
Google redirect hijack


This topic is locked
10 replies to this topic

#1 MsDecember

  • Members
  • 8 posts
  • Location:Australia

Posted 02 January 2009 - 06:37 AM

Google search listings are redirected to unrelated websites - this happens when using both IE and Firefox to launch Google. Both header and description match the website I am looking for, but the web address and link are unrelated. I have run AVG, Spybot and HJT but no virus is found. Everything else appears to run fine. DDS log attached below. Any help would be much appreciated.


DDS (Version 1.1.0) - NTFSx86
Run by Desktop at 22:14:07.95 on Fri 02/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1292 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Desktop\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.smh.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [UVS11 Preload] c:\program files\ulead systems\ulead videostudio 11\uvPL.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blacki~1.lnk - c:\program files\iss\blackice\blackice.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
TCP: {0EFC744C-1FE8-417A-AE88-CADA5320A1C6} = 192.231.203.132,192.231.230.3
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\desktop\applic~1\mozilla\firefox\profiles\tl8obfx3.default\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-29 26824]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-29 231704]
R2 BlackICE;BlackICE;"c:\program files\iss\blackice\blackd.exe" [2007-8-27 1229430]
R3 RapDrv;RapDrv;\??\c:\windows\system32\drivers\RapDrv.sys [2007-8-27 104968]
R3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2007-8-27 36644]
R3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2007-8-27 24344]
R4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2007-8-27 229331]
S2 USBHSB;GeneLink File Transfer Driver;c:\windows\system32\drivers\usbhsb.sys [2007-8-27 18690]

=============== Created Last 30 ================

2009-01-02 19:30 <DIR> --d----- c:\program files\Trend Micro
2009-01-02 19:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-02 19:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-01 13:55 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-01-01 13:55 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-01-01 13:55 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-01-01 13:55 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-01-01 13:53 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-01 13:53 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-01-01 13:53 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-01-01 13:53 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2009-01-01 13:53 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-01 13:53 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-01 13:53 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-01 13:53 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-01 13:52 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2009-01-01 13:52 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-01-01 13:52 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-01-01 13:51 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-01-01 13:39 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-01 13:39 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-01-01 12:45 <DIR> --d----- c:\windows\system32\scripting
2009-01-01 12:45 <DIR> --d----- c:\windows\l2schemas
2009-01-01 12:45 <DIR> --d----- c:\windows\system32\en
2009-01-01 12:45 <DIR> --d----- c:\windows\system32\bits
2009-01-01 12:42 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-01 12:40 <DIR> --d----- c:\windows\network diagnostic
2009-01-01 12:28 327,040 -------- c:\windows\system32\drivers\ati2mtaa.sys
2009-01-01 10:56 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-01 10:56 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-01 10:11 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-01-01 10:11 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-01-01 10:11 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-01-01 10:11 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-01 10:11 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2008-12-07 21:15 <DIR> --d----- c:\program files\iPod
2008-12-07 21:15 <DIR> --d----- c:\program files\iTunes
2008-12-07 21:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2009-01-01 12:48 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-29 17:58 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-23 23:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 12:00 666,112 a------- c:\windows\system32\wininet.dll

============= FINISH: 22:14:25.37 ===============



If you do not tell the truth about yourself you cannot tell it about other people.
Virginia Woolfe



#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 11 January 2009 - 10:55 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray on the bottom right hand corner and look for this Posted Image sign.
  • Right click it-> select Quit Control Center.
  • A warning will pop up, click Yes
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 MsDecember
  • Topic Starter
  • Members
  • 8 posts
  • Location:Australia

Posted 11 January 2009 - 07:23 PM

Hi Panda

Let me say up front - thank you for your help! I am in the dark when it comes to computers most of the time so your time and expertise is very appreciated!

Since my first post there have been a couple of minor changes. I downloaded an update for AVG and ran a couple of system scans which did actually find a couple of Trojans (or the same Trojan in two places???) as follows:

Trojan horse Rootkit - Agent.CI
C:\windows\system32\wdmaud.sys

Trojan horse Rootkit - Agent.CI
C:\system\Volume Information\_restore{6E37AA9C-6398-4F11-97EF-A5CCA04DDC4A}\RP201\A0039558.sys

Files were quarantined and removed to the vault.

I also removed uTorrent (after reading some advice to other members with similar programs).

I have now run ComboFix and a new DDS and attached below. The system did not shut down after running ComboFix - does that mean that there were no further viruses found? Also, while any malware is a concern – how nasty are these (i.e. should I be calling my bank)?

Thank you again
MD

ComboFix 09-01-10.03 - Desktop 2009-01-12 10:45:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1513 [GMT 11:00]
Running from: c:\documents and settings\Desktop\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-02 19:52 . 2009-01-02 19:52 0 --a------ c:\windows\nsreg.dat
2009-01-02 19:30 . 2009-01-02 19:30 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 19:20 . 2009-01-02 19:23 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-02 19:20 . 2009-01-02 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 13:55 . 2008-12-13 04:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-01 13:55 . 2008-10-16 12:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-01-01 13:55 . 2008-10-16 12:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-01-01 13:55 . 2008-10-16 12:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-01-01 13:53 . 2008-08-14 21:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-01 13:53 . 2008-08-14 21:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-01 13:53 . 2008-08-14 20:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-01 13:53 . 2008-08-14 20:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-01 13:53 . 2008-09-05 04:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-01-01 13:53 . 2008-10-24 22:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-01 13:53 . 2008-10-16 03:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-01 13:53 . 2008-09-08 21:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-01 13:52 . 2008-09-15 23:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-01 13:52 . 2008-05-02 01:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-01-01 13:52 . 2008-08-14 21:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2009-01-01 13:51 . 2008-04-12 06:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-01 13:39 . 2008-06-13 22:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-01 13:39 . 2008-05-09 01:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-01 12:45 . 2009-01-01 12:45 <DIR> d-------- c:\windows\system32\scripting
2009-01-01 12:45 . 2009-01-01 12:45 <DIR> d-------- c:\windows\system32\en
2009-01-01 12:45 . 2009-01-01 12:45 <DIR> d-------- c:\windows\system32\bits
2009-01-01 12:45 . 2009-01-01 12:45 <DIR> d-------- c:\windows\l2schemas
2009-01-01 12:42 . 2009-01-01 12:42 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-01 12:28 . 2004-08-03 22:29 327,040 --------- c:\windows\system32\drivers\ati2mtaa.sys
2009-01-01 10:56 . 2009-01-01 14:09 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-01 10:11 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-01-01 10:11 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-01-01 10:11 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-01-01 10:11 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-01-01 10:11 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 07:41 --------- d-----w c:\documents and settings\Desktop\Application Data\SolSuite
2009-01-02 06:55 --------- d-----w c:\documents and settings\Desktop\Application Data\Apple Computer
2009-01-02 06:48 --------- d-----w c:\program files\Bonjour
2008-12-14 08:45 --------- d-----w c:\documents and settings\Desktop\Application Data\uTorrent
2008-12-07 10:21 --------- d-----w c:\program files\QuickTime
2008-12-07 10:15 --------- d-----w c:\program files\iTunes
2008-12-07 10:15 --------- d-----w c:\program files\iPod
2008-12-07 10:15 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-07 10:13 --------- d-----w c:\program files\Common Files\Apple
2008-12-04 07:51 --------- d-----w c:\program files\Common Files\Adobe
2008-11-29 06:58 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-29 06:58 --------- d-----w c:\program files\Java
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 32768]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-07-23 341232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-29 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-10 113664]
BlackICE PC Protection.lnk - c:\program files\ISS\BlackICE\blackice.exe [2007-08-27 778240]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-07 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-29 97928]
R3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2007-08-27 36644]
R3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2007-08-27 24344]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
S0 black;black;c:\windows\system32\drivers\blackdrv.sys [2007-08-27 229331]
S3 RapDrv;RapDrv;c:\windows\system32\drivers\RapDrv.sys [2007-08-27 104968]
S4 BlackICE;BlackICE;c:\program files\ISS\BlackICE\blackd.exe [2007-08-27 1229430]
S4 USBHSB;GeneLink File Transfer Driver;c:\windows\system32\drivers\usbhsb.sys [2007-08-27 18690]
.
Contents of the 'Scheduled Tasks' folder

2008-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.smh.com.au/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0EFC744C-1FE8-417A-AE88-CADA5320A1C6} = 192.231.203.132,192.231.230.3
FF - ProfilePath - c:\documents and settings\Desktop\Application Data\Mozilla\Firefox\Profiles\tl8obfx3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!7
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 10:46:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-12 10:47:08
ComboFix-quarantined-files.txt 2009-01-11 23:47:06

Pre-Run: 65,432,698,880 bytes free
Post-Run: 65,510,043,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=alwaysoff /fastdetect /usepmtimer




Edited by PropagandaPanda, 11 January 2009 - 07:46 PM.


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 11 January 2009 - 07:53 PM

Hello MD.

I have now run ComboFix and a new DDS and attached below. The system did not shut down after running ComboFix - does that mean that there were no further viruses found? Also, while any malware is a concern – how nasty are these (i.e. should I be calling my bank)?

I did not see an active infection in your logs.

However, the search engine redirects are often caused by a rootkit, which definitely has enough control over your machine to steal banking information. If this computer has been used for banking since the infection, I would be on the safe side and at the very least change all your passwords, if you have not already.

By the way, are those symptoms still occurring?

F-Secure Online Scan
Let's check for anything remaining.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
With Regards,
The Panda
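As an added illustration, not part of this thread and not code from DDS, HijackThis or ComboFix, the following Python script runs a few first-pass triage rules over lines in the log formats posted above: toolbar or BHO entries that point at "No File", AppInit_DLLs, the interface DNS servers (listed for manual verification, not judged), a drivers32 alias that maps to a .sys file (the "aux2"= wdmaud.sys load point that matches the AVG detection MD reported), and a disabled Windows Firewall profile. The sample lines are constructed from entries in this thread's logs; the .sys-in-drivers32 rule is a heuristic assumption, since legitimate entries under that key normally map to user-mode .drv, .acm or .dll files.

```python
import re
from dataclasses import dataclass

# Constructed sample in the formats used by the DDS "Pseudo HJT Report" and the
# ComboFix "Reg Loading Points" section. The values are copied from lines that
# appear in the logs posted in this thread, not gathered from a live machine.
SAMPLE_LOG = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
TCP: {0EFC744C-1FE8-417A-AE88-CADA5320A1C6} = 192.231.203.132,192.231.230.3
AppInit_DLLs: avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"aux2"= wdmaud.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    rule: str    # short rule id, see triage()
    detail: str  # what a reviewer should do with it
    line: str    # the log line that triggered the rule


# ComboFix writes registry values as "name"= value; DDS writes AppInit_DLLs: value.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
APPINIT_RE = re.compile(r'^(?:AppInit_DLLs:|"AppInit_DLLs"=)\s*(?P<value>\S.*)$')
TCP_RE = re.compile(r'^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(?P<servers>.+)$')


def _section_for(header):
    """Map a ComboFix [registry key] header line to a section this script cares about."""
    key = header.lower()
    if key.endswith(r"\drivers32]"):
        return "drivers32"
    if key.endswith(r"\firewallpolicy\standardprofile]"):
        return "firewall"
    return None


def triage(log_text):
    """Return a list of Finding objects for the log lines that match a triage rule."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _section_for(line)
            continue
        # HJT-style BHO/toolbar/Run entries whose target file no longer exists.
        if line.endswith("- No File"):
            findings.append(Finding("orphaned-entry",
                "entry points at a file that no longer exists; harmless by itself, "
                "typically a leftover of a removed toolbar", line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("appinit-dll",
                f"{m['value']} is loaded into every user32-linked process; confirm it "
                "belongs to installed security software", line))
            continue
        m = TCP_RE.match(line)
        if m:
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            findings.append(Finding("dns-servers",
                "verify these resolvers are the ISP's or the router's: " + ", ".join(servers), line))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m["name"], m["value"].strip()
        # Heuristic (assumption): drivers32 aliases normally map to .drv/.acm/.dll, not .sys.
        if section == "drivers32" and value.lower().endswith(".sys"):
            findings.append(Finding("drivers32-sys",
                f"multimedia alias '{name}' maps to a .sys file; legitimate drivers32 "
                "entries are user-mode .drv/.acm/.dll (heuristic)", line))
        elif section == "firewall" and name.lower() == "enablefirewall" and value.startswith("0"):
            findings.append(Finding("firewall-disabled",
                "Windows Firewall standard profile is off; re-enable it unless a "
                "third-party firewall covers the machine", line))
    return findings


def rules_triggered(log_text):
    """Sorted, de-duplicated rule ids that fired on the given log text."""
    return sorted({f.rule for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```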

#5 MsDecember
  • Topic Starter
  • Members
  • 8 posts
  • Location:Australia

Posted 11 January 2009 - 09:13 PM

Hi Panda

I don't think we have used the computer for banking since the infection and changed all our passwords shortly after realising we had it.

Have just googled - appears to be working fine in both IE and Firefox.

Ran the F-Secure Online Scan - results below.

Scanning Report
Monday, January 12, 2009 12:34:04 - 13:00:23

Computer name: DESKTOP-2AA0C16
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 4 malware found
TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Imrworldwide (spyware)

* System

Statistics
Scanned:

* Files: 23481
* System: 2761
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 4
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-11
* F-Secure AVP: 7.0.171, 2009-01-11
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

How is it all looking?

MD

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 January 2009 - 08:15 AM

Hello.

Looks good. Unless you have any other problems, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#7 MsDecember
  • Topic Starter
  • Members
  • 8 posts
  • Location:Australia

Posted 13 January 2009 - 04:21 AM

Hi Panda

Have uninstalled ComboFix but as soon as I did I had an error message advising that my AVG resident shield is not activated. I have opened AVG and clicked on resident shield; under the settings, the box stating Resident Shield active is checked but the program is still telling me it is not active.

Have I done something wrong?

Cheers
MD

#8 MsDecember
  • Topic Starter
  • Members
  • 8 posts
  • Location:Australia

Posted 13 January 2009 - 04:26 AM

False alarm... Have been able to get it back up and running.

One last question though, well, really more advice based on your experience. If you had a similar infection on your PC, how confident would you be using the PC again for internet banking now that it appears to have been cleaned? Or would you subscribe to my father's mantra that internet banking is never secure?

Of course, your advice is just that, advice and it is my responsibility as to where I use the interweb (particularly this PC) for banking in the future.

Cheers
MD

#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 13 January 2009 - 12:28 PM

Hello MD.

One last question though, well, really more advice based on your experience. If you had a similar infection on your PC, how confident would you be using the PC again for internet banking now that it appears to have been cleaned? Or would you subscribe to my father's mantra that internet banking is never secure?

Some security experts feel that, once a computer is infected with something capable of stealing info, it should not be trusted unless it is reformatted completely.

I feel the risk in your case is on the lower side because I did not see any active infection that specifically steals info.

With Regards,
The Panda

#10 MsDecember
  • Topic Starter
  • Members
  • 8 posts
  • Location:Australia

Posted 14 January 2009 - 07:13 AM

One last question though, well, really more advice based on your experience. If you had a similar infection on your PC, how confident would you be using the PC again for internet banking now that it appears to have been cleaned? Or would you subscribe to my father's mantra that internet banking is never secure?

Some security experts feel that, once a computer is infected with something capable of stealing info, it should not be trusted unless it is reformatted completely.

I feel the risk in your case is on the lower side because I did not see any active infection that specifically steals info.


Will ponder on that.

Thank you for taking the time to help me, your advice and assistance is much appreciated. Please feel free to close this log.

Kind Regards
MD

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 January 2009 - 12:03 PM

Glad I could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



