Security Suite and Google Redirect virus


This topic is locked
2 replies to this topic

#1 RainingAgain


Posted 16 August 2010 - 11:09 PM

I've gone through the process described at http://www.bleepingcomputer.com/virus-remo...-security-suite as well as the process described at http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

I've run Malwarebytes, McAfee, and went ahead and tried SUPERAntiSpyware as well. All three found infected items. SUPERAntiSpyware even found trojans and malware.

Even after trying all of this, the Security Suite window still appears when I log in normally (i.e. not Safe Mode). And the Google Redirect occurs as well.

I'm actually posting this while in Safe Mode because I'm unable to do much otherwise.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Samreen at 23:54:49.35 on Mon 08/16/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3002.2716 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Samreen\Desktop\dds.scr

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Qyara] rundll32.exe "c:\windows\dcholps.dll",Startup
uRun: [070700Setup.exe] c:\documents and settings\samreen\application data\afc84bbde97c9ae936c95430ed4d829c\070700Setup.exe
uRun: [SUPERAntiSpyware] c:\program files\super\SUPERAntiSpyware.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirCardEnabler]
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\watcher\WaHelper.exe"
mRun: [Gnuyatagacu] rundll32.exe "c:\windows\ekebidov.dll",Startup
mRun: [sta] rundll32 "xciip.dll",,Run
mRun: [aijehxlo] c:\documents and settings\networkservice\local settings\application data\xhnsfadkh\qnqxxyishdw.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\tryingagain\mbam.exe" /runcleanupscript
dRun: [Qyara] rundll32.exe "c:\windows\dcholps.dll",Startup
dRun: [mcexecwin] rundll32.exe c:\windows\temp\t10vuq.dll, RestoreWindows
dRun: [hs38tughg8asegushgjfgd4f] c:\windows\temp\bihmrrlow.exe
dRun: [jhaefi8fioasghiusagu4huginfajgkhfig] c:\windows\temp\gdi32.exe
dRun: [aijehxlo] c:\documents and settings\networkservice\local settings\application data\xhnsfadkh\qnqxxyishdw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
TCP: NameServer = 93.188.162.61,93.188.161.201
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ACGina
mASetup: {4E90AD03-7AA2-462A-A792-A393C270ACED} - regedit.exe /s "c:\support\lotusbak\HKCU-cleanup.reg"
Hosts: 212.117.178.25 www.google.com

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-10-4 244368]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-10-27 24521]
S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
S1 MpKsl4819f455;MpKsl4819f455;c:\windows\system32\mpenginestore\MpKsl4819f455.sys [2010-7-19 28752]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-9 46144]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-10-9 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-1-27 144704]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-1-27 54608]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-10-4 94208]
S2 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-14 520192]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-9 253952]
S2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-10-4 2058776]
S2 VTingWinIe;VTingWinIe;c:\windows\system32\drivers\svchost.exe -a --> c:\windows\system32\drivers\svchost.exe -a [?]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\csc vpn client\Extranet_serv.exe [2009-10-27 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-10-27 155184]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-10-9 73512]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-10-9 34408]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-10-9 177864]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]

=============== Created Last 30 ================

2010-08-17 03:38:48 2838 ----a-w- c:\windows\otepukogibuxidet.dll
2010-08-17 03:24:54 2838 ----a-w- c:\windows\uyebajoganisap.dll
2010-08-17 02:46:48 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-16 22:11:01 0 d-----w- c:\windows\system32\appmgmt
2010-08-16 21:41:11 0 d-----w- C:\TDSSKiller_Quarantine
2010-08-16 21:25:47 0 d-----w- c:\program files\TryingAgain
2010-08-16 19:21:43 5 ----a-w- C:\zrpt.xml
2010-08-16 19:21:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-16 19:11:12 0 d-----w- c:\program files\Candy
2010-08-16 19:03:12 0 d-----w- c:\docume~1\samreen\applic~1\SUPERAntiSpyware.com
2010-08-16 19:03:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-16 19:03:02 0 d-----w- c:\program files\Super
2010-08-16 19:02:57 0 d-----w- c:\program files\New Folder
2010-07-19 05:26:31 0 d-----w- c:\program files\Ice Cream
2010-07-19 05:23:11 0 d-----w- c:\program files\Trend Micro
2010-07-19 04:55:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-19 04:55:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-19 04:34:15 0 d-----w- c:\windows\system32\MpEngineStore

==================== Find3M ====================

2010-08-16 22:03:26 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2009-10-05 01:19:16 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2010-03-18 23:34:08 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010031820100319\index.dat
2010-04-27 23:08:30 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010042720100428\index.dat

============= FINISH: 23:55:20.32 ===============

Just an update to this...

The rest of our household computers have now become infected (all 5 - ugh!). Most of them only have the Google-Redirect issue but not the Security Suite one. I doubt that it is the USB drives that we use since we have not used the same USBs on all of the computers. Could it be the router?

EDIT: Posts merged ~BP

Edited by Budapest, 22 August 2010 - 12:20 AM.
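The DDS output in the post above already contains the redirect plumbing the poster describes, and a practitioner would pull those lines out before asking whether the router is involved. The script below is an added example written for this thread; it is not a BleepingComputer tool and not part of the original post, and the rule names are its own. It runs over an excerpt of the posted log (embedded as a constructed sample, with a couple of ordinary entries left in as negatives) and flags: a loopback HTTP proxy (`ProxyServer = http=127.0.0.1:<port>`), a `Hosts:` entry pointing `www.google.com` at a non-loopback address, an explicitly set `TCP: NameServer`, Run-key entries launched from `\temp\`, from a 32-hex-character application-data directory or from the NetworkService profile, `rundll32` loading a DLL from the Windows root or by bare file name, `DisableRegistryTools = 1`, and a service whose binary is a `svchost.exe` outside `system32`.

```python
"""Triage a DDS 'Pseudo HJT Report' for browser/DNS redirect indicators.

Added example for this thread: not a BleepingComputer or DDS feature, and the
rule names are this script's own labels, not DDS terminology.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule detail line")

# Constructed sample: an excerpt of the DDS output posted above, trimmed to the
# lines the rules care about plus two benign entries (ctfmon, SynTPEnh, McShield).
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Qyara] rundll32.exe "c:\windows\dcholps.dll",Startup
uRun: [070700Setup.exe] c:\documents and settings\samreen\application data\afc84bbde97c9ae936c95430ed4d829c\070700Setup.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [sta] rundll32 "xciip.dll",,Run
mRun: [aijehxlo] c:\documents and settings\networkservice\local settings\application data\xhnsfadkh\qnqxxyishdw.exe
dRun: [mcexecwin] rundll32.exe c:\windows\temp\t10vuq.dll, RestoreWindows
dRun: [jhaefi8fioasghiusagu4huginfajgkhfig] c:\windows\temp\gdi32.exe
dPolicies-system: DisableRegistryTools = 1 (0x1)
TCP: NameServer = 93.188.162.61,93.188.161.201
Hosts: 212.117.178.25 www.google.com
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-1-27 144704]
S2 VTingWinIe;VTingWinIe;c:\windows\system32\drivers\svchost.exe -a --> c:\windows\system32\drivers\svchost.exe -a [?]
"""

RUN_LINE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
HEX32_DIR = re.compile(r"\\application data\\[0-9a-f]{32}\\", re.I)
SVC_PROFILE = re.compile(r"\\(?:networkservice|localservice)\\", re.I)
# rundll32 loading a DLL that sits directly in c:\windows\ rather than system32
WINROOT_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?c:\\windows\\[^\\"]+\.dll', re.I)
# rundll32 given only a file name, so the DLL is resolved via the search path
BARE_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?[^\\":\s]+\.dll', re.I)
PROXY = re.compile(r"ProxyServer\s*=.*\b127\.0\.0\.1:(\d+)", re.I)
HOSTS = re.compile(r"^Hosts:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", re.I)
DNS = re.compile(r"^TCP:\s*NameServer\s*=\s*(\S+)", re.I)
REGTOOLS = re.compile(r"DisableRegistryTools\s*=\s*1\b", re.I)
SERVICE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(?P<path>.+?)(?:\s+-->|\s+\[)", re.I)
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}  # hosts entries to these block, not redirect


def _run_rule(target):
    """Return the rule a Run-key target trips, or None if it looks ordinary."""
    if TEMP_DIR.search(target):
        return "autorun-from-temp"
    if HEX32_DIR.search(target):
        return "autorun-from-hex-named-appdata-dir"
    if SVC_PROFILE.search(target):
        return "autorun-from-service-account-profile"
    if WINROOT_DLL.search(target):
        return "rundll32-dll-in-windows-root"
    if BARE_DLL.search(target):
        return "rundll32-bare-dll-name"
    return None


def scan_dds(text):
    """Walk DDS report lines and return a list of Finding tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_LINE.match(line)
        if m:
            rule = _run_rule(m.group("target"))
            if rule:
                findings.append(Finding(rule, m.group("name"), line))
            continue
        m = PROXY.search(line)
        if m:
            findings.append(Finding("loopback-proxy", "port " + m.group(1), line))
            continue
        m = HOSTS.match(line)
        if m and m.group(1) not in SINKHOLE_IPS:
            findings.append(Finding("hosts-override", f"{m.group(2)} -> {m.group(1)}", line))
            continue
        m = DNS.match(line)
        if m:  # flagged for review: compare with what the router hands out by DHCP
            findings.append(Finding("static-dns-servers", m.group(1), line))
            continue
        if REGTOOLS.search(line):
            findings.append(Finding("registry-tools-disabled", "", line))
            continue
        m = SERVICE.match(line)
        if m:
            path = m.group("path").strip().lower()
            if "svchost.exe" in path and not path.startswith(r"c:\windows\system32\svchost.exe"):
                findings.append(Finding("svchost-outside-system32", path, line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'autorun-from-temp': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = scan_dds(SAMPLE_DDS)
    for f in hits:
        print(f"{f.rule:38} {f.detail:40} {f.line[:60]}")
    print(summarize(hits))
```

The proxy and hosts entries are per-machine settings, so they account for redirects on this host whatever the router does; the `TCP: NameServer` value is the one item in this log worth comparing against the DNS servers the router assigns by DHCP, which is why the script flags any explicit setting for review rather than judging the addresses itself.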



#2 kahdah (Security Colleague)

Posted 24 August 2010 - 06:57 AM

Hello RainingAgain

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the lines below

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 kahdah (Security Colleague)

Posted 22 November 2010 - 07:49 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



