Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WinXP IE8 search results are redirected


  • This topic is locked This topic is locked
2 replies to this topic

#1 ezd

ezd

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 01 March 2010 - 06:32 PM

I'm running Windows XP and everything seems fine until I try to use IE8's built in search. The results take me to various sites some of which infect me with fake antivirus garbage which I'm able to remove with Malwarebytes but the problem of the hijacked search results remains. It doesn't make a difference if I set the provider to Bing or Google. The latest log from Malwarebytes shows no malicious items. Here are the logs I was instructed to post and attach, thanks again for all you do:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Bob at 16:18:36.81 on Mon 03/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.251 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoffi~1.lnk - c:\program files\hewlett-packard\hp officejet t series\bin\HPOstr05.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-28 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-28 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-28 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-28 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-28 285392]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-2-12 14976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-16 38224]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-03-01 22:17:31 0 ----a-w- c:\documents and settings\bob\defogger_reenable
2010-03-01 13:23:43 20480 ----a-w- c:\windows\system32\tdlcmd.dll
2010-03-01 05:00:43 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-01 05:00:26 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 05:00:26 0 d-----w- c:\docume~1\bob\applic~1\SUPERAntiSpyware.com
2010-03-01 04:59:54 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-01 04:59:39 0 d-s---w- C:\ComboFix
2010-03-01 04:25:54 3874477 ----a-r- c:\temp\ComboFix.exe
2010-03-01 02:54:11 0 d-sh--w- c:\documents and settings\bob\IECompatCache
2010-03-01 01:25:58 0 d-----w- C:\$AVG
2010-03-01 01:25:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-01 01:25:41 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-01 01:25:31 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-01 01:25:12 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-01 01:24:47 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-01 01:09:04 389120 ----a-w- c:\windows\system32\CF1372.exe
2010-02-25 03:18:42 0 d-sha-r- C:\cmdcons
2010-02-25 03:17:13 98816 ----a-w- c:\windows\sed.exe
2010-02-25 03:17:13 77312 ----a-w- c:\windows\MBR.exe
2010-02-25 03:17:13 261632 ----a-w- c:\windows\PEV.exe
2010-02-25 03:17:13 161792 ----a-w- c:\windows\SWREG.exe
2010-02-25 03:16:03 389120 ----a-w- c:\windows\system32\CF7199.exe
2010-02-25 02:46:06 0 d-sh--w- c:\documents and settings\bob\PrivacIE
2010-02-25 02:24:56 0 d-sh--w- c:\documents and settings\bob\IETldCache
2010-02-22 01:41:19 0 d-----w- c:\program files\Trend Micro
2010-02-22 00:24:59 0 d-----w- c:\windows\ie8updates
2010-02-22 00:20:48 0 dc-h--w- c:\windows\ie8
2010-02-22 00:17:36 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-22 00:17:31 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-22 00:17:31 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-02-13 04:37:42 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS
2010-02-13 04:37:42 13312 ----a-w- c:\windows\system32\DEVLOAD.EXE
2010-02-13 04:37:35 2799 ----a-w- c:\windows\SKLANG.INI
2010-02-12 23:21:48 0 d-----w- C:\~ErdUserProfile.$$$
2010-02-12 21:08:13 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-02-12 21:08:13 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-02-12 20:19:26 0 d-----w- c:\docume~1\bob\applic~1\Malwarebytes
2010-02-10 09:03:58 0 d-----w- C:\89c255d8cbffc6090c81

==================== Find3M ====================

2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:21 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:14:03 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:14:03 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:14:03 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:14:01 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 09:23:28 474112 ----a-w- c:\windows\system32\SETFE.tmp
2009-12-08 09:23:28 474112 ----a-w- c:\windows\system32\SET33C.tmp
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-04 20:18:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030420090305\index.dat

============= FINISH: 16:20:30.06 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 ezd

ezd
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 03 March 2010 - 04:23 PM

I would like all involved for the work you've done so far. I believe I have removed the rootkit (TDL3) causing my search result redirects. I failed to mention a critical bit of information. A few weeks ago a Microsoft patch caused this machine to BSD. The BSD appeared almost immediately after posting and I was sure it was hardware at first. However, it turned out I was able to use Microsoft ERD Commander to roll back and I isolated the bad update. Microsoft later pulled the update and I figured that was that. The only indication I had of anything being screwy was the search results (only from the IE8 toolbar) being redirected. After running GMER and finding:

CODE
C:\WINDOWS\system32\drivers\atapi.sys - suspicious modification


I remembered reading that this file was modified as well as the Windows NT kernel by the patch and was able to focus my search accordingly. It turns out the rootkit caused the problem but the update was pulled because the rootkit was so widespread.

More info here: http://www.prevx.com/blog/143/BSOD-after-M...-apologize.html

Removal: Here

Again thank you for your time.

#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:48 PM

Posted 06 March 2010 - 06:01 PM

Thanks for informing us thumbup2.gif

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users