

Web search Redirect\Unknown Infection Type


2 replies to this topic

#1 Technine22

Posted 02 February 2010 - 10:10 AM

The main infection was "Internet Security 2010", which was basically removed by Malwarebytes Anti-Malware. What has been left behind is a hidden process that intermittently redirects web searches (possibly Google searches only) and generates pop-ups.

*Any assistance with this issue will be greatly appreciated. Thanks in advance.*

Note: I have attached the required logs per your instructions, but I'm a bit concerned about the RootRepeal report, as it appears that the scan may have been interrupted by SUPERAntiSpyware even though it was shut down prior to running the scan.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Technine22 at 8:34:58.76 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.202 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kirkdrick Benson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Search_URL = hxxp://ie.search.msn.com
uDefault_Page_URL = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uCustomizeSearch = hxxp://ie.search.msn.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {1028F737-81E7-452B-A860-E50CAD90A08C} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [YB7ERPc8j] vssvices.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [S3TRAY2] S3tray2.exe
mRun: [CHotkey] mHotkey.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: msn.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1098307831390
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191809507484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191809500359
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~4\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kirkdr~1\applic~1\mozilla\firefox\profiles\uucm9u1m.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1808.5272\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {A520E0D6-3CFC-49D7-849B-549D9DE188E8} - c:\documents and settings\kirkdrick benson\local settings\application data\{a520e0d6-3cfc-49d7-849b-549d9de188e8}\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 EPPSCSIx;EPPSCSIx;c:\windows\system32\drivers\Eppscsi.sys [2003-4-30 47148]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-26 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-1-26 30192]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\d.tmp --> c:\windows\system32\D.tmp [?]
S3 WUSB54GSCV2;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\drivers\WUSB54GSCV2.sys [2003-1-1 198144]

=============== Created Last 30 ================

2010-01-30 01:15:40 0 ----a-w- c:\temp\RootRepeal.exe
2010-01-30 01:13:00 524288 ----a-w- c:\temp\dds.scr
2010-01-30 00:28:21 0 d-----w- c:\program files\CCleaner
2010-01-30 00:26:16 0 d-----w- c:\temp\CCleaner
2010-01-30 00:25:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-30 00:24:29 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-30 00:24:29 0 d-----w- c:\docume~1\kirkdr~1\applic~1\SUPERAntiSpyware.com
2010-01-30 00:22:02 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-30 00:20:31 7520288 ----a-w- c:\temp\SUPERAntiSpyware.exe
2010-01-30 00:01:07 0 d-----w- c:\program files\Trend Micro
2010-01-30 00:00:55 812344 ----a-w- c:\temp\HijackThisInstaller.exe
2010-01-29 23:54:35 0 d-----w- C:\32788R22FWJFW.0.tmp
2010-01-29 23:50:55 130 ----a-w- c:\windows\cfplogvw.INI
2010-01-28 20:31:39 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-28 20:27:52 0 d-----w- c:\program files\COMODO
2010-01-28 20:21:48 45174032 ----a-w- c:\temp\CIS_Setup_3.13.125662.579_XP_Vista_x32.exe
2010-01-28 16:11:34 556 ----a-w- c:\windows\system32\BDUpdateV1.xml
2010-01-28 03:39:24 81984 ----a-w- c:\windows\system32\bdod.bin
2010-01-28 03:18:27 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-01-28 03:17:35 0 d-----w- c:\program files\common files\BitDefender
2010-01-28 03:15:00 62010712 ----a-w- c:\temp\bitdefender_free_2009_32b.exe
2010-01-28 03:05:58 47066 -c--a-w- c:\windows\system32\dllcache\ksc.nls
2010-01-27 18:40:07 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-27 14:37:02 0 d-----w- c:\program files\Sophos
2010-01-26 18:12:15 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-01-26 18:12:15 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-01-26 18:11:58 0 d-----w- c:\windows\system32\IOSUBSYS
2010-01-24 09:46:33 0 d-----w- c:\docume~1\kirkdr~1\applic~1\Malwarebytes
2010-01-24 09:46:19 0 ----a-w- c:\windows\Yvalodobu.bin
2010-01-24 09:46:15 120 ----a-w- c:\windows\Fkuyulasejadaza.dat
2010-01-24 09:45:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-24 09:45:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-24 09:45:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-24 09:45:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 03:36:35 66594 ----a-w- c:\windows\system32\c_437.nls
2010-01-23 00:34:47 31744 ----a-w- C:\Team Exercise Worksheet(1).xls
2010-01-23 00:18:37 0 d--h--w- c:\windows\PIF
2010-01-21 04:55:07 0 ----a-w- c:\windows\system32\24464.exe
2010-01-21 04:35:05 0 ----a-w- c:\windows\system32\26962.exe
2010-01-21 04:15:04 0 ----a-w- c:\windows\system32\29358.exe
2010-01-19 20:18:10 1 ----a-w- C:\s
2010-01-16 00:01:05 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-29 22:30:44 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 8:36:25.54 ===============

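A first triage pass over a DDS log of this kind, as an added example that is not part of the original thread and not a tool the helpers on this board use. The sample lines are copied from the log in the post above; the scoring rules, the 30-day window and the list of "core" drivers are the editor's own assumptions. It flags the three things a reader of this log would want to check first: an autorun value with a generated-looking name that launches a bare filename, zero-byte or numerically named executables in the Windows tree, and a kernel driver whose timestamp is only days before the scan. Post #2 says the cause was a rootkit removed by TDSSKiller but does not say which file it repaired, so the atapi.sys flag here is a prompt to hash-compare the driver against the dllcache or install-media copy, not a finding.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: these lines are copied from the DDS log posted
# above (Run entries, "Created Last 30" and "Find3M" sections).
SAMPLE_DDS = r"""
uRun: [YB7ERPc8j] vssvices.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMan] SOUNDMAN.EXE
2010-01-29 22:30:44 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 04:55:07 0 ----a-w- c:\windows\system32\24464.exe
2010-01-24 09:46:19 0 ----a-w- c:\windows\Yvalodobu.bin
2010-01-24 09:45:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Assumption (editor's list, not from the page): kernel drivers that should
# only change with a service pack or hotfix. A fresh timestamp on one of
# these means: hash it and compare with the dllcache / install-media copy.
CORE_DRIVERS = {"atapi.sys", "ndis.sys", "iastor.sys"}
BINARY_EXT = (".exe", ".dll", ".sys", ".bin", ".dat")


def looks_random(name: str) -> bool:
    """Autorun value names are normally words or product names. A token of
    8+ characters that mixes upper case, lower case and digits (YB7ERPc8j)
    is characteristic of a generated name."""
    token = name.split(".")[0]
    if len(token) < 8:
        return False
    classes = sum(bool(re.search(p, token)) for p in (r"[A-Z]", r"[a-z]", r"\d"))
    return classes == 3


def triage(log_text: str, scan_date: str, recent_days: int = 30) -> list:
    """Return (kind, subject, detail, reasons) tuples for entries worth a
    closer look. scan_date is the date DDS was run, as YYYY-MM-DD."""
    scanned = datetime.strptime(scan_date, "%Y-%m-%d")
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if looks_random(m["name"]):
                reasons.append("generated-looking value name")
            # A bare filename is resolved through the search path. OEM tray
            # tools (SOUNDMAN.EXE) do this too, so it only counts together
            # with another signal.
            if "\\" not in m["cmd"] and not m["cmd"].startswith('"'):
                reasons.append("bare filename, no path")
            if len(reasons) >= 2:
                findings.append(("run", m["name"], m["cmd"], reasons))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        size = int(m["size"])
        stamp = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if size == 0 and base.endswith(BINARY_EXT) and path.startswith(r"c:\windows"):
            reasons.append("zero-byte binary in the Windows tree")
        if re.fullmatch(r"\d+\.exe", base):
            reasons.append("numeric-only executable name")
        if base in CORE_DRIVERS and scanned - stamp <= timedelta(days=recent_days):
            reasons.append(
                f"core driver changed {(scanned - stamp).days} days before the scan; verify its hash"
            )
        if reasons:
            findings.append(("file", path, size, reasons))
    return findings


if __name__ == "__main__":
    for kind, subject, detail, reasons in triage(SAMPLE_DDS, "2010-02-02"):
        print(f"{kind:4} {subject} ({detail}): {'; '.join(reasons)}")
```

Run against the sample it reports four entries: the `YB7ERPc8j` autorun, `atapi.sys`, `24464.exe` and `Yvalodobu.bin`; `ctfmon.exe`, `SOUNDMAN.EXE`, `wininet.dll` and `mbam.sys` are left alone. The bare-filename rule deliberately only counts alongside another signal so that OEM tray utilities are not flagged on their own, and the driver rule is time-relative to the scan date, so the same log triaged months later no longer raises `atapi.sys`.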
#2 Technine22 (Topic Starter)

Posted 05 February 2010 - 12:34 PM

***RESOLVED***

Please be advised that as of Thursday 02/04/2010 7:04 PM CST this issue has been resolved. The main cause of the issue was determined to be due to a rootkit infection, which was detected and removed by TDSSKiller, the rootkit removal tool by Kaspersky.

Honorable Mention:

- Clean Up Crew -

Malwarebytes' Anti-Malware
Spybot Search & Destroy
CCleaner
RegSeeker


The TDSS Killer log has been attached for reference.

Edited by Technine22, 05 February 2010 - 12:44 PM.


#3 Elise (Malware Study Hall Admin)

Posted 06 February 2010 - 07:59 AM

Since the issue seems to be resolved, this topic will now be closed.

regards, Elise

