
Google searches are redirected to malware sites


10 replies to this topic

#1 Lich

Lich

  • Members
  • 12 posts

Posted 20 July 2009 - 04:40 AM

Whenever I perform searches on Google and click on links I get redirected to malware sites such as kepko.net.

Eset shows 0 infections.

Maybe you can help me out :thumbsup:


#2 Lich

Lich
  • Topic Starter

  • Members
  • 12 posts

Posted 20 July 2009 - 07:59 AM

MBAM log:
Malwarebytes' Anti-Malware 1.39
Database version: 2465
Windows 5.1.2600 Service Pack 3

20.07.2009 14:57:49
mbam-log-2009-07-20 (14-57-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 185165
Time elapsed: 53 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Edit: I deleted the registry entry, but the problem of redirecting still persists.
I also tried running Dr. Web CureIt in Safe Mode and in normal operation and always get

8j68m.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

errors.

And the eset log:
Scan Log
Version of virus signature database: 4236 (20090712)
Date: 19.07.2009 Time: 13:32:48
Scanned disks, folders and files: C:\
...

Edited by Lich, 20 July 2009 - 08:56 AM.


#3 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 20 July 2009 - 11:00 AM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Chewy

No. Try not. Do... or do not. There is no try.

#4 Lich

Lich
  • Topic Starter

  • Members
  • 12 posts

Posted 20 July 2009 - 11:28 AM

GooredFix by jpshortstuff (12.07.09)
Log created at 18:27 on 20/07/2009 (Admin)
Firefox version 3.5.1 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [16:21 20/07/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [19:57 03/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:57 03/04/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [23:15 11/04/2009]

-=E.O.F=-

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 20 July 2009 - 12:06 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Chewy

No. Try not. Do... or do not. There is no try.

#6 Lich

Lich
  • Topic Starter

  • Members
  • 12 posts

Posted 20 July 2009 - 04:55 PM

SmitFraudFix v2.423

Scan done at 23:48:48,95, 20.07.2009
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Admin\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 mpa.one.microsoft.com

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Admin


C:\DOCUME~1\Admin\LOCALS~1\Temp


C:\Documents and Settings\Admin\Application Data


Start Menu


C:\DOCUME~1\Admin\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: VIA Rhine II Fast Ethernet Adapter - Eset Personal Firewall Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0E4DEA20-2DA0-4CFF-AAEE-DA8026A83F9E}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0E4DEA20-2DA0-4CFF-AAEE-DA8026A83F9E}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0E4DEA20-2DA0-4CFF-AAEE-DA8026A83F9E}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End
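The MBAM hit in post #2 (an Image File Execution Options key for Userinit.exe) and the Winlogon and AppInit_DLLs sections of the SmitfraudFix report above are all checks of the same kind: registry locations that make Windows run something extra at logon or process start. The script below is an added example (editor's code, not part of MBAM, SmitfraudFix or any other tool in this thread) that performs those three checks offline against a `.reg` export. The stock Winlogon values are an assumption for Windows XP, and `SAMPLE_REG` is a constructed export whose hijack target file name is made up:

```python
r"""Offline check of a Windows registry export for the autostart hijacks that
the MBAM log (post #2) and the SmitfraudFix log (post #6) above look at:
an Image File Execution Options "Debugger" value, which makes Windows start
the program named there (with the original command line appended) instead of
the executable the subkey is named after; a Winlogon Userinit/Shell that is
not the stock value; and a non-empty AppInit_DLLs.
Example code added to this thread, not part of either tool.  SAMPLE_REG is a
constructed export; a real one comes from
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" cv.reg
and is UTF-16LE with a BOM, which load_reg() handles."""
import re

CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
IFEO = CV + r"\Image File Execution Options"
WINLOGON = CV + r"\Winlogon"
WINDOWS = CV + r"\Windows"
# Stock Windows XP values (an assumption for this example; other versions differ).
WINLOGON_DEFAULTS = {"userinit": r"C:\WINDOWS\system32\userinit.exe,",
                     "shell": "Explorer.exe"}
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # regedit writes \ as \\ and " as \" inside quoted names and REG_SZ data
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key path: {value name (lower-cased): data}}.
    REG_SZ data is unescaped; dword:/hex: data is kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue                         # e.g. hex: continuation lines
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def load_reg(path):
    with open(path, encoding="utf-16") as f:  # regedit's default export encoding
        return parse_reg(f.read())


def triage(keys):
    """Return (check, subject, detail) tuples for anything worth a look."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.startswith(IFEO.lower() + "\\") and "debugger" in values:
            # Whatever is named here runs in place of the program the subkey is
            # named after.  Developers set this by hand occasionally, so confirm
            # the target before calling it malicious.
            findings.append(("IFEO Debugger", path[len(IFEO) + 1:], values["debugger"]))
        elif low == WINLOGON.lower():
            for name, default in WINLOGON_DEFAULTS.items():
                got = values.get(name)
                if got is not None and got.lower() != default.lower():
                    findings.append(("Winlogon " + name, got, "expected " + default))
        elif low == WINDOWS.lower() and values.get("appinit_dlls", "").strip():
            findings.append(("AppInit_DLLs", values["appinit_dlls"],
                             "loaded into every process that maps user32.dll"))
    return findings


# Constructed sample: stock Winlogon and AppInit values plus one IFEO hijack of
# Userinit.exe pointing at a made-up file name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe]
"Debugger"="C:\\WINDOWS\\system32\\example-hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001
"""

if __name__ == "__main__":
    for check, subject, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{check}: {subject} -> {detail}")
```

Run it against an export taken from the suspect machine (`python triage_reg.py` after pointing `load_reg()` at the file). Note that, as happened in this thread, deleting a flagged IFEO or Winlogon value only removes one persistence hook; if the redirects continue afterwards, something else is still loading, which is what the rootkit scan further down found.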

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 July 2009 - 09:42 AM

Sorry for letting this slip by. I meant to search more later and got distracted. Not much to go on; let's try a rootkit scan.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#8 Lich

Lich
  • Topic Starter

  • Members
  • 12 posts

Posted 22 July 2009 - 09:51 AM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-22 16:50:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x62 ? 8676CBF8
INT 0x82 ? 8676CBF8
INT 0xA4 ? 86570BF8
INT 0xA4 ? 86570BF8
INT 0xA4 ? 86570BF8
INT 0xA4 ? 86570BF8
INT 0xA4 ? 86570BF8

Code 8645BA88 ZwEnumerateKey
Code 86459868 ZwFlushInstructionCache
Code 8645C15E ZwSaveKey
Code 8645BBFE ZwSaveKeyEx
Code 8645CC06 IofCallDriver
Code 8645D3EE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8645CC0B
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 8645D3F3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 8645986C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 8645BA8C
PAGE ntkrnlpa.exe!ZwSaveKey 8061BDE4 5 Bytes JMP 8645C162
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061BECA 5 Bytes JMP 8645BC02
? spwl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F68ED8AC 4 Bytes JMP 865701D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[164] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[268] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04A1000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\WINDOWS\system32\ctfmon.exe[336] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\nvsvc32.exe[380] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0089000A
.text ...
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1072] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0078000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1660] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\SearchFilterHost.exe[1720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0095000A
.text C:\WINDOWS\Explorer.EXE[1880] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1968] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006B000A
.text ...
.text C:\WINDOWS\system32\SearchIndexer.exe[2252] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0062000A
.text C:\WINDOWS\system32\wscntfy.exe[3292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007C000A
.text C:\Program Files\iPod\bin\iPodService.exe[3496] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0091000A
.text C:\WINDOWS\system32\SearchProtocolHost.exe[3912] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F740E042] spwl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F740E13E] spwl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F740E0C0] spwl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F740E800] spwl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F740E6D6] spwl.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F741DE9C] spwl.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8676B1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\NetBT \Device\NetBT_Tcpip_{0E4DEA20-2DA0-4CFF-AAEE-DA8026A83F9E} 8648F500

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\sptd \Device\3144773152 spwl.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8656F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 867D91F8
Device \Driver\dmio \Device\DmControl\DmConfig 867D91F8
Device \Driver\dmio \Device\DmControl\DmPnP 867D91F8
Device \Driver\dmio \Device\DmControl\DmInfo 867D91F8
Device \Driver\usbuhci \Device\USBPDO-1 8656F1F8
Device \Driver\usbuhci \Device\USBPDO-2 8656F1F8
Device \Driver\usbehci \Device\USBPDO-3 8654D1F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8676D1F8
Device \Driver\Cdrom \Device\CdRom0 865151F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8648F500
Device \Driver\NetBT \Device\NetbiosSmb 8648F500
Device \Driver\PCI_PNP1902 \Device\0000004f spwl.sys

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBFDO-0 8656F1F8
Device \Driver\usbuhci \Device\USBFDO-1 8656F1F8
Device \Driver\usbuhci \Device\USBFDO-2 8656F1F8
Device \Driver\usbehci \Device\USBFDO-3 8654D1F8
Device \Driver\Ftdisk \Device\FtControl 8676D1F8
Device \Driver\aup34t2y \Device\Scsi\aup34t2y1 86445500
Device \Driver\aup34t2y \Device\Scsi\aup34t2y1Port3Path0Target3Lun0 86445500
Device \Driver\aup34t2y \Device\Scsi\aup34t2y1Port3Path0Target1Lun0 86445500
Device \Driver\aup34t2y \Device\Scsi\aup34t2y1Port3Path0Target0Lun0 86445500
Device \Driver\aup34t2y \Device\Scsi\aup34t2y1Port3Path0Target2Lun0 86445500
Device \FileSystem\Cdfs \Cdfs 86509500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Common Files\Real\Update_OB\realsched.exe [164] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [268] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [292] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [336] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [368] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [380] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [476] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [656] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [708] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [720] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [800] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [892] 0x00ED0000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [992] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\SearchProtocolHost.exe [1004] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1072] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1096] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1164] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [1244] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1364] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1556] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1604] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1628] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [1660] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\SearchFilterHost.exe [1720] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1880] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1968] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Documents and Settings\Admin\Desktop\d1cz6e5h.exe [1996] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET Smart Security\egui.exe [2020] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2128] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\SearchIndexer.exe [2252] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2436] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe [2916] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3292] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [3496] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\SearchProtocolHost.exe [3912] 0x10000000

---- EOF - GMER 1.0.15 ----

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 July 2009 - 10:02 AM

The good news

Gmer identified the infection

geyekrmcnbappp.dll (*** hidden *** )


The bad news

This is a new variant of the TDSS rootkit

One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Should you decide to try and have this removed you will need to post in our HJT forum

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Your post and log should go in this forum not here

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Edited by DaChew, 22 July 2009 - 10:02 AM.

Chewy

No. Try not. Do... or do not. There is no try.
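What DaChew read off the GMER log above can be written down as a rule: a module GMER marks `*** hidden ***` is a rootkit indicator on its own, and a user-mode inline hook whose `JMP` lands in memory GMER cannot attribute to any loaded image, inside a process that also carries that hidden DLL, is the same implant seen from a second angle. The script below is an added example (editor's code, not part of GMER) that applies that rule to a GMER log. The HIGH/MEDIUM/INFO ranking is this example's own rule of thumb, and `SAMPLE_LOG` is constructed from a few lines of the post #8 log:

```python
"""Triage of a GMER log like the one in post #8.  Example code added to this
thread (not part of GMER): it extracts hidden-module and inline-hook records,
keeps the owning image when GMER names one after the JMP target, and ties
unattributed user-mode hooks to a hidden DLL loaded in the same process.
The HIGH/MEDIUM/INFO ranking is this example's own rule of thumb."""
import re
from collections import defaultdict

USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes (?P<patch>.*)$")
KERNEL_HOOK = re.compile(
    r"^(?P<sect>\.text|PAGE|INIT) (?P<mod>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes (?P<patch>.*)$")
HIDDEN_LIB = re.compile(
    r"^Library (?P<path>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) "
    r"\[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$")
# GMER appends an image path and vendor only when it can map the JMP target.
JMP = re.compile(r"^JMP (?P<target>[0-9A-F]+)(?: (?P<owner>.+))?$")


def parse(text):
    """Split a GMER log into hook records and hidden-library records."""
    hooks, hidden = [], []
    for line in text.splitlines():
        m = USER_HOOK.match(line)
        if m:
            hooks.append({"scope": "user", **m.groupdict()})
            continue
        m = KERNEL_HOOK.match(line)
        if m:
            hooks.append({"scope": "kernel", **m.groupdict()})
            continue
        m = HIDDEN_LIB.match(line)
        if m:
            hidden.append(m.groupdict())
    return hooks, hidden


def triage(text):
    """Return (severity, message) findings, most serious first."""
    hooks, hidden = parse(text)
    hidden_in_pid = defaultdict(set)   # pid -> hidden DLL paths in that process
    pids_with = defaultdict(set)       # hidden DLL path -> pids carrying it
    for h in hidden:
        hidden_in_pid[h["pid"]].add(h["path"])
        pids_with[h["path"]].add(int(h["pid"]))
    findings = []
    for path, pids in pids_with.items():
        # A module hidden from the process's own module list is rootkit behaviour.
        findings.append(("HIGH", f"hidden module {path} in {len(pids)} processes: "
                         + ", ".join(map(str, sorted(pids)))))
    for h in hooks:
        where = (f"{h['proc']}[{h['pid']}]" if h["scope"] == "user"
                 else f"kernel {h['sect']}")
        name = f"{h['mod']}!{h['func']}"
        j = JMP.match(h["patch"])
        if j is None:
            # Byte patch that is not a jump (e.g. a 'ret 4' stub); security
            # products do this to themselves, so leave it to the reviewer.
            findings.append(("INFO", f"{name} patched in {where}: {h['patch']}"))
        elif j["owner"]:
            findings.append(("INFO", f"{name} in {where} hooked by {j['owner']}"))
        elif h["scope"] == "user" and hidden_in_pid.get(h["pid"]):
            # Jump into memory owned by no loaded image, in a process that also
            # carries a hidden DLL: treat hook and DLL as one implant.
            dlls = ", ".join(sorted(hidden_in_pid[h["pid"]]))
            findings.append(("HIGH", f"{name} in {where} JMP {j['target']} "
                             f"(no owning image); hidden DLL present: {dlls}"))
        else:
            findings.append(("MEDIUM", f"{name} in {where} JMP {j['target']} "
                             "into unattributed memory"))
    rank = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


def severity_counts(text):
    counts = defaultdict(int)
    for sev, _ in triage(text):
        counts[sev] += 1
    return dict(counts)


# Constructed sample: a few lines taken from the log in post #8.
SAMPLE_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8645CC0B
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 8645BA8C
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\ctfmon.exe[336] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1072] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\SearchIndexer.exe[2252] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1880] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [336] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [656] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrmcnbappp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1880] 0x10000000
"""

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```

Kernel hooks are left at MEDIUM on purpose. The full log in post #8 also shows `spwl.sys` behind `\Driver\sptd` and in the `atapi.sys` import table; with DAEMON Tools Lite in the process list of post #6, that is the SPTD layer DAEMON Tools installs, not part of this infection, and ESET's own drivers sit on the filesystem and TCP/IP stacks as well. Unattributed kernel `JMP`s therefore need a person to attribute them, whereas a hidden DLL in `winlogon.exe`, `services.exe` and `lsass.exe` does not.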

#10 Lich

Lich
  • Topic Starter

  • Members
  • 12 posts

Posted 22 July 2009 - 10:06 AM

I will definitely format. Is there anything else I should know before doing so, e.g. would you suggest a specific set of protection software to install before reconnecting the PC to the internet?

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 July 2009 - 04:01 PM

http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

How did I get infected?, With steps so it does not happen again!

That's been my method over the years: make all the mistakes and then try not to repeat them.

I got real good and very frustrated at reloading Windows.
Chewy

No. Try not. Do... or do not. There is no try.



