Search Results Being Redirected



#1 Sixthelement (Member)

Posted 07 July 2009 - 10:56 PM

Hello! First I'd like to say that I am semi-knowledgeable with computers, but I can't seem to completely clear this infection. I was having those fake antivirus notifications and stuff but I was able to remove them. The only symptom I currently have is search results being redirected (on Google). The page itself appears normal (I've had an infection before where it actually changed what results came up) but when I click on a link, for instance to bleepingcomputer.com, it redirects me to various sites like wargamesfree.com, shopica.com, advertising-search.com, ct.yellowbrowser.com. When I initially get to google.com, the first time I click a link it works fine... if I click back and click the same link again it redirects to one of those websites.

I have run Spybot, Malwarebytes, and fixwareout but the problem continues to come back. When I first got the infection malwarebytes picked up a few things and cleaned them, now the scan comes up clean, but at least the damage that was done is still there.

Another thing I noticed (not sure if it's related or not): in My Computer... I now have duplicates of my DVD-ROM drives (I have two). They were D and E drives... (HD is partitioned into C, F, G, H and K) and now I have L and M drives as well, and whatever I put in the drive shows up on the D and L drives. It's weird.

Any help on clearing this annoyance would be appreciated. Thanks!

#2 Budapest (Moderator, "Bleepin' Cynic")

Posted 07 July 2009 - 11:01 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Sixthelement (Topic Starter)

Posted 08 July 2009 - 05:45 AM

Here is the log you requested. It said it found 65 things... but the window and this log only show a few. Looks like some fishy stuff in there...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/08 06:43
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruibmfgsnsy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiewivpete.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruirccjkxny.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruivxjxylki.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\TEMP\hjgruicxtlidatar.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\TEMP\hjgruiiirpnqqfti.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\TEMP\hjgruiwmcrelfbop.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\TEMP\hjgruiyfufwbwtis.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruijlnypifm.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Jimster\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Jimster\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!
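As an added triage example, not part of the thread or of RootRepeal itself: this Python script parses a RootRepeal "Hidden/Locked Files" section, keeps only entries the scanner reports as invisible to the Windows API, groups them by a shared random file-name prefix, and picks out the kernel driver among them. The sample report embedded below is a subset of the entries posted above (the `hjgrui*` files plus the benign, merely locked hiberfil.sys); the function names and the six-character prefix length are the example's own assumptions.

```python
"""Triage helper for a RootRepeal 'Hidden/Locked Files' report (added example).

Locked files (hiberfil.sys, pagefile.sys) are normal; files that are
*invisible* to the Windows API and share a random prefix, with a .sys
driver among them, are the rootkit pattern the helper acted on above.
"""
from collections import defaultdict

# Sample input: a subset of the report posted in this thread.
SAMPLE_REPORT = """\
Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\hjgruibmfgsnsy.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\TEMP\\hjgruicxtlidatar.tmp
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\hjgruijlnypifm.sys
Status: Invisible to the Windows API!
"""

def parse_entries(report):
    """Return (path, status) tuples for each Path:/Status: pair in the report."""
    entries, path = [], None
    for line in report.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            entries.append((path, line[len("Status: "):].strip()))
            path = None
    return entries

def invisible_by_prefix(entries, prefix_len=6):
    """Group paths reported 'Invisible to the Windows API!' by file-name prefix."""
    groups = defaultdict(list)
    for path, status in entries:
        if not status.startswith("Invisible"):
            continue  # locked-only entries are expected on a healthy system
        name = path.rsplit("\\", 1)[-1]
        groups[name[:prefix_len].lower()].append(path)
    return dict(groups)

def suspicious_drivers(groups, min_members=2):
    """Kernel drivers (.sys) inside a prefix group of at least min_members hidden files."""
    return [p for paths in groups.values() if len(paths) >= min_members
            for p in paths if p.lower().endswith(".sys")]
```

Running `suspicious_drivers(invisible_by_prefix(parse_entries(SAMPLE_REPORT)))` returns the hidden driver path, which is the file the moderator singles out in the next post.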

#4 Budapest (Moderator, "Bleepin' Cynic")

Posted 08 July 2009 - 04:19 PM

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\hjgruijlnypifm.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes.

#5 Sixthelement (Topic Starter)

Posted 08 July 2009 - 05:01 PM

Ok, I did what you said. Here is the report.

Malwarebytes' Anti-Malware 1.38
Database version: 2396
Windows 5.1.2600 Service Pack 3

7/8/2009 5:47:01 PM
mbam-log-2009-07-08 (17-46-51).txt

Scan type: Quick Scan
Objects scanned: 92688
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Jimster\protect.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\config\systemprofile\protect.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\config\systemprofile\start menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\TEMP\bvtopjlhjx.exe (Trojan.Dropper) -> No action taken.
c:\WINDOWS\TEMP\msb.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\Jimster\start menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\Jimster\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\Jimster\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\TEMP\nsrbgxod.bak (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\hjgruibmfgsnsy.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\drivers\hjgruijlnypifm.sys (Trojan.Agent) -> No action taken.


I allowed it to do the removal process and it was unable to remove \system32\autochk.dll, so I allowed it to remove on reboot. Now here I am.

Right before I did that, I took note that my homepage would not load, and I could not get to your forum here. I don't know if it has something to do with my infection or if it's my antivirus acting up. I have Norton 360, and when I disabled everything to run RootRepeal, the transaction security portion of Norton will not turn back on no matter what I try. The other thing is those extra CD-ROM drives I mentioned before are now gone and my actual drives are named properly again (DVD-ROM/DVD-RAM). Also I just checked (was half afraid to) and it seems the redirect problem is gone.

Is there anything else that you think should be done before we consider this "cleaned"? :thumbsup:

#6 Budapest (Moderator, "Bleepin' Cynic")

Posted 08 July 2009 - 05:08 PM

Run another Malwarebytes scan and post the new log.

#7 Sixthelement (Topic Starter)

Posted 08 July 2009 - 06:57 PM

Malwarebytes' Anti-Malware 1.38
Database version: 2396
Windows 5.1.2600 Service Pack 3

7/8/2009 7:50:23 PM
mbam-log-2009-07-08 (19-50-23).txt

Scan type: Full Scan (C:\|F:\|G:\|H:\|)
Objects scanned: 328825
Time elapsed: 1 hour(s), 15 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{cc056029-6c71-4883-9a8e-0cbcfa50dfcb}\RP1146\A0093961.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

#8 Budapest (Moderator, "Bleepin' Cynic")

Posted 08 July 2009 - 07:06 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#9 Sixthelement (Topic Starter)

Posted 08 July 2009 - 07:16 PM

In Add/Remove Programs I have

Java™ 6 Update 13
Java™ 6 Update 5
Java™ 6 Update 7

From what I can remember... this actually started getting bad when I noticed qttask.exe (QuickTime) was continuously using at least 50% of my CPU (and I have a 2.4 C2D). And I don't even use QuickTime...

#10 Budapest (Moderator, "Bleepin' Cynic")

Posted 08 July 2009 - 07:31 PM

Those Java versions are out of date. Remove them and get the latest:

http://java.com/getjava/

#11 Sixthelement (Topic Starter)

Posted 08 July 2009 - 07:41 PM

Do you recommend any other anti-virus and/or malware protection? I've just about had it with Norton.

#12 Budapest (Moderator, "Bleepin' Cynic")

Posted 08 July 2009 - 07:52 PM

I use Comodo anti-virus and firewall, Spywareblaster and Malwarebytes, which are all free.

I'm not necessarily recommending Comodo though, as there are other good free anti-virus applications available, such as AVG, Avira, Avast etc.

Also, it's important to remember that all the protection in the world won't save you from infection if you don't practice safe internet habits.

#13 Sixthelement (Topic Starter)

Posted 08 July 2009 - 09:08 PM

I'm going to assume this means I'm fixed. lol

Thanks for your help!

#14 Budapest (Moderator, "Bleepin' Cynic")

Posted 08 July 2009 - 10:08 PM

You're welcome.

#15 Sixthelement (Topic Starter)

Posted 09 July 2009 - 11:06 PM

Not sure if it's related to something we did or not... but I installed AVG Free and turned on Windows Firewall (for now)... and my computer isn't recognizing my Zune when I connect it anymore :thumbsup: You know the little jingle that plays when you connect a USB device... well, a sound plays... but it's different. Like... maybe a problem kind of jingle. It has the yellow exclamation point in Device Manager and says this: Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41)

That's a little weird.
