Google Redirect for IE


  • This topic is locked
2 replies to this topic

#1 pelotoner

  • Members
  • 2 posts

Posted 18 September 2010 - 09:59 PM

We had an attack from a certain website that attempted to download 4-5 trojans and viruses. ZoneAlarm caught most of them. The Google Redirect remains. Microsoft Update will not run. I reinstalled IE.

The C: drive has no OS on it.
The D: drive is the boot drive.
The E: drive is a Raid mirrored data drive.

I have been researching bleepingcomputer and have run the following:
ZoneAlarm
Malwarebytes
Superantispyware
tdsskiller by Kaspersky
ESET online scanner

None of these found anything.

Thanks for your help!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Van Nostrand Family at 14:21:28.90 on Sat 09/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1376 [GMT -4:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Flip Video\FlipShare\FlipShareService.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe -k HPZ12
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe -k HPZ12
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
D:\WINDOWS\system32\RunDLL32.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
D:\Program Files\CheckPoint\ZAForceField\ForceField.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - d:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - d:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [LogitechSoftwareUpdate] "d:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [IAAnotif] "d:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IntelAudioStudio] "d:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "d:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [LVCOMSX] d:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] d:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] d:\program files\logitech\video\LogiTray.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZoneAlarm Client] "d:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - d:\program files\common files\autodesk shared\acstart16.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - d:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: wilsonstructural.com\mail
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.mpix.com/customer/uploading/activex/ImageUploader5.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - d:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - d:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\vannos~1\applic~1\mozilla\firefox\profiles\gxu0gg6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: d:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll
FF - component: d:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
FF - component: d:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: d:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;d:\windows\system32\drivers\kl1.sys [2010-9-4 128016]
R1 KLIF;Kaspersky Lab Driver;d:\windows\system32\drivers\klif.sys [2010-9-4 317072]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;d:\windows\system32\vsdatant.sys [2010-2-6 528128]
R2 ISWKL;ZoneAlarm ForceField ISWKL;d:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-4-17 26352]
R2 IswSvc;ZoneAlarm ForceField IswSvc;d:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-4-17 493032]
R2 vsmon;TrueVector Internet Monitor;d:\windows\system32\zonelabs\vsmon.exe -service --> d:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 icsak;icsak;d:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-4-17 35568]
S2 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2010-5-28 136176]
S3 epmntdrv;epmntdrv;d:\windows\system32\epmntdrv.sys [2010-7-2 13192]
S3 EuGdiDrv;EuGdiDrv;d:\windows\system32\EuGdiDrv.sys [2010-7-2 8456]

============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-09-18 18:09:56 0 ----a-w- d:\documents and settings\van nostrand family\defogger_reenable
2010-09-18 17:38:13 0 d-----w- d:\program files\Trend Micro
2010-09-17 19:30:27 0 dc-h--w- d:\windows\ie8
2010-09-17 01:35:53 423656 ----a-w- d:\windows\system32\deployJava1.dll
2010-09-16 09:49:04 16968 ----a-w- d:\windows\system32\drivers\hitmanpro35.sys
2010-09-16 09:47:50 0 d-----w- d:\program files\Hitman Pro 3.5
2010-09-16 09:47:50 0 d-----w- d:\docume~1\alluse~1\applic~1\Hitman Pro
2010-09-15 23:14:54 0 d-----w- d:\docume~1\vannos~1\applic~1\Malwarebytes
2010-09-15 23:12:35 0 d-----w- d:\docume~1\vannos~1\applic~1\SUPERAntiSpyware.com
2010-09-15 23:12:35 0 d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-15 23:12:23 0 d-----w- d:\program files\SUPERAntiSpyware
2010-09-15 22:54:19 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 22:54:18 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-15 22:54:17 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-09-15 22:54:17 0 d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-09-04 12:26:03 128016 ----a-w- d:\windows\system32\drivers\kl1.sys
2010-08-28 00:15:54 0 d-----w- d:\docume~1\alluse~1\applic~1\IswTmp
2010-08-23 00:28:17 1015 ----a-r- D:\logFile.xsl
2010-08-23 00:25:34 0 d-----w- d:\program files\Flip Video
2010-08-23 00:25:33 0 d-----w- d:\docume~1\alluse~1\applic~1\Flip Video

==================== Find3M ====================

2010-09-18 18:16:29 4212 ---ha-w- d:\windows\system32\zllictbl.dat
2010-08-17 13:17:06 58880 ----a-w- d:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- d:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2010-07-21 01:22:56 72704 ----a-w- d:\windows\zllsputility.exe
2010-07-21 01:22:46 1238528 ----a-w- d:\windows\system32\zpeng25.dll
2010-06-30 12:31:35 149504 ----a-w- d:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- d:\windows\system32\wininet.dll
2010-06-24 02:52:05 106168 ---ha-w- d:\windows\system32\mlfcache.dat
2010-06-23 13:44:04 1851904 ----a-w- d:\windows\system32\win32k.sys

============= FINISH: 14:22:25.40 ===============

#2 pelotoner

  • Topic Starter


Posted 23 September 2010 - 06:55 AM

ZoneAlarm has found the virus and has been treating it. However, my confidence in the security of my OS is gone. I'm going to reformat. Thank God for separate data drives and a boot drive.

Please lock or delete post.

This is a great site; I've learned a lot.

Cheers!

#3 Budapest


    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 23 September 2010 - 04:22 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw