
Infected w/ Google Redirect Virus


This topic is locked
7 replies to this topic

#1 tunisia

tunisia

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 22 September 2009 - 12:29 AM

Dear Awesome Volunteer,

I got a virus that loaded itself with a faux virus-protection program. Since then I haven't been able to load any search engine, especially Google, and the background of my laptop has changed to saying the copy of my Microsoft XP is counterfeit, with a permanent symbol on the time menu. MSN also seemed to take over my computer for a while.



DDS (Ver_09-07-30.01) - FAT32x86
Run by user1 at 22:03:56.33 on Mon 09/21/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.318.54 [GMT -7:00]

AV: F-Secure Anti-Virus 2010 10.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\temp\F30_F50_2KXP_v40\USBDrv\Win2k\Disk1\MPSERVIC.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxredir.exe
C:\Program Files\AirPort\APAgent.exe
C:\temp\F30_F50_2KXP_v40\USBDrv\Win2k\Disk1\MPTBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\WINDOWS\system32\sol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Documents and Settings\user1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uWindow Title = Windows Internet Explorer provided by Comcast
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PowerArchiver Tray] c:\program files\powerarchiver\PASTARTER.EXE
mRun: [fxredir] c:\windows\system32\fxredir.exe
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [monitr32] c:\temp\f30_f50_2kxp_v40\usbdrv\win2k\disk1\monitr32.exe
mRun: [MPTBox] c:\temp\f30_f50_2kxp_v40\usbdrv\win2k\disk1\MPTBox.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
LSP: c:\program files\f-secure\fsps\program\FSLSP.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\rzurd1qr.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-9-21 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-9-21 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2009-9-21 68064]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2009-9-21 99960]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2009-9-21 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2009-9-21 25184]

=============== Created Last 30 ================

2009-09-21 21:26 33,920 a------- c:\windows\system32\drivers\fsbts.sys
2009-09-21 21:24 80,000 a------- c:\windows\system32\drivers\fsdfw.sys
2009-09-21 21:20 <DIR> --d----- c:\program files\F-Secure
2009-09-21 21:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2009-09-21 17:11 <DIR> --d----- c:\program files\Trend Micro
2009-09-21 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\f-secure
2009-09-17 23:31 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-17 22:38 <DIR> --d-h--- c:\windows\ie8
2009-09-17 03:22 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-09-16 21:47 <DIR> --d----- c:\docume~1\user1\applic~1\McAfee
2009-09-16 18:51 <DIR> --d----- c:\program files\McAfee
2009-09-16 17:19 <DIR> --d----- c:\docume~1\user1\applic~1\MSNInstaller
2009-09-16 14:20 <DIR> --d----- c:\docume~1\user1\applic~1\Malwarebytes
2009-09-16 14:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-06 19:31 45 a------- c:\documents and settings\user1\jagex_runescape_preferences2.dat
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-08-28 09:25 <DIR> --d----- C:\.jagex_cache_32
2009-08-27 21:27 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-08-27 21:27 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-08-27 21:27 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-08-27 21:27 10,368 a------- c:\windows\system32\dllcache\hidusb.sys
2009-08-27 21:00 37 a------- c:\documents and settings\user1\jagex_runescape_preferences.dat
2009-08-27 20:59 <DIR> --d----- c:\windows\.jagex_cache_32

==================== Find3M ====================

2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-22 13:32 9,375,022 a------- C:\HomeBase23EN.EXE
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:19 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 06:27 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 10:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 04:18 92,928 a------- c:\windows\system32\dllcache\ksecdd.sys

============= FINISH: 22:06:05.60 ===============

Attached Files

  • Attached File  ark.txt   6.13KB   20 downloads
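The "Pseudo HJT Report" section of the DDS log above lists browser helper objects, toolbars and Run-key autostarts in a fixed one-line format. The script below is an added example written for this thread, not a tool from BleepingComputer or the DDS author: it parses lines in that format and flags two things a log reviewer usually checks first, registry entries whose file is missing ("No File", such as the orphaned toolbar CLSID in this log) and autostarts launched from temp or user-profile directories. The sample lines are constructed to match the log above, and the prefix list and both heuristics are my assumptions, meant to surface entries for human review rather than to classify anything as malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" format (mirrors lines from the thread's log)
SAMPLE_LOG = r"""
uStart Page = hxxp://google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MPTBox] c:\temp\f30_f50_2kxp_v40\usbdrv\win2k\disk1\MPTBox.exe
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
"""

# Assumed list of directories from which an autostart or plug-in deserves a second look
SUSPECT_PREFIXES = (
    "c:\\temp\\",
    "c:\\windows\\temp\\",
    "c:\\docume~1\\",
    "c:\\documents and settings\\",
)


@dataclass
class Entry:
    kind: str    # e.g. "BHO", "TB", "uRun", "mRun"
    name: str    # display name and/or CLSID, or the Run value name
    target: str  # file path, or "No File" when the referenced file is gone


def exe_from_command(cmd: str) -> str:
    """Strip arguments from a Run-key command line and return the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted form: cut at the first token that looks like a switch (/flag or -flag)
    return re.split(r"\s+(?=[/-])", cmd)[0]


def parse_entry(line: str):
    """Parse one report line into an Entry, or return None for lines with no file target."""
    m = re.match(r"^(?P<kind>[A-Za-z]+): (?P<rest>.+)$", line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind.endswith("Run"):
        # uRun/mRun lines look like: [ValueName] <command line>
        m2 = re.match(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", rest)
        return Entry(kind, m2.group("name"), exe_from_command(m2.group("cmd"))) if m2 else None
    if " - " in rest:
        # BHO/TB/DPF lines end with " - <path>" or " - No File"
        name, target = rest.rsplit(" - ", 1)
        return Entry(kind, name.strip(), target.strip())
    return None


def parse_report(text: str) -> list:
    return [e for e in map(parse_entry, text.splitlines()) if e]


def review(entries: list) -> list:
    """Return (entry, reason) pairs for entries worth a human reviewer's attention."""
    findings = []
    for e in entries:
        target = e.target.lower()
        if target == "no file":
            findings.append((e, "orphaned reference: registry entry points at a file that no longer exists"))
        elif target.startswith(SUSPECT_PREFIXES):
            findings.append((e, "autostart or plug-in loaded from a temp or user-profile directory"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_report(SAMPLE_LOG)):
        print(f"{entry.kind:5} {entry.name:45} {entry.target}\n      -> {reason}")
```

Run against the sample, the script reports the toolbar CLSID with no backing file (the same key the helper later removes with a CFScript) and the MPTBox autostart under c:\temp; the Adobe, ctfmon and F-Secure entries pass. Extending the prefix list or adding a check against a known-good file list is straightforward because every entry carries its resolved path.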


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 08 October 2009 - 12:58 PM

Hi,

I will handle your log. As I am in training all my answers have to be approved by my Coaches.
I hope you understand.

I'll get back to you as soon as possible.

#3 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 10 October 2009 - 02:48 AM

Hi,

Download ComboFix from here

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply, together with a new DDS-log.

#4 tunisia

tunisia
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 10 October 2009 - 07:01 PM

Thank you very much. Please let me know if I uploaded incorrectly.

Attached Files



#5 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 11 October 2009 - 09:46 AM

Hi,

1. Go to Start > Control Panel > Add or Remove Programs.

Remove the following program, if it is present.
  • Java™ 6 Update 13
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

2. Open Notepad.
Copy this code into the Notepad-file:

Folder::
C:\FOUND.002
C:\FOUND.001
C:\FOUND.000
Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\{327C2873-E90D-4c37-AA9D-10AC9BABA46C}]

Save the file as CFScript.txt

Now drag CFScript.txt into ComboFix.exe
ComboFix will restart.
When ComboFix is finished, this could be after a reboot, a logfile will open.
Post the contents of that logfile in your next reply.

3. Go to Virustotal.com
Upload the following file by copying/pasting the following path (do not use "Browse"!): c:\windows\system32\sfcfiles.dll
Wait until the results appear, and post them in your next reply.

4. Please post a new DDS logfile in your next reply, together with the logfile from ComboFix and the results from Virustotal.

#6 tunisia

tunisia
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE

Posted 13 October 2009 - 01:59 PM

My computer is under constant threat of viruses now, as I don't have anything loaded to protect it, and I can't complete the last steps of the last instruction. I have had to run ComboFix once outside of instruction. Please advise.

Edited by tunisia, 13 October 2009 - 02:00 PM.


#7 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 14 October 2009 - 01:20 PM

Hi,

Which problems do you get exactly?

Please post the logs as far as you have them. :(

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:53 AM

Posted 22 October 2009 - 08:13 AM

This thread will now be closed due to lack of activity.