Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google results infection

  • This topic is locked This topic is locked
2 replies to this topic

#1 RFF


  • Members
  • 4 posts
  • Local time:01:39 AM

Posted 28 February 2009 - 09:38 AM

First of all, congrats, very good forum.

I believe my IE7.0.5730.13 has been infected and it is inserting bogus entries in all my searches in google. So far this is the only website that I see acting up. Attached is screen capture with bad entries marked in red square.

Per forum instructions, I downloaded DDS Tool, run and results are posted here I (attach.txt is attached):


DDS (Ver_09-02-01.01) - NTFSx86
Run by Roberto Fernandez at 14:16:31.65 on 28/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1448 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Roberto Fernandez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Aim6]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe"
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1234618603505
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195852569156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 N10;iriver Internet Audio Player N10;c:\windows\system32\drivers\N10.SYS [2008-1-6 14531]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-11-24 106586]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-3-6 233595]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-3-6 127050]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-3-6 84448]
S2 ThemesNtmsSvc;Themes ThemesNtmsSvc;c:\windows\temp\10a.tmp srv --> c:\windows\temp\10A.tmp srv [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-02-28 13:51 1,978 a------- c:\windows\system32\tmp.reg
2009-02-28 13:06 <DIR> --d----- c:\program files\trend micro
2009-02-28 10:07 <DIR> --d----- c:\docume~1\robert~1\applic~1\Malwarebytes
2009-02-28 10:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-28 10:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 10:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-28 10:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 09:21 <DIR> --d----- c:\windows\pss
2009-02-11 00:01 <DIR> --d----- c:\windows\SQLTools9_KB960089_ENU
2009-02-10 23:59 <DIR> --d----- c:\windows\SQL9_KB960089_ENU
2009-02-07 09:34 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-01-23 23:09 20,480 a--sh--- c:\windows\system32\AdobePDFp.dll
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-04-05 01:32 22 a--sh--- c:\windows\sminst\HPCD.SYS
2008-08-17 08:03 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 14:17:20.26 ===============

Before doing this, so discard if not necessary, I had downloaded and executed Malwarebytes, with the following results:


Malwarebytes' Anti-Malware 1.34
Database version: 1812
Windows 5.1.2600 Service Pack 3

28/02/2009 11:35:12
mbam-log-2009-02-28 (11-35-12).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 211980
Time elapsed: 1 hour(s), 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\E404 Helper (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Spyware Remover.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Casino.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Free Online Dating.ico (Malware.Trace) -> Quarantined and deleted successfully.


Subsequent runs after reboot did not return any infection.


Malwarebytes' Anti-Malware 1.34
Database version: 1812
Windows 5.1.2600 Service Pack 3

28/02/2009 13:41:43
mbam-log-2009-02-28 (13-41-43).txt

Scan type: Quick Scan
Objects scanned: 78880
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


During the execution of Malwarebytes my Viruscan activated alarms:


2/28/2009 9:42:52 AM Deleted RF\Roberto Fernandez C:\WINDOWS\system32\a.exe Generic PWS.y

2/28/2009 9:51:05 AM Statistics:
2/28/2009 9:51:05 AM Files scanned: 5301
2/28/2009 9:51:05 AM Files infected: 1
2/28/2009 9:51:05 AM Files cleaned: 0
2/28/2009 9:51:05 AM Files deleted: 1
2/28/2009 9:51:05 AM Files moved: 0

2/28/2009 10:49:13 AM Deleted RF\Roberto Fernandez C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP410\A0027826.exe Generic PWS.y


I will appreciate your help on this. I would prefer not to restore the system. I am an IT professional, not in the systems area, but can follow instructions.

Thank you very much.

Attached Files

BC AdBot (Login to Remove)


#2 RFF

  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:39 AM

Posted 01 March 2009 - 05:14 AM

After a good amount of work yesterday, I got this fixed. The issue was related to WS2_32.dll being infected by malicious code (I think I can give you a copy if you want it) and more information about this can be found in topic http://www.bleepingcomputer.com/forums/t/207186/yahoo-messenger-crash-possible-infection-moved/, which I opened not really knowing if it was related.

Regular antivirus (McAfee, Kaspersky) did not protect me nor seem to detect/resolve the problem. After reading many topics in these forums I took the risk to run Combobox, which definitely pointed out the infection to this file. I simply obtained a clean copy from another one of my computers, restarted in safe mode, renamed the old copy in w/system (and deleted the rest) and placed the clean copy in there. Checks after next start are hopeful: Yahoo IM keeps open and alive, and my problems in Google are gone. I also had detected the same error in a radio website with sound plugins that I usually listen to, and that got fixed too.

The box seems a lot more fluid than these few past days, so i would not discard that i was being used as a bot for spam or worse. In any case, I would expect the hijackers to cover their steps better: the google intervention gave them away, if it had been only the Yahoo IM I would have thought that it was a pure system issue.

Please, close the topic, and thank you for your interest. Keep up the good work. This forum is an invaluable source of information. Cheers!

Edited by RFF, 01 March 2009 - 05:21 AM.

#3 KoanYorel


    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:08:39 PM

Posted 01 March 2009 - 06:09 PM

Thank you for informing us what you have done.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users