Google/Yahoo! Redirect Problem [Moved]


  • This topic is locked
11 replies to this topic

#1 ForzaDC

  • Members
  • 13 posts

Posted 13 December 2009 - 09:46 PM

I am running Windows XP on my desktop computer and have recently (as of one day ago) encountered a problem where the majority of the links I click on any search engine will redirect me to a random site, regardless of whether I am using IE7 or Firefox (although I primarily use Firefox).

I have run MalwareBytes, Avira, SUPERAntiSpyware, ATF Cleaner, Smitfraud and Dr. Web CureIt and they have not been turning up much of anything, or at least what I'm looking for (some sort of Trojan). Attached below is my smitfraud report:

SmitFraudFix v2.424

Scan done at 21:34:49.62, Sun 12/13/2009
Run from C:\Documents and Settings\Jon\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Jon


C:\DOCUME~1\Jon\LOCALS~1\Temp


C:\Documents and Settings\Jon\Application Data


Start Menu


C:\DOCUME~1\Jon\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 71.252.0.12
DNS Server Search Order: 68.237.161.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0D0CF9C-F118-484A-AB12-4AFBFF4069CF}: DhcpNameServer=71.252.0.12 68.237.161.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0D0CF9C-F118-484A-AB12-4AFBFF4069CF}: DhcpNameServer=71.252.0.12 68.237.161.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E0D0CF9C-F118-484A-AB12-4AFBFF4069CF}: DhcpNameServer=71.252.0.12 68.237.161.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=71.252.0.12 68.237.161.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=71.252.0.12 68.237.161.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=71.252.0.12 68.237.161.12


Scanning for wininet.dll infection


End

Also, my most recent AVG scan from last night turned up these two items, but moved them to the Virus Vault:

"C:\WINDOWS\SYSTEM32\csrss.exe (628):\memory_00270000";"Trojan horse Vundo.JD";"Moved to Virus Vault"
"C:\WINDOWS\SYSTEM32\csrss.exe (628)";"Trojan horse Vundo.JD";"Reboot is required to finish the action"
(I have rebooted since the scan)


#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 13 December 2009 - 10:55 PM

I am moving this to the Am I Infected forum from the XP forum. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 ForzaDC

  • Topic Starter
  • Members
  • 13 posts

Posted 14 December 2009 - 01:59 AM

Typical. Sorry for the original mispost.

#4 ForzaDC

  • Topic Starter
  • Members
  • 13 posts

Posted 14 December 2009 - 02:11 PM

I did a manual full scan using AVG again last night and it didn't turn up anything. However, during the auto-full scan that runs nightly, AVG found the same two items. Upon reboot, however, all search engine links were still being redirected.

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 14 December 2009 - 08:41 PM

Hello, please post your MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log, including the top portion which shows MBAM's database version and your operating system.


We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 ForzaDC

  • Topic Starter
  • Members
  • 13 posts

Posted 15 December 2009 - 12:45 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/14 23:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9C37E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\WordReferenceItEn\Cache\ore.mpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7d5f144

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7d5f130

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7d5f135

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7d5f13f

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf7d5f13a

==EOF==
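A small triage script for the RootRepeal report format shown in the post above, added here as an example; it is not part of this thread and is not RootRepeal's own code. It parses the report into sections and records, flags SSDT entries whose hook RootRepeal could not attribute to a loaded module, flags paths that name an NTFS alternate data stream (the `ore.mpg:{...}` entry), and reports how tightly the hook addresses cluster, since hooks a few bytes apart are almost always stubs inside one driver. The sample input is a shortened copy of the report posted above; the exclusion of `rootrepeal.sys` from the "driver not visible" check is an assumption that the scanner's own driver is the one expected to be hidden. One caveat for anyone reading such a log: on XP-era systems, security products also hook NtOpenProcess, NtTerminateProcess and similar calls for self-protection, so an "<unknown>" hook is an item to attribute to a module, not a verdict on its own.

```python
import re
from typing import Dict, List, Optional, Tuple

Record = Dict[str, str]

# Constructed sample input: a shortened copy of the RootRepeal report posted
# above (raw string, so the Windows paths keep their backslashes).
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9C37E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\WordReferenceItEn\Cache\ore.mpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7d5f144

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7d5f130

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7d5f135

==EOF==
"""

# A key is '#' or Capitalised Words followed by ': '; several keys may share a line.
KEY_RE = re.compile(r'(?:^|\s)(#|[A-Z][A-Za-z/]*(?: [A-Z][A-Za-z]*)*):\s')
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')

def parse_pairs(line: str) -> Record:
    """Split one report line into its key/value pairs."""
    hits = list(KEY_RE.finditer(line))
    pairs: Record = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        pairs[m.group(1)] = line[m.end():end].strip()
    return pairs

def parse_report(text: str) -> Dict[str, List[Record]]:
    """Group the report into sections (a title underlined with dashes),
    each holding blank-line separated records."""
    sections: Dict[str, List[Record]] = {}
    current: Optional[str] = None
    record: Record = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith('---'):
            if record and current is not None:
                sections[current].append(record)
            current, record = line.strip(), {}
            sections[current] = []
        elif current is None:
            continue                      # banner lines before the first section
        elif not line.strip() or line.startswith(('---', '===')):
            if record:                    # blank line, rule or ==EOF== ends a record
                sections[current].append(record)
                record = {}
        else:
            record.update(parse_pairs(line))
    if record and current is not None:
        sections[current].append(record)
    return sections

def triage(sections: Dict[str, List[Record]]) -> List[str]:
    """Items a helper would follow up on; none of them is a verdict by itself."""
    findings = []
    for rec in sections.get('SSDT', []):
        m = HOOK_RE.search(rec.get('Status', ''))
        if m and m.group(1) == '<unknown>':
            # RootRepeal could not map the hook to a loaded module. Security
            # products hook the same calls for self-protection, so the next step
            # is to identify the owner of that address, not to assume malware.
            findings.append(f"SSDT #{rec['#']} {rec['Function Name']}: "
                            f"hook at {m.group(2)} not attributed to a module")
    for rec in sections.get('Hidden/Locked Files', []):
        path = rec.get('Path', '')
        if ':' in path[2:]:               # a colon after the drive names an NTFS alternate data stream
            findings.append(f"alternate data stream reported: {path}")
        # 'Locked to the Windows API!' on hiberfil.sys is expected and is not flagged.
    for rec in sections.get('Drivers', []):
        # assumption: the scanner's own driver is the only one expected to be hidden
        if rec.get('File Visible') == 'No' and rec.get('Name') != 'rootrepeal.sys':
            findings.append(f"driver not visible on disk: {rec.get('Name')} ({rec.get('Image Path')})")
    return findings

def hook_address_span(sections: Dict[str, List[Record]]) -> Optional[Tuple[int, int]]:
    """Lowest and highest SSDT hook address. Hooks a few bytes apart are
    almost always stubs inside one driver, which is the module to identify."""
    addrs = []
    for rec in sections.get('SSDT', []):
        m = HOOK_RE.search(rec.get('Status', ''))
        if m:
            addrs.append(int(m.group(2), 16))
    return (min(addrs), max(addrs)) if addrs else None
```

Running `triage(parse_report(SAMPLE_REPORT))` on the sample yields three unattributed-hook items and one alternate-data-stream item, and `hook_address_span` shows the three hooks lie within 20 bytes of each other (0xf7d5f130 to 0xf7d5f144), which is the pattern of a single hooking driver rather than several independent ones. To use it on a real report, read the saved RootRepeal.txt into a string and pass it to `parse_report`.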

#7 ForzaDC

  • Topic Starter
  • Members
  • 13 posts

Posted 15 December 2009 - 11:40 AM

Malwarebytes' Anti-Malware 1.42
Database version: 3354
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/15/2009 7:27:50 AM
mbam-log-2009-12-15 (07-27-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 240007
Time elapsed: 1 hour(s), 16 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 December 2009 - 08:14 PM

Did you reboot after the AVG scan?
I am not seeing it. Are you having redirects or pop-ups?

#9 ForzaDC

  • Topic Starter
  • Members
  • 13 posts

Posted 15 December 2009 - 10:19 PM

The CPU did reboot after both AVG scans and I am still getting redirects.

#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 December 2009 - 11:14 PM

We'll need to go deeper here.
You will need to run HJT/DDS.
Please follow this guide and do steps 6 through 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title, and post that complete log.

Let me know if it went OK.

#11 ForzaDC

  • Topic Starter
  • Members
  • 13 posts

Posted 16 December 2009 - 12:19 PM

I will do that right now. My AVG ran again last night and found the same two items and supposedly removed them. Still having redirects.

#12 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 December 2009 - 01:26 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.