Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus Problems: Starting With Google Redirection


  • This topic is locked This topic is locked
3 replies to this topic

#1 WoMP156

WoMP156

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 22 January 2010 - 01:36 AM

Hello,

Two days ago (1/20/10) I noticed that my results in Google search were being redirected to other websites. I did some searching as to what the problem could be, and found that it could be related to a virus that took the form of an "overlay.xml" file in the Firefox add-ons folder. I did some more investigating and found out that this also occured in Internet Explorer, leading me to think this was system-wide as compared to Firefox specific.

I immediately shut down the PC and used a Ubuntu CD I had to make a full partition backup of my C:\ drive on a spare external hard drive. This was in addition to a drive which I keep my monthly backups on, the last one done at the end of December (12/28). Booting back into Windows, I found that Firefox would also now only connect to two or three websites (outside of Google searches) before running into problems. XP's netstat command told me that information was still being requested by the browser, but nothing was showing up in the window. I then closed Firefox, and found that the process would continue to run in the background. I would have to manually end the process before I could open Firefox again. This issue happens every time I try to use Firefox, and all of these problems persist even in Firefox Safe Mode. At this point I disconnected the Internet connection.

I then promptly ran a full system scan using Ad-Aware (which was already installed). It picked up several tracking cookies and an object that it tagged as "Win32BackdoorAgent." I then installed SUPER Anti-Spyware and Malwarebytes' Anti-Malware and ran complete scans with both. SUPER Anti-Spyware picked up some tracking cookies, and Malwarebytes picked up several things:
  • Worm.AutoRun
  • Rootkit.TDSS
  • Trojan.Dropper
  • Worm.Autorun
  • Generic.Bot.H
After all this was complete I completely uninstalled Firefox, removed the leftover Program Files folder, and cleaned the registry using CCleaner. I then reinstalled Firefox, reconnected the Internet and tested the Google redirection on some innocuous searches. The Google redirection appears to be gone, but I don't know for certain.

Now I've come to you for help. Firefox still has the aforementioned issues, and I really do not want to format and reinstall. I've followed the instructions from your "Preparation Guide" link, although trying to run a report through RootRepeal locks up my computer (and as such the log file for that step is not attached).

I appreciate any help you can provide me in this manner, thanks in advance.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dave at 23:11:56.26 on Thu 01/21/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1476 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dave\Desktop\dds.scr

============== Pseudo HJT Report ===============

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\utility\ColorVisionStartup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\10udmsej.default\
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
R3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [2007-5-9 434176]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S1 17003;17003;c:\windows\system32\drivers\17003.sys [2010-1-20 72192]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2007-2-13 12288]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2006-10-13 50048]

=============== Created Last 30 ================

2010-01-21 08:54:04 0 d-----w- c:\docume~1\dave\applic~1\Malwarebytes
2010-01-21 08:54:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 08:54:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 08:54:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 08:54:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-21 08:53:21 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-21 08:53:11 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 08:53:11 0 d-----w- c:\docume~1\dave\applic~1\SUPERAntiSpyware.com
2010-01-20 19:48:22 72192 ----a-w- c:\windows\system32\drivers\17003.sys
2010-01-14 05:42:16 127 ----a-w- c:\windows\system32\MRT.INI
2010-01-12 19:30:04 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 20:06:56 0 d-----w- c:\docume~1\dave\applic~1\XnView
2010-01-10 20:06:38 0 d-----w- c:\program files\XnView
2010-01-03 03:25:59 0 d-----w- c:\program files\Defcon
2010-01-03 02:07:37 227 ----a-w- c:\windows\PowerReg.dat
2010-01-03 02:07:33 45568 ----a-w- c:\windows\UniFish3.exe
2010-01-03 02:05:52 0 d-----w- c:\program files\Hasbro Interactive
2010-01-01 05:37:20 0 d-----w- c:\program files\iPod
2010-01-01 05:37:17 0 d-----w- c:\program files\iTunes
2010-01-01 05:37:17 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-27 23:57:35 0 d-----w- c:\docume~1\dave\applic~1\ZombieDriver
2009-12-27 23:56:28 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-12-27 23:56:28 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-12-27 23:56:28 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-12-27 23:56:28 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-12-27 23:56:28 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-12-27 23:56:27 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-12-27 23:56:27 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-12-27 23:56:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-12-27 23:56:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-12-27 23:56:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-12-27 23:56:26 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-12-27 23:56:26 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-12-27 10:16:25 2506752 ----a-w- c:\windows\system32\pbsvc_new_5-9-08.exe
2009-12-27 10:16:19 0 d-----w- c:\program files\OpenAL
2009-12-26 16:42:20 0 d-----w- c:\windows\system32\NtmsData
2009-12-26 03:52:01 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-12-26 03:52:01 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-12-24 05:45:50 238343 ----a-w- c:\documents and settings\dave\AdobeFnt10.lst

==================== Find3M ====================

2010-01-02 16:56:27 138696 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-02 16:56:18 201816 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-01 19:24:27 22328 ----a-w- c:\docume~1\dave\applic~1\PnkBstrK.sys
2010-01-01 19:24:05 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-01-01 19:24:05 2250024 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-27 23:56:31 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-27 23:56:31 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-19 03:16:04 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 01:15:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-06 15:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 15:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll

============= FINISH: 23:12:05.81 ===============

Attached Files


Edited by WoMP156, 22 January 2010 - 01:37 AM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:59 PM

Posted 28 January 2010 - 08:42 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 WoMP156

WoMP156
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 28 January 2010 - 10:10 PM

Thanks for the reply, but I needed the system up and running so I couldn't wait. I reformatted and reinstalled for peace of mind.

Thanks again for the offer.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:59 PM

Posted 28 January 2010 - 10:26 PM

Thanks for letting us know.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping Security softwares updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users