
Persistent Google redirect


  • This topic is locked
  • No replies to this topic

#1 miss.ink

  • Members
  • 2 posts
  • Gender:Female

Posted 31 August 2010 - 04:47 PM

When I search Google using the text box at the top right-hand corner of Firefox it returns webpages like:

hxxp://search.search-go.net/?s=stuff&sid=10101055100 redirects to: hxxp://search.search-go.net/index.php?cx=!partner-pub-8451664467457009%3Ai6rz7g-p5db&cof=FORID%3A10&ie=utf-8&q=stuff&siteurl=search.search-go.net%2F%3Fs%3Dstuff%26sid%3D10101055100

It also has the wrong icon (a G in a box).

So far I've tried Hitman Pro (repeatedly), Malwarebytes, TDSSKiller, Microsoft Windows Malicious Software Removal Tool, and the instructions at hxxp://www.make-a-website-with-traffic.com/2010/04/my-battle-with-the-fakerean-trojan-tdl3-rootkit.html

I've done the preparation for posting to Bleeping Computer forums at http://www.bleepingcomputer.com/forums/topic34773.html. I think my Windows version has a slightly different firewall dialog box, but I managed to find all the same settings.

(Also - I don't know if this is important, but my computer does not have Internet access when run in Safe Mode with Networking. And when I start Windows, I also get a dialog box saying RUNDLL in the title bar, with a white cross in a red circle, saying "Error loading C:\WINDOWS\msdmsanf.dll The specified module could not be found. [OK]")

Background information: Actually a lot of things hit me all together yesterday. I managed to get rid of the biggest problems, which were fake anti-virus programs (Anti Malware Doctor and Security Suite). They gave me a lot of popups and stopped a lot of programs from running (e.g. Symantec, Spybot, msconfig, rkill). I did a lot of things to get rid of them, but I think the crucial step was paying for Hitman Pro. However, it didn't get rid of the Google redirect. I'm currently backing up my files and hoping I'm not also backing up the rootkit.

Here's the DDS file. My computer hung when I tried to save the Gmer log, but I'll try again tonight. Thank you so much for your help!

E-Ching


DDS (Ver_10-03-17.01) - NTFSx86
Run by E-Ching at 11:55:01.64 on Tue 08/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1340 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\GlidePoint\glidesvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Tavultesoft\Keyman Engine 7.0\keyman.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\E-Ching\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [desktop_pro.pxx] "c:\program files\tavultesoft\keyman desktop professional 7.1\kmshell.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Ntiqeja] rundll32.exe "c:\windows\msdmsanf.dll",Startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [wmrsnxecao.tmp] "c:\docume~1\e-ching\locals~1\temp\wmrsnxecao.tmp"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\e-ching\applic~1\mozilla\firefox\profiles\ailxbnsv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {CA29E490-000C-4BBF-BD23-C827F2F4BD69} - c:\documents and settings\e-ching\local settings\application data\{CA29E490-000C-4BBF-BD23-C827F2F4BD69}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 GlidePoint;GlidePoint Touchpad Client;c:\program files\glidepoint\glidesvc.exe [2007-3-29 176128]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100830.002\naveng.sys [2010-8-30 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100830.002\navex15.sys [2010-8-30 1362608]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-1-28 16512]
S3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [2010-1-17 44928]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

=============== Created Last 30 ================

2010-08-31 15:54:40 0 ----a-w- c:\documents and settings\e-ching\defogger_reenable
2010-08-31 13:44:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 13:44:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 01:42:04 2843 ----a-w- c:\windows\itemamum.dll
2010-08-30 22:56:06 1765 ----a-w- c:\windows\lsrslt.ini
2010-08-30 22:55:54 2843 ----a-w- c:\windows\ocenuhogajim.dll
2010-08-30 22:51:09 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-30 22:50:50 0 d-----w- c:\docume~1\e-ching\applic~1\8A1E84C5A17AF5C35AED3463442BDE03
2010-08-30 22:45:32 2843 ----a-w- c:\windows\igalayizajo.dll
2010-08-30 22:08:49 0 d-----w- c:\docume~1\e-ching\applic~1\Malwarebytes
2010-08-30 22:08:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-30 22:08:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-30 13:13:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-30 12:53:26 2843 ----a-w- c:\windows\Bluno.dat
2010-08-30 12:53:26 0 ----a-w- c:\windows\Vcuwutunagecagu.bin
2010-08-14 18:35:20 68359 ----a-w- c:\windows\system32\MSCAL.HLP
2010-08-14 18:35:20 106496 ----a-w- c:\windows\system32\MSCAL.OCX
2010-08-10 09:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 09:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-08-31 10:01:01 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-04 08:44:36 37812 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 11:55:36.39 ===============

Here is the Gmer log. Once again my computer lagged horribly after running Gmer. I had to turn the computer off by hitting the power button (after twenty minutes of waiting for the Start Menu to appear). But after restarting it seems back to fairly normal speed.

E-Ching

EDIT: Posts merged ~BP

Edited by Budapest, 01 September 2010 - 04:56 PM.
Deactivate links. ~ OB
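The DDS report above shows three patterns a helper would look for first: the Firefox `keyword.URL` preference (in both prefs.js and user.js) pointing at search-go.net instead of the configured Google engine, a Run entry that launches `rundll32.exe` with a DLL in `c:\windows\` rather than `system32` (the same `msdmsanf.dll` named in the startup error), and a Run entry executing a `.tmp` file from the user's temp directory. The script below is an added example, not the poster's material and not part of the DDS tool: it parses lines in DDS's `FF - ...` and `uRun:/mRun:` format and flags those patterns. The expected-host allowlist, the trusted-root list and the command-line tokenizer are assumptions (the tokenizer does not handle unquoted paths containing spaces); the sample report is constructed from lines of the kind shown in the post, with the forum's `hxxp` defanging preserved.

```python
import re
from urllib.parse import urlparse

# Constructed sample in DDS report format (hxxp is the forum's defanged http).
SAMPLE_DDS = r"""
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101055100&s=
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Ntiqeja] rundll32.exe "c:\windows\msdmsanf.dll",Startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [wmrsnxecao.tmp] "c:\docume~1\e-ching\locals~1\temp\wmrsnxecao.tmp"
"""

FF_PREF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
RUN_RE = re.compile(r"^([um]Run): \[([^\]]+)\] (.*)$")

# Assumption: where a Google-configured profile should send searches.
EXPECTED_SEARCH_HOSTS = {"google.com", "www.google.com"}
SEARCH_PREFS = {"keyword.URL", "browser.startup.homepage"}
# Assumption: DLLs loaded by rundll32 from an absolute path outside these
# roots deserve a look (legitimate ones normally live under them).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\")


def refang(url):
    """Turn the forum's hxxp:// back into http:// so urlparse sees a host."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def split_cmd(cmd):
    """Return (first token lowercased, remaining arguments) of a command line.

    The first token is either a double-quoted string or a run of non-space
    characters; unquoted paths containing spaces are not handled (assumption).
    """
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    head = m.group(1) or m.group(2)
    return head.lower(), cmd[m.end():].strip()


def triage(report):
    """Scan a DDS-format report and return (kind, line) findings."""
    findings = []
    for line in report.splitlines():
        m = FF_PREF_RE.match(line)
        if m:
            source, pref, value = m.groups()
            if pref in SEARCH_PREFS:
                host = urlparse(refang(value)).hostname or ""
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(("firefox-search-hijack", line))
            elif source == "user.js":
                # user.js is re-applied on every browser start, so any entry
                # here overrides whatever the user sets in about:config.
                findings.append(("firefox-userjs-override", line))
            continue
        m = RUN_RE.match(line)
        if m:
            _key, _name, cmd = m.groups()
            exe, rest = split_cmd(cmd)
            if "\\temp\\" in exe or exe.endswith(".tmp"):
                findings.append(("autorun-from-temp", line))
            elif exe.endswith("rundll32.exe") and rest:
                dll, _ = split_cmd(rest)
                dll = dll.split(",")[0]  # strip the ",EntryPoint" suffix
                if re.match(r"^[a-z]:\\", dll) and not dll.startswith(TRUSTED_ROOTS):
                    findings.append(("rundll32-untrusted-dll", line))
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_DDS):
        print(f"{kind:26} {line}")
    print(summarize(triage(SAMPLE_DDS)))
```

Running it on the sample yields two `firefox-search-hijack` hits (prefs.js and user.js), one `firefox-userjs-override`, one `rundll32-untrusted-dll` and one `autorun-from-temp`, while Skype, ccApp and the path-less `nvHotkey.dll` entry pass. The user.js finding is the practical one for cleanup: resetting `keyword.URL` in about:config is undone at the next start as long as that file remains in the profile, which is why the redirect survives a preference reset.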

