
Frequent Google redirects


15 replies to this topic

#1 haggggler

haggggler

  • Members
  • 10 posts

Posted 12 February 2011 - 01:13 PM

The machine had several unknown issues and a combination of the following seemed to have cleaned the machine:

1) turned off System restore
2) rebooted to AVG Rescue disk, then scanned, deleted and rebooted
3) installed Malwarebytes and ran full scan, reported clean scan
4) ran full scan with MS security essentials, report was clean

The OS is winXP pro, the redirects aren't every time or to the same domains. Some examples are toseeka, grooveswish and thenewcar. I've run DDS with the following results, but GMER would not run correctly. It would start and then lock up scanning a random file.



DDS (Ver_10-12-12.02) - NTFSx86
Run by User3 at 11:02:55.39 on Sat 02/12/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1426 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DSpro\Programs\ERIElink.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Documents and Settings\User3\Desktop\Bleeping\dds\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ERIElink] c:\dspro\programs\ERIElink.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\user3\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274822808937
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl3c3fd226;MpKsl3c3fd226;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65cba24b-8378-41e1-881b-cc4cddf25d9d}\MpKsl3c3fd226.sys [2011-2-12 28752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-15 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2011-02-12 15:46:41 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{65cba24b-8378-41e1-881b-cc4cddf25d9d}\MpKsl3c3fd226.sys
2011-02-11 14:18:26 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{65cba24b-8378-41e1-881b-cc4cddf25d9d}\mpengine.dll
2011-02-10 21:37:18 -------- d-----w- c:\docume~1\user3\applic~1\Malwarebytes
2011-02-10 21:37:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-10 21:37:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-10 21:36:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 21:36:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-10 20:36:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-02-10 20:35:58 -------- d-----w- c:\program files\McAfee Security Scan
2011-02-10 20:33:11 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-02-10 20:33:06 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-10 19:09:49 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-10 19:09:49 -------- d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos(2).dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

============= FINISH: 11:03:33.50 ===============


Thank you in Advance

Attached Files


Edited by haggggler, 12 February 2011 - 01:18 PM.



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 February 2011 - 04:14 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.



#3 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 12 February 2011 - 05:22 PM

One found... saw that in the DDS report, but thought it wise to wait for your direction. Especially since I think there may be some other things going on. Most web pages are giving me either a "please install Flash or Java" warning bar?


I humbly await your advice and thank you for the help.

C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 February 2011 - 06:37 PM

Go to Start >> Run..., enter cmd and click OK.
Copy and paste the following into the Command Window that opens and hit <ENTER>:

attrib %SystemRoot%\system32\drivers\etc\HOSTS >> "%userprofile%\desktop\hostsfile.txt"
I'd like a copy of the file hostsfile.txt that should appear on your Desktop - you can close the Command Window once you've found the text file.

So long, and thanks for all the fish.



#5 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2011 - 11:39 AM

Sorry for the late response. I'm at work now, so I'll be watching this most of the day.

Attached Files



#6 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2011 - 11:47 AM

On a related note, when I selected the Add Reply button I was forwarded to:

hxxp://www.guitarresources.net/mask.php?q=Frequent+Google+redirects+The+machine+had+serveral+unknown+issues+combination+following+seemed+have+cleaned+turned+off+System+restore+rebooted+AVG+Rescue&xrid=0430831715670418529&resultid=0&maskurl=http%3A%2F%2Fwww.guitarresources.net%2Fartist_F%2Ffury_in_the_slaughterhouse_guitar_tabs%2Fspit_into_the_fire_guitar_tabs.html

AND then to:

hxxp://www.guitarresources.net/artist_F/fury_in_the_slaughterhouse_guitar_tabs/spit_into_the_fire_guitar_tabs.html

And finally to this

hxxp://server2.mediajmp.com/surveys/cpv-index.html?sub=bleepingcomputer.com&aid=361

This was a survey claiming to be from bleepingcomputer. Pretty devious.

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 February 2011 - 03:41 PM

Good evening. :)

This is somewhat experimental, but not in a bad way - it will either work, or it won't! Yours is the second case of this general issue that I've seen in the last couple of days and I'm not on top of it yet. All being well this is a simple nasty and we won't have to get mad with the PC. :whistle:


Open a Command Window as before and copy and paste the following into it:

attrib -r -a -s -h %SystemRoot%\system32\drivers\etc\HOSTS

Hit <ENTER> and then work through the following:

Download HostsXpert by FunkyToad from here and save it to your Desktop.

You will need to extract the file(s):
Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see the HostsXpert folder - open it and double click HostsXpert.exe
  • In the top left hand corner of the new window, ensure that the button says "Make ReadOnly?"
    If it says "Make Writable?", click it and it should change to the above.
  • Click on Restore MS Hosts File.
  • In the confirmation window, click on OK.
  • Finally, click the button mentioned above to make it read "Make Writable?".

Let me know how you get on.

So long, and thanks for all the fish.



#8 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2011 - 03:50 PM

And a fine Good evening to you,

When I attempt to run the command I receive an "Access Denied" error:

C:\Documents and Settings\User3>attrib -r -a -s -h %SystemRoot%\system32\drivers
\etc\HOSTS
Access denied - C:\WINDOWS\system32\drivers\etc\hosts

C:\Documents and Settings\User3>
C:\Documents and Settings\User3>

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 February 2011 - 04:11 PM

I had the feeling you weren't going to play nicely! <_< OK, open yet another Command Window and run the following:

cacls %SystemRoot%\system32\drivers\etc\HOSTS > "%userprofile%\desktop\hostsfile.txt"
I'll have the contents of the text file, as usual.

So long, and thanks for all the fish.



#10 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2011 - 04:14 PM

here ya go

Attached Files



#11 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2011 - 05:10 PM

Noviciate

I hope I haven't stepped too far out of bounds. I saw where you were going with the hosts file and edited out over 100 additions leading to two IP addresses. 74.125.45.100 was for a bunch of fake anti-virus sites and 64.46.36.163 was for multiple search engine re-directs. localhost is all that remains.

Again, I hope I haven't jumped a step. I wanted to go home for the day and I just know the secretary would have a fit if she couldn't work tomorrow morning. I did save the original hosts file and would like to ask if you would help me verify nothing else is hokey on this machine. Thank you VERY much for all your help so far, I'm not sure if I would have ever looked at the hosts file. You saved my bacon.

I ran CACLS again, here is a copy of the latest. Please advise.

Attached Files


Edited by haggggler, 13 February 2011 - 05:14 PM.


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 February 2011 - 05:16 PM

Out of interest, what did you do... run cacls to gain rights to the file?

So long, and thanks for all the fish.



#13 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 13 February 2011 - 05:23 PM

I thought about that but didn't fully understand the command so I didn't want to do anything I couldn't easily change back. Access was denied to the hosts file for delete, rename or overwrite, so:

I rebooted to safe mode and saved a copy of the hosts file to the desktop.
Renamed the bad hosts file to hosts.bak
Then edited the copy and moved it back to C:\WINDOWS\system32\drivers\etc

Edited by haggggler, 13 February 2011 - 05:27 PM.
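The Hosts entries in the DDS log in post #1 and the manual clean-up haggggler describes in post #13 are two views of the same job: recognise mapping lines that send hostnames to a public address, then rebuild the file without them after taking a backup. The script below is an added example, not code from this thread, from DDS or from HostsXpert. It assumes Python 3 and works on a constructed sample hosts file; the two IPs and the fake anti-virus domain names are the ones quoted in the thread, while the search-engine hostnames listed under 64.46.36.163 are constructed, since the thread does not name them.

```python
"""Audit a Windows HOSTS file for hijack entries and write a cleaned copy.

Added example; it is not code from the thread, from DDS or from HostsXpert.
The sample data below is constructed, using only the IPs and the fake-AV
domain names that the thread itself quotes (search-engine names are made up).
"""
import ipaddress
from pathlib import Path

# Constructed excerpt in the format DDS uses for its Hosts section (post #1).
DDS_EXCERPT = """\
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
"""

# Constructed hosts file modelled on what the thread describes: the default
# Microsoft header and localhost line, plus hijack entries for two IPs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
74.125.45.100   4-open-davinci.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   privatesecuredpayments.com
74.125.45.100   secure.privatesecuredpayments.com
74.125.45.100   getantivirusplusnow.com
64.46.36.163    www.google.com      # search-engine redirect (constructed names)
64.46.36.163    www.bing.com
64.46.36.163    search.yahoo.com
"""


def hosts_from_dds(report):
    """Turn the 'Hosts: <ip> <name>' lines of a DDS report into hosts-file text."""
    prefix = "Hosts: "
    lines = [ln[len(prefix):].strip() for ln in report.splitlines() if ln.startswith(prefix)]
    return "\n".join(lines) + "\n"


def parse_hosts(text):
    """Yield (ip, [hostnames], raw_line) per mapping line; skip comments, blanks, malformed lines."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not body:
            continue
        parts = body.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not an address: leave the line alone
        yield ip, parts[1:], raw


def audit_hosts(text):
    """Return {ip: [hostnames]} for mappings that point at a public address.

    Loopback (127.x, ::1), the 0.0.0.0 'blackhole' convention and private
    ranges are what a benign hosts file contains; names routed to a public IP
    are the Qhost-style pattern in the thread (many names -> one external IP).
    """
    findings = {}
    for ip, names, _ in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified or not ip.is_global:
            continue
        findings.setdefault(str(ip), []).extend(names)
    return findings


def clean_hosts(text, bad_ips):
    """Drop mapping lines whose address is in bad_ips; keep every other line verbatim."""
    kept, removed = [], []
    flagged = set(bad_ips)
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if body and body[0] in flagged:
            removed.append(raw)
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n", removed


def rebuild_hosts_file(path):
    """Back up the live file as hosts.bak, then write the cleaned copy (what post #13 did by hand).

    Returns the audit findings; writes nothing if no public-IP mappings exist.
    It does not clear read-only/system/hidden attributes or ACL denies, so the
    attrib/cacls (or safe-mode) steps from the thread may still be needed first.
    """
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = audit_hosts(text)
    if not findings:
        return findings
    path.with_name(path.name + ".bak").write_text(text, encoding="utf-8")
    cleaned, _ = clean_hosts(text, findings)
    path.write_text(cleaned, encoding="utf-8")
    return findings


if __name__ == "__main__":
    for ip, names in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} hostname(s) -> {', '.join(names)}")
    print("From DDS excerpt:", audit_hosts(hosts_from_dds(DDS_EXCERPT)))
```

Review the findings before calling `rebuild_hosts_file` on a real machine: a hosts file can legitimately carry a public address for a local reason (a developer override, for instance), and the audit only tells you which lines deserve a look. Because the function writes `hosts.bak` before touching the original, the same "keep the bad file, rebuild a clean one" recovery haggggler used remains possible if anything needs to be put back.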


#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 14 February 2011 - 02:22 PM

Good evening. :)

Given that nothing has shown on the scans that you've run, it may be that the Hosts hijack was the only issue on your machine.
Run the PC for 24 hours, rebooting at least once, and then let me have a fresh DDS log and description of the PC's behaviour and we'll take it from there.

So long, and thanks for all the fish.



#15 haggggler

haggggler
  • Topic Starter

  • Members
  • 10 posts

Posted 14 February 2011 - 02:48 PM

Will do and thank you. I was a bit worried that I had offended you by jumping forward, this of course would be the last thing I would want to happen. I also understand the need to follow instructions to the letter, I have a lot of people in the store that make my work far more difficult than it needs to be.

Again, thank you for your understanding and continued help. I look forward to helping other bleeping members as well.

</excessive+apology>
