PM
GKMatt (All American, 2426 posts):
What are these?
2/23/2010 10:14:39 AM
quagmire02 (All American, 44225 posts):
ComboFix, if you have a 32-bit OS.
Otherwise, is it similar to what I was experiencing a few weeks back?
message_topic.aspx?topic=585361
2/23/2010 11:01:15 AM
ArcBoyeee (All American, 1208 posts):
VUNDO
VIRTUMONDE
If you have it, then I have the 3 fix files. I have only found ONE way to eradicate this.
2/23/2010 2:44:13 PM
Pupils DiL8t (All American, 4960 posts):
HijackThis, for whatever reason, pulled up a blank text file instead of a text file with the log report, so I was unable to copy and paste those results.
ComboFix seemed to just stop running during its scan, so I never received any log report from it.
Using DDS, I was able to copy and paste this log report:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 16:20:52.98 on Tue 02/23/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1279 [GMT -5:00]

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Users\Owner\AppData\Local\Temp\win16.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\aestsrv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Users\Owner\AppData\Local\Autobahn\autobahn.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
2/23/2010 4:27:58 PM
Pupils DiL8t (All American, 4960 posts):
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter
uRun: [LightScribe Control Panel] "c:\program files\common files\lightscribe\LightScribeControlPanel.exe" -hidden
uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe"
uRun: [uishf9wuifwuh387fh3wufinhjfdwefe] "c:\users\owner\appdata\local\temp\ub81r5eabf.exe"
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\users\owner\appdata\local\temp\win16.exe
uRun: [Fnudumegede] rundll32.exe "c:\users\owner\appdata\local\ijurediqa.dll",Startup
uRun: [kugazegag] Rundll32.exe "c:\progra~2\sojenatu\sojenatu.dll",a
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SysTrayApp] "%ProgramFiles%\IDT\WDM\sttray.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [QlbCtrl.exe] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [OnScreenDisplay] "c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [HP Health Check Scheduler] "c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\autobahn.lnk - c:\users\owner\appdata\local\autobahn\autobahn.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
2/23/2010 4:28:23 PM
Pupils DiL8t (All American, 4960 posts):
================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\7u7qk0t5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - http://www.google.com
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2009-5-31 15416]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-23 52736]

=============== Created Last 30 ================

2010-02-23 02:30:45 0 d-s---w- C:\ComboFix
2010-02-23 01:49:13 77312 ----a-w- c:\windows\MBR.exe
2010-02-23 01:49:13 261632 ----a-w- c:\windows\PEV.exe
2010-02-23 01:49:12 98816 ----a-w- c:\windows\sed.exe
2010-02-23 01:49:12 161792 ----a-w- c:\windows\SWREG.exe
2010-02-22 05:19:37 0 d-----w- c:\program files\TrendMicro
2010-02-21 05:19:10 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-21 05:19:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-18 04:41:28 10752 ----a-w- c:\windows\DCEBoot.exe
2010-02-18 00:06:22 0 d-----w- c:\programdata\sojenatu
2010-02-18 00:06:21 0 d-----w- c:\programdata\wawuhana
2010-02-18 00:06:21 0 d-----w- c:\programdata\nosamoti
2010-02-17 23:56:25 0 d-----w- c:\programdata\pupepiba
2010-02-17 23:56:25 0 d-----w- c:\programdata\malevinu
2010-02-17 23:56:25 0 d-----w- c:\programdata\duyotilu
2010-02-10 14:28:07 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 14:28:07 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 14:28:04 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 14:28:03 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-06 04:03:15 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-06 04:03:14 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-02-06 04:01:55 0 d-----w- c:\program files\Winamp Detect
2010-01-27 03:04:54 72704 ----a-w- c:\windows\system32\admparse.dll
2010-01-26 04:14:48 0 d-----w- c:\program files\GPL MPEG Decoder

==================== Find3M ====================

2010-02-21 04:40:49 2768 ----a-w- c:\users\owner\appdata\roaming\wklnhst.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 12:35:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35:00 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32:25 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31:22 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28:43 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28:43 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-28 05:48:49 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-28 05:48:49 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-28 05:48:43 86016 ----a-w- c:\windows\inf\infstor.dat
2009-06-02 07:28:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:25:42.69 ===============
2/23/2010 4:28:47 PM
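Editor's note, not part of the thread: the DDS output above is the kind of autostart listing the helpers in this thread were asking for, and the entries that matter can be picked out mechanically. The script below is an added example written for this page, not DDS, HijackThis or ComboFix code. It applies the rules a malware-removal volunteer applies by eye to the "Pseudo HJT Report" and "Created Last 30" sections: an autostart whose image lives in a directory a standard user can write to, rundll32 being used to load a DLL from such a directory, a value name that looks machine-generated, and a burst of sibling directories created under one parent within seconds of each other. The sample lines are copied from the posted log and constructed into two strings; the heuristics and thresholds are the editor's own, and the script assumes that `c:\progra~2` is the 8.3 alias of `c:\ProgramData`, which is what the StartupFolder entries in the same log imply.

```python
"""Triage an autostart listing in DDS / HijackThis style (added example).

Sample input is constructed from the DDS log posted in the thread.  The
heuristics are the editor's own, not anything DDS itself implements.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

RUN_LINE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
QUOTED = re.compile(r'"([^"]+)"')
BARE_PATH = re.compile(r"(?:[a-z]:|%[^%]+%)\\[^\s\",]+", re.I)

# Directories a standard user (and therefore anything the user ran) can write
# to.  A normal installer puts its autostart image under Program Files or
# Windows, so an autostart pointing here is the first thing to look at.
USER_WRITABLE = [
    re.compile(r"\\users\\[^\\]+\\appdata\\", re.I),
    re.compile(r"\\users\\[^\\]+\\downloads\\", re.I),
    re.compile(r"\\programdata\\", re.I),
    re.compile(r"\\progra~2\\", re.I),  # ASSUMPTION: 8.3 alias of ProgramData on this box
    re.compile(r"\\temp\\", re.I),
]
# Value names mixing letters and digits for 12+ characters are typical of
# generated names.  Pronounceable gibberish ("kugazegag") slips through this
# rule on purpose; the path rule catches it instead.
RANDOMISH = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{12,}$", re.I)

CREATED_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)


def extract_paths(cmd: str) -> list[str]:
    """Return every file path in an autostart command, quoted or bare."""
    paths = QUOTED.findall(cmd)
    paths += BARE_PATH.findall(QUOTED.sub(" ", cmd))
    return [p.strip() for p in paths if "\\" in p]


def in_user_writable(path: str) -> bool:
    return any(rx.search(path) for rx in USER_WRITABLE)


def triage_run_entries(report: str) -> list[dict]:
    """Flag uRun/mRun entries; each finding lists the reasons it fired."""
    findings = []
    for line in report.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m["name"], m["cmd"]
        paths = extract_paths(cmd)
        reasons = [f"image in user-writable location: {p}" for p in paths if in_user_writable(p)]
        # For rundll32 the DLL argument, not rundll32.exe, is the real autostart.
        tokens = cmd.split()
        first = tokens[0].strip('"').lower() if tokens else ""
        if first.endswith("rundll32.exe"):
            dlls = [p for p in paths if p.lower().endswith(".dll")]
            if any(in_user_writable(d) for d in dlls):
                reasons.append("rundll32 loads a DLL from a user-writable location")
        if RANDOMISH.match(name):
            reasons.append("machine-generated-looking value name")
        if reasons:
            findings.append({"name": name, "cmd": cmd, "reasons": reasons})
    return findings


def directory_bursts(created_section: str, window_s: int = 120, min_dirs: int = 3) -> list[list[str]]:
    """Report parents that gained >= min_dirs new child directories within
    window_s seconds.  Installers create one tree; droppers create several
    throwaway sibling folders in one go."""
    by_parent: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in created_section.splitlines():
        m = CREATED_LINE.match(line.strip())
        if not m or not m["attr"].startswith("d"):
            continue
        path = m["path"].strip()
        parent = path.rsplit("\\", 1)[0].lower()
        by_parent[parent].append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), path))
    bursts = []
    for items in by_parent.values():
        items.sort()
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= timedelta(seconds=window_s):
                j += 1
            if j - i + 1 >= min_dirs:
                bursts.append([p for _, p in items[i:j + 1]])
            i = j + 1
    return bursts


# Constructed sample: a mix of benign and hostile lines from the posted log.
SAMPLE_RUN_LINES = r"""
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter
uRun: [uishf9wuifwuh387fh3wufinhjfdwefe] "c:\users\owner\appdata\local\temp\ub81r5eabf.exe"
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\users\owner\appdata\local\temp\win16.exe
uRun: [Fnudumegede] rundll32.exe "c:\users\owner\appdata\local\ijurediqa.dll",Startup
uRun: [kugazegag] Rundll32.exe "c:\progra~2\sojenatu\sojenatu.dll",a
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SysTrayApp] "%ProgramFiles%\IDT\WDM\sttray.exe"
"""
SAMPLE_CREATED_LINES = r"""
2010-02-22 05:19:37 0 d-----w- c:\program files\TrendMicro
2010-02-21 05:19:10 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-21 05:19:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-18 04:41:28 10752 ----a-w- c:\windows\DCEBoot.exe
2010-02-18 00:06:22 0 d-----w- c:\programdata\sojenatu
2010-02-18 00:06:21 0 d-----w- c:\programdata\wawuhana
2010-02-18 00:06:21 0 d-----w- c:\programdata\nosamoti
2010-02-17 23:56:25 0 d-----w- c:\programdata\pupepiba
2010-02-17 23:56:25 0 d-----w- c:\programdata\malevinu
2010-02-17 23:56:25 0 d-----w- c:\programdata\duyotilu
"""

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_LINES):
        print(f"[{f['name']}] {f['cmd']}")
        for r in f["reasons"]:
            print("    -", r)
    for burst in directory_bursts(SAMPLE_CREATED_LINES):
        print("directory burst:", ", ".join(burst))
```

Run against the sample, the four uRun entries pointing into Temp, AppData\Local and ProgramData are the only ones flagged (the HP, Synaptics and Sidebar entries are not), and the six randomly named ProgramData folders come out as two bursts created minutes apart. The same filter can be fed the full "Pseudo HJT Report" and "Created Last 30" sections of a real DDS log; the thresholds are a starting point, not a signature.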