
Google redirects to ecata.info!



#1 SteelSlasher

  • Members
  • 20 posts

Posted 02 January 2009 - 01:00 PM

Recently I have noticed many people not being able to use Google Web Search because it has suddenly become embedded in a frame and smothered in JavaScript, so most links lead to some kind of advertising.

Now, I am probably the last person you'd want infected with ad-ware, mainly because I know what comes in and what goes out of my network, and I tracked this domain to its owner (http://whois.net/whois_new.cgi?d=ecata&tld=info). The address is real and the owner is well known in his neighbourhood. From my "research" I found that he runs/works at a computer store, so he probably has the know-how to pull this off.

While researching the symptoms of my PC I figured out a few possibilities:
  • A virus has set my HOSTS file to redirect Google to ecata.info
  • My ISP hates me
  • Some application has been run on my PC which alters the DNS
  • Or my router's gone crazy
Now, thinking intelligently, it can't be my HOSTS file since there is no entry for ecata.info; my ISP would have cut me off if they hated me; my router has been working perfectly since I bought it and is completely secure because no-one on this planet knows the password (not even me, and it's my router). All that's possible is the new application, which to be honest could have been anything that was installed in the past week or so.

I have been able to reduce the effects of the pop-ups by using NoScript, which has been brilliant, but occasionally I will get the odd hiccup or so.

Thanks in advance for any help.

P.S. I have not been able to use any other solution given by other users on this forum. I am running WinXP SP2 MCE on an Acer Aspire (I thought it might be useful).


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 02 January 2009 - 01:09 PM

Hello SteelSlasher. Welcome to BC.

Let's see what we can find.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

Download and Run SmitFraudFix Scan
DNS checking is one of the features of this tool.
  • Please download SmitFraudFix by S!Ri to your desktop.
  • Double-click the icon to run it.
  • Select Option 1 by typing 1 and hitting Enter.
  • When the scan is complete, a log file will appear. Please copy the contents of the log into your next post.
Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

With Regards,
The Panda

#3 SteelSlasher

  • Topic Starter
  • Members
  • 20 posts

Posted 02 January 2009 - 03:05 PM

HALLELUJAH!!!! :trumpet: I would have eventually :flowers:!!! Malwarebytes found a Trojan DNS Changer which came in with a video codec (Quicktime :thumbsup: )

One more question: when I do "ipconfig" in the command prompt it gives out a lot of hexadecimal as my IP!?
Posted Image


Even though my problem was solved I will still post the logs here because they will probably be of use to someone else or there might be another piece of malware on my machine.

MBAM Log

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 2

02/01/2009 19:39:37
mbam-log-2009-01-02 (19-39-37).txt

Scan type: Quick Scan
Objects scanned: 71181
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\winhost_app.winhost_appdll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e06398e-3017-467b-a399-18425a20f655} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5e06398e-3017-467b-a399-18425a20f655} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e06398e-3017-467b-a399-18425a20f655} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XPdefender (Rogue.XPDefender) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\winhost_app.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxxurqmrns.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxldlrgsal.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer.vbk (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


SmitfraudFix Log:

SmitFraudFix v2.388

Scan done at 19:30:03.73, 02/01/2009
Run from C:\Documents and Settings\Sameh\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

Process

hosts

C:\

C:\WINDOWS

C:\WINDOWS\system

C:\WINDOWS\Web

C:\WINDOWS\system32

C:\WINDOWS\system32\LogFiles

C:\Documents and Settings\Sameh

C:\DOCUME~1\Sameh\LOCALS~1\Temp

C:\Documents and Settings\Sameh\Application Data

Start Menu

C:\DOCUME~1\Sameh\FAVORI~1

Desktop

C:\Program Files

Corrupted keys

Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

RK

DNS

Description: Generic Marvell Yukon Chipset based Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0969D6DE-7DCB-498E-8BF7-FD507F406D55}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0969D6DE-7DCB-498E-8BF7-FD507F406D55}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0969D6DE-7DCB-498E-8BF7-FD507F406D55}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

Scanning for wininet.dll infection

End
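As an added example (not part of the thread, and not SmitFraudFix's own code), the small Python audit below applies the two checks this thread turns on: the HOSTS-file hypothesis from the first post and the per-interface DhcpNameServer/NameServer registry values that SmitFraudFix's DNS section prints. It parses text in the format of the log above plus a HOSTS file, and flags a static NameServer that overrides the DHCP-assigned one (the classic DNSChanger footprint), resolvers outside the LAN or a trusted list, and HOSTS entries that map names to non-loopback addresses. The 203.0.113.x resolver and HOSTS entry are constructed; the GUID and 192.168.1.1 come from the log.

```python
import ipaddress
import re

# Constructed sample in the format of the SmitFraudFix "DNS" section above: the
# GUID and 192.168.1.1 come from the log; the NameServer line is made up.
SAMPLE_DNS_SECTION = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0969D6DE-7DCB-498E-8BF7-FD507F406D55}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{0969D6DE-7DCB-498E-8BF7-FD507F406D55}: NameServer=203.0.113.5,203.0.113.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
"""
# Constructed HOSTS content with one entry that would redirect Google.
SAMPLE_HOSTS = "127.0.0.1 localhost\n203.0.113.7 www.google.com google.com  # constructed\n"

_REG_LINE = re.compile(r"^(HKLM\\\S+?):\s*(DhcpNameServer|NameServer)=(.*)$")
_LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_dns_servers(section):
    """Return (registry key, value name, [resolver IPs]) for each DNS line."""
    found = []
    for line in section.splitlines():
        m = _REG_LINE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), re.findall(r"[\d.]+", m.group(3))))
    return found

def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        pairs.extend((fields[0], h) for h in fields[1:])
    return pairs

def audit(section, hosts_text, trusted):
    """Flag static NameServer overriding DHCP, non-LAN resolvers, HOSTS hijacks."""
    findings = []
    entries = parse_dns_servers(section)
    dhcp_keys = {key for key, name, _ in entries if name == "DhcpNameServer"}
    for key, name, ips in entries:
        if name == "NameServer" and ips and key in dhcp_keys:
            findings.append(f"static NameServer overrides DHCP on {key}")
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if ip not in trusted and not any(addr in net for net in _LAN):
                findings.append(f"untrusted resolver {ip} in {key} {name}")
    for ip, host in parse_hosts(hosts_text):
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"HOSTS maps {host} to {ip}")
    return findings
```

Run `audit(SAMPLE_DNS_SECTION, SAMPLE_HOSTS, {"192.168.1.1"})` to see the five findings for the constructed sample; the real log above yields none, since every value is the router's DHCP-assigned 192.168.1.1.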

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 02 January 2009 - 03:25 PM

Hello SteelSlasher.

One more question: when I do "ipconfig" in the command prompt it gives out a lot of hexadecimal as my IP!?

I'm not sure. You can try posting in the Networking forum about that.

Was that MalwareBytes scan the second one? Please run that scan again, just to make sure the items stay gone.

With Regards,
The panda

#5 doughey

  • Members
  • 1 posts

Posted 11 January 2009 - 03:47 PM

Not sure if you got an answer or not, but this is your IP6 address.



