This topic is locked
My son browsed to a website this past weekend (October 17th @ 12:07am) that contained a malicious ad that attempted a driveby install of SmitFraud on our Dell laptop via an old Adobe Reader exploit (now updated to v9.2.0
). Even though our A/V blocked most of the installation, some damage was done. I've cleaned up the damage to the point where all of the tools that I run (MBAM, SAS, Spybot, MWMSRT, etc) report a completely clean system.But the system isn't clean.
A rootkit or browser hijack remains that usually redirects Google search results to A/V, spyware and search engine sites. Most of these redirects then proceed to attempt to connect to an "r3953724.cn" site (see attached url.txt file for the full address). This attempted connection is never successful.I've tried everything I can think of to cleanup this problem, and am now admitting defeat.
Anything you fine folks can do to help me out will be greatly appreciated!OS: WinXP/SP3 w/all patches
Browser: IE7 w/all patches
A/V: ZoneAlarm Security Suite v8.0.400.020 w/up-to-date signatures
Thanks in advance,
Propeller Head
Edit: For what it's worth, I just tested Yahoo and Bing and they also get redirected like Google does.
************ Contents of the DDS.txt log ************
DDS (Ver_09-10-13.01) - NTFSx86
Run by Owner at 19:02:48.51 on Tue 10/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.470 [GMT -5:00]
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [NoActiveDesktopChanges] 00000000
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193947031277
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {576B191F-974F-4789-BE69-A7F1F182075F} = 142.161.2.155,142.161.130.155
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 74480]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-7-7 2368]
S3 PD91Agent;PD91Agent;c:\program files\perfectdisk\PD91Agent.exe [2008-1-16 664840]
S3 PD91Engine;PD91Engine;c:\program files\perfectdisk\PD91Engine.exe [2008-1-16 894216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
=============== Created Last 30 ================
2009-10-19 18:59 <DIR> --d----- c:\program files\ComboFix
2009-10-19 18:33 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-10-19 18:33 50,176 a------- c:\windows\system32\proquota.exe
2009-10-19 18:11 236,544 a------- c:\windows\PEV.exe
2009-10-19 18:11 161,792 a------- c:\windows\SWREG.exe
2009-10-19 18:11 98,816 a------- c:\windows\sed.exe
2009-10-18 11:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-18 11:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-18 00:09 <DIR> --d----- c:\program files\Sysinternals
2009-10-17 18:45 <DIR> --d----- c:\program files\SmitfraudFix
2009-10-17 18:44 <DIR> --d----- c:\program files\smitRem
2009-10-17 17:56 <DIR> --d----- c:\program files\BlackLight
2009-10-17 15:44 <DIR> --d----- c:\program files\CWShredder
2009-10-17 13:05 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-17 13:05 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-17 13:05 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-17 13:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 19:26 <DIR> --d----- c:\windows\system32\URTTEMP
2009-10-13 18:52 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-10-13 17:35 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-13 17:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-13 17:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-13 17:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-13 17:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-13 17:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-13 17:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-13 17:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-09-24 21:36 <DIR> --d----- c:\program files\VirtualDub
==================== Find3M ====================
2009-10-20 19:02 422,507,040 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-19 22:23 5,659,136 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-13 15:39 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 02:36 832,512 -------- c:\windows\system32\wininet.dll
2009-08-29 02:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 02:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2008-06-30 21:50 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2007-11-02 17:44 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-11-02 17:44 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-11-02 17:44 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-11-02 17:44 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-11-02 17:44 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2007-11-02 17:44 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-11-02 17:44 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-11-02 17:44 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-11-02 17:44 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2008-07-01 00:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070120080702\index.dat
============= FINISH: 19:04:20.32 ===============
Attached Files
-
Attach.txt 4.21KB
4 downloads
-
ark.txt 7.8KB
4 downloads
-
url.txt 2.01KB
4 downloads
Edited by Propeller Head, 22 October 2009 - 08:08 AM.
Back to top
