
Stubborn Google redirect malware


  • This topic is locked
4 replies to this topic

#1 Ekdahl

  • Members
  • 2 posts

Posted 06 June 2009 - 05:31 AM

A couple of days ago my dad started complaining that Google results were sending him to sites that popped up a link warning him that he needed to download an anti-spyware app. Fortunately he realised that this was malicious and closed the browser process before any more harm could be done. I've had experience with this sort of thing before (a neighbour's machine that got WinFixer on it) but managed to fully disinfect. This one however is a real stubborn customer and just won't go away.

I tried all the usual suspects like ComboFix, Spybot, MBAM, SAS, Antivirus etc. Spybot, MBAM, SAS and a virus scan with NOD32 all found files in need of removing, but the problem still persists. They now show the machine as clean, but the symptoms haven't really changed. Google links continue to redirect to malicious sites. The only thing that has changed is that something was disabling Windows Firewall on startup, but that appears to be fixed now, at least it hasn't happened since I started attacking the infection. I had Spybot available on the network and so it was the first on the scene. It found vundo/virtumonde and several different flavours of win32.agent.<something>.

At this point I'm out of ideas and could use a fresh pair of eyes/somebody with a little more experience than me. Thanks for any help. Logs below:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 11:16:02.50 on 06/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2046.1473 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mapsandmice.no-ip.com/rally/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl05a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [Seagull Drivers] ssdal_nc.exe startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hxj5t478.default\
FF - prefs.js: browser.startup.homepage - hxxp://mapsandmice.no-ip.com/rally/

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================

2009-06-05 23:51 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-05 23:31 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-05 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-05 17:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-05 17:07 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-06-05 16:57 <DIR> --d----- c:\program files\Trend Micro
2009-06-05 16:20 577,024 a------- c:\windows\system32\dllcache\user32.dll
2009-06-05 16:19 <DIR> --d----- c:\windows\ERUNT
2009-06-05 16:13 <DIR> --d----- C:\SDFix
2009-06-05 12:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-05 12:35 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-05 12:35 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-05 12:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-05 12:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-05 12:25 <DIR> --d----- c:\windows\system32\xircom
2009-06-05 12:25 <DIR> --d----- c:\windows\system32\wbem\snmp
2009-06-05 12:20 <DIR> a-dshr-- C:\cmdcons
2009-06-05 12:19 161,792 a------- c:\windows\SWREG.exe
2009-06-05 12:19 98,816 a------- c:\windows\sed.exe
2009-06-05 12:00 <DIR> --d----- C:\VundoFix Backups
2009-06-05 00:43 989,184 -------- c:\windows\system32\dllcache\kernel32.dll
2009-06-05 00:42 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-06-05 00:42 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-06-05 00:00 301 a------- c:\windows\wininit.ini
2009-06-04 23:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-04 23:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-03 19:43 87 a--s---- c:\windows\system32\2435038701.dat
2009-06-02 00:19 82,944 a------- c:\windows\system32\dllcache\ws2_32.dll

==================== Find3M ====================

2009-06-05 23:51 410,984 a------- c:\windows\system32\deploytk.dll
2007-11-19 00:35 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys

============= FINISH: 11:16:07.54 ===============
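Post #1 hands over a DDS log and asks for a fresh pair of eyes. The script below is an added example by the editor, not anything Ekdahl or the BleepingComputer team posted. It parses the Pseudo HJT Report and Created Last 30 sections (the sample is a handful of lines copied from the log above) and surfaces the entries a responder would check first: Run values that name a bare executable and are therefore found through the search path, autostarts loading from user-writable locations, LSA authentication packages beyond msv1_0, a start page on a dynamic-DNS host, and files new in system32 that carry the system/hidden attribute or a purely numeric name. The heuristics, the profile-path markers and the dynamic-DNS suffix list are the editor's assumptions; every hit is a "look here", not a malware verdict. On this particular machine relog_ap is most likely the package Acronis True Image registers (Acronis is installed according to the log) and the no-ip start page may well be the user's own site, but the script still lists them, because confirming that is exactly the reviewer's job.

```python
"""Triage the autostart and recent-file sections of a DDS log.

Added example (not from the original post). The sample below is a handful of
lines copied from the DDS log above; the heuristics are the editor's own and
only surface entries a reviewer should look at, they do not declare malware.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the DDS log in post #1.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://mapsandmice.no-ip.com/rally/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Seagull Drivers] ssdal_nc.exe startup
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
LSA: Authentication Packages = msv1_0 relog_ap

=============== Created Last 30 ================

2009-06-05 23:51 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-03 19:43 87 a--s---- c:\windows\system32\2435038701.dat
2009-06-02 00:19 82,944 a------- c:\windows\system32\dllcache\ws2_32.dll
"""

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.*?)\] (.+)$")
BHO_RE = re.compile(r"^BHO: (.*?): \{([0-9a-fA-F-]+)\} - (.+)$")
NOTIFY_RE = re.compile(r"^Notify: (.+?) - (.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.+)$")
STARTPAGE_RE = re.compile(r"^uStart Page = (.+)$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
# A quoted program, or the first token that ends in an executable extension.
EXE_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|dll|cpl|scr|com|bat|cmd))(?:\s|$)', re.IGNORECASE)

# Editor's assumption: locations a normal user can write to.
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\",
                   "\\application data\\", "\\applic~1\\",
                   "\\local settings\\", "\\temp\\")
# Editor's assumption: dynamic-DNS suffixes worth confirming with the user.
DYNDNS_SUFFIXES = (".no-ip.com", ".no-ip.org", ".dyndns.org")


@dataclass
class Autostart:
    kind: str    # uRun, mRun, dRunOnce, BHO, Notify, ...
    name: str
    target: str  # the program or DLL that actually gets loaded


@dataclass
class CreatedFile:
    when: str
    size: str    # byte count as printed, or "<DIR>"
    attrs: str   # DDS attribute flags, e.g. "a--s----"
    path: str


def executable_of(command):
    """Return the file a Run-key command line will load."""
    cmd = command.strip()
    m = EXE_RE.match(cmd)
    exe = (m.group(1) or m.group(2)).strip() if m else cmd.split()[0]
    if m and exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        # rundll32 is only a host; the payload is the DLL named after it.
        dll = cmd[m.end():].strip().split(",", 1)[0].strip().strip('"')
        if dll:
            return dll
    return exe


def parse_autostarts(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            entries.append(Autostart(m.group(1), m.group(2), executable_of(m.group(3))))
        elif m := BHO_RE.match(line):
            entries.append(Autostart("BHO", m.group(1), m.group(3).strip()))
        elif m := NOTIFY_RE.match(line):
            entries.append(Autostart("Notify", m.group(1), m.group(2).strip()))
    return entries


def parse_created(text):
    return [CreatedFile(*m.groups())
            for m in (CREATED_RE.match(raw.strip()) for raw in text.splitlines()) if m]


def triage(text):
    """Return human-readable findings; each one is a 'look here', not a verdict."""
    findings = []
    for e in parse_autostarts(text):
        low = e.target.lower()
        if "\\" not in low and "/" not in low:
            findings.append(f"{e.kind} [{e.name}]: bare filename {e.target!r} is located "
                            "via the search path; confirm which copy actually runs")
        elif any(mk in low for mk in PROFILE_MARKERS):
            findings.append(f"{e.kind} [{e.name}]: loads from a user-writable location: {e.target}")
    for raw in text.splitlines():
        line = raw.strip()
        if m := LSA_RE.match(line):
            extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(f"LSA: extra authentication package(s) {extra}; an LSA package "
                                "runs inside lsass, so identify the DLL and its vendor")
        elif m := STARTPAGE_RE.match(line):
            host = re.sub(r"^h(?:xx|tt)ps?://", "", m.group(1), flags=re.I).split("/")[0].lower()
            if host.endswith(DYNDNS_SUFFIXES):
                findings.append(f"Start page {host}: dynamic-DNS host; confirm it is the user's own")
    for f in parse_created(text):
        low = f.path.lower()
        if "\\windows\\system32\\" in low and "\\dllcache\\" not in low and f.size != "<DIR>":
            stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "s" in f.attrs or "h" in f.attrs or stem.isdigit():
                findings.append(f"Created {f.when}: {f.path} ({f.attrs}, {f.size} bytes) is new in "
                                "system32 and system/hidden or numerically named; get a second opinion")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports five items: the two bare-filename Run values (nwiz.exe and ssdal_nc.exe), the no-ip start page, relog_ap in the LSA line, and the 87-byte 2435038701.dat with the system attribute; javacpl.cpl and everything under dllcache stay quiet. Feed the whole DDS log in and the same five lines come out, which is a much shorter list to hand to someone with "a little more experience".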


#2 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 16 June 2009 - 07:54 AM

Hello, Ekdahl.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Also, you may want to consider tracking this topic by either adding it to your favourites or clicking the Options button at the top of this thread.

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • RSIT Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Ekdahl
  • Topic Starter

  • Members
  • 2 posts

Posted 16 June 2009 - 03:11 PM

Sorry about not replying to this sooner but the problem is now resolved. I figured that given how badly infected the machine was, even if I was able to stop the symptoms I probably wouldn't be able to trust the machine anymore. As a result, I formatted the disk. You can lock/close this thread now.

#4 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 16 June 2009 - 06:42 PM

Hello Ekdahl
Thanks for letting me know that the issue is resolved. I'll have this thread locked.



#5 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 17 June 2009 - 07:04 AM

Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

