netbones
asked on
Help w/Antimalwarelist.com removal
This is driving me nuts. One of our systems is infected with the antimalwarelist.com redirection malware, and I can't shake it.
I've taken the HD out and scanned offline, finding 50+ problems. Ran the scan multiple times using MalwareBytes and Vipre.
Put the hd back in, booted up, installed MalwareBytes and scanned again, found 12 more. Ran the scan 2 more times, looks clean. Ran Vipre, returned with no problems.
However, when I launch either FF or IE and attempt to go to any security, bank or similar site, I get redirected to antimalwarelist.com and of course it tells me I'm infected (I don't click anything of course).
I've followed all the instructions out there for cleaning the registry and removing the lnk files and others on the system, and I've ran HiJackThis and can't see any problems, yet it keeps coming back.
ANY Ideas? HJT log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:21:34 AM, on 11/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spools v.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService .exe
C:\WINDOWS\system32\mfevtp s.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.ex e
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\SoftwareUpdat e\YahooAUS ervice.exe
C:\WINDOWS\system32\Search Indexer.ex e
C:\WINDOWS\system32\igfxtr ay.exe
C:\WINDOWS\system32\hkcmd. exe
C:\WINDOWS\system32\igfxpe rs.exe
C:\Program Files\CONEXANT\SMARTAUDIO\ SMAUDIO.EX E
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxsr vc.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.ex e
C:\Program Files\Google\GoogleToolbar Notifier\G oogleToolb arNotifier .exe
C:\Program Files\Apoint2K\ApMsgFwd.ex e
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\WIDCOMM\BLUETO ~1\BTSTAC~ 1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~ 1\ymsgr_tr ay.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.ex e
C:\WINDOWS\system32\Search ProtocolHo st.exe
C:\Documents and Settings\vidhushekhar\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr ay.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd. exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe rs.exe
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SMARTAUDIO\ SMAUDIO.EX E /c
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe " -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.ex e"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon .exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe " /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN ~1\YahooMe ssenger.ex e" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.ex e" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbar Notifier\G oogleToolb arNotifier .exe"
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\ GPhotos.sc r/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2 \Office12\ EXCEL.EXE/ 3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleTo olbarDynam ic_mui_en_ 950DF09FAB 501E03.dll /cmsidewik i.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.h tm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-A EC46303B9E 5} - C:\Program Files\Skype\Toolbars\Inter net Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-A EC46303B9E 5} - C:\Program Files\Skype\Toolbars\Inter net Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3 C9C571A826 3} - C:\PROGRA~1\MICROS~2\Offic e12\REFIEB AR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-F CFDF33E833 C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275989533312
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0 060082AA75 C} (GpcContainer Class) - https://apache-da.webex.com/client/T27LB/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1 A0ADF03058 B} (JuniperSetupSP1 Control) - https://secure.ubicom.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\T cpip\Param eters: Domain = smartplayin.local
O17 - HKLM\Software\..\Telephony : DomainName = smartplayin.local
O17 - HKLM\System\CS1\Services\T cpip\Param eters: Domain = smartplayin.local
O17 - HKLM\System\CS2\Services\T cpip\Param eters: Domain = smartplayin.local
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-0 7617B9B86A 8} - C:\Program Files\Skype\Toolbars\Inter net Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1 830C7DD7F5 D} - C:\PROGRA~1\COMMON~1\Skype \SKYPE4~1. DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\Google Update.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterServi ce.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService .exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtp s.exe
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.ex e
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdat e\YahooAUS ervice.exe
--
End of file - 7207 bytes
I've taken the HD out and scanned offline, finding 50+ problems. Ran the scan multiple times using MalwareBytes and Vipre.
Put the hd back in, booted up, installed MalwareBytes and scanned again, found 12 more. Ran the scan 2 more times, looks clean. Ran Vipre, returned with no problems.
However, when I launch either FF or IE and attempt to go to any security, bank or similar site, I get redirected to antimalwarelist.com and of course it tells me I'm infected (I don't click anything of course).
I've followed all the instructions out there for cleaning the registry and removing the lnk files and others on the system, and I've ran HiJackThis and can't see any problems, yet it keeps coming back.
ANY Ideas? HJT log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:21:34 AM, on 11/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spools
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService
C:\WINDOWS\system32\mfevtp
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.ex
C:\WINDOWS\system32\svchos
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\SoftwareUpdat
C:\WINDOWS\system32\Search
C:\WINDOWS\system32\igfxtr
C:\WINDOWS\system32\hkcmd.
C:\WINDOWS\system32\igfxpe
C:\Program Files\CONEXANT\SMARTAUDIO\
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxsr
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.ex
C:\Program Files\Google\GoogleToolbar
C:\Program Files\Apoint2K\ApMsgFwd.ex
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\WIDCOMM\BLUETO
C:\PROGRA~1\Yahoo!\MESSEN~
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.ex
C:\WINDOWS\system32\Search
C:\Documents and Settings\vidhushekhar\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SMARTAUDIO\
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.ex
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.ex
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbar
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleTo
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.h
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-A
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-A
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-0
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\Google
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtp
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.ex
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdat
--
End of file - 7207 bytes
ASKER
Been there, done that but thanks. Even when running w/o add-ons it redirects me. And also on Firefox.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
If this does not resolve your issue then try ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
When using ComboFix you need to STOP all your monitoring programs (Antivirus/Antispyware) as they could interfere with ComboFix. Don't interrupt the program till is done. When the scan is done, please save that log and attach it.
When using ComboFix you need to STOP all your monitoring programs (Antivirus/Antispyware) as they could interfere with ComboFix. Don't interrupt the program till is done. When the scan is done, please save that log and attach it.
ASKER
I'll try both suggestions, thanks. Right now I am in safe mode doing a deep scan w/Vipre, once done I'll try Hitman, TDS and Combofix in that order.
I would definitely go with some rootkit scanners as well, it sounds like something is trying to hide.
TDSS killer, Sophos anti-rootkit, and whatever other bug killers you might use. You might also want to clean the MBR, a common hiding place for stubborn bugs.
TDSS killer, Sophos anti-rootkit, and whatever other bug killers you might use. You might also want to clean the MBR, a common hiding place for stubborn bugs.
ASKER
TDSKiller did the trick, thanks!
iexplore -extoff
Test for being redirected. If not just go to tools\Manage Addons. It shouldn't be hard to find the culprit and disable it.