
Redirect virus - results5.google.com - plus other malware issues


  • This topic is locked
8 replies to this topic

#1 LucieV83

  • Members
  • 5 posts

Posted 07 June 2010 - 04:27 PM

Hi there, I have a redirect virus issue plus other malware problems and am hoping someone can help. It's defeating me!

My boyfriend first noticed when clicking on a search result in google, instead of the search result displaying, a new window opens which redirects to 'results5.google.com' - usually showing the google homepage (or another search engine) instead of the correct search result. Closing this new window and repeating the process 3 or 4 times tends to eventually get to the correct search result. Really annoying!

Also clicking on a link (eg. in the bleepingcomputer forums) will eventually take me to the link but also opens a new window 'http://search.google-analytics.com'.

Then the pc dumped its graphics drivers, so he turned it off and plugged in our other pc - which behaved in the same way as the 1st pc, except it didn't dump its graphics drivers. Same redirect issue.

So we turned back on the 1st pc, reinstalled graphics drivers and have run Malwarebytes several times - it finds and removes more bugs each time we run it! (Please see below)

Ran tdsskiller and it found nothing.

Followed instructions online to reset the router and flush the dns cache. Still got this redirecting issue.

I've run out of things to try and am hoping someone can help. As we have the same issues on 2 computers which are never on at the same time, is this a router virus? I'm not a total novice computer user, but I'm in way over my head with this one and any help would be gratefully appreciated!

DDS log and part of Malwarebytes log are below, and Attach.txt is attached. I'm still running GMER (2 hours and counting ...) and will post log when (if?) it finishes.

Many thanks,

Lucie

------------------------

Malwarebytes issues that it says are quarantined and deleted successfully, but come back with each scan:

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

------------------------

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by it at 20:24:45.66 on 07/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1044 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
svchost.exe "C:\WINDOWS\system32\1025n.exe"
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\it\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: quakelive.com\www
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265576996342
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265576983544
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-21 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-21 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-21 40384]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-11-24 135168]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-21 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-21 40384]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
S2 gupdate1ca28f9d68e29e0;Google Update Service (gupdate1ca28f9d68e29e0);c:\program files\google\update\GoogleUpdate.exe [2009-8-29 133104]
S2 NetmanSwPrv;Network Connections NetmanSwPrv;c:\windows\system32\1025n.exe srv --> c:\windows\system32\1025n.exe srv [?]

=============== Created Last 30 ================

2010-06-07 18:47:06 20 ----a-w- c:\documents and settings\it\defogger_reenable
2010-06-06 22:03:06 330 --s-a-w- c:\windows\system32\3805559209.dat
2010-06-06 22:03:00 4 ----a-w- c:\docume~1\it\applic~1\dhxiuw.dat
2010-06-06 20:38:35 186407 ----a-w- c:\windows\system32\nvapps.nvb
2010-06-04 13:43:09 0 d-----w- c:\program files\SystemRequirementsLab
2010-05-14 17:38:55 0 d-----w- c:\windows\system32\Adobe
2010-05-14 13:27:56 921872 ----a-w- c:\windows\system\MFC40.DLL
2010-05-14 13:27:56 326656 ----a-w- c:\windows\system\Msvcrt40.dll
2010-05-14 13:27:39 283648 ----a-w- c:\windows\uninst.exe

==================== Find3M ====================

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 10:50:24 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-12-16 09:25:56 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-16 01:15:31 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-16 01:15:31 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-16 01:15:31 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:25:21.52 ===============
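
The Malwarebytes and DDS logs above show two things worth pulling out automatically: sdra64.exe appended to the Winlogon\Userinit value (the Zbot logon hook), and 1025n.exe both hosted by svchost.exe and registered as the NetmanSwPrv service with "[?]" where DDS normally prints a file date and size. The script below is an added example, not part of the post or of the Malwarebytes/DDS tools; it scans pasted log text for those three patterns, using sample lines copied from the logs above.

```python
import re

# Constructed sample: four lines copied verbatim from the logs posted above
SAMPLE_LOG = r"""
svchost.exe "C:\WINDOWS\system32\1025n.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-21 40384]
S2 NetmanSwPrv;Network Connections NetmanSwPrv;c:\windows\system32\1025n.exe srv --> c:\windows\system32\1025n.exe srv [?]
"""

USERINIT_RE = re.compile(r"Winlogon\\Userinit .*?Bad: \((?P<bad>[^)]*)\)")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;.+?(?: \[(?P<meta>[^\]]*)\])?$")
HOSTED_RE = re.compile(r'^svchost\.exe "(?P<image>[^"]+)"$')

def userinit_extras(line):
    """Programs in the Winlogon\\Userinit value besides userinit.exe itself; the
    clean value (the 'Good' one in the log) holds only userinit.exe, so anything
    else listed is started at every logon (sdra64.exe is the Zbot entry here)."""
    m = USERINIT_RE.search(line)
    if not m:
        return None
    entries = [e.strip() for e in m.group("bad").split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]

def service_without_file_info(line):
    """Name of a DDS service entry that ends in '[?]' where DDS otherwise prints
    the image file's date and size, as it does for 1025n.exe above."""
    m = SERVICE_RE.match(line)
    return m.group("name") if m and (m.group("meta") or "").strip() == "?" else None

def svchost_hosting_exe(line):
    """Image path when a running-process line shows svchost.exe launched with a
    quoted .exe instead of the normal '-k <service group>' argument."""
    m = HOSTED_RE.match(line)
    return m.group("image") if m else None

def scan(text):
    """Run all three checks over a pasted log; returns (check, detail) pairs."""
    checks = [("userinit_extra", userinit_extras),
              ("service_no_file_info", service_without_file_info),
              ("svchost_hosting_exe", svchost_hosting_exe)]
    return [(label, hit) for line in text.splitlines()
            for label, check in checks for hit in [check(line)] if hit]

if __name__ == "__main__":
    for check, detail in scan(SAMPLE_LOG):
        print(check, detail)
```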

#2 LucieV83

  • Topic Starter
  • Members
  • 5 posts

Posted 08 June 2010 - 01:28 PM

Here's the GMER log, hope this helps.

Lucie

Attached Files

  • Attached file: ark.log (14.32KB)


#3 LucieV83

  • Topic Starter
  • Members
  • 5 posts

Posted 08 June 2010 - 03:05 PM

I've just swapped the router for an older crappy one - problems seem to have gone away!

Not an ideal solution as this router doesn't have wifi, but will do for now. Am I best off buying a new router?

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 June 2010 - 05:40 PM

QUOTE
Am I best off buying a new router?


That's tricky. If the one you're using is working then why buy a new one. If you need wi-fi then you need to buy a new one.

If you're happy, can I close this topic?
m0le is a proud member of UNITE

#5 LucieV83

  • Topic Starter
  • Members
  • 5 posts

Posted 12 June 2010 - 03:36 PM

Hi, yes you can close this topic - the problem's gone away, so kinda fixed for now.

So you think it's possible that the router can store the virus in it, even when it's got no power to it? Do they have a 'hard drive' in there as such? I know very little about how they work.

Lucie


#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 June 2010 - 05:44 PM

Routers can be hacked, see below.
  1. Please read this: Malware Silently Alters Wireless Router Settings

  2. Consult this link to find out what the default username and password of your router are and note them down: Route Passwords

  3. Then reset your router to its factory default settings:

    QUOTE
    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  4. This is the difficult part.
    First get to the router's server. To do that open Internet Explorer and type http://192.168.1.1 in the address bar and click Enter. You get the login window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the login password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

m0le is a proud member of UNITE
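
One way to confirm the result of step 4, i.e. that the router after its reset hands out only DNS servers you expect, is to paste the host's `ipconfig /all` output into a small checker. The script below is an added example, not part of m0le's post; the ipconfig excerpt is constructed in the Windows XP layout, and the rule that a resolver must be either the router (default gateway) or on a caller-supplied allow-list of known ISP resolvers is an assumption.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (XP layout). The router at 192.168.1.1
# handed out itself plus a second resolver the owner never configured.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.77
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)[ .]*: (?P<val>\S+)\s*$")
CONT_RE = re.compile(r"^\s+(?P<val>\d{1,3}(?:\.\d{1,3}){3})\s*$")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipconfig(text):
    """Map each 'Key . . . : value' field to its list of values, folding the
    indented continuation lines ipconfig uses for additional DNS servers."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group("key").strip()
            fields.setdefault(last, []).append(m.group("val"))
        else:
            c = CONT_RE.match(line)
            if c and last:
                fields[last].append(c.group("val"))
    return fields

def check_dns(fields, trusted=()):
    """Flag DNS servers that are neither the default gateway (the router) nor
    in the caller's allow-list; an off-LAN address is the DNSChanger pattern."""
    allowed = set(trusted) | set(fields.get("Default Gateway", []))
    findings = []
    for server in fields.get("DNS Servers", []):
        if server in allowed:
            continue
        on_lan = any(ipaddress.ip_address(server) in n for n in LAN_NETS)
        findings.append((server, "unexpected resolver on the LAN" if on_lan
                         else "resolver outside the LAN and not in the allow-list"))
    return findings

if __name__ == "__main__":
    for server, reason in check_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(server, "->", reason)
```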

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 June 2010 - 07:45 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#8 LucieV83

  • Topic Starter
  • Members
  • 5 posts

Posted 16 June 2010 - 02:56 PM

Hi, yes please do close this topic.

Many thanks for your help

#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 June 2010 - 03:20 PM

You're welcome

---------------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



