
Search result redirect hijack


  • This topic is locked
2 replies to this topic

#1 mmSeven

mmSeven

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 18 January 2010 - 06:20 AM

Picked up a really nasty infection on Sat. Everything was locked down... no taskman, no msconfig, all exe's disabled, etc. Managed to crack it after 3 hours with the help of a BartPE boot disc and a backup copy of my registry I happened to make last week before installing a new motherboard. Got everything cleaned up, re-installed the hardware drivers for the new board of course, cleaned up all the traces of the virus I could find. Everything is running well... except my damn Google search results are getting redirected. The sites I'm being redirected to aren't even really malicious.... sometimes it's yellowbook.com, got the scooterstore.com once. Usually it's generic sites with a page full of Google content ads. Anyway, I have thrown everything at this thing and it's still going. AVG, Ad-aware, MalwareBytes, and UnHackMe all show 100% clean. They're missing it, I'm missing it.

The initial virus by the way left me with the fake InternetSecurity2010. The raw exe was something like 7845.exe, can't remember exactly. That all seems to be gone though, just the search result redirect remains.

Any help would be appreciated. I'm using IE8, which I uninstalled and went back to IE7 to see if that would help (it didn't). I may be able to run Firefox and not have the problem, but that won't satisfy me... I'll reformat/reinstall windows out of spite first if I have to!

mmSeven

DDS (Ver_09-12-01.01) - NTFSx86
Run by 7 at 4:44:04.25 on Mon 01/18/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.2572 [GMT -6:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\7\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [sclauncher] c:\program files\simplecenter\bin\win\sclauncher.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
Trusted Zone: shopzilla.com\merchant
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-16 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-16 161800]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-17 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-16 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-16 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-16 360584]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-16 285392]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-1-16 5832712]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-16 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-16 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-16 25736]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-4-23 33792]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-1-18 34760]
S2 gupdate1c99f11a0fa30c2;Google Update Service (gupdate1c99f11a0fa30c2);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-13 1684736]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-4-30 25244]

=============== Created Last 30 ================

2010-01-18 08:46:31 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-01-18 08:46:31 32480 ----a-w- c:\windows\system32\Partizan.exe
2010-01-18 08:46:06 2 --shatr- c:\windows\winstart.bat
2010-01-18 08:45:45 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-01-18 08:45:42 0 d-----w- c:\program files\UnHackMe
2010-01-18 08:05:02 0 d-----w- c:\program files\Wise Registry Cleaner
2010-01-18 08:01:22 0 d-----w- c:\docume~1\7\applic~1\Registry Mechanic
2010-01-17 15:23:28 0 d-----w- c:\program files\TrendMicro
2010-01-17 14:47:00 0 d-----w- c:\windows\OPTIONS
2010-01-17 14:05:26 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-01-17 14:04:07 0 d-----w- C:\TempEI4
2010-01-17 13:44:44 0 d-----w- c:\docume~1\7\applic~1\Malwarebytes
2010-01-17 13:44:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-17 13:44:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-17 13:44:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 13:44:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 12:15:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-17 10:51:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-17 10:50:17 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-17 10:49:55 0 d-----w- c:\program files\Lavasoft
2010-01-17 03:13:00 0 d--h--w- C:\$AVG
2010-01-17 03:12:49 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-17 03:12:48 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-17 03:12:48 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-17 03:12:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-17 03:12:40 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-17 03:12:35 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-17 03:12:21 0 d-----w- c:\program files\AVG
2010-01-17 03:12:18 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-16 00:34:04 1 ----a-w- C:\s
2010-01-13 19:38:57 98944 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2010-01-13 19:01:48 2422 ----a-w- c:\windows\system32\wpa.dbl
2010-01-13 17:21:52 4444 ----a-w- c:\windows\system32\pid.PNF
2010-01-13 06:31:24 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
2010-01-13 06:31:24 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2010-01-13 06:25:28 352256 ----a-w- c:\windows\vncutil.exe
2010-01-13 06:25:26 9715200 ----a-w- c:\windows\RTLCPL.EXE
2010-01-13 06:25:26 5934592 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-01-13 06:25:25 41984 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-01-13 06:25:25 122880 ----a-w- c:\windows\RtkAudioService.exe
2010-01-13 06:25:24 2170880 ----a-w- c:\windows\MicCal.exe
2010-01-13 06:25:24 18782720 ----a-w- c:\windows\RTHDCPL.EXE
2010-01-13 06:25:24 1389056 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-01-13 06:25:23 57344 ----a-w- c:\windows\ALCMTR.EXE
2010-01-13 06:25:23 2808832 ----a-w- c:\windows\ALCWZRD.EXE
2010-01-13 06:25:23 1684736 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-01-13 06:25:23 0 d-----w- c:\program files\Realtek
2010-01-13 06:25:15 831488 ----a-w- c:\windows\RtlExUpd.dll
2010-01-13 05:43:09 172032 ----a-r- c:\windows\system32\igfxres.dll
2010-01-13 05:41:13 920088 ----a-r- c:\windows\system32\igxpun.exe
2010-01-13 05:41:13 0 d-----w- c:\windows\system32\x64
2010-01-13 05:41:13 0 d-----w- c:\windows\system32\Lang
2010-01-13 05:41:05 48128 ----a-r- c:\windows\system32\SETE0.tmp
2010-01-13 05:40:59 319456 ----a-r- c:\windows\system32\difxapi.dll
2010-01-13 05:40:58 147456 ----a-r- c:\windows\system32\igfxCoIn_v4885.dll
2010-01-13 05:40:57 176128 ----a-r- c:\windows\system32\igfxrsky.lrc
2010-01-13 05:40:57 172032 ----a-r- c:\windows\system32\igfxrslv.lrc
2010-01-13 05:40:51 26960 ----a-r- c:\windows\system32\igxpxs32.vp
2010-01-13 05:40:51 2643968 ----a-w- c:\windows\system32\igxpdx32.dll
2010-01-13 05:40:51 2096 ----a-r- c:\windows\system32\igxpxk32.vp
2010-01-13 05:40:50 5851488 ----a-r- c:\windows\system32\drivers\igxpmp32.sys
2010-01-13 05:40:50 57344 ----a-w- c:\windows\system32\igxprd32.dll
2010-01-13 05:40:50 1668960 ----a-w- c:\windows\system32\igxpdv32.dll
2010-01-13 05:40:50 151040 ----a-w- c:\windows\system32\igxpgd32.dll
2009-12-29 17:31:15 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-27 06:05:51 0 d-----w- c:\program files\SyncToy 2.0
2009-12-24 09:32:29 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-24 09:26:13 23392 ----a-w- c:\windows\system32\nscompat.tlb
2009-12-24 09:26:13 16832 ----a-w- c:\windows\system32\amcompat.tlb
2009-12-24 02:33:40 18 ----a-w- C:\SYSREST

==================== Find3M ====================

2009-11-05 18:34:37 27024 ----a-w- c:\docume~1\7\applic~1\GDIPFONTCACHEV1.DAT
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2008-09-17 23:10:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 4:44:51.42 ===============
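As an added example (not part of mmSeven's post, and not a DDS or BleepingComputer tool), the following Python script shows how a malware-removal helper could triage a DDS log like the one above mechanically rather than by eye: it splits the log on its `=== NAME ===` section headers and flags the entries such helpers routinely inspect, namely the Winlogon Userinit value, EnableLUA, Trusted Zone additions, a configured IE proxy, loaded browser helper objects, and services whose binary DDS could not locate on disk (the trailing `[?]`). The embedded excerpt is constructed here from the shape of the posted log, and the rule set is this example's own, assumed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Matches DDS section headers such as "============== Pseudo HJT Report ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Stock Userinit value on Windows XP; anything else deserves a look.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed excerpt modelled on the DDS log posted above (same line shapes,
# shortened to the entries the triage rules care about).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
mPolicies-system: EnableLUA = 0 (0x0)
Trusted Zone: shopzilla.com\merchant

============= SERVICES / DRIVERS ===============

R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-1-18 34760]

============= FINISH: 4:44:51.42 ===============
"""


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of a DDS log under their section header names."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"  # lines before the first header (DDS version, OS, AV)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries a removal helper would inspect."""
    findings: List[Tuple[str, str]] = []
    secs = split_sections(text)

    for line in secs.get("Pseudo HJT Report", []):
        low = line.lower()
        if low.startswith("mwinlogon: userinit="):
            # A second executable appended after the stock userinit.exe is a
            # classic persistence spot, so compare against the known-good value.
            value = line.split("=", 1)[1].strip().rstrip(",").lower()
            if value != EXPECTED_USERINIT:
                findings.append(("Userinit not the stock value", line))
        elif "enablelua = 0" in low:
            findings.append(("UAC disabled (EnableLUA=0)", line))
        elif low.startswith("trusted zone:"):
            findings.append(("site added to IE Trusted Zone", line))
        elif "proxyserver" in low:
            # ProxyOverride alone is not flagged; only an actual proxy server entry.
            findings.append(("IE proxy configured", line))
        elif low.startswith("bho:"):
            findings.append(("browser helper object loaded in IE", line))

    for line in secs.get("SERVICES / DRIVERS", []):
        # DDS marks services whose image it could not verify on disk with "[?]".
        if line.endswith("[?]"):
            findings.append(("service binary not found on disk", line))

    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The rules are deliberately conservative: they surface entries for a human to judge (a BHO from a download manager is expected here, the Trusted Zone entry may be benign) rather than declare anything malicious, which is how the helpers on this forum read these logs.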

#2 mmSeven

mmSeven
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 19 January 2010 - 07:42 PM

Hi Guys,

Please disregard/delete this thread, I have decided to reformat & reinstall Windows instead of repairing it.... it's been a while since I've done it anyway so it needs it.

Thanks,

mmSeven

Edited by mmSeven, 19 January 2010 - 07:43 PM.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,076 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:46 AM

Posted 22 January 2010 - 09:09 AM

Topic closed upon user's request.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft