
Infected by unknown malware redirecting search results



#1 ircelt

ircelt

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:27 AM

Posted 10 June 2009 - 12:56 PM

I am using Windows XP SP3, and when I do a Google or Yahoo search (AVG/Yahoo) with either Firefox 3 or IE8 the results are redirected.

This is what I could capture while going to a result from a Google search (search2 was not the link):

<http://search2.search.pro/xtr_new?q=sun+solaris&enc=WwK4AyOWBFWz9zGf+LU0vXNNiuvbaDfejN/Z4BgPiGs=>

This one ended up here:
<http://www.blinkx.com/category/entertainment?adid=02-100-202-300-404&ref=0128AEB8-B5E0-433C-BB03-0F224A7CB405&p=1>

This is a common destination for the redirects; I'm not sure if this helps at all.

I have already cleaned up the system a lot and it is now running much faster, although there is still an issue with restarting the machine. Some malware cleaning: I removed Norton AV and am now running AVG and Ad-Aware. They have helped a lot, but still no joy getting rid of whatever malware I have controlling my system. I have been unable to run some anti-malware software, such as Malwarebytes.

The DDS results are as follows:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Eamon1 at 18:25:37.92 on 10/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1381 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VMware\Infrastructure\VIUpdate\VMwareUpdateServiceClient.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eamon1\Desktop\dds.pif

============== Pseudo HJT Report ===============

mWinlogon: Shell=Explorer.exe "c:\windows\server.exe"
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\windows\server.exe",
mWinlogon: Taskman=c:\recycler\s-1-5-21-0674801960-5073488107-295592496-8583\rundll32.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe"
uRun: [VMware Update Service] c:\program files\vmware\infrastructure\viupdate\VMwareUpdateServiceClient.exe -monitor
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
uRun: [VoipBuster] "c:\program files\voipbuster.com\voipbuster\VoipBuster.exe" -nosplash -minimized
uRun: [Simp] c:\program files\secway\simplite-msn 2.2\SimpLite-MSN.exe
uRun: [Hotfix-KB5504305]
uRun: [BTAgile] c:\program files\bt broadband talk softphone\BTAgile.exe
uRunServices: [Hotfix-KB5504305]
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [RegistryMechanic]
mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Hotfix-KB5504305]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunServices: [Hotfix-KB5504305]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [server] c:\windows\server.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\9.0\PAS9_Update.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {338095E4-1806-4BA3-AB51-38A3179200E9} - hxxps://192.168.1.1/ui/plugin/msie/vmware-mks.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212512292187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216514951968
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.23,85.255.112.126
TCP: {3214E01A-BF05-42F8-98C2-EBD938C011E5} = 85.255.112.23,85.255.112.126
TCP: {DC9A852E-CBB5-4C9D-93BF-D5E3EF82F0BD} = 85.255.112.23,85.255.112.126
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eamon1\applic~1\mozilla\firefox\profiles\28fstvq4.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-25 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-9 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-9 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-9 298776]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-6-2 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-6-2 36352]
S2 vstor2-converter;Vstor2 Converter Virtual Storage Driver;\??\c:\program files\vmware\infrastructure\converter enterprise\vstor2-converter.sys --> c:\program files\vmware\infrastructure\converter enterprise\vstor2-converter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files\solarwinds\tftpserver\SolarWinds TFTP Server.exe [2008-7-25 61440]

=============== Created Last 30 ================

2009-06-09 17:29 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 17:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 17:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 17:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-09 17:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-09 17:19 <DIR> --d----- c:\docume~1\eamon1\applic~1\SUPERAntiSpyware.com
2009-06-09 17:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-09 17:02 1,342,151 a------- C:\MGtools.exe
2009-06-09 16:48 <DIR> --d----- C:\Good cleaninf tools
2009-06-09 16:27 <DIR> --d----- c:\program files\CCleaner
2009-06-09 16:19 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-09 15:57 <DIR> --d----- c:\windows\pss
2009-06-09 04:31 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-09 03:42 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-09 03:42 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-09 03:42 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-09 03:42 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-09 03:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-09 03:32 <DIR> --d----- c:\docume~1\eamon1\applic~1\AVGTOOLBAR
2009-06-04 08:06 <DIR> --d----- c:\program files\VideoTools
2009-06-01 11:01 <DIR> --d----- c:\docume~1\eamon1\applic~1\Skinux
2009-06-01 11:01 <DIR> --d----- c:\docume~1\eamon1\applic~1\BT
2009-06-01 11:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BT
2009-06-01 11:00 <DIR> --d----- c:\program files\BT Broadband Talk Softphone
2009-05-29 19:44 3,247 a------- c:\windows\system32\wbem\Outlook_01c9e08d73af6a7a.mof
2009-05-29 15:05 <DIR> --d----- c:\program files\common files\L&H
2009-05-29 15:03 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-05-29 14:56 <DIR> --d----- c:\windows\SHELLNEW
2009-05-29 14:46 268 a---h--- C:\sqmdata00.sqm
2009-05-29 14:46 244 a---h--- C:\sqmnoopt00.sqm
2009-05-24 00:21 <DIR> --d----- c:\docume~1\eamon1\applic~1\Windows Search
2009-05-22 02:07 <DIR> --d----- c:\docume~1\eamon1\applic~1\Windows Desktop Search
2009-05-22 01:11 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-05-22 01:11 <DIR> --d----- c:\program files\Windows Desktop Search
2009-05-18 15:25 <DIR> --d----- C:\KeyWords
2009-05-18 15:10 <DIR> --d----- c:\program files\Softnik Technologies
2009-05-15 23:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-13 07:05 <DIR> --dsh--- c:\documents and settings\eamon1\PrivacIE
2009-05-13 03:58 <DIR> --dsh--- c:\documents and settings\eamon1\IETldCache
2009-05-13 03:46 <DIR> --d----- c:\windows\ie8updates
2009-05-13 03:42 <DIR> -cd-h--- c:\windows\ie8
2009-05-12 07:36 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-06-09 16:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-06 15:23 61,480 a------- c:\documents and settings\eamon1\bleep.exe

============= FINISH: 18:25:57.46 ===============

Thank you

Edited by Orange Blossom, 11 June 2009 - 12:58 AM.
Deactivate links. ~ OB
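As an added example, not code from the post or from BleepingComputer, here is a small Python triage script that reads DDS "Pseudo HJT Report" lines like the ones above and flags the three things that stand out in this log: Winlogon Shell/Userinit/Taskman values beyond what a stock XP install has, an autorun that points at an executable sitting directly in the Windows root or under RECYCLER, and DNS resolvers outside the LAN that are not the expected ISP servers. The sample lines are copied from the log; the stock-XP defaults, the path heuristic and the `expected_dns` parameter are my assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: Winlogon, autorun and DNS lines copied from the DDS log above (m = HKLM, u = HKCU).
SAMPLE_LOG = r"""
mWinlogon: Shell=Explorer.exe "c:\windows\server.exe"
mWinlogon: Userinit=c:\windows\system32\userinit.exe,"c:\windows\server.exe",
mWinlogon: Taskman=c:\recycler\s-1-5-21-0674801960-5073488107-295592496-8583\rundll32.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uExplorerRun: [server] c:\windows\server.exe
TCP: NameServer = 85.255.112.23,85.255.112.126
TCP: {3214E01A-BF05-42F8-98C2-EBD938C011E5} = 85.255.112.23,85.255.112.126
"""
# Assumed stock Windows XP values for the Winlogon entries DDS reports; Taskman is unset by default.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "taskman": set(),
}
WINLOGON_RE = re.compile(r"^mWinlogon:\s*(\w+)=(.*)$")
AUTORUN_RE = re.compile(r"^[umd]?(?:Explorer)?Run(?:Services)?:\s*\[([^\]]*)\]\s*(.*)$")
DNS_RE = re.compile(r"^TCP:\s*(NameServer|\{[^}]+\})\s*=\s*(.*)$")


def split_values(raw):
    """Tokenise a Winlogon value: quoted paths stay whole, the rest splits on space/comma."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|[^\s,]+', raw)]


def analyse(log, expected_dns=()):
    """Return (category, name, value) findings for lines that deviate from a stock XP box."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := WINLOGON_RE.match(line):
            key = m.group(1).lower()
            for value in split_values(m.group(2)):
                if value not in WINLOGON_DEFAULTS.get(key, set()):
                    findings.append(("winlogon", key, value))
        elif m := AUTORUN_RE.match(line):
            name, path = m.group(1), m.group(2).strip().strip('"').lower()
            if re.match(r"^c:\\(windows|recycler)\\[^\\]+$", path) or "\\recycler\\" in path:
                findings.append(("autorun", name, path))
        elif m := DNS_RE.match(line):
            for ip in (v.strip() for v in m.group(2).split(",")):
                try:
                    is_private = ip_address(ip).is_private
                except ValueError:  # skip anything that is not an IP literal
                    continue
                if not is_private and ip not in expected_dns:  # LAN resolvers are expected
                    findings.append(("dns", m.group(1), ip))
    return findings
```

Run `analyse(SAMPLE_LOG)` to get the eight findings for this log; pass the ISP's resolvers in `expected_dns` so that a normal DNS setup is not reported.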


#2 ircelt

ircelt
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:27 AM

Posted 12 June 2009 - 03:58 PM

Hey, thanks anyway. I decided after reading the forums further that I had to format the damn thing; it was just too much grief and the machine is obviously compromised. Same as some of the other posts that I have read, I had to change the password on a lot of accounts.
Again, thanks for all the hard work you guys are doing :thumbup2:

#3 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE

Posted 13 June 2009 - 11:27 AM

Thanks for letting us know ircelt. :thumbup2: