Random hijacks and redirects, spybot & similar blocked


  • This topic is locked
6 replies to this topic

#1 Daklin

  • Members
  • 3 posts

Posted 09 August 2009 - 11:20 PM

Hello,

I am running Windows XP. For the past few days, I've been getting randomly redirected both from following links and directly from the address bar. The most common way, though, is via a link from a Google search. I'll search for anything - "spyware removal" or "orange julius" - click the link, and bounce through several redirects and wind up at a bogus ad page that often tries to download something to my computer. If I go back to the original google search, then I can (usually) successfully click the link.

I've tried both running and reinstalling Spybot pro and HijackThis!, without success. Whatever bug has infected this computer is blocking both programs. I cannot connect to safer-networking.org at all (cannot find server), and cannot connect to update servers for HijackThis or AVG Antivirus. I've tried reverting to a backup of my hosts file, without any apparent change.

Other things I've tried:
1. Trendmicro's Housecall antivirus found a bunch of infections, but couldn't do much about them.
2. ClamAV's memory scan didn't find anything actively running.
3. I ran SDFix.exe, with no trojans found (to the best of my knowledge) and nothing changed.
4. It looks like ComboFix won't run, but I didn't try more than once out of curiosity since I realized it's recommended against without specific direction.
5. I ran ATFCleaner, and don't think it found anything yet.

Another note: my firewall (Sunbelt Personal Firewall) keeps on detecting code injection intrusion events. They seem to be directed from a Logitech Quickcam driver folder. "Injector application: G:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe, Description: Logitech LVPrcSrv Module." This may be irrelevant, but I found it surprising.

My logs are attached. Thank you for the help! This is driving me nuts, as it's the first time I've caught anything that has stymied my methods.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Andy at 23:47:14.23 on Sun 08/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.580 [GMT -4:00]


============== Running Processes ===============

G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
G:\Program Files\Intel\Wireless\Bin\EvtEng.exe
G:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
G:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
G:\WINDOWS\System32\WLTRYSVC.EXE
G:\WINDOWS\System32\bcmwltry.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
G:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\Program Files\TightVNC\WinVNC.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\system32\WLTRAY.exe
G:\WINDOWS\system32\igfxpers.exe
G:\WINDOWS\system32\taskswitch.exe
G:\Program Files\VirtuaWin\VirtuaWin.exe
G:\Program Files\Launchy\Launchy.exe
G:\Program Files\VirtuaWin\modules\WinList.exe
G:\WINDOWS\System32\svchost.exe -k HTTPFilter
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "g:\documents and settings\andy\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Broadcom Wireless Manager UI] g:\windows\system32\WLTRAY.exe
mRun: [igfxtray] g:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] g:\windows\system32\hkcmd.exe
mRun: [igfxpers] g:\windows\system32\igfxpers.exe
mRun: [CoolSwitch] g:\windows\system32\taskswitch.exe
mRun: [VirtuaWin] "g:\program files\virtuawin\VirtuaWin.exe"
mRun: [WinVNC] "g:\program files\tightvnc\WinVNC.exe" -servicehelper
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - g:\program files\launchy\Launchy.exe
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233241065765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: NameServer = 85.255.112.110,85.255.112.229
TCP: {D0FC4FAA-40BD-43BB-A909-EC35B05FB132} = 85.255.112.110,85.255.112.229
TCP: {FDC91E87-175C-4B5D-B182-9F4B45E0B18E} = 85.255.112.110,85.255.112.229
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - g:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\andy\applic~1\mozilla\firefox\profiles\8vadqolc.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - plugin: g:\documents and settings\andy\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
g:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
g:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
g:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
g:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R3 GTIPCI21;GTIPCI21;g:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]

=============== Created Last 30 ================

2009-08-09 19:50 <DIR> --d----- g:\windows\ERUNT
2009-08-09 19:50 <DIR> --d----- G:\SDFix
2009-08-09 19:47 153,104 a------- g:\windows\system32\drivers\tmcomm.sys
2009-08-09 19:45 <DIR> --d----- g:\program files\Trend Micro
2009-08-09 19:31 <DIR> --d----- g:\docume~1\andy\applic~1\AVG8
2009-08-09 10:17 <DIR> --d----- g:\documents and settings\andy\.housecall6.6
2009-08-09 10:17 664 a------- g:\windows\system32\d3d9caps.dat
2009-07-22 08:36 70,656 a------- g:\windows\system32\yv12vfw.dll
2009-07-22 08:36 70,656 a------- g:\windows\system32\i420vfw.dll
2009-07-22 08:36 27,648 a------- g:\windows\system32\AVSredirect.dll
2009-07-22 08:36 <DIR> --d----- g:\program files\AviSynth 2.5
2009-07-22 08:33 <DIR> --d----- g:\program files\common files\SWF Studio
2009-07-19 17:32 444,952 a------- g:\windows\system32\wrap_oal.dll
2009-07-19 17:32 109,080 a------- g:\windows\system32\OpenAL32.dll
2009-07-19 17:32 <DIR> --d----- g:\program files\OpenAL
2009-07-13 22:23 <DIR> --d----- g:\docume~1\andy\applic~1\Subversion
2009-07-13 22:20 <DIR> --d----- g:\program files\Subversion

==================== Find3M ====================


============= FINISH: 23:47:46.21 ===============



#2 Guest_superbird_*

  • Guests

Posted 10 August 2009 - 02:13 AM

Hi,

I will handle your log. As I am in training, all my answers have to be approved by my Coaches.
I hope you understand.

I'll get back to you as soon as possible.

#3 Daklin

  • Topic Starter
  • Members
  • 3 posts

Posted 10 August 2009 - 10:39 PM

Some more information. I ran f-prot virus scan from my linux partition, scanning the entire windows partition. The output report is attached, but it looks like it's infected with ESQUL and another Trojan. Relevant parts are pasted in:

[Found trojan] <W32/Trojan2.IGQP (exact)> /media/disk/WINDOWS/system32/drivers/ESQULltxelyacsrtqqyddkjyyahndoflmcutt.sys
[Found security risk] <W32/SuspPack.AB.gen!Eldorado (generic, not disinfectable)> /media/disk/WINDOWS/system32/ESQULrnamoojlkietltpvghownxkwyatjojhc.dll
[Found security risk] <W32/SuspPack.AB.gen!Eldorado (generic, not disinfectable)> /media/disk/WINDOWS/system32/ESQULtbnlawtycswgrvpkleamvblirpyjerqs.dll


Edited by Daklin, 10 August 2009 - 10:39 PM.
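Taken together, the DDS report in the first post and the f-prot output above show the three things a responder would check before running any cleaner: every TCP/IP interface is pointed at two public resolvers (85.255.112.110 and 85.255.112.229) that the poster never mentions configuring, which would account for safer-networking.org and the AV update servers failing to resolve regardless of what is in the hosts file; Internet Explorer is routed through a proxy on localhost:8080; and the offline scan found a kernel driver and two DLLs under system32 whose names are a common prefix followed by a long random-looking string. The script below is an added example written for this page, not one of the tools used in the thread. It parses exactly those lines. The expected-resolver allowlist and the sample file list are constructed for the example, and the random-name heuristic (a long lowercase run with fewer than 30% vowels) is a rule of thumb for triage, not a signature.

```python
"""Triage helper for a DDS / HijackThis-style report and an offline scanner's
file list: flags rogue resolvers, a loopback proxy, and random-looking driver
names.  Added example for this thread, not one of the tools the helpers used."""
import ipaddress
import re

# Constructed sample input: the network lines from the DDS pseudo-HJT report
# posted above, copied verbatim.
DDS_REPORT = """\
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
TCP: NameServer = 85.255.112.110,85.255.112.229
TCP: {D0FC4FAA-40BD-43BB-A909-EC35B05FB132} = 85.255.112.110,85.255.112.229
TCP: {FDC91E87-175C-4B5D-B182-9F4B45E0B18E} = 85.255.112.110,85.255.112.229
"""

# Constructed sample input: the paths from the f-prot output in the follow-up
# post, plus one ordinary driver from the DDS services list for contrast.
SCAN_PATHS = [
    "/media/disk/WINDOWS/system32/drivers/ESQULltxelyacsrtqqyddkjyyahndoflmcutt.sys",
    "/media/disk/WINDOWS/system32/ESQULrnamoojlkietltpvghownxkwyatjojhc.dll",
    "/media/disk/WINDOWS/system32/ESQULtbnlawtycswgrvpkleamvblirpyjerqs.dll",
    "/media/disk/WINDOWS/system32/drivers/gtipci21.sys",
]

# Assumption: the operator knows which resolvers the machine should be using
# (the router, or the ISP's DHCP-assigned servers).  The address below is a
# placeholder for the example, not something taken from the thread.
EXPECTED_RESOLVERS = {"192.168.1.1"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def rogue_resolvers(report, expected=EXPECTED_RESOLVERS):
    """Public IPv4 resolvers configured on any TCP/IP interface that are not
    in the expected set.  Private and loopback addresses are ignored because
    a home router or a local caching resolver is normal."""
    found = set()
    for line in report.splitlines():
        if not line.startswith("TCP:"):
            continue
        for ip in IPV4.findall(line):
            addr = ipaddress.ip_address(ip)
            if addr.is_private or addr.is_loopback or ip in expected:
                continue
            found.add(ip)
    return sorted(found)


def loopback_proxies(report):
    """Proxy entries that route browser traffic through the local host.
    Nothing the poster mentions runs a local proxy, so such an entry is a
    question to answer (which process listens there?), not proof of malice."""
    hits = []
    for line in report.splitlines():
        m = re.search(r"ProxyServer\s*=\s*(.+)$", line)
        if not m:
            continue
        for entry in m.group(1).split(";"):
            entry = entry.strip()
            scheme, sep, target = entry.partition("=")
            if not sep:          # bare "host:port" form with no scheme prefix
                target = scheme
            host = target.rsplit(":", 1)[0].strip().lower()
            if host in ("localhost", "127.0.0.1", "::1"):
                hits.append(entry)
    return hits


def looks_random(stem, min_len=20, max_vowel_ratio=0.3):
    """Heuristic for machine-generated names: one long run of lowercase
    letters with far fewer vowels than English words have.  Human-chosen
    CamelCase names break into short runs and are never flagged."""
    run = max(re.findall(r"[a-z]+", stem), key=len, default="")
    if len(run) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in run)
    return vowels / len(run) < max_vowel_ratio


def suspicious_files(paths, known_prefixes=("ESQUL",)):
    """Return (path, reason) for files whose names carry a prefix the scanner
    already reported or look randomly generated.  The default prefix is the
    one seen in the f-prot output above."""
    results = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        reasons = []
        if any(stem.startswith(p) for p in known_prefixes):
            reasons.append("known prefix")
        if looks_random(stem):
            reasons.append("random-looking name")
        if reasons:
            results.append((path, ", ".join(reasons)))
    return results


if __name__ == "__main__":
    print("Rogue resolvers:", rogue_resolvers(DDS_REPORT))
    print("Loopback proxies:", loopback_proxies(DDS_REPORT))
    for path, why in suspicious_files(SCAN_PATHS):
        print(f"{why}: {path}")
```

Run it against a copy of the pasted report. The resolver list is the part to act on first: compare it with what the router or ISP hands out (`ipconfig /all` on the affected machine) and, if it differs, expect the machine to stay hijacked until the resolver setting is corrected on every interface, since a rogue resolver can answer selectively for security vendors' domains while leaving everything else working. A loopback proxy should be traced to the listening process (`netstat -ano` and the PID) before it is removed, so the binary behind it is captured rather than just the setting.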


#4 Guest_superbird_*

  • Guests

Posted 11 August 2009 - 02:47 AM

Hi,

Download ComboFix from here

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#5 Daklin

  • Topic Starter
  • Members
  • 3 posts

Posted 11 August 2009 - 08:24 AM

After running the scan in Linux, I've since been able to run Malwarebytes and Spybot. They both found a number of things, which were deleted, including the ones I posted about above. I've posted the log from malwarebytes.

I also ran ComboFix, and have posted that log.


#6 Guest_superbird_*

  • Guests

Posted 12 August 2009 - 04:58 AM

Hi,

1. Open Notepad.
Copy this code into the Notepad file:

File::
g:\windows\system32\drivers\ESQULltxelyacsrtqqyddkjyyahndoflmcutt.sys.bak

Save the file as CFScript.txt

Now drag CFScript.txt into ComboFix.exe
ComboFix will restart.
When ComboFix is finished, this could be after a reboot, a logfile will open.
Post the contents of that logfile in your next reply.

2. Go to Virustotal.com
Upload the following file by copying and pasting the following path (so do not use "Browse"!): g:\windows\system32\sfcfiles.dll
Wait until the results appear, and post them in your next reply.

3. Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
If you need a tutorial, see here

#7 Baabiouz

    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Location:Finland

Posted 18 August 2009 - 11:08 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.