
Google links re-directed


This topic is locked
3 replies to this topic

#1 dKingC2
  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 19 January 2009 - 09:29 AM

Starting yesterday, Google searches are going crazy. I use IE7. I appear to go to the google web site OK, but the icon next to the address in the address bar and in the IE7 tab is not the Google icon, but some other multicolored icon. Also, if I do a search and click on the links in the search result, I get redirected to the wrong sites: sites that claim to be other search sites, sites claiming to detect viruses, etc. The formatting of the search results page is also a bit off (text too large).

Another symptom is that my anti-virus program (TrendMicro) can no longer update over the network. It always fails to connect.

Another symptom is that I am not able to navigate to bleepingcomputer.com and some other malware help sites using IE. (I'm using another computer to post this).

I ran a few full anti-virus scans with TrendMicro and it found a few things. A first scan found RTKT_TDSS.BB, which TM said it failed to quarantine; and PE_PATCHED.ET, which it said was cleaned successfully. A re-scan found BKDR.TDSS.V, TROJ_VUNDO.BCD, and BKDR_TDSS.T and reported all successfully quarantined. I ran a scan in Safe mode this morning and it found nothing.

Here is the dds.txt file:

DDS (Ver_09-01-18.01) - NTFSx86
Run by Dave at 8:52:13.25 on Mon 01/19/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1594 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Intel\IDU\awtray.exe
D:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\IDU\IDUServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\Dave\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ipTray.exe] "c:\program files\intel\idu\iptray.exe"
mRun: [awTray.exe] "c:\program files\intel\idu\awtray.exe"
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "d:\program files\pinnacle\shared files\\programs\usbtip\USBTip.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
Trusted Zone: verizonwireless.com\www
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2006-6-30 11113]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-6-17 648456]
R4 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2006-8-17 11018]
R4 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2006-8-17 8704]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-6-17 52240]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-15 36368]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2006-6-30 216459]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-26 17:42 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2008-11-26 17:42 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2008-11-26 17:39 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-08-29 22:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 8:53:21.79 ===============

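As an added example (not part of this thread, and not DDS's or BleepingComputer's own code), here is a small Python triage script for the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of a DDS log in the layout posted above. It pulls out the entries a malware responder reads first: toolbar/BHO registry entries whose file is gone ("No File"), Trusted Zone additions, Run keys, and the driver list ordered by file date so recently dropped drivers stand out. The sample input is a constructed excerpt. Two things are assumptions about the DDS format rather than statements from the thread: that the leading letter of a driver line means running (R) or stopped (S), and that the digit after it is the service start type.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a shortened excerpt in the same layout as the DDS log
# posted in this thread (Pseudo HJT Report and SERVICES / DRIVERS sections).
SAMPLE_DDS = r"""
DDS (Ver_09-01-18.01) - NTFSx86

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
Trusted Zone: turbotax.com
Trusted Zone: verizonwireless.com\www

============= SERVICES / DRIVERS ===============

R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-6-17 648456]
R4 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2006-8-17 11018]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

============= FINISH: 8:53:21.79 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")            # "===== Name =====" headers
RUN_RE = re.compile(r"^([um]Run): \[(.*?)\] (.*)$")       # uRun = HKCU, mRun = HKLM
TB_RE = re.compile(r"^TB: (\{[0-9A-Fa-f-]+\}) - (.*)$")   # toolbar CLSID - file or "No File"
TRUSTED_RE = re.compile(r"^Trusted Zone: (.+)$")
# "R3 name;description;path [yyyy-m-d size]"; R/S and the digit are assumed to be
# running/stopped and the service start type (an assumption about the DDS format).
DRIVER_RE = re.compile(
    r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")


@dataclass(frozen=True)
class Driver:
    name: str
    description: str
    path: str
    running: bool
    start_type: int
    file_date: str
    size: int

    def date_key(self):
        # "2008-6-17" is not zero-padded, so compare as an integer tuple, not as text
        return tuple(int(p) for p in self.file_date.split("-"))


def split_sections(text):
    """Map each '===== Name =====' header to the non-empty lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_drivers(lines):
    drivers = []
    for line in lines:
        if m := DRIVER_RE.match(line):
            state, start, name, desc, path, date, size = m.groups()
            drivers.append(Driver(name, desc, path, state == "R", int(start), date, int(size)))
    return drivers


def triage(text):
    """Return the entries worth a second look, grouped by kind."""
    sections = split_sections(text)
    report = {"orphans": [], "trusted_zones": [], "run_entries": [], "drivers": []}
    for line in sections.get("Pseudo HJT Report", []):
        if (m := TB_RE.match(line)) and m.group(2) == "No File":
            report["orphans"].append(m.group(1))          # registry entry, file missing
        elif (m := TRUSTED_RE.match(line)):
            report["trusted_zones"].append(m.group(1))
        elif (m := RUN_RE.match(line)):
            report["run_entries"].append(m.groups())      # (hive, value name, command)
    report["drivers"] = sorted(parse_drivers(sections.get("SERVICES / DRIVERS", [])),
                               key=Driver.date_key, reverse=True)
    return report


def summarize(report):
    lines = [f"Orphaned toolbar entries (registry points at a missing file): {len(report['orphans'])}"]
    lines += [f"  {clsid}" for clsid in report["orphans"]]
    lines.append(f"Trusted Zone additions (get the looser Trusted sites settings): {len(report['trusted_zones'])}")
    lines += [f"  {site}" for site in report["trusted_zones"]]
    lines.append(f"Run keys: {len(report['run_entries'])}")
    lines += [f"  {hive} [{name}] {cmd}" for hive, name, cmd in report["run_entries"]]
    lines.append("Drivers/services, newest file date first:")
    for d in report["drivers"]:
        state = "running" if d.running else "stopped"
        lines.append(f"  {d.file_date:>10}  {state:7}  start={d.start_type}  {d.name}  {d.path}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_DDS))))
```

Run it against a saved dds.txt by replacing SAMPLE_DDS with the file's contents; the point of sorting drivers by file date is that a kernel driver dated within days of the first symptoms, in a log like the one above, is the first thing to compare against the AV detections.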

#2 dKingC2
  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 19 January 2009 - 01:37 PM

Just an update: I've tried re-scanning using TrendMicro a couple more times while not in safe mode. Each time it scans the whole system in about an hour, then says it has found 5 bad things and is "cleaning up", and I should wait a few minutes. It stays in this state for much longer than a few minutes, then freezes the whole computer - mouse cursor and all. If I restart and look at the TrendMicro log it says it will have successfully quarantined the same three programs mentioned in my original post. I suppose trying to get rid of the remaining two is what is freezing my computer.

#3 Blade81
Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:04 PM

Posted 26 January 2009 - 05:45 AM

Hi

If you still need help with this, please do the following things:

Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan is ready, click Copy. This copies the log to the clipboard.
  • Post the log in your reply.

Download and install TrendMicro HijackThis:
  • Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled Do a system scan only.
  • Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
  • Once the scan is complete, the scan button will now read Save log. Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#4 Blade81
Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:04 PM

Posted 30 January 2009 - 10:39 AM

Due to inactivity, this thread will now be closed. If you still have problems, please start a New Topic.
