Solved

Does this log show a virus? What should I do?

Posted on 2011-10-04
Last Modified: 2013-12-06
Redirect virus causes BHO trojan to resurface in registry after Malwarebytes scrub removes it (HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO)). Here's the HijackThis log on the "cleaned" computer. Does this log show any problems I can fix?


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:16 AM, on 10/4/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\prevhost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0222D6D9-E01F-49B0-B6E5-CEA67F24FFF1} - C:\Users\Olivia\AppData\Local\TrayUser.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [WindowsNotifierProfile] rundll32.exe "C:\ProgramData\WindowsNotifierProfile.dll",DllRegisterServer
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Reasonable_Software_House Update] C:\Users\Olivia\AppData\Local\Reasonable_Software_House\Reasonable_Software_HouseUpdate\Reasonable_Software_Houseupdt32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: WePrint Server.lnk = C:\Program Files\WePrint\WePrint Server.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SATARaid5Manager.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll
O23 - Service: SATARaid5 Configuration Service (SATARaid5 Config Service) - Unknown owner - C:\Program Files\Silicon Image\3132-W-R\SATARaid5ConfigService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Silicon Image HBA Wakeup Utility (SiHbaWakeupService) - Unknown owner - C:\Program Files\Silicon Image\Silicon Image HBA Wakeup Utility\SiHbaWakeupService.exe

--
End of file - 6144 bytes
Question by:oliviajones
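An added triage script (not part of the question or any reply in this thread) that shows how a defender can screen a HijackThis log like the one above for the entries worth a second look: BHOs with no name or loaded from a user-writable path, rundll32 autoruns that load a DLL from ProgramData or a user profile, and Run keys under service-account SIDs (S-1-5-18/19/20) that execute from a user profile. The sample input is a handful of O2/O4 lines copied from the log in the question; the list of "user-writable" prefixes and the flagging rules are my own heuristics, not a HijackThis feature.

```python
import re
from dataclasses import dataclass

# O2/O4 lines copied from the HijackThis log in the question (plus one benign
# Adobe BHO and one benign HKLM Run entry for contrast), embedded so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0222D6D9-E01F-49B0-B6E5-CEA67F24FFF1} - C:\Users\Olivia\AppData\Local\TrayUser.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [WindowsNotifierProfile] rundll32.exe "C:\ProgramData\WindowsNotifierProfile.dll",DllRegisterServer
O4 - HKUS\S-1-5-19\..\Run: [Reasonable_Software_House Update] C:\Users\Olivia\AppData\Local\Reasonable_Software_House\Reasonable_Software_HouseUpdate\Reasonable_Software_Houseupdt32.exe (User 'LOCAL SERVICE')
"""

# Assumed heuristic: locations a standard user can write to. Legitimate BHOs and
# machine-wide autoruns normally live under Program Files or Windows instead.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Well-known SIDs of the built-in service accounts; their Run keys should not
# point into a user's profile.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd))\b', re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")  # HijackThis appends this to HKUS entries


@dataclass
class Finding:
    line: str    # the original log line
    reason: str  # why it was flagged
    path: str    # the file the entry loads or runs


def user_writable(path: str) -> bool:
    return path.strip().lower().startswith(USER_WRITABLE)


def analyze(log_text: str) -> list[Finding]:
    """Return the O2/O4 entries in a HijackThis log that match the heuristics above."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)":
                findings.append(Finding(line, "BHO with no name", m["path"]))
            if user_writable(m["path"]):
                findings.append(Finding(line, "BHO DLL in user-writable location", m["path"]))
            continue
        m = O4_RE.match(line)
        if not m:
            continue  # Startup-folder O4 lines and other sections are out of scope here
        cmd = USER_SUFFIX_RE.sub("", m["cmd"])
        r = RUNDLL_RE.match(cmd)
        if r:
            # rundll32 itself is benign; what matters is where the DLL it loads lives
            if user_writable(r["dll"]):
                findings.append(Finding(line, "rundll32 loading a DLL from a user-writable location", r["dll"]))
            continue
        p = EXE_RE.match(cmd)
        path = p["path"] if p else cmd
        sid = m["hive"].rpartition("\\")[2]
        if sid in SERVICE_SIDS and user_writable(path):
            findings.append(Finding(line, "service-account autorun executing from a user profile", path))
        elif user_writable(path):
            findings.append(Finding(line, "autorun executing from a user-writable location", path))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}\n    {f.line}")
```

Feed it a saved log with `analyze(open("hijackthis.log").read())`. A hit is a lead, not a verdict: check the flagged file's publisher signature and hash (for example on VirusTotal, as suggested later in the thread) before deleting anything, since legitimate per-user software also installs into AppData.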
15 Comments
 

Author Comment

by:oliviajones
ID: 36910655
Here's a good one: if you click EE's search tab at the top of this page, which uses Google, the same trojan is placed in the registry again.
LVL 66

Expert Comment

by:johnb6767
ID: 36914580
HJT log looks clean.....

Autoruns
http://live.sysinternals.com/autoruns.exe

Can you please run a scan (Options>and Uncheck "Hide ms and windows entries") and save the .arn file here?
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 36914596
Run msconfig and do a diagnostic boot, then run Malwarebytes and see what results you get... What is this 'Reasonable Software House' stuff? Is it "legit"? I went to the http://reasonables.com/ website and it hasn't been updated in 5 years.
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 36914598
Also stop that rundll32.exe.
LVL 66

Expert Comment

by:johnb6767
ID: 36914663
That rundll might be a part of an NVidia/ATI driver service..... Might want to see what the FULL command line path to it is.... Add the Command Line path in the Task Manager, and see what it points to...
LVL 70

Expert Comment

by:Merete
ID: 36915000
The HijackThis log is clean.

If you need deeper cleaning, remember to empty the Recycle Bin and the TEMP files in the TEMP folder.
Stop System Restore and restart to start a new settings point;
delete the old ones.
Windows 7: go to Control Panel > System and Security > System > System Protection > under the panel, Local Disk C.
See
"Configure restore points settings, manage disk space and delete restore points" > Configure >
at the bottom, "Delete all restore points".
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 400 total points
ID: 36915107

As stated above, your HijackThis log looks clean, but please be aware that several recent pieces of malware are not detected by HijackThis.

Suggest you first try downloading & updating Malwarebytes anti-Malware, from here:
http://www.malwarebytes.org/mbam.php
Run in normal mode.
Tutorial, if required:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t169669.html

MalwareBytes(free) should remove the problem, but if MalwareBytes won't run, download and run Rkill first.
Do not boot after running Rkill, then run MalwareBytes.

Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools:
http://www.technibble.com/rkill-repair-tool-of-the-week/
http://www.bleepingcomputer.com/forums/topic308364.html

If you're still having difficulties, try running TDSSKiller to see if it removes the infection. Try renaming TDSSKiller if it refuses to run:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Download the file TDSSKiller.zip and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.

More detailed TDSSKiller tutorial:
http://support.kaspersky.com/viruses/solutions?qid=208280684

Excellent articles for further help, if needed:
"Google Hijack" - Google Search Gets Redirected:
http://www.experts-exchange.com/A_3299.html

Infected Router - Google Search Redirects Even on a Clean System
http://www.experts-exchange.com/A_5327.html
LVL 27

Expert Comment

by:Jonvee
ID: 36915131
There's no harm in running TDSSKiller first; you may be fortunate and nail the 'redirect problem' immediately... but it's still prudent to follow that with a Malwarebytes deep scan.
LVL 38

Assisted Solution

by:younghv
younghv earned 400 total points
ID: 36916111
oliviajones,
Please ignore the advice to clean out all of your TEMP folders and empty the Recycle Bin. There are newer variants of malware that will move some of your key files/folders into various paths in your profile and no one should be deleting any files or folders (during the disinfection process) without careful consideration of each one.

Also ignore the advice to reset (delete) your restore points. Although restore points MAY contain infections, they cannot go active unless the restore point is actually used.

A really good EE Article by MS MVP 'rpggamergirl' is here:
Viruses in System Volume Information (System Restore)

*****************

I've been on holiday for a few days and unable to post, but have noticed several questions from you with approximately the same problem. Are your recent questions all about the same computer/infection?

If you are posting a "Follow Up" question about the same problem, please use the "Ask a related question" function which will allow all of us to read through the prior question/comments before offering suggestions.

Details here: http://www.experts-exchange.com/help.jsp#hs=29&hi=414

Author Comment

by:oliviajones
ID: 36921224
My original question went dormant while I had to be away for a little more than a week. I was not aware of the "Ask a related question" option. Thanks.
I have tried to remove the Reasonable Software stuff from an old noclone install. It no longer shows up in Add/Remove Programs nor in my Program Files folder.
Please tell me how to find the full command path to rundll32.exe.

I've attached the autorun scan from http://live.sysinternals.com/autoruns     
AutoRuns.arn
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 1200 total points
ID: 36922124
Under the Drivers tab, you need to find out what this file is.....

TrueSight                  c:\users\olivia\desktop\truesight.sys

Take it to http://www.virustotal.com and see what the results are..... Not a lot of info out there on it.... Shows up in a CF Safe List....

Other than that, nothing obvious, besides a lot of bloat you can trim out.....

"Please tell me how to find the full command path to rundll32.exe."

In Task Manager, click View > Select Columns and add "Command Line". Now look at the Processes tab and report the FULL path to that rundll32.exe...

Accepted Solution

by:
oliviajones earned 0 total points
ID: 36934420
I believe the solution to this problem was to boot in safe mode and run MBAM followed by AV antivirus. For whatever reason, MBAM found and removed 4 trojans that had not shown up in normal mode, and now I seem to have full browser access and no redirect. The virus could be waiting and lurking. If so, I'll be back. Meanwhile, I want to award points for all the time spent on this. Thanks a lot.

Author Closing Comment

by:oliviajones
ID: 36954325
As noted above, I believe the solution to this problem was to boot in safe mode and run MBAM followed by AV antivirus. This was not suggested by EE, but by an IT neighbor. For whatever reason, MBAM in safe mode found and removed 4 trojans that had not shown up in normal mode, and now I seem to have full browser access and no redirect. I believe that the cumulative earlier efforts of EE experts assisted in this result. The virus could be waiting and lurking. If so, I'll be back. Meanwhile, I want to award points for all the time spent on this. Thanks a lot.
LVL 27

Expert Comment

by:Jonvee
ID: 36935384
Thanks for the report! It is indeed surprising that MBAM found and removed the four trojans in safe mode after failing to detect them in normal mode, because MBAM has been designed to work in the latter, where malware is more active.

You may like to study some of the comments in this MBAM forum link, referred to some months ago by E_E's younghv:
http://forums.malwarebytes.org/index.php?showtopic=17334&pid=88995&start=&st=#entry88995

If you still have access to the computer, the other suggestion is to get a 'second opinion' by trying at least two of the following scanners:

ESET Online Scanner, a free and powerful tool:
http://www.eset.com/online-scanner

McAfee Labs Stinger:
http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
Recommend you do not initially disable System Restore as suggested.

Dr.Web CureIt!:
http://www.freedrweb.com/cureit/?lng=en

Author Comment

by:oliviajones
ID: 36937590
Thanks for these useful tools, which I will now run as an added precaution!
