GeekPolice

100k searches virus, it redirects my google search to a google fishing site



Post by Polendulgur on Wed Jul 27, 2011 9:32 pm

Hi,
I really need help with my computer. It got infected with a virus that redirects my Google searches to a Google-like website; while the browser is transferring the info it says 100ksearches.com.
It also asks me for permission to do everything and does not allow me to run the antimalware programs; it shuts them down.

Can you please help me?
I used cheetah antirogue and this is the report.

Cheetah-Anti-Rogue v1.5.1
by DragonMaster Jay

Microsoft Windows [Versión 6.1.7600]
Date: 27/07/2011 - Time: 17:02:02 - Arch.: x86


-- Malware removal tools check --
CCleaner
Malwarebytes' Anti-Malware


-- Known infection --



Extra message: Detection only.


EOF

The report from gooredfix is the following

GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:04 on 27/07/2011 (kurt)
Firefox version 5.0 (es-ES)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:26 01/05/2011]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [22:09 19/08/2010]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [04:35 18/02/2011]
{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [04:11 15/06/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}"="D:\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}" [02:49 08/09/2010]

-=E.O.F=-

Can you help me???
Thanks in advance.

Polendulgur


Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Sneakyone on Thu Jul 28, 2011 1:53 am

Hi,

Please download aswMBR from [link]


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are [link]

  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review


I'm livin' life in the fast lane.

Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Thu Jul 28, 2011 7:32 pm

Hi Sneakyone, here is the log from the scan:

aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-28 15:06:09
-----------------------------
15:06:09.211 OS Version: Windows 6.1.7600
15:06:09.211 Number of processors: 2 586 0x170A
15:06:09.212 ComputerName: KURT-PC UserName: kurt
15:06:13.030 Initialize success
15:26:46.714 AVAST engine defs: 11072800
15:29:03.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-3
15:29:03.901 Disk 0 Vendor: WDC_WD5000AAKS-00UU3A0 01.03B01 Size: 476940MB BusType: 3
15:29:03.916 Disk 0 MBR read successfully
15:29:03.920 Disk 0 MBR scan
15:29:03.947 Disk 0 Windows 7 default MBR code
15:29:03.952 Disk 0 scanning sectors +976771072
15:29:04.031 Disk 0 scanning C:\Windows\system32\drivers
15:29:05.050 File: C:\Windows\system32\drivers\csc.sys **INFECTED** Win32:Sirefef-G [Rtk]
15:29:10.116 Service scanning
15:29:11.693 Modules scanning
15:29:12.990 Module: C:\Windows\system32\drivers\csc.sys **SUSPICIOUS**
15:29:17.138 Disk 0 trace - called modules:
15:29:17.149 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85bd5a90]<<
15:29:17.161 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a1a2d0]
15:29:17.165 3 CLASSPNP.SYS[88dd659e] -> nt!IofCallDriver -> [0x85c07978]
15:29:17.169 \Driver\00000429[0x85c07ab0] -> IRP_MJ_CREATE -> 0x85bd5a90
15:29:17.827 AVAST engine scan C:\Windows
15:29:20.082 AVAST engine scan C:\Windows\system32
15:29:23.043 File: C:\Windows\system32\atwtusb.exe **INFECTED** Win32:Patched-WQ [Trj]
15:30:23.851 File: C:\Windows\system32\nvvsvc.exe **INFECTED** Win32:Patched-WQ [Trj]
15:31:00.622 AVAST engine scan C:\Windows\system32\drivers
15:31:01.869 File: C:\Windows\system32\drivers\csc.sys **INFECTED** Win32:Sirefef-G [Rtk]
15:31:08.294 AVAST engine scan C:\Users\kurt
15:31:26.055 Disk 0 MBR has been saved successfully to "C:\Users\kurt\Desktop\MBR.dat"
15:31:26.060 The log file has been saved successfully to "C:\Users\kurt\Desktop\aswMBR.txt"


Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Sneakyone on Fri Jul 29, 2011 5:32 am

Hi,

Please download ComboFix from one of these links: [link] / [link] / [link]


  • Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [link]
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Fri Jul 29, 2011 12:33 pm

Hi, here's the ComboFix log



Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Sneakyone on Sat Jul 30, 2011 6:20 am

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
[link]
[link]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    atwtusb.exe
    nvvsvc.exe
    csc.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Sat Jul 30, 2011 2:45 pm

Hi, thanks again for all this. Here's the log

SystemLook 30.07.11 by jpshortstuff
Log created at 10:38 on 30/07/2011 by kurt
Administrator - Elevation successful

========== filefind ==========

Searching for "atwtusb.exe"
C:\Windows\System32\atwtusb.exe --a---- 392864 bytes [16:06 08/05/2011] [15:34 22/04/2009] 7A053199B4B8EE0E7EF1ACB205FBA8F7

Searching for "nvvsvc.exe"
C:\Windows\System32\nvvsvc.exe --a---- 215656 bytes [21:47 27/09/2009] [21:47 27/09/2009] DB66C62DA5C0D3755A63434E9F7922DA

Searching for "csc.sys"
C:\Windows\System32\drivers\csc.sys --a---- 387584 bytes [23:15 13/07/2009] [23:15 13/07/2009] 0A48ED60D4BE817D2F65713CB27E0824
C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.1.7600.16385_none_9e1e9f0abd3adf87\csc.sys --a---- 387584 bytes [23:15 13/07/2009] [23:15 13/07/2009] 0A48ED60D4BE817D2F65713CB27E0824

-= EOF =-

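The `:filefind` log above is the kind of output a responder reads by hand; as an added example (not part of this thread, and not SystemLook's own code), here is a Python parser for that log format that checks every hit against a responder-supplied reference hash table and records whether the System32 copy and its winsxs copy agree. The reference table and the extra `ndis.sys` and `missing.sys` entries are constructed placeholders; the other log lines reuse values posted in the thread.

```python
"""Parse SystemLook ':filefind' output and check the hits against a reference.

Added example for this thread; it is not part of the GeekPolice thread
or of SystemLook. The hit-line format is taken from the log posted above:
  <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
REFERENCE_MD5 is a constructed placeholder table, not real known-good hashes.
"""
import re

# One hit line of a filefind section, e.g.
#   C:\Windows\System32\nvvsvc.exe --a---- 215656 bytes [21:47 27/09/2009] [21:47 27/09/2009] DB66...
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>.+)"$')

# Constructed sample in the thread's log format: page values for nvvsvc.exe
# and csc.sys, plus an invented ndis.sys hit and a name with no hits so that
# every outcome of assess() is exercised.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 10:38 on 30/07/2011 by kurt
Administrator - Elevation successful

========== filefind ==========

Searching for "nvvsvc.exe"
C:\Windows\System32\nvvsvc.exe --a---- 215656 bytes [21:47 27/09/2009] [21:47 27/09/2009] DB66C62DA5C0D3755A63434E9F7922DA

Searching for "csc.sys"
C:\Windows\System32\drivers\csc.sys --a---- 387584 bytes [23:15 13/07/2009] [23:15 13/07/2009] 0A48ED60D4BE817D2F65713CB27E0824
C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.1.7600.16385_none_9e1e9f0abd3adf87\csc.sys --a---- 387584 bytes [23:15 13/07/2009] [23:15 13/07/2009] 0A48ED60D4BE817D2F65713CB27E0824

Searching for "ndis.sys"
C:\Windows\System32\drivers\ndis.sys --a---- 1024 bytes [00:00 01/01/2011] [00:00 01/01/2011] 0123456789ABCDEF0123456789ABCDEF

Searching for "missing.sys"

-= EOF =-
"""

# Placeholder reference hashes (constructed). A responder would fill this
# table from a known-clean install of the same build, never from the
# suspect machine itself.
REFERENCE_MD5 = {
    "nvvsvc.exe": "ffffffffffffffffffffffffffffffff",
    "csc.sys": "00000000000000000000000000000000",
    "ndis.sys": "0123456789abcdef0123456789abcdef",
}


def parse_filefind(log_text):
    """Return {searched_name: [hit, ...]}; names with no hits map to []."""
    results = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = FILEFIND_RE.match(line)
        if m and current is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].lower()
            results[current].append(hit)
    return results


def assess(hits_by_name, reference_md5):
    """Classify each searched name: match / mismatch / no-reference / not-found.

    copies_consistent says whether every copy found (System32, winsxs, ...)
    carries the same hash. On Vista/7 the System32 file is normally a hard
    link into the winsxs component store, so agreeing copies are expected
    and do NOT show the file is clean; only the reference comparison does.
    """
    report = {}
    for name, hits in hits_by_name.items():
        if not hits:
            report[name] = {"status": "not-found", "copies_consistent": None, "paths": []}
            continue
        hashes = {h["md5"] for h in hits}
        ref = reference_md5.get(name)
        if ref is None:
            status = "no-reference"
        elif len(hashes) == 1 and ref.lower() in hashes:
            status = "match"
        else:
            status = "mismatch"
        report[name] = {
            "status": status,
            "copies_consistent": len(hashes) == 1,
            "paths": [h["path"] for h in hits],
        }
    return report


if __name__ == "__main__":
    for name, info in assess(parse_filefind(SAMPLE_LOG), REFERENCE_MD5).items():
        print(f"{name}: {info['status']} (copies consistent: {info['copies_consistent']})")
```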

Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Sneakyone on Sun Jul 31, 2011 4:03 am

Hi,

Could you please re-run aswMBR?



Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Sun Jul 31, 2011 1:46 pm

Hi, here's the log:

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-31 09:19:36
-----------------------------
09:19:36.958 OS Version: Windows 6.1.7600
09:19:36.958 Number of processors: 2 586 0x170A
09:19:36.959 ComputerName: KURT-PC UserName: kurt
09:19:40.373 Initialize success
09:38:57.319 AVAST engine defs: 11073100
09:40:22.586 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-3
09:40:22.589 Disk 0 Vendor: WDC_WD5000AAKS-00UU3A0 01.03B01 Size: 476940MB BusType: 3
09:40:24.686 Disk 0 MBR read successfully
09:40:24.692 Disk 0 MBR scan
09:40:24.743 Disk 0 Windows 7 default MBR code
09:40:24.749 Disk 0 scanning sectors +976771072
09:40:24.843 Disk 0 scanning C:\Windows\system32\drivers
09:40:25.920 File: C:\Windows\system32\drivers\csc.sys **INFECTED** Win32:Sirefef-G [Rtk]
09:40:31.774 Service scanning
09:40:32.973 Modules scanning
09:40:38.441 Disk 0 trace - called modules:
09:40:38.462 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
09:40:38.469 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a45510]
09:40:38.809 3 CLASSPNP.SYS[88da859e] -> nt!IofCallDriver -> [0x85556790]
09:40:38.813 5 ACPI.sys[8883f3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-3[0x85556030]
09:40:39.519 AVAST engine scan C:\Windows
09:40:41.313 AVAST engine scan C:\Windows\system32
09:40:43.637 File: C:\Windows\system32\atwtusb.exe **INFECTED** Win32:Patched-WQ [Trj]
09:41:53.690 File: C:\Windows\system32\nvvsvc.exe **INFECTED** Win32:Patched-WQ [Trj]
09:42:45.223 AVAST engine scan C:\Windows\system32\drivers
09:42:47.495 File: C:\Windows\system32\drivers\csc.sys **INFECTED** Win32:Sirefef-G [Rtk]
09:42:57.717 AVAST engine scan C:\Users\kurt
09:44:50.209 Disk 0 MBR has been saved successfully to "C:\Users\kurt\Desktop\Virus\MBR.dat"
09:44:50.214 The log file has been saved successfully to "C:\Users\kurt\Desktop\Virus\aswMBR2.txt"


Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Sneakyone on Mon Aug 01, 2011 5:42 am

Hi,

Submit a file for analysis.

  1. Please visit this website: [link]
  2. Press the "Browse" button and locate the following file:
     C:\WINDOWS\system32\atwtusb.exe
  3. Press the "Upload" button to submit the file for analysis.
  4. Allow it to be scanned; it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

Do the same for the following:
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\drivers\csc.sys



Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Mon Aug 01, 2011 1:47 pm

File name:
atwtusb.exe
Submission date:
2011-08-01 13:22:43 (UTC)
Current status:
finished
Result:
34/43 (79.1%)
Antivirus Version Last Update Result
AhnLab-V3 2011.08.01.00 2011.07.31 Win-Trojan/Patched.DD
AntiVir 7.11.12.173 2011.08.01 W32/PatchLoad.A
Antiy-AVL 2.0.3.7 2011.08.01 -
Avast 4.8.1351.0 2011.08.01 Win32:Patched-WQ [Trj]
Avast5 5.0.677.0 2011.08.01 Win32:Patched-WQ [Trj]
AVG 10.0.0.1190 2011.08.01 Win32/Katusha.A
BitDefender 7.2 2011.08.01 Trojan.Patched.HE
CAT-QuickHeal 11.00 2011.08.01 W32.Patchload.O
ClamAV 0.97.0.0 2011.08.01 -
Commtouch 5.3.2.6 2011.08.01 W32/Patched.G
Comodo 9589 2011.08.01 TrojWare.Win32.Patched.HN
DrWeb 5.0.2.03300 2011.08.01 Trojan.Starter.1695
Emsisoft 5.1.0.8 2011.08.01 Trojan-Spy.Win32.Zbot!IK
eSafe 7.0.17.0 2011.07.31 -
eTrust-Vet 36.1.8475 2011.08.01 Win32/Patchload.U
F-Prot 4.6.2.117 2011.08.01 W32/Patched.G
F-Secure 9.0.16440.0 2011.08.01 Trojan.Patched.HE
Fortinet 4.2.257.0 2011.07.31 -
GData 22 2011.08.01 Trojan.Patched.HE
Ikarus T3.1.1.104.0 2011.08.01 Trojan-Spy.Win32.Zbot
Jiangmin 13.0.900 2011.07.31 TrojanSpy.Zbot.adxr
K7AntiVirus 9.109.4961 2011.07.29 Trojan
Kaspersky 9.0.0.837 2011.08.01 Trojan.Win32.Patched.mf
McAfee 5.400.0.1158 2011.08.01 W32/Katusha
McAfee-GW-Edition 2010.1D 2011.08.01 W32/Katusha
Microsoft 1.7104 2011.08.01 Virus:Win32/Patchload.O
NOD32 6340 2011.08.01 Win32/Patched.HN
Norman 6.07.10 2011.08.01 W32/Patched.BH
nProtect 2011-08-01.03 2011.08.01 -
Panda 10.0.3.5 2011.08.01 W32/Katusha.BN
PCTools 8.0.0.5 2011.08.01 Trojan.Paccyn
Prevx 3.0 2011.08.01 -
Rising 23.69.00.03 2011.08.01 Win32.Loader.li
Sophos 4.67.0 2011.08.01 -
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.08.01 Trojan.Paccyn!inf
TheHacker 6.7.0.1.267 2011.08.01 -
TrendMicro 9.200.0.1012 2011.08.01 PTCH_KATUSHA.W
TrendMicro-HouseCall 9.200.0.1012 2011.08.01 PTCH_KATUSHA.W
VBA32 3.12.16.4 2011.08.01 Trojan-Spy.Zbot.gen
VIPRE 10029 2011.08.01 Virus.Win32.Agent.mpq (v)
ViRobot 2011.8.1.4599 2011.08.01 Win32.Patched.BE
VirusBuster 14.0.147.1 2011.07.31 Win32.Katusha.Gen
Additional information
MD5 : 7a053199b4b8ee0e7ef1acb205fba8f7
SHA1 : 1bae4a2b526865dc45ba65d0ecc2ecd64488436a
SHA256: 66d0e9faf800f89a4fee86ac861a225604dc4de0d29df8967966703508396fef
ssdeep: 6144:TVHqiOkCoIKnIh+268rZ38ItHN4wJaZrAOIiyOxYFTv:TIiFCou+lA38EN4BdHiFTv
File size : 392864 bytes
First seen: 2011-08-01 13:22:43
Last seen : 2011-08-01 13:22:43
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: Atwtusb.exe
description..: User Mode Tablet Driver
original name: Usbtablet
internal name: Usbtablet
file version.: 2, 51, 0, 3
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x78198
timedatestamp....: 0x49EE8FB7 (Wed Apr 22 03:32:07 2009)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x4088F, 0x41000, 6.56, 50f972a9494ad6cf20f90e7963c27931
.rdata, 0x42000, 0xB624, 0xC000, 5.99, 81ecf5f0b6ae8af45dfaea3ac1d89600
.data, 0x4E000, 0x1B04C, 0x2000, 2.99, f013a9c39af8b46f25e9819e984ffc21
atwtusb_, 0x6A000, 0xC, 0x1000, 0.00, 620f0b67a91f7f74151bc5be745b7110
.rsrc, 0x6B000, 0xD918, 0xE000, 4.98, a1a36333d520352bbf88a96ee53618a0

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 266240
EntryPoint: 0x78198
FileDescription: User Mode Tablet Driver
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 384 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 2, 51, 0, 3
FileVersionNumber: 2.51.0.3
ImageVersion: 0.0
InitializedDataSize: 225280
InternalName: Usbtablet
LanguageCode: Chinese (Traditional)
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.1
ObjectFileType: Executable application
OriginalFilename: Usbtablet
PEType: PE32
ProductName: Atwtusb.exe
ProductVersion: 1, 0, 0, 0
ProductVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:04:22 05:32:07+02:00
UninitializedDataSize: 0


Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Mon Aug 01, 2011 1:48 pm

File name:
nvvsvc.exe
Submission date:
2011-08-01 13:25:13 (UTC)
Current status:
finished
Result:
34/43 (79.1%)
Antivirus Version Last Update Result
AhnLab-V3 2011.08.01.00 2011.07.31 Win-Trojan/Patched.DD
AntiVir 7.11.12.173 2011.08.01 W32/PatchLoad.A
Antiy-AVL 2.0.3.7 2011.08.01 -
Avast 4.8.1351.0 2011.08.01 Win32:Patched-WQ [Trj]
Avast5 5.0.677.0 2011.08.01 Win32:Patched-WQ [Trj]
AVG 10.0.0.1190 2011.08.01 Win32/Katusha.A
BitDefender 7.2 2011.08.01 Trojan.Patched.HE
CAT-QuickHeal 11.00 2011.08.01 W32.Patchload.O
ClamAV 0.97.0.0 2011.08.01 -
Commtouch 5.3.2.6 2011.08.01 W32/Patched.G
Comodo 9589 2011.08.01 TrojWare.Win32.Patched.HN
DrWeb 5.0.2.03300 2011.08.01 Trojan.Starter.1695
Emsisoft 5.1.0.8 2011.08.01 Trojan-Spy.Win32.Zbot!IK
eSafe 7.0.17.0 2011.07.31 -
eTrust-Vet 36.1.8475 2011.08.01 Win32/Patchload.U
F-Prot 4.6.2.117 2011.08.01 W32/Patched.G
F-Secure 9.0.16440.0 2011.08.01 Trojan.Patched.HE
Fortinet 4.2.257.0 2011.07.31 -
GData 22 2011.08.01 Trojan.Patched.HE
Ikarus T3.1.1.104.0 2011.08.01 Trojan-Spy.Win32.Zbot
Jiangmin 13.0.900 2011.07.31 TrojanSpy.Zbot.adxr
K7AntiVirus 9.109.4961 2011.07.29 Trojan
Kaspersky 9.0.0.837 2011.08.01 Trojan.Win32.Patched.mf
McAfee 5.400.0.1158 2011.08.01 W32/Katusha
McAfee-GW-Edition 2010.1D 2011.08.01 W32/Katusha
Microsoft 1.7104 2011.08.01 Virus:Win32/Patchload.O
NOD32 6340 2011.08.01 Win32/Patched.HN
Norman 6.07.10 2011.08.01 W32/Patched.BH
nProtect 2011-08-01.03 2011.08.01 -
Panda 10.0.3.5 2011.08.01 W32/Katusha.BN
PCTools 8.0.0.5 2011.08.01 Trojan.Paccyn
Prevx 3.0 2011.08.01 -
Rising 23.69.00.03 2011.08.01 Win32.Loader.li
Sophos 4.67.0 2011.08.01 -
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.08.01 Trojan.Paccyn!inf
TheHacker 6.7.0.1.267 2011.08.01 -
TrendMicro 9.200.0.1012 2011.08.01 PTCH_KATUSHA.W
TrendMicro-HouseCall 9.200.0.1012 2011.08.01 PTCH_KATUSHA.W
VBA32 3.12.16.4 2011.08.01 Trojan-Spy.Zbot.gen
VIPRE 10029 2011.08.01 Virus.Win32.Agent.mpq (v)
ViRobot 2011.8.1.4599 2011.08.01 Win32.Patched.BE
VirusBuster 14.0.147.1 2011.07.31 Win32.Katusha.Gen
Additional information
MD5 : db66c62da5c0d3755a63434e9f7922da
SHA1 : 760615b1060ece7077f0c151770175e17de8efe0
SHA256: 5c22eb8d7a3a51699f6f664f14263d12deb7091e47c8518c9b9d0ddbe592285d
ssdeep: 3072:C85ZCHnSlmunuokKLigXe6Y7yYrhjT6jECUj6vtMLZA:pCHo7ri7/hjT64f6CG
File size : 215656 bytes
First seen: 2011-08-01 13:25:13
Last seen : 2011-08-01 13:25:13
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: NVIDIA Corporation
copyright....: (C) NVIDIA Corporation. All rights reserved.
product......: NVIDIA Driver Helper Service, Version 191.07
description..: NVIDIA Driver Helper Service, Version 191.07
original name: nvsvc32.exe
internal name: NVSVC
file version.: 8.16.11.9107
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x346B8
timedatestamp....: 0x4AC003B5 (Mon Sep 28 00:30:45 2009)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x2713D, 0x28000, 6.60, f282007447222712909ea7fa45991209
.rdata, 0x29000, 0x662A, 0x7000, 5.07, 178b3e32a77d123779a1b7b51226de48
.data, 0x30000, 0x3150, 0x2000, 1.90, 9e0a497959922fde03b40882d95ef17d
.rsrc, 0x34000, 0xE38, 0x1000, 5.37, 6439fd9d99d6f1a94932fb807d48dcc5

ExifTool:
file metadata
CharacterSet: Windows, Latin1
CodeSize: 163840
CompanyName: NVIDIA Corporation
EntryPoint: 0x346b8
FileDescription: NVIDIA Driver Helper Service, Version 191.07
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 211 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 8.16.11.9107
FileVersionNumber: 8.16.11.9107
ImageVersion: 0.0
InitializedDataSize: 49152
InternalName: NVSVC
LanguageCode: English (U.S.)
LegalCopyright: (C) NVIDIA Corporation. All rights reserved.
LinkerVersion: 8.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.1
ObjectFileType: Dynamic link library
OriginalFilename: nvsvc32.exe
PEType: PE32
ProductName: NVIDIA Driver Helper Service, Version 191.07
ProductVersion: 8.16.11.9107
ProductVersionNumber: 8.16.11.9107
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:09:28 02:30:45+02:00
UninitializedDataSize: 0


Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Mon Aug 01, 2011 1:49 pm

File name:
csc.sys
Submission date:
2011-08-01 13:27:39 (UTC)
Current status:
finished
Result:
19/43 (44.2%)
Antivirus Version Last Update Result
AhnLab-V3 2011.08.01.00 2011.07.31 Backdoor/Win32.ZAccess
AntiVir 7.11.12.173 2011.08.01 -
Antiy-AVL 2.0.3.7 2011.08.01 -
Avast 4.8.1351.0 2011.08.01 Win32:Sirefef-G [Rtk]
Avast5 5.0.677.0 2011.08.01 Win32:Sirefef-G [Rtk]
AVG 10.0.0.1190 2011.08.01 Agent3.WDG
BitDefender 7.2 2011.08.01 Gen:Variant.TDss.15
CAT-QuickHeal 11.00 2011.08.01 -
ClamAV 0.97.0.0 2011.08.01 -
Commtouch 5.3.2.6 2011.08.01 -
Comodo 9589 2011.08.01 -
DrWeb 5.0.2.03300 2011.08.01 Trojan.Packed.2221
Emsisoft 5.1.0.8 2011.08.01 Rootkit.Win32.TDSS!IK
eSafe 7.0.17.0 2011.07.31 -
eTrust-Vet 36.1.8475 2011.08.01 -
F-Prot 4.6.2.117 2011.08.01 -
F-Secure 9.0.16440.0 2011.08.01 Gen:Variant.TDss.15
Fortinet 4.2.257.0 2011.07.31 -
GData 22 2011.08.01 Gen:Variant.TDss.15
Ikarus T3.1.1.104.0 2011.08.01 Rootkit.Win32.TDSS
Jiangmin 13.0.900 2011.07.31 Rootkit.TDSS.fms
K7AntiVirus 9.109.4961 2011.07.29 -
Kaspersky 9.0.0.837 2011.08.01 Rootkit.Win32.ZAccess.e
McAfee 5.400.0.1158 2011.08.01 -
McAfee-GW-Edition 2010.1D 2011.08.01 -
Microsoft 1.7104 2011.08.01 -
NOD32 6340 2011.08.01 a variant of Win32/Sirefef.CL
Norman 6.07.10 2011.08.01 -
nProtect 2011-08-01.03 2011.08.01 Gen:Variant.TDss.15
Panda 10.0.3.5 2011.08.01 Generic Trojan
PCTools 8.0.0.5 2011.08.01 -
Prevx 3.0 2011.08.01 -
Rising 23.69.00.03 2011.08.01 -
Sophos 4.67.0 2011.08.01 Mal/TDSSPack-A
SUPERAntiSpyware 4.40.0.1006 2011.07.30 -
Symantec 20111.1.0.186 2011.08.01 -
TheHacker 6.7.0.1.267 2011.08.01 -
TrendMicro 9.200.0.1012 2011.08.01 TROJ_KRYPTIK.SMP
TrendMicro-HouseCall 9.200.0.1012 2011.08.01 TROJ_KRYPTIK.SMP
VBA32 3.12.16.4 2011.08.01 -
VIPRE 10029 2011.08.01 -
ViRobot 2011.8.1.4599 2011.08.01 -
VirusBuster 14.0.147.1 2011.07.31 Trojan.Sirefef!MMHPIACko9o
Additional information
MD5 : 0a48ed60d4be817d2f65713cb27e0824
SHA1 : 9206b728c127a16328333e4aaeb35058adfa30a5
SHA256: 55531feaa35ab56fcd1dca4672c3674bb1ad218228eb013e452bf02f94e99a06
ssdeep: 6144:OxgyzxHms++k9kNIzk16ffkurOpbDIgFhXYWXMHJyUooBMpacpVnYrZVxWn60u3V:OGyxFQ2KJPcniWgdQsyDS
File size : 387584 bytes
First seen: 2011-08-01 13:27:39
Last seen : 2011-08-01 13:27:39
Magic: PE32 executable for MS Windows (native) Intel 80386 32-bit
TrID:
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x12FF
timedatestamp....: 0x4E1D4FFC (Wed Jul 13 07:57:48 2011)
machinetype......: 0x14C (Intel I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x3647, 0x3800, 7.62, 5226781b6e61842c0b52b55a055eb0de
.INIT, 0x5000, 0x43D, 0x600, 4.03, e043d4793abbfc5c75410379af8001d7
.rdata, 0x6000, 0x3C6A, 0x3E00, 7.63, 0151e0eabcd2187af8693d4e3704bb1a
.rsrc, 0xA000, 0x106F, 0x1200, 6.74, d61d85bdb6f92d64c74e8125834e62ae
.reloc, 0xC000, 0x7C, 0x200, 1.93, 0e79ec251822248bd92fab53878a7e37

[[ 1 import(s) ]]
ntoskrnl.exe: ZwInitiatePowerAction, ExDeletePagedLookasideList, ZwQueryInformationProcess, _alldvrm, ExAcquireResourceExclusiveLite, FsRtlIsNameInExpression, isspace, isupper, RtlFindSetBitsAndClear, IoQueryFileDosDeviceName, ZwDuplicateToken, KeSetIdealProcessorThread, KeRegisterBugCheckReasonCallback, ExInterlockedExtendZone, PoRegisterSystemState, NtWriteFile, towlower, ExAcquireFastMutexUnsafe, isdigit, IoConnectInterrupt, IoSetSystemPartition, RtlImageNtHeader, strrchr, LpcRequestPort, memcpy, memchr, ExAllocatePool, MmFreeContiguousMemorySpecifyCache, PsSetProcessPriorityByClass, DbgPrint, strspn, islower, FsRtlInitializeOplock, ExFreePoolWithTag, MmRemovePhysicalMemory, MmUnsecureVirtualMemory, InbvCheckDisplayOwnership, IoSetPartitionInformation, strcmp, wcstombs, MmGetPhysicalAddress, RtlDowncaseUnicodeString

[[ 2 export(s) ]]
VkNqwtOjqmjBxilojz, MavJmgbtqcHcmdhyeXetu
Androguard:
-
ExifTool:
-
Symantec reputation:Suspicious.Insight

Polendulgur
Novice

Posts : 10
Joined : 2011-07-27
OS : windows 7

Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Mon Aug 01, 2011 1:50 pm

Thanks again,

here are the logs from the three files


Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Sneakyone on Tue Aug 02, 2011 4:06 am

Hi,

They are definitely patched and the backup is patched for csc.sys and there aren't any backups for the other 2. I've asked a colleague if he has any backups or ideas.


I'm livin' life in the fast lane.


Sneakyone
Master

Posts : 2707
Joined : 2010-01-10
Gender : Male
OS : Windows 7 Ultimate 64-bit

Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Polendulgur on Tue Aug 02, 2011 11:09 am

Thanks again, keep me posted


Re: 100k searches virus, it redirects my google search to a google fishing site

Post by Sneakyone on Wed Aug 03, 2011 4:41 am

Hi,

  • [You must be registered and logged in to see this link.]
    If you encounter problems running the RescueDisk, you can get further assistance at the [You must be registered and logged in to see this link.].
If you are not sure how to burn an image, please read [You must be registered and logged in to see this link.]. If you need a FREE utility to burn the ISO image, download and use [You must be registered and logged in to see this link.].


