Where is the slimy little bugger (malicious program) hiding?

Asked by Hypocrisy_Central (26879 points) January 14th, 2015

This might seem like a boring dry question to some, but it can be beneficial if the right answers come, and you ever encounter the situation.

Somehow back around the 9th some malware, or whatever, snuck past all my security and attached itself to my system. Microsoft Security Essentials, Ad-Aware, Spybot, and Malwarebytes all missed it and supposedly can’t find it. It has not seemed to affect anything but my Chrome browser running on Win 7 Pro. When I want to click on a link, sometimes within the same Web site, this slimy, nasty, malicious program opens up another tab or window and takes me to it, and I have to shut it down to get where I intended. I ran HijackThis, which gave me this result:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 8:10:17 PM, on 1/13/2015
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17496)

Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
F:\Installed from net\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
F:\Toolbox\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\C2MP\TrayMenu.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\System32\taskmgr.exe
C:\Windows\explorer.exe
E:\Vault\Tools\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskhost.exe
D:\tools\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = _http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54748;https=127.0.0.1:54748
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Toolbox\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [AdAwareTray] "F:\Installed from net\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareTray.exe"
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Toolbox\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Users\AsusHE\AppData\Roaming\uTorrent\updates\3.4.2_36802.exe" /MINIMIZED
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User '?')
O4 - HKUS\S-1-5-21-3121945578-4220466481-3813107283-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - S-1-5-21-3121945578-4220466481-3813107283-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: TrayMenu.lnk = C:\Windows\System32\C2MP\TrayMenu.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Toolbox\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Toolbox\Spybot - Search & Destroy\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: IW231 - {1CD50F0B-C67D-4B01-A707-55573DACAADF} - "F:\Installed from net\Viewers and enhancers\ImageWalker231\ImageWalkerU.exe" (file missing)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Ad-Aware Service 11 (LavasoftAdAwareService11) - Unknown owner - F:\Installed from net\Ad-Aware Antivirus\Ad-Aware Antivirus\11.1.5354.0\AdAwareService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - F:\Toolbox\Spybot - Search & Destroy\SDWinSec.exe

End of file - 8707 bytes

The entries in bold I eliminated per a HijackThis analysis Web site, but the redirect is still there, and it seems to be tripped by clicking links, but at least the popups are gone. The question remains: where is this slimy redirect program hiding?
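As an added example (my own code, not part of the post or of any answer on the page), here is a small Python triage script that parses HijackThis-style lines like the ones above and flags the entries a responder would look at first. The most telling line in the log is the R1 ProxyServer entry pointing at 127.0.0.1:54748, paired with ProxyOverride = <-loopback>. On Windows, Chrome uses the system (WinINet) proxy settings by default, so every HTTP and HTTPS request from the browser is handed to whatever local process is listening on that port, and a process in that position can turn a clicked link into a redirect without touching the browser itself. The sample log lines are constructed from the post (with plain ASCII dashes); the severity labels and the user-writable-path heuristic are my own, not HijackThis features.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    severity: str   # "high" = act on this first, "review" = look at it, usually benign
    section: str    # HijackThis section code, e.g. "R1", "O4"
    detail: str


# Constructed sample: a few lines modelled on the post's log, with plain ASCII dashes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:54748;https=127.0.0.1:54748
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Users\AsusHE\AppData\Roaming\uTorrent\updates\3.4.2_36802.exe" /MINIMIZED
"""

# One HijackThis entry: section code, " - ", the rest of the line.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
# WinINet ProxyServer value: "host:port" or "scheme=host:port;scheme=host:port".
PROXY_RE = re.compile(r"(?:(?P<scheme>https?|ftp|socks)=)?(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})")
# Heuristic of my own: autoruns launched from per-user writable trees deserve a look.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)


def is_loopback(host: str) -> bool:
    return host.lower() == "localhost" or host.startswith("127.")


def parse_proxy_setting(value: str) -> List[Tuple[str, str, int]]:
    """Split a ProxyServer value into (scheme, host, port); scheme is 'all' when unqualified."""
    return [(m.group("scheme") or "all", m.group("host"), int(m.group("port")))
            for m in PROXY_RE.finditer(value)]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code.startswith("R") and "ProxyServer =" in body:
            value = body.split("=", 1)[1].strip()
            for scheme, host, port in parse_proxy_setting(value):
                if is_loopback(host):
                    findings.append(Finding("high", code,
                        f"{scheme} traffic is routed through local port {port}; "
                        f"identify the process listening on that port"))
        elif code.startswith("R") and "ProxyOverride =" in body and "<-loopback>" in body:
            findings.append(Finding("review", code,
                "ProxyOverride has <-loopback>: loopback traffic is not exempt from the proxy "
                "(the setting a local intercepting proxy needs)"))
        elif code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append(Finding("review", code, f"orphaned entry, file missing: {body}"))
        elif code == "O4" and USER_WRITABLE.search(body):
            findings.append(Finding("review", code, f"autorun from user-writable path: {body}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run against the sample, the loopback proxy comes out as the only high-severity item. On the affected machine the follow-up is to map the port to a process with `netstat -ano | findstr :54748`, look the PID up in Task Manager or with `tasklist /fi "pid eq <PID>"`, and clear the ProxyServer value (Internet Options > Connections > LAN settings) once that process and its autorun entry are dealt with; a listener that does not appear in the running-process list above, or that runs from a user-writable path, is the one to examine. The other findings are lower priority: the "(no file)" toolbar entry is just cleanup, and the uTorrent updater running from AppData is normal for that program, but AppData is also where unwanted software tends to live, so the script reports it for review rather than ignoring it.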
