Infected with Google redirector malware

  • This topic is locked
5 replies to this topic

#1 VVC


  • Members
  • 4 posts
  • Local time:10:51 AM

Posted 21 December 2010 - 06:27 AM

Recent Google searches have been redirecting me to other sites. Thought it was a Google issue at first, but after searching elsewhere for more details on "infomash" (one of the sites I was redirected to) I came upon this site and learned it was likely my computer was infected. Seems many others have registered similar complaints and you've helped 'em. Hoping you can do the same for me. :)

DDS (Ver_10-12-12.02) - NTFSx86
Run by staff at 5:17:02.45 on Tue 12/21/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.253.130 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\staff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [DtxQuickLaunch.exe] c:\program files\dentrix\DtxQuickLaunch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [LibUserspl] rundll32.exe "c:\documents and settings\staff\local settings\application data\nsauthenticationapi\LibUserspl.dll",eventGLaudio AppPadVdm
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [<NO NAME>]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

S2 SAR3KLDR;AFP Imaging SAR3K-USB Root Device Driver (sar3kldr.sys);c:\windows\system32\drivers\sar3kldr.sys --> c:\windows\system32\drivers\sar3kldr.sys [?]
S2 SAR3KUSB;AFP Imaging SAR3K-USB Driver (sar3kusb.sys);c:\windows\system32\drivers\sar3kusb.sys --> c:\windows\system32\drivers\sar3kusb.sys [?]

=============== Created Last 30 ================

2010-12-14 17:41:27 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-14 17:41:24 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-14 17:41:20 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-12-14 17:41:16 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-14 17:41:12 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-14 17:39:58 11935 -c--a-w- c:\windows\system32\dllcache\wadv11nt.sys
2010-12-14 17:38:59 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2010-12-14 17:37:57 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-12-14 17:36:59 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-12-14 17:35:57 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2010-12-14 17:34:58 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys
2010-12-14 17:33:59 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2010-12-14 17:32:56 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-12-14 17:31:56 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-12-14 17:30:59 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-12-14 17:29:59 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2010-12-14 17:28:55 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-12-14 17:27:59 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2010-12-14 17:26:57 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-12-14 17:25:57 4992 -c--a-w- c:\windows\system32\dllcache\loop.sys
2010-12-14 17:24:58 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-12-14 17:23:58 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2010-12-14 17:22:58 19456 -c--a-w- c:\windows\system32\dllcache\hr1w.dll
2010-12-14 17:21:59 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys
2010-12-14 17:20:58 43008 -c--a-w- c:\windows\system32\dllcache\esucm.dll
2010-12-14 17:19:56 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-12-14 17:18:59 117760 -c--a-w- c:\windows\system32\dllcache\d100ib5.sys
2010-12-14 17:17:59 74240 -c--a-w- c:\windows\system32\dllcache\camexo20.dll
2010-12-14 17:16:59 73216 -c--a-w- c:\windows\system32\dllcache\atintuxx.sys
2010-12-14 17:15:29 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-12-12 15:22:08 -------- d-----w- c:\windows\system32\LogFiles
2010-12-07 20:08:28 -------- d-----w- c:\docume~1\staff\locals~1\applic~1\nsAuthenticationapi
2010-12-05 05:56:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-05 05:56:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-25 17:04:54 244024 ----a-w- c:\windows\system32\MsFlxGrd.ocx
2010-11-25 17:04:43 126976 ----a-w- c:\windows\system32\ovsBooleanControls.ocx

==================== Find3M ====================

2010-10-18 00:20:57 1409 ----a-w- c:\windows\QTFont.for

============= FINISH: 5:17:50.89 ===============



#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:51 PM

Posted 21 December 2010 - 04:04 PM

Good evening. :)

There are a number of issues that I have with your PC that unfortunately render the existing installation of Windows somewhat terminal, I'm afraid.

Your log shows neither entries for an anti-virus nor a third-party software firewall. In fact the only piece of security software I can see is Spybot - Search & Destroy, which is nowhere near sufficient.
Given the lack of basic security programs onboard and the amount of time that this has probably been the case, the best suggestion I can offer is to back up any important files and then reformat and reinstall Windows.
It is going to be impossible to guarantee a clean computer at the end of the removal process, which makes it something of a non-starter in the first place. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems.
You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, I'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc... changed - obviously not using this PC!

Next, both Adobe Reader 6.0 and Java 2 Runtime Environment, SE v1.4.2 are seriously out of date. Both programs have had security holes that have been patched in later versions, which unfortunately you don't have.

Penultimately, your PC doesn't have Service Pack 3 installed. Windows is regularly targeted by malware writers and not having the latest updates is another risk to your PC's security.

Finally, your installation of Windows has been online for a very long time - since 10/28/2005 apparently. Windows slows down over time simply due to installations/uninstallations and the normal Windows update process, and a reformat and reinstall is the only real solution to that situation - I do mine every twelve months or so.

While I can provide you with links to free security software to keep your machine clean, it is limited in these sorts of circumstances in what can be achieved and I repeat that my best advice is to back up any important files and then reformat and reinstall Windows and start afresh.

If you have any questions, please ask them.

So long, and thanks for all the fish.



#3 VVC

  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:51 AM

Posted 21 December 2010 - 10:38 PM

Reinstalled Windows as advised. A whole host of new issues have come up. First and most notably, I was unable to change the screen resolution. Google search leads me to believe that running Windows Update will solve this issue. However, the computer is also unable to connect to the internet. Attempts to repair the LAN connection say it "failed to query TCP/IP settings". Again, this appears to be fixable with an update, but being unable to connect to the internet makes this rather difficult.

Any help or advice you can provide would be greatly appreciated. I'm at a loss as to how to proceed. Thanks in advance.

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:51 PM

Posted 22 December 2010 - 03:17 PM

Good evening. :)

My best advice is to start a fresh thread here and somebody better able to help will be along as soon as they can - it's where the Windows geeks hang out.

So long, and thanks for all the fish.



#5 VVC

  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:51 AM

Posted 22 December 2010 - 03:25 PM

Okay, thanks.

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:03:51 PM

Posted 23 December 2010 - 03:18 PM

As this issue appears to have been resolved, at least as far as malware is concerned, this thread is now closed.

So long, and thanks for all the fish.


