I believe I have a hijack virus

systemlook.txt

SystemLook 04.09.10 by jpshortstuff
Log created at 14:53 on 06/02/2011 by Jon
Administrator - Elevation successful

========== filefind ==========

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [22:15 29/08/2008] [22:15 29/08/2008] 362BC5AF8EAF712832C58CC13AE05750

-= EOF =-
 
ComboFix flagged that file, let's check it out to make sure it's ok

You need to enable Windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.

C:\WINDOWS\system32\sfcfiles.dll

If the site is busy you can try this one
http://virusscan.jotti.org/en
 
Results of File

1 VT Community user(s) with a total of 726 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
sfcfiles.dll
Submission date:
2011-02-06 21:10:50 (UTC)
Current status:
queued (#78) queued (#78) analysing finished
Result:
0/ 42 (0.0%)

VT Community

goodware
Safety score: 100.0%
Antivirus Version Last Update Result
AhnLab-V3 2011.02.06.00 2011.02.06 -
AntiVir 7.11.2.80 2011.02.04 -
Antiy-AVL 2.0.3.7 2011.01.28 -
Avast 4.8.1351.0 2011.02.06 -
Avast5 5.0.677.0 2011.02.06 -
AVG 10.0.0.1190 2011.02.06 -
BitDefender 7.2 2011.02.06 -
CAT-QuickHeal 11.00 2011.02.06 -
ClamAV 0.96.4.0 2011.02.06 -
Commtouch 5.2.11.5 2011.02.06 -
Comodo 7599 2011.02.06 -
DrWeb 5.0.2.03300 2011.02.06 -
Emsisoft 5.1.0.2 2011.02.06 -
eSafe 7.0.17.0 2011.02.06 -
eTrust-Vet 36.1.8141 2011.02.04 -
F-Prot 4.6.2.117 2011.02.04 -
F-Secure 9.0.16160.0 2011.02.06 -
Fortinet 4.2.254.0 2011.02.06 -
GData 21 2011.02.06 -
Ikarus T3.1.1.97.0 2011.02.06 -
Jiangmin 13.0.900 2011.02.05 -
K7AntiVirus 9.81.3761 2011.02.06 -
Kaspersky 7.0.0.125 2011.02.06 -
McAfee 5.400.0.1158 2011.02.06 -
McAfee-GW-Edition 2010.1C 2011.02.06 -
Microsoft 1.6502 2011.02.06 -
NOD32 5851 2011.02.06 -
Norman 6.07.03 2011.02.06 -
nProtect 2011-01-27.01 2011.02.02 -
Panda 10.0.3.5 2011.02.06 -
PCTools 7.0.3.5 2011.02.06 -
Prevx 3.0 2011.02.06 -
Rising 23.44.00.00 2011.02.06 -
Sophos 4.61.0 2011.02.06 -
SUPERAntiSpyware 4.40.0.1006 2011.02.06 -
Symantec 20101.3.0.103 2011.02.06 -
TheHacker 6.7.0.1.125 2011.02.06 -
TrendMicro 9.200.0.1012 2011.02.06 -
TrendMicro-HouseCall 9.200.0.1012 2011.02.06 -
VIPRE 8331 2011.02.06 -
ViRobot 2011.2.5.4294 2011.02.06 -
VirusBuster 13.6.185.0 2011.02.06 -
Additional information
MD5 : 362bc5af8eaf712832c58cc13ae05750
SHA1 : c8c2d44f34115f27f10bc435dd986d4eff00fe3f
SHA256: 8b9ef2f37266e7dcb4ebfc0e3f0065f6f5cc0d9555d7589ce8b5ca42cd158fc4
ssdeep: 3072:uUeP8F3PH/mvTKurhqCaDfzqdKfD+P7KbLxvmzmeXuNrR4:ur8Fymfzqn4Lxvmzp
File size : 1614848 bytes
First seen: 2009-05-04 06:25:13
Last seen : 2011-02-06 21:10:50
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows 2000 System File Checker
original name:
internal name:
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x120D
timedatestamp....: 0x48025222 (Sun Apr 13 18:34:10 2008)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xCBF, 0xE00, 5.90, d3fe89394e3542961bec08f951a2b772
.data, 0x2000, 0x17E730, 0x17E800, 3.28, 2e54b06118c98cf9da49ccc14783dee2
.rsrc, 0x181000, 0x408, 0x600, 2.49, 6ad33d817c21d5547a4921c76c19efff
.reloc, 0x182000, 0xA230, 0xA400, 5.76, 31a909823c459f02f7ee7c2c9f09fc93

[[ 1 import(s) ]]
ntdll.dll: LdrDisableThreadCalloutsForDll, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, RtlGetVersion, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory

[[ 1 export(s) ]]
SfcGetFiles
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 3584
CompanyName: Microsoft Corporation
EntryPoint: 0x120d
FileDescription: Windows 2000 System File Checker
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 1577 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 5.1
InitializedDataSize: 1610240
InternalName:
LanguageCode: English (U.S.)
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
PEType: PE32
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows command line
SubsystemVersion: 4.1
Tag26005512: D
TimeStamp: 2008:04:13 20:34:10+02:00
UninitializedDataSize: 0

VT Community

1

User:
Cecilia
Reputation:
726 credits
Comment date:
2010-09-24 13:57:44 (UTC)
Windows XP
Tags: Goodware,

 
That file looks ok, it may be damaged but it's not infected

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe





Open Notepad: Go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Registry::


Code:
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
 
combo fix log

ComboFix 11-02-05.01 - Jon 02/06/2011 17:46:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1657 [GMT -5:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon\Desktop\cfscript.txt
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.

((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-05 20:59 . 2011-02-05 20:59 -------- d-----w- C:\_OTM
2011-02-03 21:05 . 2011-02-03 21:05 -------- d-----w- C:\Intel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-16 23:39 . 2010-12-16 23:39 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2010-12-16 23:12 . 2010-12-16 23:12 113096 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2010-12-16 23:12 . 2010-12-16 23:12 111944 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2010-12-16 23:12 . 2010-12-16 23:12 130376 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2010-12-16 23:12 . 2010-12-16 23:12 97352 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2010-12-16 23:12 . 2010-12-16 23:12 141768 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2010-11-09 14:52 . 2008-04-14 00:42 249856 ----a-w- c:\windows\system32\odbc32.dll
.

------- Sigcheck -------

[-] 2008-08-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-02-06_18.19.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 13:00 . 2011-02-06 18:18 40394 c:\windows\system32\perfc009.dat
+ 2001-08-23 13:00 . 2011-02-06 22:49 40394 c:\windows\system32\perfc009.dat
+ 2011-02-06 22:35 . 2011-02-06 22:35 16384 c:\windows\ERDNT\2-6-2011\Users\00000002\UsrClass.dat
+ 2001-08-23 13:00 . 2011-02-06 22:49 312172 c:\windows\system32\perfh009.dat
- 2001-08-23 13:00 . 2011-02-06 18:18 312172 c:\windows\system32\perfh009.dat
+ 2011-02-06 22:35 . 2005-10-20 17:02 163328 c:\windows\ERDNT\2-6-2011\ERDNT.EXE
+ 2011-02-06 22:35 . 2011-02-06 22:35 1200128 c:\windows\ERDNT\2-6-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-12-16 423232]
"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2010-12-19 223400]
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe" [2010-10-23 1070360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-11-30 608584]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [12/16/2010 6:12 PM 130376]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [12/16/2010 6:19 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [12/16/2010 6:12 PM 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [12/16/2010 6:12 PM 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [12/16/2010 6:12 PM 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [12/16/2010 6:12 PM 113096]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\5cm2omqa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-06 17:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2011-02-06 17:52:25
ComboFix-quarantined-files.txt 2011-02-06 22:52
ComboFix2.txt 2011-02-06 18:21

Pre-Run: 243,957,321,728 bytes free
Post-Run: 243,953,352,704 bytes free

- - End Of File - - E4569FD4CB3DBC3BFDA3486738FCD7D1
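The helper's check above rests on two things the logs expose: the MD5 that ComboFix and SystemLook print for sfcfiles.dll must match the MD5 VirusTotal reports, and the autostart entries under the Run key should point at executables in the places they are expected. The following is an added example, not code from the thread or from ComboFix; it parses the Sigcheck and Run lines in the log format shown above (the regexes assume exactly that layout) and cross-checks the hash case-insensitively against the VirusTotal MD5.

```python
import re

# Constructed sample in ComboFix's log format; the values are the ones that
# appear in the log above, trimmed to the lines this example parses.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2008-08-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2010-12-19 223400]
"""

# MD5 as printed in the VirusTotal report above (lower-case there).
VT_MD5 = "362bc5af8eaf712832c58cc13ae05750"

# Sigcheck line: [mark] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r'^\[(?P<mark>.)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. '
    r'(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$')
# Run entry: "name"="path" [date size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')

# Directories where autostart executables are normally expected on XP (assumption).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

def _parse(regex, log):
    """Apply regex to every line; return the match dicts with size as an int."""
    out = []
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            out.append(d)
    return out

def parse_sigcheck(log):
    return _parse(SIGCHECK_RE, log)

def parse_run_entries(log):
    return _parse(RUN_RE, log)

def hash_matches(sigcheck_entry, vt_md5):
    """ComboFix prints MD5 upper-case, VirusTotal lower-case: compare case-insensitively."""
    return sigcheck_entry["md5"].lower() == vt_md5.lower()

def unusual_autostarts(entries):
    """Names of Run entries whose executable lives outside the usual install dirs.
    Triage hint only: the legitimate Panda entry in the sample is flagged too."""
    return [e["name"] for e in entries
            if not e["path"].lower().startswith(EXPECTED_DIRS)]
```

A flagged entry is a prompt to verify the file (hash, signature, vendor), not a verdict; the Panda URL Filtering entry is legitimate despite living under Application Data.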
 
still the same

yes, I am still getting redirected from my google search, and I also just randomly get redirected to a "secure content" website while on the internet.
 
Do you connect to the internet using a router ? If so disconnect your router and connect directly to your modem ( cable or DSL ) and see if you still have the redirects
 
I think it's fixed

I bypassed the router and it seems to be working. I reset the router and put things back to normal and it still seems to be working correctly. I will reply again to this post if things get wacky again in the next day or so.

Thanks so much for your help.
 
There appears to be a rash of routers being infected lately. I'll tell ya, these dirtbags that write this garbage will infect your front teeth if they could find a way.

I will keep this thread open for you for a few days, post back and let me know how it's going and if there are still issues we can dig deeper. If the thread is closed just start a new topic.


Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups





Safe Surfn
Ken
 
looks good

everything seems to be working as expected. thanks so much for your time and effort in resolving this problem.
 
:bigthumb:

Be sure to post back if you have a problem, if this thread is closed just start a new topic.


Glad all is well,

Ken :)
 