Infected with many Trojans, search engines seem to be hijacked


  • This topic is locked
2 replies to this topic

#1 DevJade

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:33 AM

Posted 13 July 2009 - 12:07 AM

My operating system is Windows XP Service Pack 3

Over the past few days I seem to have been infected by a multitude of Trojans, or at least that is what my anti-virus program has told me. I have tried running Avira Anti-virus after rebooting on several occasions, and every time I do so it seems to have found new and different Trojans. They have had a variety of different names such as

Crypt
TDss
HEUR
Dldr
Alureon

I know this is a big NONO here, but I have successfully removed viruses from my system in the past and thought I could do this myself, so I tried deleting suspicious recently-created files and running the ComboFix program (had to rename it to run it, as my system would not let me without renaming, even after shutting down/uninstalling Avira). It reported that it had discovered rootkit activity, and proceeded to do its thing. This actually seemed to fix some, but not all, issues.

These are the problems I was encountering before running ComboFix, and that do NOT appear to be occurring any longer:

- The iexplore.exe process would start to run invisibly (I noticed this using Task Manager and the Process Explorer program) without any action taken by me to cause it to start. When I would use Task Manager or Process Explorer to kill the process, it would usually start itself again within a moment or so (not immediately) [this appears to have been fixed]

- I would occasionally hear sounds that sounded like a TV or radio program running when I had no programs or browser windows open that should have caused this. I am guessing this was caused by the iexplore.exe that kept running in the background, but I am not sure [this appears to have been fixed]

- Every instance of svchost.exe and my explorer.exe had a file running in them that started with UAC that was not there before I was infected [this appears to have been fixed]

These are the issues that are still occurring since I discovered these infections:

- Every time I try to do a search with any major search engine website, the results that appear show links to legitimate results, but when the links are clicked they take me to different and usually unrelated websites.

- I have two internal CD/DVD drives in my computer. Ever since I was infected, two drive letters appear in My Computer for each drive, instead of one each. I can tell this due to the fact that when I insert a CD in either drive, two drive letters report that CD in their name after I refresh My Computer. This is not a major problem for me, but seeing as I noticed this the same day I noticed this infection, I thought it might be useful/relevant information.

- I am not sure if this is a problem, but when checking my firewall status it states "For your security, some settings are controlled by Group Policy." Seeing as my "network" consists of only 2 computers (mine and my wife's) physically connected together with a router and I do not recall having changed any settings that might cause this, I am concerned my firewall may have been tampered with by a Trojan(s).

- My System Restore appears to have had all its restore points wiped at the time of the infection, as when I attempted to restore to a previous state it reported no restore points were available, and I have had System Restore activated for some time now.

As I imagine any helper who reads this will probably be frustrated with the fact that I've already attempted to do things here that I am not qualified to do, please let me state the fact that I have personally accepted that I am out of my league here, and I will not delete anything else or perform any more scans of any sort with any program until if/when I have been instructed to do so by a helper here. Any assistance that can be provided would be appreciated.

As per the instructions in this forum's Preparation Guide post, I will now post the DDS.txt file provided by the DDS program and attach the Attach.txt file.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Worknation at 0:42:48.01 on Mon 07/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.383 [GMT -5:00]

AV: AVG 7.5.503 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Worknation\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\workna~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google talk\googletalk.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\workna~1\applic~1\mozilla\firefox\profiles\hn4rsaod.default\
FF - prefs.js: browser.startup.homepage - about:blank

============= SERVICES / DRIVERS ===============

R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-11-13 3968]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-11 55640]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-11-13 821856]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe --> c:\progra~1\grisoft\avg7\avgamsvr.exe [?]
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe --> c:\progra~1\grisoft\avg7\avgupsvc.exe [?]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2005-7-25 348352]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2005-7-25 43392]
S3 ercmnd5;Ericsson USB networking driver (NDIS);c:\windows\system32\drivers\ercmnd5.sys [2003-3-16 17680]
S3 ercmunic;PipeRider™ WDM Driver;c:\windows\system32\drivers\ercmunic.sys [2003-3-16 69120]
S3 gbalink;GBA Link Driver (gbalink.sys);c:\windows\system32\drivers\gbalink.sys [2007-3-6 19677]
S3 npkeyc;npkeyc;c:\windows\system32\npkeyc.sys [2003-2-14 46656]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-25 24652]

=============== Created Last 30 ================

2009-07-11 15:48 636,088 ac------ c:\windows\system32\dllcache\iexplore.exe
2009-07-11 15:48 69,120 ac------ c:\windows\system32\dllcache\iedw.exe
2009-07-11 15:38 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-11 14:51 <DIR> a-dshr-- C:\cmdcons
2009-07-11 14:45 161,792 a------- c:\windows\SWREG.exe
2009-07-11 14:45 155,136 a------- c:\windows\PEV.exe
2009-07-11 14:45 98,816 a------- c:\windows\sed.exe
2009-07-11 03:48 968 a------- c:\windows\Active Setup Log.BAK
2009-07-11 03:45 <DIR> --d----- c:\program files\Avira
2009-07-11 03:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-11 02:44 304 a---h--- C:\aaw7boot.cmd
2009-07-11 00:11 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 22:22 13,312 a--sh--- c:\windows\system32\drivers\Thumbs.db
2009-07-06 05:17 90,112 a------- c:\windows\unvise32.exe
2009-07-06 05:16 <DIR> --d----- c:\program files\The Rosetta Stone
2009-07-06 04:52 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2009-07-06 04:52 <DIR> --d----- c:\program files\MagicDisc
2009-06-25 08:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore

==================== Find3M ====================

2009-07-10 21:53 5,632 a--sh--- c:\program files\Thumbs.db
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-09-25 09:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092520080926\index.dat

============= FINISH: 0:45:43.79 ===============

Attached Files


Edited by DevJade, 13 July 2009 - 01:59 AM.
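The DDS log quoted in the post above is what a helper reads first, and the two things that stand out in it (two AV products both listed with on-access scanning disabled, and service entries ending in `[?]` where DDS could not find the file) can be pulled out mechanically. The following is an added example, not part of the original thread and not code from the DDS tool itself; it parses the `AV:` header lines and the `SERVICES / DRIVERS` lines copied from the log above. It assumes, from reading this log rather than from any documentation, that the `R`/`S` prefix means running/stopped, that the digit is the service start type, and that `[?]` in place of a date and size marks a file DDS could not stat.

```python
import re
from dataclasses import dataclass

# Six lines copied from the DDS log posted above: the two AV header lines and
# four entries from the SERVICES / DRIVERS section (not constructed).
SAMPLE_LOG = r"""
AV: AVG 7.5.503 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-11 185089]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe --> c:\progra~1\grisoft\avg7\avgamsvr.exe [?]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-25 24652]
"""

# "AV: <product> *On-access scanning <enabled|disabled>* (<status>) {<guid>}"
AV_RE = re.compile(
    r"^AV: (?P<product>.+?) \*On-access scanning (?P<onaccess>enabled|disabled)\* "
    r"\((?P<status>\w+)\) \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)
# "<R|S><start> <name>;<display>;<path>[ --> <resolved path>] [<date size>|?]"
SVC_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$"
)


@dataclass
class AvProduct:
    product: str
    on_access: bool
    status: str
    guid: str


@dataclass
class ServiceEntry:
    running: bool        # assumption: R = running, S = stopped
    start_type: int      # assumption: the digit is the Windows service start type
    name: str
    display: str
    path: str            # the resolved path when DDS printed one, else the raw path
    file_missing: bool   # assumption: "[?]" means DDS could not stat the file


def parse_av(text):
    """Parse the AV: header lines of a DDS log."""
    out = []
    for line in text.splitlines():
        m = AV_RE.match(line)
        if m:
            out.append(AvProduct(m["product"], m["onaccess"] == "enabled",
                                 m["status"], m["guid"]))
    return out


def parse_services(text):
    """Parse the SERVICES / DRIVERS lines of a DDS log."""
    out = []
    for line in text.splitlines():
        m = SVC_RE.match(line)
        if m:
            out.append(ServiceEntry(
                running=m["state"] == "R",
                start_type=int(m["start"]),
                name=m["name"],
                display=m["display"],
                path=m["resolved"] or m["path"],
                file_missing=m["meta"].strip() == "?",
            ))
    return out


def triage(text):
    """Return (severity, message) findings a helper would want to see first."""
    findings = []
    avs = parse_av(text)
    for av in avs:
        if not av.on_access:
            findings.append(("high", f"on-access scanning disabled: {av.product}"))
        if av.status.lower() == "outdated":
            findings.append(("medium", f"signatures outdated: {av.product}"))
    if len(avs) > 1:
        findings.append(("medium",
                         f"{len(avs)} AV products registered; leftover engines can conflict"))
    for svc in parse_services(text):
        if svc.file_missing:
            findings.append(("low",
                             f"service {svc.name} points at a file DDS could not find: {svc.path}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run over the six lines above this reports both AV engines with real-time protection off (which is why Avira kept finding new files on every reboot rather than blocking them), the outdated AVG remnant, and the two service entries whose binaries are gone; none of that is a verdict on its own, but it is the shortlist a helper would ask about before anything else.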


#2 DevJade

  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:33 AM

Posted 14 July 2009 - 10:28 AM

Never mind, just decided to reformat, this topic can be closed.

#3 Guest_The weatherman_*

  • Guests
  • OFFLINE

Posted 14 July 2009 - 06:38 PM

Thank you for letting us know DevJade. :thumbup2:
