
Google searches being redirected


7 replies to this topic

#1 nova52

Posted 02 December 2009 - 04:36 PM

Whenever I click links on a google search page, the majority of the links are redirected to ad sites or other search sites with my original query entered. I am also getting a few pop-up ads (but google chrome blocks them). In addition, adult ad banners are appearing on many sites I browse that obviously do not belong (i.e. University of California with a large banner ad for adultfriendfinder.com) and I frequently get a flash-based (?I think?) popup in the lower right corner of my browser that has a picture of a woman and says something like "Hey cutie, I'm in <city>. wanna hook up?" Sometimes this says Irvine, sometimes Seattle.

I am currently running Windows XP Pro SP3, and I use Google Chrome as my browser. Sometimes I use browser-based proxies. On an unrelated note, I cannot seem to install the Microsoft .NET Framework update to 3.5. Windows tries to download it, but the installation always fails.

Thanks in advance for helping me sort this out :thumbsup:

#2 nova52 (Topic Starter)

Posted 10 December 2009 - 06:18 PM

I would really like some help

#3 nova52 (Topic Starter)

Posted 11 December 2009 - 04:00 AM

Here's the log. I run Malwarebytes whenever I suspect an infection, and it has detected the Spyware.Banker entry before, but it always seemed to return after I rebooted.

Malwarebytes' Anti-Malware 1.42
Database version: 3344
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2009 11:43:27 PM
mbam-log-2009-12-10 (23-43-27).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 302415
Time elapsed: 2 hour(s), 15 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdvdr (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msdvddrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\xmldm (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\AcroIEHelpe.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msdvdr.pif (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\msdvdr.dat (Backdoor.HacDef) -> Delete on reboot.
C:\WINDOWS\system32\msdvdr.sys (Backdoor.HacDef) -> Delete on reboot.
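
The log above marks three items "Delete on reboot", so they are not gone until the machine is restarted, and two of the families (Rootkit.Agent, Backdoor.HacDef) point to more than an adware cleanup. As an added example, not part of this thread and not Malwarebytes' own code, here is a small Python parser for this MBAM 1.42 log layout that cross-checks the summary counts against the listed detections, lists what is still pending a reboot, and picks out Rootkit/Backdoor families; the sample log is a constructed excerpt of the one posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.42 log posted above.
SAMPLE_LOG = r"""Registry Keys Infected: 2
Files Infected: 4

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdvdr (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msdvddrv (Rootkit.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\AcroIEHelpe.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msdvdr.pif (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\msdvdr.dat (Backdoor.HacDef) -> Delete on reboot.
C:\WINDOWS\system32\msdvdr.sys (Backdoor.HacDef) -> Delete on reboot.
"""

COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")    # summary line
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")               # detail header
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared summary counts, listed detections) from an MBAM 1.42 text log."""
    counts, items, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:                                  # blank line closes a detail section
            section = None
        elif m := COUNT_RE.match(line):
            counts[m["name"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            section = m["name"]
        elif section and (m := ITEM_RE.match(line)):  # "(No malicious items detected)" never matches
            items.append({"section": section, "path": m["path"],
                          "family": m["family"], "action": m["action"]})
    return counts, items

def triage(text):
    """Cross-check counts vs. listed items, flag 'Delete on reboot' items, note Rootkit/Backdoor families."""
    counts, items = parse_mbam_log(text)
    listed = defaultdict(int)
    for it in items:
        listed[it["section"]] += 1
    return {
        "count_mismatch": {s: (n, listed[s]) for s, n in counts.items() if n != listed[s]},
        "pending_reboot": [it["path"] for it in items if it["action"] == "Delete on reboot"],
        "deep_compromise": sorted({it["family"] for it in items
                                   if it["family"].split(".")[0] in ("Rootkit", "Backdoor")}),
    }
```

A non-empty "pending_reboot" list is the quick answer to "did you reboot after the scan", and a count mismatch means the pasted log is incomplete or edited.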

#4 nova52 (Topic Starter)

Posted 11 December 2009 - 06:12 PM

Okey dokey, now I have two techs helping me. Should I do what both of you say, or should I ignore one of you?

#5 boopme (Global Moderator)

Posted 11 December 2009 - 07:26 PM

Hello, to help clear things up: first, did you do the needed reboot after the MBAM scan? If not, reboot normally now.

That log indicates the probable presence of rootkits, backdoor trojans and infostealers.
Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


I would like to see a Rootkit scan, so I will repost the RootRepeal instructions.

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open the [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#6 nova52 (Topic Starter)

Posted 12 December 2009 - 05:52 AM

Update: Computer crashed hard this afternoon, but I have recovered a bit of functionality. I was using the command prompt to check what connections were being made to my computer and had just begun a tracert on an IP address that had no business being connected to me. Suddenly I received several error messages informing me that winupdate86.exe, winlogon, and Windows Explorer had all experienced errors and needed to be closed. A second later, Windows System Defender (the hoax application) started opening repeatedly, about 9 times, at which point the computer simply rebooted. I tried to boot into safe mode, but each time the computer only restarted. I finally discovered that if I ignored the errors that pop up upon logging in (simply drag them off the screen) I can operate somewhat normally, though all my desktop icons are missing, Task Manager is disabled and I cannot open the Control Panel; instead I receive the error "Windows cannot find "(null)". Make sure it is spelled correctly...", etc. Fortunately I usually have "expand Control Panel" enabled in my taskbar settings, so I can still access most of the Control Panel functions. Network Settings returns the same error message previously stated. I opened regedit and re-enabled the Task Manager by changing HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 0 from 1. I checked the Task Manager and found a.exe running again; I am fairly certain this is a virus file. Most of my quick access icons have been changed, but the shortcuts are intact.

The IP addresses that I believe have no business being connected to me are located in Arizona, Los Angeles CA, and Prague, Czech Republic. I have contacted my ISP and they are going to compile a log of all activity related to my MAC and IP addresses going back to November 5. This is the last date my antivirus software updated on. I normally have the software update automatically every 24 hours but it was disabled on the 6th and I did not notice for several weeks. Since then, I have been combating things like hoax software and viruses by running Malwarebytes repeatedly. It generally removed everything except the Trojan.Banker. When I could not remove that and my google searches started being redirected I came here.

Hopefully all this helps. Now I have a few more questions before I continue.

1. RootRepeal does not give me a series of checkboxes, but has a separate tab for each box boopme listed. Should I run a scan on each tab and post each of those logs?

2. I have had three separate techs post replies to my topic. Is that the standard protocol now? Last time I came here, one person helped me through the whole process. Should I do what all of you say, or is one person going to take over, or are all three handles the same person? Please let me know before giving me more instructions. I am very capable and comfortable doing deep magick on my computer but I need to know who I am supposed to listen to.

3. As far as personal data and financial information go, I do banking and buying/selling online (ebay, amazon, etc.), but I never save sensitive personal or financial data like Credit Card or Pin numbers on my hard drive. I recently (2 days ago) cleared all of my browsing data in Google Chrome. My ISP told me that if my financial data gets involved, they need to report it to the FBI, who will also get involved in the case. What level of compromise am I at, and who do I need to inform of what?

Thanks for continuing to help.

#7 boopme (Global Moderator)

Posted 13 December 2009 - 03:07 PM

Hello, as a forum Mod, I will handle this for the sake of easing your life.
Run the Files scan only for now in RootRepeal...

OK, financials. Do you enter passwords? Some of these infections contain keyloggers. These copy all keystrokes. Such info is sent back to the host of the infection for analyzing. One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#8 nova52 (Topic Starter)

Posted 18 December 2009 - 09:08 PM

Sorry for not replying sooner, I was out of town for a few days. This thing sounds pretty serious, so I am going to use it as an excuse to upgrade my stuff and have a fresh PC with a new OS. Thanks for helping me! One final question:

I run three hard drive partitions that Windows treats as separate drives: one that holds Windows and programs, and two that hold music, movies, pictures, etc. Would it be safe for me to only reformat the drive holding my OS and leave the others as-is?



