Malware Problem Started with Vundo - now getting redirects on Google

#1 Drewg22

Posted 25 January 2009 - 11:34 PM

My wife started getting all kinds of pop-ups on this computer last night. I downloaded MalwareBytes and cleaned up a lot of things one of which was Vundo.

Everything seemed fine, no more pop-ups but now on Google she will be redirected to a random URL when clicking on a link even if it is for something like CNN.com. The most common one seems to be: www.bestcatalogonline.com.

It can be avoided by right clicking and selecting open in another tab but I want to get whatever is causing this removed.

Here is DDS and I attached Attach.txt. Let me know if you need anything else. Thanks.

DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 23:20:30.26 on 01/25/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.517 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VECTORVEST\Binn\sqlservr.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://bigcharts.marketwatch.com/default.asp?siteid=&avatar=seen&dist=ctbc
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar =
uInternet Settings,ProxyOverride = localhost;*.local
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\winnt\regedit /s c:\pav.reg,c:\winnt\system32\pavdr.exe,c:\winnt\system32\userinit.exe,
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [<NO NAME>]
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_7
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [SfKg6wIP] c:\documents and settings\owner\application data\microsoft\windows\awyhwo.exe
mRun: [Keyboard Preload Check] c:\oemdrvrs\keyb\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
mRun: [Jet Detection] c:\program files\creative\sbaudigy\program\ADGJDet.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunServices: [PANDA ANTISPAM SERVER SERVICE] "c:\program files\panda software\panda platinum 2005 internet security\PasSrv.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://members.vectorvest.com/sr2upgrade/download/setup.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131554588468
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://www.pandasoftware.com/activescan/as5/asinst.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37573.6682060185
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/SassCln.CAB
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F46DBC27-03CB-4BDC-BD25-0B36EE2B2268} - hxxp://members.vectorvest.com/sr3upgrade/download/setup.exe
TCP: {254F605E-BF8E-40C8-9833-709F4CC686B1} =,
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Notify: efccayvt - efccayvt.dll
Notify: nnnnkLbC - nnnnkLbC.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-1-25 64160]
R1 Avg7Core;AVG7 Kernel;c:\winnt\system32\drivers\avg7core.sys [2007-6-4 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\winnt\system32\drivers\avg7rsw.sys [2007-6-4 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\winnt\system32\drivers\avg7rsxp.sys [2007-6-4 27776]
R1 AvgClean;AVG7 Clean Driver;c:\winnt\system32\drivers\avgclean.sys [2007-6-4 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-6-4 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-6-4 49664]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R4 MSSQL$VECTORVEST;MSSQL$VECTORVEST;c:\program files\microsoft sql server\mssql$vectorvest\binn\sqlservr.exe -svectorvest --> c:\program files\microsoft sql server\mssql$vectorvest\binn\sqlservr.exe -sVECTORVEST [?]
R4 tcaicchg;tcaicchg;c:\winnt\system32\TCAICCHG.SYS [2005-3-21 21233]
R4 TCAITDI;TCAITDI Protocol;c:\winnt\system32\drivers\TCAITDI.SYS [2005-3-21 19534]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 gpfmqfhb;gpfmqfhb;c:\winnt\system32\drivers\msvtxnod.sys []
S3 gAGP440p;gAGP440p;\??\c:\docume~1\owner\locals~1\temp\gagp440p.sys --> c:\docume~1\owner\locals~1\temp\gAGP440p.sys [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\winnt\system32\pavsrk.sys --> c:\winnt\system32\PavSRK.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 SQLAgent$VECTORVEST;SQLAgent$VECTORVEST;c:\program files\microsoft sql server\mssql$vectorvest\binn\sqlagent.exe -i vectorvest --> c:\program files\microsoft sql server\mssql$vectorvest\binn\sqlagent.EXE -i VECTORVEST [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]

=============== Created Last 30 ================

2009-01-25 23:01 15,688 a------- c:\winnt\system32\lsdelete.exe
2009-01-25 22:20 64,160 a------- c:\winnt\system32\drivers\Lbd.sys
2009-01-25 22:17 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 22:00 <DIR> --d----- c:\program files\NoAdware
2009-01-25 21:38 <DIR> --d----- C:\fixwareout
2009-01-24 23:13 4 a------- c:\winnt\gpfmqfhb
2009-01-24 22:55 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-01-24 22:55 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-01-24 22:55 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-24 22:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 22:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-24 20:33 410,984 a------- c:\winnt\system32\deploytk.dll
2009-01-24 20:05 <DIR> --d----- c:\docume~1\owner\applic~1\Twain
2009-01-24 20:00 <DIR> --d----- c:\program files\WebShow
2009-01-24 19:53 <DIR> --d----- c:\docume~1\owner\applic~1\cogad
2009-01-24 19:44 1,434,061 ---sh--- c:\winnt\system32\urendgwo.ini
2009-01-24 19:43 407,513 a--sh--- c:\winnt\system32\jkSrYGgh.ini2
2009-01-24 19:43 407,513 a--sh--- c:\winnt\system32\jkSrYGgh.ini

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\winnt\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\winnt\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\winnt\system32\dllcache\srv.sys
2007-03-19 18:11 56,912 a------- c:\documents and settings\owner\g2mdlhlpx.exe
2004-11-01 14:02 1,052,672 a------- c:\documents and settings\owner\Hero Planner.exe
2002-09-07 12:59 100,856 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2006-10-06 22:24 10,022 a--sh--- c:\winnt\system32\KGyGaAvL.sys
2008-09-17 07:58 32,768 a--sh--- c:\winnt\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 23:20:42.92 ===============
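The log above contains the entries a helper looks at first: a Winlogon Userinit value that runs extra programs before userinit.exe, a uRun entry launched from the user's Application Data folder, two Winlogon Notify packages that are bare DLL names, and a boot-start driver with no file date or size. The following script is an added example (not part of the thread or of DDS) that flags those four patterns when run over DDS-style lines; SAMPLE_LOG holds lines copied from the log above, and the function names are my own.

```python
import re

# Lines copied from the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections above
SAMPLE_LOG = r"""mWinlogon: Userinit=c:\winnt\regedit /s c:\pav.reg,c:\winnt\system32\pavdr.exe,c:\winnt\system32\userinit.exe,
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [SfKg6wIP] c:\documents and settings\owner\application data\microsoft\windows\awyhwo.exe
Notify: efccayvt - efccayvt.dll
Notify: nnnnkLbC - nnnnkLbC.dll
S0 gpfmqfhb;gpfmqfhb;c:\winnt\system32\drivers\msvtxnod.sys []
R1 Avg7Core;AVG7 Kernel;c:\winnt\system32\drivers\avg7core.sys [2007-6-4 821856]
"""

def check_userinit(line):
    # Userinit is a comma-separated list run at every logon; anything other than userinit.exe is extra
    _, _, value = line.partition("Userinit=")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\userinit.exe")]

def check_run(line):
    # Autorun entries launched from a profile's Application Data folder deserve a closer look
    m = re.match(r"[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)", line)
    if m and ("application data" in m.group("cmd").lower() or "\\applic~1\\" in m.group("cmd").lower()):
        return m.group("name")
    return None

def check_notify(line):
    # Winlogon Notify packages load into winlogon.exe; a bare DLL name with no vendor path is unusual
    m = re.match(r"Notify: (\S+) - (\S+)", line)
    return m.group(2) if m and "\\" not in m.group(2) else None

def check_driver(line):
    # DDS prints [date size] after each driver; an empty [] means it could not read the file on disk
    m = re.match(r"[RS]\d (\S+?);.*?;(.*?) \[(.*)\]$", line)
    return m.group(2) if m and m.group(3).strip() == "" else None

def triage(log):
    """Return the flagged entries grouped by check, in log order."""
    findings = {"userinit_extra": [], "run_from_appdata": [], "notify_bare_dll": [], "driver_no_file_info": []}
    for line in log.splitlines():
        if "Userinit=" in line:
            findings["userinit_extra"] += check_userinit(line)
        elif line[1:5] == "Run:" and check_run(line):
            findings["run_from_appdata"].append(check_run(line))
        elif line.startswith("Notify:") and check_notify(line):
            findings["notify_bare_dll"].append(check_notify(line))
        elif re.match(r"[RS]\d ", line) and check_driver(line):
            findings["driver_no_file_info"].append(check_driver(line))
    return findings

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

The script only narrows the list to entries worth verifying by hand (file on disk, signer, creation date); it does not decide on its own that an entry is malicious.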

#2 PropagandaPanda

Posted 31 January 2009 - 07:56 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

#3 Drewg22

Posted 02 February 2009 - 01:33 PM

You can kill this thread.

The hard drive died and has been replaced.

Posted 02 February 2009 - 04:28 PM

Since this issue appears to be resolved, this topic is now closed killed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

