
google redirect trojan/rootkit


  • This topic is locked
2 replies to this topic

#1 skowhegan151

skowhegan151

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:02 PM

Posted 16 December 2009 - 09:36 AM

Hi there, I'm running XP SP3 and have been suffering from a nasty piece of malware, which redirects me from Google links to various spam sites, which then ask me to download their software. Additionally, since this all started, my PC has been restarting instead of hibernating. I have tried scanning/healing with the usual programs - Comodo, Spybot, AdAware, AntiMalware etc. - but the issue has not been resolved.
I had a search around and I'm pretty sure I've got a rootkit problem. I tried using esage.com's Rootkit.Win32.TDSS remover, though I don't have my Windows CD to repair the file it found as infected - windows/system32/drivers/atapi.sys
How dangerous is this, and should I still do banking using this computer? I want rid of the problem regardless, but I'd just like to know what you think I might be dealing with.

RootRepeal will not run on my computer; it crashes on starting. It created a crash report .txt file, which I've included here as Ark.txt instead.

Many thanks in advance, here are the logs:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Tom at 14:06:08.04 on 16/12/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ASUSTPE] c:\windows\system32\ASUSTPE.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ATKHOTKEY] "c:\program files\atk hotkey\Hcontrol.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\dccvdqd8.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/#inbox
FF - component: c:\documents and settings\tom\application data\mozilla\firefox\profiles\dccvdqd8.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\tom\application data\mozilla\firefox\profiles\dccvdqd8.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\tom\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\tom\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-12-15 16:59:23 0 d-sh--w- c:\windows\system32\lowsec
2009-12-13 14:17:19 0 d-----w- c:\program files\Trend Micro
2009-12-13 06:29:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-13 06:29:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 06:29:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 06:09:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-13 06:09:38 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-13 06:09:38 0 d-----w- c:\docume~1\tom\applic~1\SUPERAntiSpyware.com
2009-12-13 06:09:10 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-13 05:44:14 159320 ----a-w- C:\cc_20091213_054400.reg
2009-12-13 04:53:54 0 d-----w- c:\docume~1\tom\applic~1\Uniblue
2009-12-13 04:47:37 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-13 04:35:58 0 d-----w- C:\32788R22FWJFW.0.tmp
2009-12-13 00:20:05 130 ----a-w- c:\windows\cfplogvw.INI
2009-12-12 18:48:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2009-12-12 18:48:39 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-12 18:48:39 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-12 18:48:39 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-12 14:45:55 0 d-----w- c:\docume~1\tom\applic~1\Malwarebytes
2009-12-12 14:45:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-11 16:22:40 212 ----a-w- c:\windows\wininit.ini
2009-12-11 15:12:32 0 d-----w- c:\docume~1\alluse~1\applic~1\afa4c1f

==================== Find3M ====================

2009-12-16 14:04:47 600096 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-15 23:47:57 9104 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-06 10:53:52 267264 ----a-w- c:\windows\PEV.exe
2009-10-25 06:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 14:09:03.37 ===============
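The DDS log above contains the three lines a responder would look at first: the Winlogon `Userinit` value carries a second executable (`sdra64.exe`) after the stock `userinit.exe`, the `UIHost` value points at `logonuiX.exe` rather than the stock `logonui.exe`, and a hidden+system directory (`c:\windows\system32\lowsec`) was created the day before the scan. The script below is an added example, not part of the original post or of DDS, that parses those line formats and flags the deviations from Windows XP defaults. It assumes the XP defaults `c:\windows\system32\userinit.exe,` and `logonui.exe`, and treats `AppInit_DLLs` as "review" rather than "high" because the "Created Last 30" section shows `guard32.dll` arriving together with the Comodo drivers. The sample input is constructed from lines copied out of the log.

```python
import re
from pathlib import PureWindowsPath

# Windows XP defaults for the two Winlogon values present in the log (assumption: XP SP3).
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"
DEFAULT_UIHOST = "logonui.exe"

# Constructed sample: lines of interest copied from the DDS log above.
SAMPLE_LOG = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\sdra64.exe,
mWinlogon: UIHost=c:\\windows\\system32\\logonuiX.exe
AppInit_DLLs: c:\\windows\\system32\\guard32.dll
2009-12-15 16:59:23 0 d-sh--w- c:\\windows\\system32\\lowsec
2009-12-13 06:29:37 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
"""

# DDS prefixes the hive with a letter (m = HKLM, u = HKCU, d = default user).
WINLOGON_RE = re.compile(r"^[a-z]?Winlogon:\s*(\w+)=(.*)$", re.IGNORECASE)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$", re.IGNORECASE)
# "Created Last 30" rows: timestamp, size, 8-char attribute string, path.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$")


def split_userinit(value):
    """Userinit is a comma-separated list; the stock value ends with a trailing comma."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def check_winlogon(name, value):
    """Flag anything launched at logon beyond the stock Userinit/UIHost binaries."""
    findings = []
    if name.lower() == "userinit":
        for entry in split_userinit(value):
            if entry != DEFAULT_USERINIT:
                findings.append(("high", f"extra Userinit entry runs at every logon: {entry}"))
    elif name.lower() == "uihost":
        exe = PureWindowsPath(value.strip()).name.lower()
        if exe != DEFAULT_UIHOST:
            findings.append(("high", f"non-default UIHost: {value.strip()}"))
    return findings


def check_created_entry(attrs, path):
    """Attribute string: d = directory, s = system, h = hidden, a = archive, w = writable."""
    p = path.strip().lower()
    if attrs[0] == "d" and "s" in attrs and "h" in attrs and p.startswith("c:\\windows\\"):
        return [("medium", f"hidden+system directory recently created under Windows: {p}")]
    return []


def scan_dds(text):
    """Return (severity, reason) tuples for the suspicious lines in a DDS log excerpt."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = WINLOGON_RE.match(line)
        if m:
            findings += check_winlogon(m.group(1), m.group(2))
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            # AppInit_DLLs is loaded into every user32 process; always worth a look.
            findings.append(("review", f"AppInit_DLLs entry: {m.group(1).strip()}"))
            continue
        m = CREATED_RE.match(line)
        if m:
            findings += check_created_entry(m.group(1), m.group(2))
    return findings


if __name__ == "__main__":
    for severity, reason in scan_dds(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

Run against the sample it reports the two Winlogon findings, the AppInit entry for review, and the `lowsec` directory, while leaving the legitimately created `mbam.sys` alone; the same checks apply to any DDS log pasted into a thread like this one.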

#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:02 AM

Posted 28 December 2009 - 10:19 PM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:02 AM

Posted 03 January 2010 - 02:01 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
