Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google searches being redirected and also getting random pop ups to directrdr.com and bu520.com


  • This topic is locked This topic is locked
3 replies to this topic

#1 Jim1985

Jim1985

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 29 November 2009 - 10:23 PM

Hi there, I've been asked to post a DDS scan log in this forum. My original post can be found here: http://www.bleepingcomputer.com/forums/t/274425/google-search-results-redirecting-and-also-directrdrcom-pop-ups/

DDS Log:


DDS (Ver_09-11-29.01) - NTFSx86
Run by Jim at 3:11:36.06 on 30/11/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_16
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2813.1539 [GMT 0:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Power Mixer\pwmixer.exe
C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jim\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Power Mixer] "c:\program files\power mixer\pwmixer.exe" /m
uRun: []
uRun: [NokiaOviSuite2] c:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
uRun: [svchost.exe] c:\users\jim\appdata\roaming\microsoft\svchost.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SataGD] c:\progra~1\appser~1\Remlive.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup
StartupFolder: c:\users\jim\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {5376972E-6339-481A-91DE-FA70114ADAFB} = 192.168.1.65,192.168.1.254
TCP: 244584F6D65684572623D293838383 = 192.168.1.65,192.168.1.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\jim\appdata\roaming\mozilla\firefox\profiles\4sdlotzy.default\
FF - component: c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
FF - plugin: c:\users\jim\appdata\roaming\mozilla\firefox\profiles\4sdlotzy.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/10/13 17:15:50];c:\program files\cyberlink\powerdvd9\000.fcl [2009-8-28 87536]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-10-9 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-9 102448]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-19 8320]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2009-5-21 57984]

=============== Created Last 30 ================

2009-11-27 04:52:11 0 d-----w- c:\programdata\FLEXnet
2009-11-27 04:48:33 0 d-----w- c:\users\jim\appdata\roaming\GARMIN
2009-11-27 04:47:47 0 d-----w- C:\Garmin
2009-11-26 12:55:49 32377 ----a-w- c:\windows\system32\drivers\prodigy.sys
2009-11-26 12:55:42 0 d-----w- c:\program files\NSS
2009-11-26 12:53:39 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-26 10:46:13 0 d-----w- c:\programdata\Nokia
2009-11-26 10:40:44 0 d-----w- c:\users\jim\appdata\roaming\Nokia Ovi Suite
2009-11-26 10:39:46 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-11-26 10:39:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-11-26 10:37:11 0 d-----w- c:\programdata\PC Suite
2009-11-26 10:35:27 0 d-----w- c:\program files\common files\Nokia
2009-11-26 10:35:04 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-11-26 10:34:56 0 d-----w- c:\program files\PC Connectivity Solution
2009-11-26 10:34:31 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-11-26 10:33:30 0 d-----w- c:\programdata\OviInstallerCache
2009-11-26 10:33:30 0 d-----w- c:\program files\Nokia
2009-11-26 03:00:24 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 19:22:25 0 d-----w- c:\program files\common files\Macrovision Shared
2009-11-24 17:27:48 92672 ----a-w- c:\windows\svers.dll
2009-11-24 17:27:48 180224 ---h--w- c:\windows\hpvert.dll
2009-11-24 17:27:48 109248 ----a-w- c:\windows\system32\MSWINSCK.OCX
2009-11-24 17:27:48 0 d-----w- c:\program files\Accessories
2009-11-24 17:27:47 0 d-----w- c:\program files\AppServices
2009-11-23 21:51:32 0 d-----w- c:\program files\NewsLeecher
2009-11-20 12:36:44 0 d-----w- c:\users\jim\appdata\roaming\Power Mixer
2009-11-20 12:36:42 0 d-----w- c:\program files\Power Mixer
2009-11-20 00:04:32 0 d-----w- c:\program files\RemotePackages
2009-11-13 16:18:14 0 d-----w- c:\users\jim\appdata\roaming\abgx360
2009-11-11 11:37:18 2542458 ----a-w- c:\windows\system32\abgx360.exe
2009-11-06 20:46:25 3450 ----a-w- c:\windows\system32\tmp.reg
2009-11-06 11:15:18 0 d-----w- C:\Tony
2009-11-02 02:29:16 77312 ----a-w- c:\windows\MBR.exe
2009-11-02 02:29:15 98816 ----a-w- c:\windows\sed.exe
2009-11-02 02:29:15 267264 ----a-w- c:\windows\PEV.exe
2009-11-02 02:29:15 161792 ----a-w- c:\windows\SWREG.exe
2009-11-01 18:46:24 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-11-06 20:50:33 691 ----a-w- c:\users\jim\appdata\roaming\GetValue.vbs
2009-11-06 20:50:33 35 ----a-w- c:\users\jim\appdata\roaming\SetValue.bat
2009-10-18 12:09:33 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-10-13 16:16:51 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-10-10 02:36:13 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-10 02:36:13 47360 ----a-w- c:\users\jim\appdata\roaming\pcouffin.sys
2009-10-09 01:34:02 149768 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2009-10-09 01:17:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-09 01:17:43 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-09 01:17:43 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-07 16:58:29 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-10-02 04:06:59 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-10-01 09:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-28 09:22:00 364544 ----a-w- c:\windows\system32\yk62x86.dll
2009-09-10 05:52:05 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 16:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 16:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 16:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 16:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 16:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 16:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 16:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 16:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-03 07:04:15 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 3:12:18.82 ===============



I was unable to produce a rootrepeal log as I received several errors when trying to run it. Please let me know if you require screen shots of the errors and I shall get some posted up :(

Attached Files



BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:56 AM

Posted 11 December 2009 - 03:55 PM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this do following, please.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Copy-paste following contents into custom scan -area:
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
Download GMER here by clicking download exe -button and then saving it your desktop:
  • Double-click .exe that you downloaded
  • Click rootkit-tab and then scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Jim1985

Jim1985
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 12 December 2009 - 12:30 AM

Hi there, thanks for your reply.

I forgot to mention I did finally get this sorted out. It turns out I had been infected with TDSS.y Rootkit
The particular infected file was atapi.sys


I successfully identified and removed the problem by using Esage Labs' Rootkit.Win32.TDSS remover


Everything seems to be solved now so this topic can now be closed :(

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:56 AM

Posted 12 December 2009 - 06:16 AM

Ok. Thanks for letting us know :(

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users