
IE7 Randomly Redirects to Wrong URL


  • This topic is locked
2 replies to this topic

#1 colorist48

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 29 December 2009 - 03:47 AM

IE randomly redirects Google results to the wrong page. Googling 'google' takes 6 seconds on my machine, but 1/2 seconds on my wife's identical hardware and XP3 machine on the same router. I'm infected, but ESET Standard scan finds nothing. Does anyone recognize these symptoms?

Here's what happened. I searched in Google and picked an Amazon link in the top 2 results. I selected an Amazon URL in the list and to my surprise was redirected to hxxp://rootalar.com/ which then posted a Windows IE false alarm window with the following text and a moving computer scan: "The PC remains infected by spyware. They can seriously harm your private data or files, and should be healed immediately. Return to Cyber Security and download it secure to your PC". This might not have been the first redirection, so maybe infection occurred slightly earlier. But that one got my attention.

On the rootalar site, ESET Smart Security immediately logged two virus attacks and quarantined two items, log below. Apparently ESET disconnected //rootalar and stopped the Trojan, but IE 7 is now still randomly redirecting some Google searches (from the IE search pane). When I try to search for the text of the alarm message to identify it, I usually get my URL redirected to a random innocuous Web search URL, not the one I selected. Cute trick, but not fun. This is not a pure performance problem; I did the Internet tuning list. This is a new quad-core 2.5GHz machine with 4GB memory on XP3.

The slowdown seems to be mostly related to the IE tool. I see 5 seconds elapse before the Windows Task Manager network monitor spikes to 4%. I run a two-user system, both for me but for different tasks. The attached data is from the USER account where I first detected the threats, but I also use a second ADMIN account often.

Appreciate any help, this is way beyond me.

ESET Log files:

12/28/2009 9:02:43 PM HTTP filter file hxxp://cfkrdbfplrla.com/nte/gnh13
.asp/eHffe8177bV0100f070006Rff70633f102Tb4d1662a201l0409K2e3a2ce2303J050006010 a variant of Win32/TrojanDownloader.Mebload.T trojan connection terminated - quarantined WADE\Dell Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
12/28/2009 9:02:40 PM HTTP filter file hxxp://cfkrdbfplrla.com/nte/gnh13
.asp/oHffe8177bV0100f070006Rff70633f102Tb4d1662a201l0409K2e3a2ce2317 JS/Exploit.Pdfka.ASD trojan connection terminated - quarantined WADE\Dell Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

DDS.TXT

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dell at 0:17:27.92 on Tue 12/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2690 [GMT -6:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\IOGear\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lenovo\UltraNav Keyboard\SkdUNav.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\IOGear\Bluetooth Software\BTTray.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Program Files\Common Files\Acronis\TrueImageHome\TrueImageHomeNotify.exe
C:\Program Files\Common Files\Acronis\TrueImageHome\TrueImageHomeService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell\Desktop\Rootkit Chase\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616
uStart Page = hxxp://photo.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [UltraNav Keyboard] c:\program files\lenovo\ultranav keyboard\SkdUNav.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
dRun: [StartUp This] "c:\program files\laplink\pcmover\LaunchSt.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\iogear\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\pro imaging powertoys\microsoft color control panel applet for windows xp\WinColor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\iogear\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215833563093
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dell\applic~1\mozilla\firefox\profiles\uv5dsluq.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-8-8 902592]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2008-6-10 468224]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2009-4-4 14416]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-7-22 1373480]
S2 gupdate1c95c4aab5ec0be;Google Update Service (gupdate1c95c4aab5ec0be);c:\program files\google\update\GoogleUpdate.exe [2008-12-12 133104]
S3 BTIAUSB;Generic Bluetooth Device;c:\windows\system32\drivers\btiausb.sys [2008-7-30 23808]
S3 BTPROT;Generic Bluetooth Filter;c:\windows\system32\drivers\btprot.sys [2008-8-2 453120]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2009-4-4 44344]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2009-4-5 44344]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2005-8-3 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-8-3 8960]

=============== Created Last 30 ================

2009-12-28 21:20:21 82432 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll
2009-12-26 01:36:15 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser

==================== Find3M ====================

2009-11-09 01:28:23 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLbx.DAT
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-27 04:46:46 30 ----a-w- c:\program files\Exiferupdate.ini
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-04-15 14:58:44 8390 ----a-w- c:\program files\common files\IssProcLanguage.ini
2008-04-15 14:58:44 188918 ----a-w- c:\program files\common files\IssProc.dll

============= FINISH: 0:18:27.51 ===============

Edited by Orange Blossom, 29 December 2009 - 07:40 PM.
Deactivate links. ~ OB

#2 colorist48
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 08 January 2010 - 01:04 AM

Fixed. This was indeed a rootkit problem which posted all sorts of wrong URLs and Internet Explorer 7 warning windows.

I received no reply in this forum after a week, but since 200 folks have read this post, I'll say that the ComboFix tool corrected the rootkit problem. It was downloaded from this site via instructions provided in the long MajorGeeks.com pinned post whose URL is below. ComboFix is not the first step by far.

While the full process was lengthy and contained similar warnings to the BleepingComputer pinned posts about getting expert guidance and not using ComboFix yourself, it did the job for me when nobody else responded. If you follow this path, follow all the instructions and be very patient, as some tools stop for 5-10 minutes or more at a time with no activity apparent. Just wait.

http://forums.majorgeeks.com/showthread.php?t=35407


BC forum administrator, please feel free to delete this post, since I found no way to correct or delete it myself.

Happy New Y

#3 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:36 AM

Posted 08 January 2010 - 02:55 PM

Hello,

With well over 600 logs waiting for an answer at any given time, and very few of us volunteers helping everyone for free, there is a longer wait time.

While ComboFix may have helped colorist48's immediate problem, since help was not waited for and this was done unattended, colorist48 now has no way of knowing if there are still bad or damaged files on the computer. colorist48's computer could very well be compromised by a hacker or infostealer, or even have caused further damage to the system because colorist48 does not know how to properly use ComboFix. colorist48 is also lucky that the problem did not cause the computer to be turned into a very expensive door stop.

So to all who view this I ask you........Is this machine really safe and trustworthy now? We may never know............

Always wait for help, please....we don't want anyone to unknowingly stay infected, or to cause further damage from the misuse of ComboFix.


===============================

Since this issue appears resolved according to colorist48 ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.