Links from search engine results get hijacked!


This topic is locked
2 replies to this topic

#1 Talligen Systems

Talligen Systems

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:33 AM

Posted 07 October 2010 - 02:47 PM

Whenever I click a link to a website listed in google, bing, or any other search engine result, I get redirected to random commerce sites. If I enter the address directly, I go to the correct site.

I ran McAfee, MalwareBytes, and AdAware but found nothing.

The Attach.txt and ark.txt are attached. Here is the DDS.txt...


DDS (Ver_10-10-05.01) - NTFSx86
Run by administrator at 10:40:45.81 on Thu 10/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3579.2413 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
svchost.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\CA\SC\Csam\SockAdapter\bin\csampmux.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\casplitegent.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\CA\SC\Systems Performance LiteAgent\bin\rtaAgent.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\CA\DSM\Bin\rcHost.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\administrator\Desktop\Repair Tools\DDS Tool\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [<NO NAME>]
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [CAF_SystemTray] "c:\program files\ca\dsm\bin\cfSysTray.exe"
mRun: [DsmSxplog] "c:\program files\ca\dsm\bin\sxpstub.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attewc.webex.com/client/T26L10NSP49EP10-attewc/event/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: ackpbsc - c:\program files\actividentity\activclient\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: DeviceNP - DeviceNP.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: LMIinit - LMIinit.dll
Notify: rcHostExt - c:\program files\ca\dsm\bin\rcLoginExt.dll
Hosts: 172.20.100.1 dsps dsps.dsp.co.il
Hosts: 172.20.100.40 webshield webshield.dsp.co.il
Hosts: 172.20.100.83 dspbck01 dspbck01.dsp.co.il
Hosts: 172.20.110.14 nt2ksrv05 nt2ksrv05.dspg.com nt2ksrv05.dsp.co.il
Hosts: 172.20.110.17 helpdesk helpdesk.dspg.com helpdesk.dsp.co.il

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\administrator\applic~1\mozilla\firefox\profiles\mvi2guo2.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-7 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-16 343920]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2009-10-5 110520]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2009-10-5 51800]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-10-5 13256]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2009-10-5 40088]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 CA-MessageQueuing;CA Message Queuing Server;c:\program files\ca\sc\cam\bin\cam.exe [2010-4-9 181512]
R2 CA-SAM-Pmux;CA Connection Broker;c:\program files\ca\sc\csam\sockadapter\bin\CSAMPmux.exe [2009-1-23 159744]
R2 caf;CA DSM r11 Common Application Framework.;c:\program files\ca\dsm\bin\CAF.exe [2009-10-3 195848]
R2 CASPLiteAgent;CA Systems Performance LiteAgent;c:\program files\ca\sc\systems performance liteagent\bin\casplitegent.exe [2009-2-12 135168]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2009-10-5 277096]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2009-8-11 293376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-9 47640]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-1 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-4-9 70728]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-3-16 635416]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-3-16 2066968]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-10-15 46824]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-3-16 160424]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
R3 MfeAVFK;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-16 91832]
R3 MfeBOPK;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-16 43288]
R3 rcSmCard;rcSmCard;c:\windows\system32\drivers\rcSmCard.sys [2007-10-28 26128]
R3 rcVidCap;rcVidCap;c:\windows\system32\drivers\rcVidMpt.sys [2007-10-28 9872]
S2 0160821270565706mcinstcleanup;McAfee Application Installer Cleanup (0160821270565706);c:\docume~1\administrator\locals~1\temp\016082~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\administrator\locals~1\temp\016082~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2009-9-8 32312]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2009-9-8 362040]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-9 66600]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2010-3-16 34248]
S3 OracleClientCache80;OracleClientCache80;c:\orant\bin\ONRSD80.EXE [2009-8-12 101136]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Oracle ADI Service;Oracle ADI Service;c:\orant\bin\ADISRV.EXE [2009-8-12 86016]

=============== Created Last 30 ================

2010-10-07 17:35:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-07 17:35:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-07 17:27:39 -------- d-----w- c:\docume~1\administrator\locals~1\applic~1\Sunbelt Software
2010-10-07 17:27:08 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-07 17:26:53 -------- d-----w- c:\program files\Lavasoft
2010-10-07 17:07:56 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2010-10-07 16:54:34 -------- d-----w- c:\program files\Trend Micro
2010-10-07 16:51:04 -------- d-----w- c:\docume~1\administrator\applic~1\McAfee
2010-10-06 16:59:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 16:59:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-06 16:59:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-06 16:59:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-06 15:59:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 22:14:33 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-09-15 22:14:32 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2010-09-15 22:14:29 406016 ------w- c:\windows\system32\dllcache\usp10.dll

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 10:41:30.48 ===============

As I was troubleshooting, I found some additional info:

I see this problem regardless of the browser I use (i.e. Firefox, Mozilla, IE), so I'm guessing it's probably not a BHO.
I see this problem regardless of the user account that I log in with, so it's not profile specific.

EDIT: Posts merged ~BP

Edited by Budapest, 09 October 2010 - 12:34 AM.
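A redirect that survives a change of browser and of user account, as described in this post, points at something system-wide rather than a browser add-on, and the hosts file is one of the first system-wide places to check. The following is an added example, not part of the original post or of DDS: it parses the "Hosts:" lines of a DDS report and flags any entry that redefines a public search-engine domain. The sample excerpt is constructed for the demo; its first five lines are taken from the log above, and the final line (a TEST-NET-1 address pointing at google.com) is made up to show what a hit looks like. The list of watched domains is likewise an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed DDS-style excerpt. The first five "Hosts:" lines are from the
# log in this thread; the last one is a made-up entry (192.0.2.0/24 is the
# documentation range) and is NOT from the poster's machine.
SAMPLE_DDS = """\
Hosts: 172.20.100.1 dsps dsps.dsp.co.il
Hosts: 172.20.100.40 webshield webshield.dsp.co.il
Hosts: 172.20.100.83 dspbck01 dspbck01.dsp.co.il
Hosts: 172.20.110.14 nt2ksrv05 nt2ksrv05.dspg.com nt2ksrv05.dsp.co.il
Hosts: 172.20.110.17 helpdesk helpdesk.dspg.com helpdesk.dsp.co.il
Hosts: 192.0.2.10 www.google.com google.com

Note: multiple HOSTS entries found. Please refer to Attach.txt
"""

# Public domains a workstation's hosts file should normally never redefine
# (assumed list; extend to whatever your users actually search with).
SEARCH_DOMAINS = frozenset({
    "google.com", "www.google.com", "bing.com", "www.bing.com",
    "yahoo.com", "www.yahoo.com", "search.yahoo.com",
})

HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(.+?)\s*$")


def parse_dds_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every 'Hosts:' line in a DDS report."""
    entries = []
    for line in text.splitlines():
        m = HOSTS_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).split()))
    return entries


def hostname_matches(name: str, watch=SEARCH_DOMAINS) -> bool:
    """True if name equals a watched domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watch)


def flag_search_overrides(entries, watch=SEARCH_DOMAINS) -> Dict[str, str]:
    """Map each hostname that overrides a watched search domain to its IP."""
    flagged = {}
    for ip, names in entries:
        for name in names:
            if hostname_matches(name, watch):
                flagged[name.lower()] = ip
    return flagged


def classify(text: str) -> Dict[str, object]:
    """Summarise a DDS report: how many hosts entries, and which ones look like redirects."""
    entries = parse_dds_hosts(text)
    return {"total": len(entries), "flagged": flag_search_overrides(entries)}


if __name__ == "__main__":
    result = classify(SAMPLE_DDS)
    print(f"{result['total']} hosts entries; flagged: {result['flagged']}")
```

Run against the real log above (without the constructed last line) nothing is flagged: the entries are internal corporate names, which is consistent with the poster later finding the cause in patched system binaries rather than in the hosts file. An empty result therefore rules out one mechanism, not the infection.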

#2 Talligen Systems

Talligen Systems
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:33 AM

Posted 12 October 2010 - 01:51 PM

Well, it looks like I resolved this one myself. Thanks to all the great and plentiful information on BleepingComputer.com (and other sites), I was able to successfully identify and remove the Win32/Bamital.EB infection.

I'm not sure if that was the only infection, but here's what I did (as best as I can recall):

After running McAfee, AdAware, and Malwarebytes, without any indications, I decided to run Combofix.

I removed all antivirus/antispyware programs except McAfee (which I completely disabled), ran DeFogger, then ran Combofix. Combofix identified infections in c:\windows\explorer.exe and c:\windows\system32\winlogon.exe.

I turned off system restore and rebooted the computer, then ran Combofix again. I forgot to turn off McAfee this time, and the computer rebooted in the middle of the scan. :(

It never finished rebooting, though. Each time it was about to get to the logon screen, it would reboot again. I suspected Combofix or McAfee corrupted or deleted the winlogon.exe file, so I went back to the internet and found an article for xPUD. xPUD is a Linux-based bootable CD image that allows you to access and replace Windows files because they're not in use (the system is running from the CD).

I created the xPUD boot cd as instructed, grabbed the winlogon.exe and explorer.exe files from my laptop (same version and service pack as the infected computer) and put them on a USB flash drive, then booted the system.

Unfortunately, the problem was still there. I found another article that suggested running ESET Online Scanner, which I did, and it found that c:\documents and settings\all users\application data\microsoft\network\downloader\hlp.dat was infected.

I booted back into the xPUD CD, deleted the file, replaced winlogon and explorer again, and rebooted.

It worked perfectly. Combofix didn't find any infections, nor did ESET.

I checked to see if the browser redirects were still there and they were gone!

Problem solved :)
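The fix in this post came down to replacing explorer.exe and winlogon.exe with copies from a clean machine of the same version and service pack. The same idea, done with hashes instead of by eye, is what lets you confirm a system binary has been patched before you go hunting, and lets you verify the restore afterwards. The script below is an added example, not the poster's procedure or any tool named in the thread: it builds a SHA-256 manifest of watched files from a known-good tree and checks a suspect tree against it. The file list comes from the post; the temp-directory scenario in `demo()` is constructed, with placeholder bytes standing in for the real binaries.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# Files the thread reports as patched by Win32/Bamital. Which files to watch
# is otherwise a policy choice; these two are just the ones from the post.
WATCHED_FILES = ("explorer.exe", "winlogon.exe")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clean_root: Path, names=WATCHED_FILES) -> Dict[str, str]:
    """Hash the watched files on a known-good machine.

    The reference must match the suspect machine's build exactly: the same
    Windows version, service pack and hotfix level, otherwise every file
    will show as modified for legitimate reasons.
    """
    return {n: sha256_file(clean_root / n) for n in names}


def verify_against(manifest: Dict[str, str], suspect_root: Path) -> Dict[str, str]:
    """Return {filename: 'ok' | 'modified' | 'missing'} for the suspect install."""
    report = {}
    for name, good_hash in manifest.items():
        p = suspect_root / name
        if not p.exists():
            report[name] = "missing"
        elif sha256_file(p) != good_hash:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: a clean tree and a suspect tree where winlogon.exe differs."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean")
        suspect = Path(tmp, "suspect")
        clean.mkdir()
        suspect.mkdir()
        # Placeholder bytes, not real PE images; only the hash comparison matters here.
        (clean / "explorer.exe").write_bytes(b"MZ clean explorer image")
        (clean / "winlogon.exe").write_bytes(b"MZ clean winlogon image")
        (suspect / "explorer.exe").write_bytes(b"MZ clean explorer image")
        # Simulate a patched binary by appending bytes to the suspect copy.
        (suspect / "winlogon.exe").write_bytes(b"MZ clean winlogon image" + b"\x90" * 16)
        manifest = build_manifest(clean)
        return verify_against(manifest, suspect)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:13s} {status}")
```

In practice you would run `build_manifest` against the clean laptop's `%windir%` and `%windir%\system32`, copy the manifest to the boot CD, and run `verify_against` on the mounted infected volume both before replacing the files and again afterwards, so that "ok" across the board is an actual measurement rather than the absence of further redirects.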

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:33 PM

Posted 12 October 2010 - 04:12 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw