
Google Misdirect and SAVE Boot Failure


2 replies to this topic

#1 Brawgates
  • Members
  • 95 posts
  • Gender:Male
  • Location:Scotland

Posted 25 January 2010 - 07:56 PM

Hi there

I'm hoping I can call upon your collective experience to help clean up my XP Pro SP2 system.

Last night my Firewall reported an attack from worm.win32.netsky. Despite my attempts at recovery, listed below, I'm left with a situation where
  • Clicks on Google hits are misdirected to suspicious sites.
  • The system loops through F8 to SAFE Mode select, then back to F8, when attempting SAFE. White on black throughout.
  • I'm unable to scan or update in AD-Aware.
Below I list the recovery actions I've taken:

Running MBAM shortly after the attack produced the following report.

=========================================================================

Malwarebytes' Anti-Malware 1.44
Database version: 3615
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

25/01/2010 03:04:27
mbam-log-2010-01-25 (03-04-26).txt

Scan type: Quick Scan
Objects scanned: 129516
Time elapsed: 15 minute(s), 12 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 9
Registry Data Items Infected: 13
Folders Infected: 1
Files Infected: 39

Memory Processes Infected:
C:\WINDOWS\odbn0.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\WINDOWS\servicelayer.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\WINDOWS\svw.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\WINDOWS\lsass.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\WINDOWS\ctfmon.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\svc.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odbny0 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servicelayer (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netw (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\odbn0.exe (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\servicelayer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\svw.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\tvojljf.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\wacxmuuh.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Worm.Emold) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\avto.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\avto1.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\5_odbn0.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\teste1_p.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\teste2_p.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\teste3_p.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\5_odbn0.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\q1.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\Temporary Internet Files\Content.IE5\DB151HQ4\dwgqq[1].html (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\Temporary Internet Files\Content.IE5\DB151HQ4\leoxyiissg[1].html (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\Temporary Internet Files\Content.IE5\HT2HNNE3\SetupIS2010[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\0_11adwara.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\Documents and Settings\Peter Field\Local Settings\temp\4_pinnew.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\1your_exe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\6_ldry3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\60325cahp25ca0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\60325cahp25ca1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\60325cahp25ca2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\60325cahp25caa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\avto.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Field\Local Settings\temp\teste1_p.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

=========================================================================

Sometime after the first MBAM run, I noticed the Google misdirect problem and ran MBAM again to produce the following report.

=========================================================================

Malwarebytes' Anti-Malware 1.44
Database version: 3615
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

25/01/2010 16:32:25
mbam-log-2010-01-25 (16-32-25).txt

Scan type: Quick Scan
Objects scanned: 122585
Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

=========================================================================

I then checked out and deleted the following suspicious files that had arrived at about the time the infection was reported.
  • C:\xilsr.exe
  • C:\ycywnce.exe
  • C:\gcoiu.exe
  • C:\jndeguvm.exe
  • C:\Avenger\sdra64.exe
Googling some of these programs on an alternative system suggested running SAS and ATF Cleaner in SAFE Mode. This is when I encountered the SAFE loop problem.

At this point I tried to update and scan with AD-Aware. Both update and scan failed. After a lengthy period doing nothing, Update appeared to work before crashing. Scan just failed to start.

I then ran SAS and MBAM. Both appeared to run clean as the results below show. However, Google misdirect, SAFE loop and AD-Aware failure persist. Something's lurching in there somewhere!


=========================================================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/25/2010 at 10:30 PM

Application Version : 4.26.1002

Core Rules Database Version : 4484
Trace Rules Database Version: 2302

Scan type : Complete Scan
Total Scan Time : 02:53:48

Memory items scanned : 331
Memory threats detected : 0
Registry items scanned : 4695
Registry threats detected : 0
File items scanned : 87993
File threats detected : 0

=========================================================================

Malwarebytes' Anti-Malware 1.44
Database version: 3615
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

25/01/2010 23:09:05
mbam-log-2010-01-25 (23-09-05).txt

Scan type: Quick Scan
Objects scanned: 121626
Time elapsed: 8 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=========================================================================

Move to AII from XP. ~ OB

Edited by Orange Blossom, 25 January 2010 - 09:40 PM.
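The two MBAM logs in the post above show the same pattern twice: the Winlogon Userinit value carrying extra executables (winlogon32.exe and sdra64.exe at 03:04, sdra64.exe again at 16:32), and the lowsec folder, user.ds and sdra64.exe marked "Delete on reboot" in the first scan yet detected again in the second. The Python below is an editorial example added to this page, not code posted in the thread or shipped by Malwarebytes. It parses MBAM 1.44 logs in the format shown, lists what Winlogon was told to launch besides the legitimate program, and reports items that one scan scheduled for removal and a later scan found again. The two embedded logs are constructed, abridged copies of the ones above; the function names and the rule that only userinit.exe and Explorer.exe belong in those two values are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed, abridged copies of the first two MBAM 1.44 logs posted in the thread
# (same line format; most file entries omitted to keep the sample short).
SCAN_1 = r"""
Malwarebytes' Anti-Malware 1.44

25/01/2010 03:04:27
mbam-log-2010-01-25 (03-04-26).txt

Files Infected: 39

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""
Malwarebytes' Anti-Malware 1.44

25/01/2010 16:32:25
mbam-log-2010-01-25 (16-32-25).txt

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
"""

# One detection line: "<item> (<family>) -> [<detail> -> ]<action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")   # "Files Infected: 39" is a count, not a section
STAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Winlogon values MBAM reports as hijacked, and the only program each should name (assumption).
WINLOGON_EXPECTED = {"userinit": "userinit.exe", "shell": "explorer.exe"}


def parse_mbam_log(text):
    """Return {'scanned_at': str, 'items': [...]} parsed from one MBAM 1.44 log."""
    scan = {"scanned_at": None, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if STAMP_RE.match(line):
            scan["scanned_at"] = line
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            parts = m.group("rest").split(" -> ")  # the last part is what MBAM did with it
            scan["items"].append({"section": section, "item": m.group("item"),
                                  "family": m.group("family"),
                                  "detail": " -> ".join(parts[:-1]), "action": parts[-1]})
    return scan


def winlogon_extras(detail, expected):
    """Entries in a 'Bad: (...)' value other than the expected binary (comma- or space-separated)."""
    m = BAD_GOOD_RE.search(detail)
    if not m:
        return []
    entries = [e for e in re.split(r"[,\s]+", m.group("bad")) if e]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != expected]


def persistence_hooks(scan):
    """What Winlogon was told to launch besides the legitimate program, per hijacked value."""
    hooks = {}
    for it in scan["items"]:
        value = it["item"].rsplit("\\", 1)[-1].lower()
        if "\\winlogon\\" in it["item"].lower() and value in WINLOGON_EXPECTED:
            extras = winlogon_extras(it["detail"], WINLOGON_EXPECTED[value])
            if extras:
                hooks.setdefault(value, []).extend(extras)
    return hooks


def failed_removals(scans):
    """Items scheduled 'Delete on reboot' by one scan and detected again by a later one."""
    history = defaultdict(list)
    for s in scans:
        for it in s["items"]:
            history[(it["section"], it["item"].lower())].append(it["action"])
    return sorted(item for (_, item), actions in history.items()
                  if len(actions) > 1
                  and any(a.startswith("Delete on reboot") for a in actions[:-1]))


if __name__ == "__main__":
    scans = [parse_mbam_log(SCAN_1), parse_mbam_log(SCAN_2)]
    for s in scans:
        print(s["scanned_at"], "Winlogon hooks:", persistence_hooks(s))
    print("came back after 'Delete on reboot':", failed_removals(scans))
```

Run against the full logs saved by MBAM it gives the same picture: the second scan still finds sdra64.exe in the Userinit value and the lowsec data files on disk, which fits the second post's observation that sdra64.exe reappears after each redirection. A "Delete on reboot" entry that shows up in the next scan is the signal that the scan did not reach the component re-creating it, so the Winlogon and Run entries are worth checking by hand before trusting a clean result.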


#2 Brawgates
  • Topic Starter

Posted 26 January 2010 - 12:07 PM

Hi

Just to add to my original post. Redirection from IE7 is not restricted to Google. It seems to occur somewhat randomly from any other site. I'm usually able to kill the redirection before it completes. One consistent redirection feature seems to be the appearance of two Cookies, one from each of the following urls.
  • 64.111.212.229
  • feed.ndot.com
I delete these cookies following every redirection. sdra64.exe is another unwelcome consequence of redirection. Its appearance seems to be related to the time it takes me to kill the redirection process. sdra64.exe and associated files are removed by MBAM.

Hope these symptoms ring a few bells, and help focus in on the likely intruder.

Kind regards

#3 Brawgates
  • Topic Starter

Posted 26 January 2010 - 09:05 PM

Hi

I'd like to close this topic as I believe the topic I've opened here more succinctly describes the problem I'm experiencing.

Many thanks



