google redirects and general funniness


This topic is locked
8 replies to this topic

#1 mkgphoto

Posted 30 December 2008 - 03:25 PM

hi.

i think i have at least one infection (but probably more).

today is the first time i've ever had a google search result redirect to a different site.

i don't surf porn sites but i will download an occasional torrent (azureus/vuze) for an interesting program for my smart phone (i'm suspicious that that is what got me here today).

i've had some slowness and general odd behavior before (mostly just slow performance, and slow startup). i scan occasionally with AVG and have spybot/teatimer running on my computer.

i use XP professional and i work on an older dell at 512ram (i've always accepted that to be my slowness issue).

i will be happy to provide other information as needed to help me out, and i thank you very much for even attempting to help me.

if i'm posting in the wrong forum, kindly direct me to the appropriate section, and forgive my mistake.

*edit - there is a new process i noticed today stunnel-4.10.exe - dunno if that will help. also, i can't connect to AVG update and my microsoft phishing filter is unavailable.

*second edit - i have a trojanC (according to spybot) as a result of installing a program listed as "codegeneratorspellbound11_3019". it installed a program called "videosoft"

according to --- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---, this happened:

Win32.Agent.sd: [SBI $2968F182] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-746137067-682003330-725345543-1003\Software\{NSINAME}

Win32.Agent.sd: [SBI $72640A46] Program directory (Directory, nothing done)
c:\resycled\

Win32.Agent.sd: [SBI $8DCCA8F7] Data (File, nothing done)
c:\resycled\boot.com

Win32.Agent.sd: [SBI $58009CA6] Installer (File, nothing done)
c:\autorun.inf

i "fixed" these problems, but i'd like to get some help on a thorough scan to make certain i'm clean.

Win32.Agent.sd: [SBI $2968F182] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-746137067-682003330-725345543-1003\Software\{NSINAME}

Win32.Agent.sd: [SBI $72640A46] Program directory (Directory, fixed)
c:\resycled\

Win32.Agent.sd: [SBI $8DCCA8F7] Data (File, fixed)
c:\resycled\boot.com

Win32.Agent.sd: [SBI $58009CA6] Installer (File, fixed)
c:\autorun.inf

Kurt

Edited by mkgphoto, 30 December 2008 - 04:54 PM.
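The Spybot findings in the post above (an installer at c:\autorun.inf and a payload under c:\resycled\, a near-miss spelling of the RECYCLER folder) are the classic drive-root dropper pattern. As an added example, not code from this thread, here is a small Python checker that parses an autorun.inf, flags launch directives found on a fixed disk (Windows itself never needs an autorun.inf on C:), and flags a target folder whose name imitates a real system folder. The inf contents are constructed for the demonstration; the thread shows only the file paths, not what the file contained, and the near-miss heuristic is this example's own.

```python
"""Inspect an autorun.inf for the drive-root dropper pattern seen in the thread.

Added example; not code from the BleepingComputer thread. The sample inf
texts below are constructed (the thread only reports the paths
c:\\autorun.inf and c:\\resycled\\boot.com), and the near-miss folder-name
check is a heuristic of this example, not a Spybot rule.
"""
import difflib
import os

# [autorun] directives that make Explorer launch a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# Real folder names that droppers imitate with a one-letter change.
SYSTEM_FOLDER_NAMES = ("recycler", "recycled", "windows", "system32", "system volume information")


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}; other sections are ignored."""
    section, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def mimicked_name(folder):
    """Return the real folder name that `folder` closely resembles but is not, else None."""
    folder = folder.lower()
    if folder in SYSTEM_FOLDER_NAMES:
        return None
    for legit in SYSTEM_FOLDER_NAMES:
        if difflib.SequenceMatcher(None, folder, legit).ratio() >= 0.8:
            return legit
    return None


def assess_autorun(inf_text, on_fixed_disk=True):
    """Return a list of findings; an empty list means nothing looked wrong."""
    directives = parse_autorun(inf_text)
    launches = [(k, directives[k]) for k in LAUNCH_KEYS if k in directives]
    findings = []
    if on_fixed_disk and launches:
        findings.append("autorun.inf on a fixed disk launches a program; Windows never needs one on C:")
    for key, target in launches:
        first = target.replace("/", "\\").split("\\")[0]
        legit = mimicked_name(first) if "\\" in target else None
        if legit:
            findings.append(f"{key}={target}: folder '{first}' imitates '{legit}'")
    return findings


def scan_drive_roots(roots=("C:\\", "D:\\")):
    """Assess the autorun.inf at each listed drive root that has one (fixed disks assumed)."""
    results = {}
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if os.path.isfile(inf):
            with open(inf, encoding="latin-1", errors="replace") as fh:
                results[root] = assess_autorun(fh.read())
    return results


# Constructed sample modelled on the paths Spybot reported; not the real file.
DROPPER_INF = """[autorun]
open=resycled\\boot.com
shell\\open\\command=resycled\\boot.com
shell\\explore\\command=resycled\\boot.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign sample: an install CD that launches its own setup program.
CD_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
"""

if __name__ == "__main__":
    for label, text, fixed in (("dropper", DROPPER_INF, True), ("cd", CD_INF, False)):
        print(label, assess_autorun(text, on_fixed_disk=fixed) or ["nothing suspicious"])
```

The benign CD sample produces no findings only because it is assessed with on_fixed_disk=False; the same open= line at the root of a hard disk is reported, which is the distinction that matters for this infection.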



#2 boopme (Global Moderator)

Posted 30 December 2008 - 04:55 PM

Hi, well the 512 will keep it down, but other than AVG, are you running any other spyware tools?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 mkgphoto (Topic Starter)

Posted 30 December 2008 - 04:58 PM

hey boopme, thx for the quick reply.

spybot did help me find one problem (not sure if you caught that in my most recent edit).

i'll go through all you have suggested and get back with you.

regarding spyware tools, i believe i mentioned spybot search and destroy and teatimer. besides that, i have no other active protection. is that what you wanted to know?

#4 boopme (Global Moderator)

Posted 30 December 2008 - 05:02 PM

Yes that was what I was interested in. The teatimer should be disabled prior to scans with other tools as they will adjust the registry and Teatimer will always ask about it.

Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.

#5 mkgphoto (Topic Starter)

Posted 30 December 2008 - 06:14 PM

ok, i ran the program and took the actions it suggested.

my computer "hung up" upon restart, so i just hit the button, and restarted it the "hard way."

i had bookmarked this page, and after a restart, i couldn't get to the page (perhaps it's a login issue).

i opened google, and navigated to the page with no other problems.

AVG has now managed to connect to its update server, and all is running fine there.

as a side note, i still see the stunnel-4.10.exe in my tasklist of processes. my searches don't show much information on this.

here is the log from the scan you suggested i do.

Malwarebytes' Anti-Malware 1.31
Database version: 1579
Windows 5.1.2600 Service Pack 3

12/30/2008 4:33:36 PM
mbam-log-2008-12-30 (16-33-36).txt

Scan type: Quick Scan
Objects scanned: 54998
Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sais for pocket pc (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\MKG\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxhxrjkhff.dll (Trojan.TDSS) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-746137067-682003330-725345543-1003\Dc134.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxylyavbwi.sys (Trojan.Agent) -> Quarantined and deleted successfully.

thanks, and what shall i do next?

Kurt
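As an added example (not code from this thread or from Malwarebytes), the following Python script parses the MBAM 1.x log format shown in the post above into a structured report, checks that the summary counts agree with the detail sections, and lists the items left as "Delete on reboot". Those pending items are the reason the normal reboot boopme asked for matters: the TDSS dll in this log was still in use and could only be removed on restart. The log embedded as sample input is the one from the post; the field layout is inferred from it and is an assumption of this example.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into a structured report.

Added example; not code from the thread or from Malwarebytes. The layout
(header lines, "<section>: <count>" summary, then "<section>:" blocks of
"<item> (<family>) -> <action>." lines) is inferred from the log pasted
in post #5, which is embedded below as the sample input.
"""
import re

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1579
Windows 5.1.2600 Service Pack 3

12/30/2008 4:33:36 PM
mbam-log-2008-12-30 (16-33-36).txt

Scan type: Quick Scan
Objects scanned: 54998
Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sais for pocket pc (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\MKG\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msqpdxhxrjkhff.dll (Trojan.TDSS) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-746137067-682003330-725345543-1003\Dc134.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxylyavbwi.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Item text is greedy so the family is always the last parenthesised group.
DETAIL_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
META_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_mbam_log(text):
    """Return {"product", "meta", "counts", "findings"} parsed from an MBAM 1.x log."""
    report = {"product": None, "meta": {}, "counts": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends a detail section
            continue
        if report["product"] is None:
            report["product"] = line  # first line names the product and version
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["counts"][m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is not None:
            if line.startswith("("):  # "(No malicious items detected)"
                continue
            m = DETAIL_RE.match(line)
            if m:
                report["findings"].append({"section": section, "item": m["item"],
                                           "family": m["family"], "action": m["action"]})
            continue
        m = META_RE.match(line)
        if m:
            report["meta"][m["key"]] = m["value"]
    return report


def pending_reboot(report):
    """Findings MBAM could not remove in place; these need the normal reboot."""
    return [f for f in report["findings"] if f["action"].lower().startswith("delete on reboot")]


def families(report):
    """Sorted set of detection families in the log."""
    return sorted({f["family"] for f in report["findings"]})


def summary_matches_details(report):
    """True when every summary count equals the number of detail lines in that section."""
    by_section = {}
    for f in report["findings"]:
        by_section[f["section"]] = by_section.get(f["section"], 0) + 1
    return all(by_section.get(sec, 0) == n for sec, n in report["counts"].items())


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep["product"], "db", rep["meta"].get("Database version"))
    print("families:", ", ".join(families(rep)))
    print("consistent:", summary_matches_details(rep))
    for f in pending_reboot(rep):
        print("pending reboot:", f["item"], f["family"])
```

A helper reading many of these logs would extend pending_reboot into a follow-up check: after the reboot, the listed path should be gone, and a file that reappears at the same path is the signal that a rootkit component is still active.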

#6 boopme (Global Moderator)

Posted 30 December 2008 - 09:21 PM

Hello, this Stunnel may be the legit version for SSL. SSL can refer to:
In computing and electronics: Secure Sockets Layer, now Transport Layer Security, a communications protocol.

What is stunnel?
Quoted directly from the README:

The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. The concept is that having non-SSL aware daemons running on your system you can easily setup them to communicate with clients over secure SSL channel.
stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.

It's this aspect that bothers me. It could very well be malware, the type that phones home and steals personal info.

Stunnel will not help you with anything that compromises your host's security in some other way. Once an attacker has gained root access to a machine, he can then subvert stunnel, too.

I am not certain and cannot get enough safe info on this. So where it runs from will determine its severity. I do suspect it to be the malware type by its performance here.

I feel our smartest move is to get this found and dug out by the HJT team, because should it be malware you will need to remove all traces.
Please follow our guide to post an HJT Log.
Preparation Guide For Use Before Using Hijackthis

Edited by boopme, 30 December 2008 - 09:22 PM.

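boopme's point about stunnel is that the image path decides how much to worry about an unfamiliar process. As an added example, not code from this thread, here is a Python triage over (process name, image path) rows of the kind Process Explorer or a tasklist export gives you: it rates images in a drive root, a scratch folder or RECYCLER as high, unfamiliar install locations as review, and separately flags vowel-poor machine-generated file names like the msqpdx* files in the MBAM log above. The rows are constructed; the file names come from the logs in this thread, but the two stunnel paths are assumed for the demonstration.

```python
"""Triage processes by where their image runs from.

Added example; not code from the thread. The rows are constructed
(process name, image path) pairs; file names are taken from the logs
in the thread, the stunnel paths are assumed. The thresholds are this
example's own heuristics, not a vendor rule set.
"""
import ntpath

# Where legitimately installed software normally lives on Windows XP.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Folder markers a service or startup program has no business running under.
SCRATCH_MARKERS = ("\\recycler\\", "\\temp\\", "\\local settings\\", "\\temporary internet files\\")


def looks_random(stem):
    """Flag long, vowel-poor names such as msqpdxhxrjkhff (a generated-name pattern)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 10:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def triage(name, path):
    """Return (level, reasons); level is "low", "review" or "high"."""
    p = path.lower().replace("/", "\\")
    folder = ntpath.dirname(p).rstrip("\\") + "\\"
    hits = []  # (severity, reason); 2 = high, 1 = review
    if folder.endswith(":\\"):
        hits.append((2, "image sits in a drive root"))
    if any(marker in folder for marker in SCRATCH_MARKERS):
        hits.append((2, "image runs from a scratch or user-writable folder"))
    elif not any(folder.startswith(root) for root in TRUSTED_ROOTS):
        hits.append((1, "image runs from an unusual location"))
    if looks_random(ntpath.splitext(name)[0]):
        hits.append((2, "file name looks machine-generated"))
    level = {0: "low", 1: "review", 2: "high"}[max((s for s, _ in hits), default=0)]
    return level, [reason for _, reason in hits]


def triage_all(rows):
    """Apply triage() to every (name, path) row; returns (name, path, level, reasons)."""
    return [(name, path, *triage(name, path)) for name, path in rows]


# Constructed rows; only the file names are taken from the thread's logs.
SAMPLE_PROCESSES = [
    ("stunnel-4.10.exe", "C:\\Program Files\\stunnel\\stunnel-4.10.exe"),
    ("stunnel-4.10.exe", "C:\\Documents and Settings\\MKG\\Local Settings\\Temp\\stunnel-4.10.exe"),
    ("Dc134.exe", "C:\\RECYCLER\\S-1-5-21-746137067-682003330-725345543-1003\\Dc134.exe"),
    ("msqpdxylyavbwi.sys", "C:\\WINDOWS\\system32\\drivers\\msqpdxylyavbwi.sys"),
    ("boot.com", "C:\\resycled\\boot.com"),
    ("svchost.exe", "C:\\WINDOWS\\system32\\svchost.exe"),
]

if __name__ == "__main__":
    for name, path, level, reasons in triage_all(SAMPLE_PROCESSES):
        print(f"{level:6} {path}" + (f"  ({'; '.join(reasons)})" if reasons else ""))
```

"low" is not a clean bill of health: a stunnel binary under Program Files still deserves a look at its publisher signature and at what it is tunnelling, and an attacker who already has administrative rights can place a file in a trusted folder. The levels only order what to look at first, which is what a helper working a log needs.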

#7 mkgphoto (Topic Starter)

Posted 30 December 2008 - 10:10 PM

thank you for all your help.

if there is anything else i should do here, please let me know, otherwise i'll be in the HJT section.

i like 2T4:3, too.

Kurt

#8 boopme (Global Moderator)

Posted 30 December 2008 - 10:29 PM

No.. It's really the best thing for you. I want you to get rid of it. There is no specific tool for that so they need to find all of its footprints. They will, that's why I don't want to waste any more time here. :thumbsup:

You're most welcome and Happy New Year
God Bless

Edited by boopme, 30 December 2008 - 10:31 PM.


#9 Orange Blossom (Moderator)

Posted 31 December 2008 - 08:13 PM

Hello mkgphoto,

Now that you have your log posted here: http://www.bleepingcomputer.com/forums/t/191041/boopme-said-come-here/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: