Major Trojan problem

montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Major Trojan problem

Post by montypython »

My machine has just been infected by a Trojan/virus/something that constantly redirects my google searches and causes both Firefox and IE to accept third-party cookies even when I turn that over repeatedly. I've run Superantispyware, Malwarebytes, Spybot and AVG and the problem is still present. I ran the Kaspersky antivirus removal tool also. Any help would be really appreciated... :banghead:
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Re: Major Trojan problem

Post by Darth Wong »

The malware is obviously interfering with your antivirus software. I would suggest removing the hard drive, sticking it in an external hard drive dock, and then reading/scanning/disinfecting it from another computer. As long as you boot off the OS on that hard drive, you can't be sure that you're running clean.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Major Trojan problem

Post by Dominus Atheos »

Darth Wong wrote: The malware is obviously interfering with your antivirus software. I would suggest removing the hard drive, sticking it in an external hard drive dock, and then reading/scanning/disinfecting it from another computer. As long as you boot off the OS on that hard drive, you can't be sure that you're running clean.
Those are the only two things it's doing, and it doesn't register as malware on any of those 4 programs? It's probably just an adware toolbar or addon. Post a hijackthis log.
montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Re: Major Trojan problem

Post by montypython »

Dominus Atheos wrote:
Darth Wong wrote: The malware is obviously interfering with your antivirus software. I would suggest removing the hard drive, sticking it in an external hard drive dock, and then reading/scanning/disinfecting it from another computer. As long as you boot off the OS on that hard drive, you can't be sure that you're running clean.
Those are the only two things it's doing, and it doesn't register as malware on any of those 4 programs? It's probably just an adware toolbar or addon. Post a hijackthis log.
I reran the scans from a backup drive with the infected drive as a slave, it killed some adware but the problem is still present. I'll PM the Hijackthis log, but I'll be using the backup drive as the new master in the meantime for functionality.
Dalton
For Those About to Rock We Salute You
Posts: 22634
Joined: 2002-07-03 06:16pm
Location: New York, the Fuck You State

Re: Major Trojan problem

Post by Dalton »

Post the log here. Multiple sets of eyes are better than one.
montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Re: Major Trojan problem

Post by montypython »

Dalton wrote: Post the log here. Multiple sets of eyes are better than one.
Sure, here's the log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:26:05 AM, on 1/11/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Razer\DeathAdder\vdDaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jly\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Virtual Account Numbers Helper - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files\Virtual Account Numbers\CitiVANHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files\Virtual Account Numbers\CitiVANToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft OmniPage 16-reminder] "C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jly\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

--
End of file - 11652 bytes
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Major Trojan problem

Post by Dominus Atheos »

As I said over PM, none of those BHOs or toolbars are malicious.
montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Re: Major Trojan problem

Post by montypython »

Dominus Atheos wrote: As I said over PM, none of those BHOs or toolbars are malicious.
My own hunch is that something that was just killed by AVG or Malwarebytes may have changed some registry settings beforehand so that IE and Firefox settings are being continuously reverted, but I wouldn't know which registry settings to look at in order to clean out the problem. It would be even worse if both registry and Windows systems files have been changed, which I have seen on another PC that had been infected by a different virus.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Major Trojan problem

Post by Dominus Atheos »

Try a system restore to before you got infected.
Executor32
Jedi Council Member
Posts: 2088
Joined: 2004-01-31 03:48am
Location: In a Georgia courtroom, watching a spectacle unfold

Re: Major Trojan problem

Post by Executor32 »

Try running the rootkit scanner in AVG, and if that doesn't pick up anything, see if LSPFix fixes the redirect issue. I've cleaned a few PCs with Google redirect malware that still had their searches redirected post-cleaning, until running LSPFix.
montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Re: Major Trojan problem

Post by montypython »

Executor32 wrote: Try running the rootkit scanner in AVG, and if that doesn't pick up anything, see if LSPFix fixes the redirect issue. I've cleaned a few PCs with Google redirect malware that still had their searches redirected post-cleaning, until running LSPFix.
I'll definitely get that going once I get that external dock for the drive (putting it in and out of the desktop is a real headache especially due to the internal case design and all the cables to boot).
Kuroneko
Jedi Council Member
Posts: 2469
Joined: 2003-03-13 03:10am
Location: Fréchet space

Re: Major Trojan problem

Post by Kuroneko »

I had a similar problem months ago, with the problem apparently coming back every time I started Firefox (and only Firefox) regardless of whether my AV told me the infection was cleaned. I wound up signing up for Kaspersky trial and it fixed the problem; it turned out to be TDSS*. I let it lapse without buying, though.

*Try TDSSKiller, which is free; though it's not particularly likely that it's the same problem, it's worth a try.
Elfdart
The Anti-Shep
Posts: 10646
Joined: 2004-04-28 11:32pm

Re: Major Trojan problem

Post by Elfdart »

The same bug hit my system when I clicked a news link on the AT&T/Yahoo main page.
Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Re: Major Trojan problem

Post by Ariphaos »

I personally consider AVG itself to be malicious. MSE is consistently one of the best options for home Windows users these days.
Executor32 wrote: Try running the rootkit scanner in AVG, and if that doesn't pick up anything, see if LSPFix fixes the redirect issue. I've cleaned a few PCs with Google redirect malware that still had their searches redirected post-cleaning, until running LSPFix.
LSPFix won't find anything that doesn't register as an O10 item in Hijackthis.

If you have a means of fixing things that break (i.e., reinstalling your OS), Combofix is the best tool.

You can also typically stop this sort of thing before it loads into your OS (often, it hooks into explorer.exe), by running your stuff via command line via "Safe Mode with Command Prompt". This is slow (as in, scans are slower, possibly because various caching techniques aren't active yet - haven't looked into why), you have to copy your executables and database updates over manually (via the command line), etc. and often will have to do a two-step process with two tools before even touching safe mode, much less normal mode, again.
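Since the thread turns on which HijackThis sections can actually cause search redirects (Ariphaos's point that LSPFix only helps when there is an O10 entry), here is an added Python example, not code from the thread or from HijackThis, that parses entry lines in the posted log's format and flags the redirect-capable sections. The sample log is constructed for the example; the section meanings are HijackThis's own categories.

```python
"""Triage a HijackThis log for the entry types that can redirect searches.

Added example (not code from the thread). It parses entry lines in the
HijackThis v2 format shown in the posted log and reports which redirect-
capable sections are present, so it is clear whether an LSP repair tool
(which only touches the Winsock chain, i.e. O10 entries) could help.
"""
import re
from collections import defaultdict

# HijackThis section prefixes and what they record. The flag marks sections
# whose entries can silently send browser traffic somewhere else.
SECTIONS = {
    "R0": ("IE start/search page values", False),
    "R1": ("IE default page/search URL values", False),
    "O1": ("hosts file redirections", True),
    "O2": ("Browser Helper Objects", False),
    "O3": ("IE toolbars", False),
    "O4": ("autostart entries (Run keys, startup folder)", False),
    "O10": ("Winsock LSP hijackers", True),
    "O17": ("DNS / domain hijacks", True),
    "O18": ("extra protocol handlers", False),
    "O23": ("services", False),
}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample in the same format as the posted log (not the real log);
# the O1 and O10 lines are made up to exercise the redirect checks.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O1 - Hosts: 127.0.0.1 search.example.invalid
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\fakelsp.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe
"""


def parse_log(text):
    """Return (section, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Group entries by section and pull out the redirect-capable ones."""
    by_section = defaultdict(list)
    for sec, body in parse_log(text):
        by_section[sec].append(body)
    redirect_hits = {sec: bodies for sec, bodies in by_section.items()
                     if SECTIONS.get(sec, ("", False))[1]}
    return dict(by_section), redirect_hits


def lsp_fix_applicable(text):
    """LSPFix repairs only the Winsock LSP chain, so it needs an O10 entry to act on."""
    return "O10" in triage(text)[0]


def clsids_to_lookup(text):
    """CLSIDs of BHOs/toolbars (O2/O3): the values to check against vendor lists."""
    return [CLSID_RE.search(body).group(0) for sec, body in parse_log(text)
            if sec in ("O2", "O3") and CLSID_RE.search(body)]


if __name__ == "__main__":
    sections, hits = triage(SAMPLE_LOG)
    for sec, bodies in sorted(sections.items()):
        print(f"{sec:>3} {SECTIONS.get(sec, ('unknown',))[0]}: {len(bodies)} entries")
    print("redirect-capable sections present:", sorted(hits) or "none")
    print("LSPFix relevant:", lsp_fix_applicable(SAMPLE_LOG))
```

Run against the log posted earlier in the thread, it reports no O1, O10 or O17 entries, which is the same conclusion the thread reaches about LSPFix.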
montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Re: Major Trojan problem

Post by montypython »

Kuroneko wrote: I had a similar problem months ago, with the problem apparently coming back every time I started Firefox (and only Firefox) regardless of whether my AV told me the infection was cleaned. I wound up signing up for Kaspersky trial and it fixed the problem; it turned out to be TDSS*. I let it lapse without buying, though.

*Try TDSSKiller, which is free; though it's not particularly likely that it's the same problem, it's worth a try.
I ran TDSS after running AVG and Malwarebytes, it killed some infection but the problem affecting both Firefox and IE continued to persist, which is the confusing part.
montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Re: Major Trojan problem

Post by montypython »

It may be TDSS related, however, given that one of the .exe files that was seemingly deleted was 72631899.exe (or a similar number), which I've heard is associated with a TDSS-type infection. In any case I'll run Combofix, GMER and Blacklight as well to hunt down rootkit file changes.
montypython
Jedi Master
Posts: 1128
Joined: 2004-11-30 03:08am

Re: Major Trojan problem

Post by montypython »

An update on the drive status: tried booting the drive up in external enclosure, but the drive automatically and consistently bluescreened before even getting to the start screen, even with safe mode boot. At this point reinstallation of the OS or using the drive as a data backup seems best given the additional instability issues cropping up with the registry.
Tolya
Jedi Council Member
Posts: 1729
Joined: 2003-11-17 01:03pm
Location: Poland

Re: Major Trojan problem

Post by Tolya »

Try loading up from a DOS boot disk (you can find those on the internet) and firing up roguefix - it's a rootkit removal tool that really helped me in the past.

Combofix is good too. At this point you can easily forget about all non-specialized general antivirus programs like AVG.

It's a batch file really, but it's not small, so you may have to do some additional DOS tweaking to fire up your optical drive via relevant driver and MSCDEX.

If you need help with this just holler.