
Google Redirecting Malware/BHO/Trojan?

4 replies to this topic

#1 rgincel


  • Members
  • 3 posts

Posted 30 December 2008 - 05:21 PM

Please, anyone who can help me fix this issue:
Every time I Google anything I get the results, but when clicking on a link I am redirected to a random site; the URL listed below the description does not match where I want to go,
and I see at the bottom of the screen "finding site 7.7.7.0...." or what looks like an IP address, not "Searching Google".

I have run:
RegMechanic
Tracks Eraser Pro
Malwarebytes
SuperAntiSpyware
CCleaner
Adaware
SmitFraud
CWSshredder
TrendMicro Online Scanner (4 times)
Kaspersky Online Scanner (2 times)

Any help is greatly appreciated.
Respectfully,
RGincel


DDS (Version 1.1.0) - NTFSx86
Run by United IT at 16:02:10.40 on Tue 12/30/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2475 [GMT -6:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Documents and Settings\United IT\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll__BHODemonDisabled_FDDPNGJMRJYNEMFBJZJSJ
BHO: ReadMe-BHODemon - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll__BHODemonDisabled_NVHWICACVPSXDSZZK
BHO: ReadMe-BHODemon - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll__BHODemonDisabled_KMERKYGRSNUUATYLTWJNKNJHBLI
BHO: ReadMe-BHODemon - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\united~1\startm~1\programs\startup\bhodem~1.lnk - c:\program files\bhodemon 2\BHODemon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\united~1\applic~1\mozilla\firefox\profiles\2jurc5oj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-30 148496]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-9-3 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-30 353680]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 RUBotted;Trend Micro RUBotted Service;"c:\program files\trend micro\rubotted\TMRUBotted.exe" [2008-12-29 582992]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2008-12-29 206608]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2008-12-29 206608]

=============== Created Last 30 ================

2008-12-30 09:54 <DIR> --d----- c:\program files\BHODemon 2
2008-12-30 09:15 <DIR> --d----- c:\docume~1\united~1\applic~1\MailFrontier
2008-12-30 09:12 13,802,016 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-30 09:12 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-30 09:09 73,104 a------- c:\windows\zllsputility.exe
2008-12-30 09:09 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-12-30 09:09 <DIR> --d----- c:\program files\Zone Labs
2008-12-30 09:09 349,222 a------- c:\windows\system32\vsconfig.xml
2008-12-29 19:03 244,024 a------- c:\windows\system32\MSFLXGRD.OCX
2008-12-29 19:03 203,976 a------- c:\windows\system32\richtx32.ocx
2008-12-29 19:03 <DIR> --d----- c:\program files\Zamaan's Software
2008-12-29 19:00 <DIR> --d----- c:\program files\CCleaner
2008-12-29 16:57 <DIR> --d----- c:\program files\Lavasoft
2008-12-29 16:49 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2008-12-29 16:40 <DIR> --d----- c:\documents and settings\united it\.housecall6.6
2008-12-29 12:41 66 a------- C:\pt2.bat
2008-12-18 18:44 67 a------- C:\ptm2.bat
2008-12-14 06:51 <DIR> --d----- c:\program files\Griffin Technology
2008-12-13 11:56 <DIR> --d----- c:\program files\iPod
2008-12-13 11:56 <DIR> --d----- c:\program files\iTunes
2008-12-13 11:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-03 17:40 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-30 09:33 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-30 08:31 2,762 a------- c:\windows\system32\tmp.reg
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-10-31 19:40 726,008 a------- c:\documents and settings\united it\gotomypc_437.exe
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 07:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 04:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-07-16 08:32 3,902,784 a------- c:\documents and settings\united it\gosetup.exe
2008-08-26 07:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 16:02:34.34 ===============


#2 Aaflac


    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts

Posted 31 December 2008 - 11:45 PM

Let's check out the following:

Please highlight and copy the contents inside the code box below:

cd desktop
reg query "HKLM\software\microsoft\windows nt\currentversion\drivers32" /s >look.txt
start notepad look.txt
exit
cls

Click Start > Run, and, in the Open area, type: cmd
Press: Enter to open a command window.
Right-click by the blinking cursor in the command window and select: Paste
The command window will close and a log will open on your Desktop.

Please post the contents of the look.txt in your reply.

~~~~
Also, please go to Start > Run and type: cmd.exe
Press: Enter

Copy all the text inside the code box below, paste it at the blinking prompt, and then press Enter.

Dir %systemdrive%\wdmaud.* /a /s >wdm.txt
Start notepad wdm.txt

Wdm.txt will show up on the Desktop.

Please provide the Wdm.txt information in your reply.



If you use FireFox, you may want to consider installing the NoScript extension: http://noscript.net/
You can then allow or deny what scripts load, etc.

Old duck...


#3 rgincel

  • Topic Starter

  • Members
  • 3 posts

Posted 02 January 2009 - 07:09 AM

I believe that I found the issue; it was a 14kb file in Sys32 called wdmaud.sys.
Restarted in safe mode, deleted it and reset the clocks to non-military time. All seems well.
If something goes sideways I will post the report you requested.
Thank you for your response.
Rgincel

#4 Aaflac


    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts

Posted 03 January 2009 - 07:11 PM

Even though you removed the file C:\Windows\System32\wdmaud.sys, there may still be a bogus entry in:
HKLM\software\microsoft\windows nt\currentversion\drivers32

If you want to make sure, please follow the reg query instructions in post #2.

Old duck...
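One way to triage the look.txt that post #2 asks for, as an added example that is not from this thread, its posters or BleepingComputer: it parses the output of reg query on the Drivers32 key and flags aliases whose data is not a user-mode multimedia module, which is the bogus-entry check post #4 describes. The expected extension list (.drv, .dll, .acm, .ax) is an assumption about what normally lives under Drivers32, the sample dump is constructed, and the aux2 value name is a placeholder rather than a real indicator.

```python
"""Triage a saved `reg query ... drivers32 /s` dump (look.txt) for bogus entries."""
import re

# Assumed: Drivers32 aliases normally map to user-mode multimedia modules with these extensions.
EXPECTED_EXTENSIONS = (".drv", ".dll", ".acm", ".ax")

# One value line of reg.exe output: name, REG_ type, data (tab-separated on XP, spaces later).
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return (name, type, data) tuples for every value line in a reg query dump."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("HKEY_"):
            continue  # blank lines and key headers carry no value data
        match = VALUE_LINE.match(line)
        if match:
            entries.append(match.groups())
    return entries


def suspicious_entries(entries):
    """Flag aliases that name wdmaud.sys or anything that is not an expected module type."""
    flagged = []
    for name, _reg_type, data in entries:
        module = data.strip().lower().split("\\")[-1]  # compare by file name, ignoring any path
        if module == "wdmaud.sys" or not module.endswith(EXPECTED_EXTENSIONS):
            flagged.append((name, data))
    return flagged


# Constructed sample, not the poster's real look.txt: legitimate aliases plus one bogus entry.
SAMPLE_LOOK_TXT = """
HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\drivers32
    midimapper\tREG_SZ\tmidimap.dll
    msacm.imaadpcm\tREG_SZ\timaadp32.acm
    vidc.cvid\tREG_SZ\ticcvid.dll
    wave\tREG_SZ\twdmaud.drv
    aux\tREG_SZ\twdmaud.drv
    aux2\tREG_SZ\twdmaud.sys
"""

if __name__ == "__main__":
    for name, data in suspicious_entries(parse_reg_query(SAMPLE_LOOK_TXT)):
        print(f"SUSPICIOUS Drivers32 entry: {name} -> {data}")
```

Run it against the real look.txt by reading the file into a string and passing it to parse_reg_query; the legitimate wdmaud.drv aliases pass, while a .sys or other non-module reference is reported for manual review.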


#5 rgincel

  • Topic Starter

  • Members
  • 3 posts

Posted 04 January 2009 - 12:00 AM

Thank you, I am not around my machine right now. I will when I get back in pocket.
Thank you again
Rgincel

