Unknown Rootkit (aka Google Re Direct)


#1 jfertic
Posted 20 October 2010 - 12:08 PM

Thanks for taking the time to read my post!

HP dv6648 Pavilion Notebook PC, 4GB RAM, 224HD
Windows Vista w/ Service Pack 2
Firefox 3.6.10


Starting about two weeks ago, Firefox 3.6.10 started redirecting the browser during Google searches to sites like:

Tanzinga.com
Digiforest.com/ search.php
Mydealmatch.com
Mountolivenc.com/search.php

And many more. I used an add-on for Firefox to block the sites as they appeared. They seem to appear in a loop, because after restarting they come up in the same order as before.

I also noticed a couple of things happening to my computer right before a redirect:

1. All the desktop icons go white and then slowly return to normal.
2. The display features change on my browser, Windows Explorer, Thunderbird, Photoshop, i.e. they change from Vista Classic to something like old Windows 98 256. All the smooth Windows display features are gone.
3. Firefox's speed slows down.
4. It does not appear to start immediately when I log on to the net. It will usually start within 30 minutes or so.


Things I have done to stop or remove the rootkit:

1. Enabled Windows Firewall
2. Downloaded, updated and ran Malwarebytes. Nothing.
3. Downloaded and ran TDSSKiller. Nothing.
4. Downloaded and ran Stinger 100186. Nothing.
5. Configured NoScript to block scripts. It got around it.
6. Downloaded, updated, and ran Stopzilla. Nothing.
7. Downloaded AVG Free, updated, and ran. Nothing.

Today, I followed the directions in the Prep Guide for requesting help. I downloaded and ran Defogger, DDS, and GMER. You will find the DDS Attach zipped to this post along with the GMER log, also zipped. Below you will find the DDS text log. I also have PROEXP running on this computer and can send a screenshot of the processes running at the time of a redirect if you think it might help. Just let me know.

Here is the DDS TXT:


DDS (Ver_10-10-10.03) - NTFSx86
Run by John Fertic at 11:44:02.73 on Wed 10/20/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1911 [GMT -4:00]

SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\ASTSRV.EXE
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\lxdwcoms.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\nlssrv32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Users\John Fertic\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.google.com
mStart Page = hxxp://home.sweetim.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: {80E5D0A8-0251-464F-BDF0-4D776AA53D18} = 204.95.160.2,65.32.5.111
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\johnfe~1\appdata\roaming\mozilla\firefox\profiles\49qnd1fu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - search.google.com
FF - prefs.js: network.proxy.http - fe80::35ec:7dc:7aee:63ab%9
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\john fertic\appdata\roaming\mozilla\firefox\profiles\49qnd1fu.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\john fertic\appdata\roaming\mozilla\firefox\profiles\49qnd1fu.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\users\john fertic\appdata\roaming\mozilla\firefox\profiles\49qnd1fu.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\users\john fertic\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-30 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-30 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-30 243024]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 MSSQL$CMJ;SQL Server (CMJ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-3-11 63488]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-10-18 582992]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-10-18 206608]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2008-5-16 98984]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-26 21504]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-10-11 27192]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-10-18 206608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-20 13:08:59 388096 ----a-r- c:\users\johnfe~1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-19 02:36:45 -------- dc-h--w- c:\progra~2\{13795121-80CF-4D45-9175-8FD79D18EF7E}
2010-10-19 02:36:21 -------- d-----w- c:\users\johnfe~1\appdata\local\PackageAware
2010-10-19 00:39:30 -------- d-----w- c:\program files\STOPzilla!
2010-10-18 19:05:34 -------- d-----w- c:\program files\Sophos
2010-10-18 18:53:58 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-10-18 18:53:58 -------- d-----w- c:\program files\Trend Micro
2010-10-18 17:53:02 -------- d-----w- c:\users\johnfe~1\appdata\local\temp
2010-10-18 17:50:47 -------- d-----w- C:\$RECYCLE.BIN
2010-10-12 02:23:03 -------- d-----w- c:\users\johnfe~1\appdata\local\VS Revo Group
2010-10-12 02:23:01 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-10-08 20:04:32 -------- d-----w- c:\program files\PhotomatixPro4
2010-10-07 14:05:19 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2010-10-07 14:04:44 95672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-10-06 00:24:26 -------- d-----w- C:\Lotto Buster
2010-10-04 21:33:56 545 ----a-w- c:\windows\UC.PIF
2010-10-04 21:33:56 545 ----a-w- c:\windows\RAR.PIF
2010-10-04 21:33:56 545 ----a-w- c:\windows\PKZIP.PIF
2010-10-04 21:33:56 545 ----a-w- c:\windows\NOCLOSE.PIF
2010-10-04 21:33:56 545 ----a-w- c:\windows\ARJ.PIF
2010-10-04 21:33:56 2857 ----a-w- c:\windows\PKUNZIP.PIF
2010-10-04 21:33:56 2857 ----a-w- c:\windows\LHA.PIF
2010-10-04 21:33:56 -------- d-----w- c:\users\johnfe~1\appdata\roaming\GHISLER
2010-10-04 21:33:56 -------- d-----w- C:\totalcmd
2010-10-02 00:48:17 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-23 20:54:15 -------- d-----w- c:\program files\PhotoByte® v5.2
2010-09-23 17:53:52 -------- d-----w- c:\program files\Microsoft SQL Server

==================== Find3M ====================

2010-09-29 22:43:31 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-31 02:14:52 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-22 16:05:24 156160 --sha-r- c:\windows\system32\msdtctmm.dll
2009-07-07 22:12:01 245408 ----a-w- c:\program files\unicows.dll
2009-07-07 22:12:01 1822520 ----a-w- c:\program files\instmsiw.exe

============= FINISH: 11:45:13.04 ===============


Again, thanks for taking the time to read my post! And I really do appreciate any help I can get with this rootkit!

jfertic

John Fertic
Tampa, FL.
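The DDS log above contains exactly the records a search-redirect infection tends to tamper with: the Internet Explorer ProxyServer entry, Firefox's network.proxy.* preferences, the DNS servers on the TCP: line, AppInit_DLLs, and the EnableLUA policy. As an added example that is not part of the original post or of the DDS tool, here is a small Python triage script that pulls those records out of a DDS text log and returns them for review. The sample input is copied from the log above; the output is a list of things to check, not a determination that any entry is malicious (the DNS servers, for instance, need to be compared with what the ISP actually hands out).

```python
import re
from typing import Dict, List

# Lines copied from the DDS log posted above (Pseudo HJT Report and FIREFOX
# sections), used here as the sample input for the triage function.
SAMPLE_DDS_LOG = """\
uStart Page = hxxp://search.google.com
mStart Page = hxxp://home.sweetim.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\\program files\\hp\\smart web printing\\hpswp_framework.dll
TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File
mPolicies-system: EnableLUA = 0 (0x0)
TCP: {80E5D0A8-0251-464F-BDF0-4D776AA53D18} = 204.95.160.2,65.32.5.111
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\\windows\\system32\\avgrsstx.dll
FF - prefs.js: network.proxy.http - fe80::35ec:7dc:7aee:63ab%9
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 4
"""

# Meaning of Firefox's network.proxy.type values. Manual host/port prefs only
# take effect when the type is 1; with any other type they are inert residue,
# but residue that still deserves to be cleared.
FF_PROXY_TYPE = {0: "direct", 1: "manual", 2: "PAC URL",
                 4: "auto-detect (WPAD)", 5: "system"}


def parse_dds(text: str) -> Dict[str, List[str]]:
    """Group the DDS record types relevant to a redirect investigation."""
    rec: Dict[str, List[str]] = {"ie_proxy": [], "orphaned": [], "policies": [],
                                 "dns": [], "appinit": [], "ff_pref": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"[um]Internet Settings,ProxyServer\s*=", line):
            rec["ie_proxy"].append(line.split("=", 1)[1].strip())
        elif re.match(r"(BHO|TB):.*- No File$", line):
            rec["orphaned"].append(line)
        elif line.startswith(("mPolicies-", "uPolicies-")):
            rec["policies"].append(line)
        elif line.startswith("TCP:"):
            # DDS prints the DNS servers configured for an interface GUID after '='.
            rec["dns"].extend(ip.strip() for ip in line.split("=", 1)[1].split(","))
        elif line.startswith("AppInit_DLLs:"):
            rec["appinit"].append(line.split(":", 1)[1].strip())
        elif line.startswith("FF - prefs.js: network.proxy."):
            rec["ff_pref"].append(line[len("FF - prefs.js: "):])
    return rec


def triage(text: str) -> Dict[str, object]:
    """Return the settings a reviewer should verify before blaming a rootkit."""
    rec = parse_dds(text)
    findings: Dict[str, object] = {}

    if rec["ie_proxy"]:
        # Any WinINet proxy on a home machine is worth explaining.
        findings["ie_proxy"] = rec["ie_proxy"]

    ff = {}
    for pref in rec["ff_pref"]:
        name, _, value = pref.partition(" - ")
        ff[name.strip()] = value.strip()
    ptype_raw = ff.get("network.proxy.type")
    ptype = int(ptype_raw) if ptype_raw is not None and ptype_raw.isdigit() else None
    manual = {k: v for k, v in ff.items() if k != "network.proxy.type"}
    if ptype in (1, 2, 4) or manual:
        findings["ff_proxy"] = {"type": FF_PROXY_TYPE.get(ptype, ptype_raw),
                                "manual_entries": manual}

    if rec["dns"]:
        # Compare against the ISP's published resolvers; DDS cannot tell you.
        findings["dns_servers"] = sorted(set(rec["dns"]))
    if rec["appinit"]:
        # AppInit_DLLs are loaded into every user-mode process; identify each one.
        findings["appinit_dlls"] = rec["appinit"]
    findings["uac_disabled"] = any(re.search(r"EnableLUA\s*=\s*0\b", p)
                                   for p in rec["policies"])
    # Orphaned BHO/toolbar entries are cleanup noise, not an infection by themselves.
    findings["orphaned_count"] = len(rec["orphaned"])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted log this reports a WinINet proxy of 0.0.0.0:80, Firefox in auto-detect (WPAD) mode with stale manual proxy hosts on ports 8080 and 3128, UAC disabled, one AppInit DLL (the AVG resident shield stub) and two DNS servers to verify with the ISP. None of these is proof of a rootkit, but each is a place where a redirect can be injected without any kernel-mode component, so they are the first things to reset or confirm before running further rootkit scanners.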

#2 jfertic
Posted 21 October 2010 - 09:05 AM

Disregard. I figured it out this morning.

Thanks for taking the time!

John Fertic
Tampa, FL.
