Mar 4 2009, 11:04 AM, Post #1
New Member. Group: Members, Posts: 4, Joined: 4-March 09, Member No.: 303,832

I need help! I have read this thread here: http://www.bleepingcomputer.com/forums/topic206736.html and also read through this thread: http://www.bleepingcomputer.com/forums/topic203158.html but none of them have a solution. Any help appreciated!!!!

Here is the HiJackThis Log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:31 AM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\QJ4CAE.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080619
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.teksouth.com/sites/AdMan/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080619
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP Wireless Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://mgmt.teksouth.com:4343/officescan/c...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://mgmt.teksouth.com:4343/officescan/c...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://mgmt.teksouth.com:4343/officescan/c.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231860150743
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231860144478
O16 - DPF: {E9A2B153-810F-4B63-ADFF-8BAAC43A4A2B} (RPDEClient Control) - https://www3.ultiproworkplace.com/scripts/RPDEClientLib.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = teksouth.com
O17 - HKLM\Software\..\Telephony: DomainName = teksouth.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = teksouth.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = teksouth.com,internal.teksouth.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = teksouth.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = teksouth.com,internal.teksouth.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = teksouth.com,internal.teksouth.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10204 bytes

Mar 4 2009, 11:35 AM, Post #2
Malware Killer Dog. Group: HJT Team, Posts: 18,700, Joined: 18-February 05, From: Belgium, Member No.: 12,408

Hi,

You're probably dealing with a new Win32:Daonol variant. This one is responsible for "locking" a lot of (commandline) tools such as Combofix, DDS, plus cmd, regedit etc. Could be by design, or could be because it's buggy...

Navigate to your C:\Windows folder and search for the file regedit.exe
Rightclick it and select to rename the file. Rename it to reg3dit.exe
Then launch the reg3dit.exe in order to open your Registry Editor.

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get drivers32
Rightclick the drivers32 key (folder) and select to export:
(sorry, my regedit is in Dutch, but I'm sure you understand)

Give it a name and export it as a txtfile on your desktop. Then copy and paste the contents of it in your next reply.

If confused, please ask first.

Reminder (in case I forget to tell you afterwards), once we are done with this thread, please rename your reg3dit.exe back to regedit.exe (as it was before).

--------------------
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

Mar 4 2009, 12:11 PM, Post #3
New Member. Group: Members, Posts: 4, Joined: 4-March 09, Member No.: 303,832

First off, thank you so much for the reply!

Here is the information you requested:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 2/22/2009 - 8:12 PM
Value 0 Name: midimapper Type: REG_SZ Data: midimap.dll
Value 1 Name: msacm.imaadpcm Type: REG_SZ Data: imaadp32.acm
Value 2 Name: msacm.msadpcm Type: REG_SZ Data: msadp32.acm
Value 3 Name: msacm.msg711 Type: REG_SZ Data: msg711.acm
Value 4 Name: msacm.msgsm610 Type: REG_SZ Data: msgsm32.acm
Value 5 Name: msacm.trspch Type: REG_SZ Data: tssoft32.acm
Value 6 Name: vidc.cvid Type: REG_SZ Data: iccvid.dll
Value 7 Name: vidc.I420 Type: REG_SZ Data: msh263.drv
Value 8 Name: vidc.iv31 Type: REG_SZ Data: ir32_32.dll
Value 9 Name: vidc.iv32 Type: REG_SZ Data: ir32_32.dll
Value 10 Name: vidc.iv41 Type: REG_SZ Data: ir41_32.ax
Value 11 Name: vidc.iyuv Type: REG_SZ Data: iyuv_32.dll
Value 12 Name: vidc.mrle Type: REG_SZ Data: msrle32.dll
Value 13 Name: vidc.msvc Type: REG_SZ Data: msvidc32.dll
Value 14 Name: vidc.uyvy Type: REG_SZ Data: msyuv.dll
Value 15 Name: vidc.yuy2 Type: REG_SZ Data: msyuv.dll
Value 16 Name: vidc.yvu9 Type: REG_SZ Data: tsbyuv.dll
Value 17 Name: vidc.yvyu Type: REG_SZ Data: msyuv.dll
Value 18 Name: wavemapper Type: REG_SZ Data: msacm32.drv
Value 19 Name: msacm.msg723 Type: REG_SZ Data: msg723.acm
Value 20 Name: vidc.M263 Type: REG_SZ Data: msh263.drv
Value 21 Name: vidc.M261 Type: REG_SZ Data: msh261.drv
Value 22 Name: msacm.msaudio1 Type: REG_SZ Data: msaud32.acm
Value 23 Name: msacm.sl_anet Type: REG_SZ Data: sl_anet.acm
Value 24 Name: msacm.iac2 Type: REG_SZ Data: C:\WINDOWS\system32\iac25_32.ax
Value 25 Name: vidc.iv50 Type: REG_SZ Data: ir50_32.dll
Value 26 Name: msacm.l3acm Type: REG_SZ Data: C:\WINDOWS\system32\l3codeca.acm
Value 27 Name: wave Type: REG_SZ Data: wdmaud.drv
Value 28 Name: midi Type: REG_SZ Data: wdmaud.drv
Value 29 Name: mixer Type: REG_SZ Data: wdmaud.drv
Value 30 Name: aux Type: REG_SZ Data: C:\DOCUME~1\KIM~1.KAN\LOCALS~1\Temp\..\tsr.uto

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name: <NO CLASS>
Last Write Time: 8/11/2004 - 11:11 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 8/11/2004 - 11:11 PM
Value 0 Name: wave Type: REG_SZ Data: rdpsnd.dll
Value 1 Name: mixer Type: REG_SZ Data: rdpsnd.dll
Value 2 Name: MaxBandwidth Type: REG_DWORD Data: 0x56b9
Value 3 Name: wavemapper Type: REG_SZ Data: msacm32.drv
Value 4 Name: EnableMP3Codec Type: REG_DWORD Data: 0x1
Value 5 Name: midimapper Type: REG_SZ Data: midimap.dll

Mar 4 2009, 12:15 PM, Post #4
Malware Killer Dog. Group: HJT Team, Posts: 18,700, Joined: 18-February 05, From: Belgium, Member No.: 12,408

Hi,

* Open hijackthis, click 'config' (bottom right)
* Choose the tab 'misc Tools' on top.
* Choose 'delete a file on reboot'
* In the field, copy and paste next:

C:\DOCUME~1\KIM~1.KAN\LOCALS~1\tsr.uto

* Click open.
* Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
* Your system should reboot now.

After reboot, open notepad and copy and paste next present in the quotebox below in it: (don't forget to copy and paste REGEDIT4)

QUOTE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"

Save this as fix.reg
Choose to save as *all files and place it on your desktop.

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Let me know if that solved your redirect problem.
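
The hijack found in this thread is the aux value of Drivers32 pointing at a file below the user's Temp directory instead of wdmaud.drv. As an added example (not part of the original posts and not a Bleeping Computer or HijackThis tool), this Python sketch parses a regedit text export like the one in post #3 and flags values whose data resolves outside system32. The function name, the C:\WINDOWS system root and the abridged sample export are assumptions made for the example.

```python
import ntpath
import re

# Assumption: %SystemRoot% is C:\WINDOWS, as in the HijackThis log in post #1.
SYSTEMROOT = r"C:\WINDOWS"
SYSTEM32 = (SYSTEMROOT + r"\system32").lower()

# Constructed sample: an abridged copy of the Drivers32 export from post #3,
# laid out one field per line.
SAMPLE_EXPORT = r"""
Key Name:        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Value 0
  Name:          midimapper
  Type:          REG_SZ
  Data:          midimap.dll
Value 24
  Name:          msacm.iac2
  Type:          REG_SZ
  Data:          C:\WINDOWS\system32\iac25_32.ax
Value 27
  Name:          wave
  Type:          REG_SZ
  Data:          wdmaud.drv
Value 30
  Name:          aux
  Type:          REG_SZ
  Data:          C:\DOCUME~1\KIM~1.KAN\LOCALS~1\Temp\..\tsr.uto
"""

# One "Value N / Name / Type / Data" record; \s+ between fields lets the same
# pattern read an export whose line breaks were lost when it was pasted.
VALUE_RE = re.compile(
    r"Value\s+\d+\s+Name:\s+(?P<name>\S+)\s+Type:\s+(?P<type>\S+)\s+"
    r"Data:\s+(?P<data>.*?)(?=\s+Value\s+\d+\s|\s+Key Name:|\s*\Z)",
    re.S,
)


def audit_drivers32(export_text):
    """Return (name, data, resolved_path, reasons) for each suspicious value."""
    findings = []
    for m in VALUE_RE.finditer(export_text):
        name, rtype, data = m["name"], m["type"], m["data"].strip()
        if rtype not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue  # DWORD settings such as MaxBandwidth name no module
        data = re.sub(r"%systemroot%", lambda _: SYSTEMROOT, data, flags=re.I)
        if "\\" not in data and "/" not in data:
            continue  # bare file name, the form most values in this key use
        resolved = ntpath.normpath(data)  # collapses "Temp\.." lexically
        reasons = []
        if ".." in re.split(r"[\\/]", data):
            reasons.append("path traversal segment")
        if not resolved.lower().startswith(SYSTEM32 + "\\"):
            reasons.append("resolves outside system32")
        if reasons:
            findings.append((name, data, resolved, reasons))
    return findings


if __name__ == "__main__":
    for name, data, resolved, reasons in audit_drivers32(SAMPLE_EXPORT):
        print(f"{name} = {data}")
        print(f"  resolves to {resolved} ({', '.join(reasons)})")
```

The resolved path reported for aux is the same path post #4 gives HijackThis for deletion on reboot. A bare file name passing this check says nothing about whether the file it names is legitimate.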

Mar 4 2009, 12:33 PM, Post #5
New Member. Group: Members, Posts: 4, Joined: 4-March 09, Member No.: 303,832

YES! That appears to have fixed it! CMD will now run and as of now have not gotten any redirects!!!!

Is this virus installed just by going to a certain page? Does it steal personal data or anything like that or is it just for advertising? Basically, if you know, what are the things that this virus does?

THANK YOU SO MUCH!!! You're the WOman!

This post has been edited by MattR: Mar 4 2009, 12:44 PM

Mar 4 2009, 12:42 PM, Post #6
Malware Killer Dog. Group: HJT Team, Posts: 18,700, Joined: 18-February 05, From: Belgium, Member No.: 12,408

Hi,

You'll find more info about the malware (which isn't a virus) you were dealing with here: http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

I've also explained there how this one is getting installed. In 80% via legitimate websites. And, sad but true, most of the infected sites are hosted by IX Webhosting. I've also blogged about it: http://miekiemoes.blogspot.com/2009/01/ix-...g-reliable.html

Best prevention is, use Firefox with the noscript extension, so it blocks scripts by default. Because, as you see, you don't have to visit bad sites to get infected. Malware is lurking everywhere.

As far as I know, it doesn't steal personal data. It's only responsible for displaying fake results in searches, so you click it (ads)

QUOTE
THANK YOU SO MUCH!!! you're the man!

Still female though, but you could not know

Mar 4 2009, 12:56 PM, Post #7
New Member. Group: Members, Posts: 4, Joined: 4-March 09, Member No.: 303,832

hahaha!

I was reading about you a little bit and saw that you were a woman so I edited my reply. My apologies! You're pretty famous I guess for having the description named after you! Not sure if that is good or bad though.

I said virus for a reason because I wanted your opinion on exactly the classification of it. It appeared to be Malware but seemed to take the extra effort in hiding itself, possibly pushing it into the virus category. Thank you for the clarification. I'll read up on it and your blog looks to have very interesting information in it, so thank you from all the lurkers.

Thanks again for the help and quick responses, it worked like a charm!

Mar 4 2009, 01:22 PM, Post #8
Malware Killer Dog. Group: HJT Team, Posts: 18,700, Joined: 18-February 05, From: Belgium, Member No.: 12,408

Many people give the name Virus for every type of malware, while actually, we don't see that many viruses around (if you compare it with other malware). However, there's an exception, because Virut and Sality are viruses that we see A LOT lately. Sality and Virut belong to the file infector Viruses.

You can read more info here and here about what exactly viruses are.

And you're most welcome.

Mar 6 2009, 07:50 AM, Post #9
Malware Killer Dog. Group: HJT Team, Posts: 18,700, Joined: 18-February 05, From: Belgium, Member No.: 12,408

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.