hi guys
i believe i have a virus on my system, as all of the links I try to click on in google they send me to other web pages; one which is called hugosearch. I can't access Microsoft.com or Symantec or malware sites.
I have run malwarebytes and it found nothing, comodo was running and it found nothing either; although both did find things a few days ago and deleted them, now nothing but problem is on going.
There is a folder C:\Program Files\cbgrwsqt which I tried deleting but it says I can't due to the directory not being empty!
Any help would be great chaps.
I've got my hijack list log here:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:23:32, on 22/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\csrss.
exe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\spools
v.exe
C:\WINDOWS\system32\acs.ex
e
C:\WINDOWS\system32\svchos
t.exe
C:\Program Files\Common Files\Acronis\Schedule2\sc
hedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv
.exe
C:\WINDOWS\ATKKBService.ex
e
C:\Program Files\Java\jre6\bin\jqs.ex
e
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc3
2.exe
C:\WINDOWS\system32\svchos
t.exe
C:\Program Files\Atlassian\JIRA 4.1.2\bin\tomcat6.exe
C:\Program Files\Common Files\VMware\USB\vmware-us
barbitrato
r.exe
C:\WINDOWS\system32\vmnat.
exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4
.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.e
xe
C:\WINDOWS\system32\vmnetd
hcp.exe
C:\WINDOWS\System32\alg.ex
e
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\ASUS\GamerOSD\GamerO
SD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMoni
tor.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Real\Update_OB\reals
ched.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.ex
e
C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
C:\Program Files\Acronis\OnlineBackup
Standalone
\TrueImage
Monitor.ex
e
C:\Program Files\Acronis\TrueImageHom
e\TrueImag
eMonitor.e
xe
C:\Program Files\Common Files\Acronis\Schedule2\sc
hedhlp.exe
C:\WINDOWS\system32\ctfmon
.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonito
r.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexing
Service.ex
e
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexSto
reSvr.exe
C:\Program Files\NETGEAR\WN111v2\WN11
1V2.exe
C:\Program Files\PrintKey2000\Printke
y2000.exe
C:\Program Files\MagicDisc\MagicDisc.
exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\Hijack
This.exe
C:\WINDOWS\system32\wbem\w
miprvse.ex
e
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Default_Page
_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Default_Sear
ch_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system
32\userini
t.exe,C:\P
rogram Files\cbgrwsqt\khuehsak.ex
e
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-F
A578C2EBDC
3} - C:\Program Files\Common Files\Adobe\Acrobat\Active
X\AcroIEHe
lperShim.d
ll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4
C09146192C
A} - C:\Program Files\Real\RealPlayer\rpbr
owserrecor
dplugin.dl
l
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0
BBC1D38A37
E} - C:\PROGRA~1\MICROS~2\Offic
e12\GRA8E1
~1.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-4
2B3008E02F
F} - C:\PROGRA~1\MICROS~2\Offic
e14\URLRED
IR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-E
ABFE594F69
C} - C:\Program Files\Java\jre6\lib\deploy
\jqs\ie\jq
s_plugin.d
ll
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerO
SD.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMoni
tor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceMana
ger\CS4Ser
viceManage
r.exe" -launchedbylogin
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
ched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.
exe
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.ex
e"
O4 - HKLM\..\Run: [Hercules DJ Series] C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe /boot
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files\Acronis\OnlineBackup
Standalone
\TrueImage
Monitor.ex
e
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHom
e\TrueImag
eMonitor.e
xe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\sc
hedhlp.exe
"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
dll,NvStar
tup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon
.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Loc
al Settings\Application Data\Google\Update\GoogleU
pdate.exe"
/c
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-
4d9f-84C7-
88D8A56B10
AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonito
r.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.
exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN11
1V2.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printke
y2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
\Office12\
EXCEL.EXE/
3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
663EE0C6C4
9} - C:\PROGRA~1\MICROS~2\Offic
e12\ONBttn
IE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5
663EE0C6C4
9} - C:\PROGRA~1\MICROS~2\Offic
e12\ONBttn
IE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
C9C571A826
3} - C:\PROGRA~1\MICROS~2\Offic
e12\REFIEB
AR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-F
FDE2BAC296
7} (DLM Control) -
http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
O16 - DPF: {924B4927-D3BA-41EA-9F7E-8
A89194AB3A
C} (P3DActiveX Control) -
http://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-1
8920D89842
9} (ScorchPlugin Class) -
http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
4455354000
0} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-A
C9BF37916A
7} -
http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3
CB6248B04C
D} - C:\PROGRA~1\MICROS~2\Offic
e12\GR99D3
~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-0
0B0D022E94
5} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.D
LL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-0
0A0C90312E
1} - C:\WINDOWS\system32\browse
ui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3
078302C203
0} - C:\WINDOWS\system32\browse
ui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\sc
hedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.ex
e
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv
.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.ex
e
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingServ
ice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.ex
e
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WN111v2\jswp
sapi.exe
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService
) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexing
Service.ex
e
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
2.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Atlassian JIRA 4.1.2 6 (Tomcat6) - Apache Software Foundation - C:\Program Files\Atlassian\JIRA 4.1.2\bin\tomcat6.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.ex
e
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
xe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
hcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-us
barbitrato
r.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4
.exe
--
End of file - 11561 bytes
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684
Then try HitManpro to make sure anything which might be left behind is clean:
32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html
64bit
http://dl.surfright.nl/HitmanPro35_x64.exe
Post logs here for further analysis.
Sudeep