Google Redirect in IE, Firefox, Chrome


This topic is locked. 2 replies to this topic.

#1 MZXG

  • Members
  • 2 posts

Posted 26 May 2011 - 03:26 PM

I've been perusing the forums here looking for a solution to this so I wouldn't have to ask something that's already been answered, but I'm out of options at this point. I've run Ad-Aware, MBAM, and Hitman (no luck anywhere), and HijackThis/DDS isn't popping anything out to me as strange. Hopefully you guys can see something I don't. The problem is that whenever I click on a link on a Google search result page, I get redirected to a redirect farm which offshoots my search to some other website (at random). The hover text on the link looks correct, and I have no proxy settings showing up in Chrome, IE, or FF. I've already cleared my DNS cache as well to look for poisoning, but there's nothing apparent. It appears the redirects are being passed through hxxp://64.111.211.154/c.php?[a bunch of php variables]

Here's the log from DDS, as requested by the prep instructions:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by MZXGiant at 16:23:53 on 2011-05-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.12279.9418 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\Trillian\trillian.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\MZXGiant\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\MZXGiant\Downloads\dds.scr
C:\Windows\SysWOW64\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office12\GR469A~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - C:\Program Files (x86)\NuSphere\PhpED\NuSphereIEBar.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
uRun: [DS3 Tool] C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe -mini
uRun: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s
uRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\Users\MZXGiant\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\MZXGiant\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\MZXGiant\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Trillian.lnk - C:\Program Files (x86)\Trillian\trillian.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: NuSphere PhpED :: Debug this page - C:\Program Files (x86)\NuSphere\PhpED\NuSphereIEBar.dll/1000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MIF5BA~1\Office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office12\GR469A~1.DLL
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: NuSphere ToolBar: {0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - C:\Program Files (x86)\NuSphere\PhpED\NuSphereIEBar64.dll
mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
mRun-x64: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
mRun-x64: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\MZXGiant\AppData\Roaming\Mozilla\Firefox\Profiles\7mbcclm0.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: C:\Users\MZXGiant\AppData\Local\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv91xx;mv91xx;C:\Windows\system32\DRIVERS\mv91xx.sys --> C:\Windows\system32\DRIVERS\mv91xx.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-2-23 363344]
S3 AccessGainDriver;AccessGainDriver;C:\Windows\system32\DRIVERS\accgain.sys --> C:\Windows\system32\DRIVERS\accgain.sys [?]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:\Windows\system32\Drivers\ssadadb.sys [?]
S3 DrvAgent64;DrvAgent64;C:\Windows\SysWOW64\drivers\DrvAgent64.SYS [2011-2-23 21712]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\3F81.tmp --> C:\Windows\system32\3F81.tmp [?]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-3-18 68440]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S3 wxpSvc;webcamXP Service;C:\Program Files (x86)\wLite\wService.exe [2010-4-28 5023232]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2011-05-26 19:56:48 -------- d-----w- C:\ComboFix
2011-05-26 19:38:05 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2011-05-26 18:51:13 98816 ----a-w- C:\Windows\sed.exe
2011-05-26 18:51:13 89088 ----a-w- C:\Windows\MBR.exe
2011-05-26 18:51:13 256512 ----a-w- C:\Windows\PEV.exe
2011-05-26 18:51:13 161792 ----a-w- C:\Windows\SWREG.exe
2011-05-26 18:39:08 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-05-26 17:39:21 6144 ------w- C:\Windows\System32\3F81.tmp
2011-05-26 17:39:01 6144 ------w- C:\Windows\System32\F3B1.tmp
2011-05-26 17:38:55 -------- d-----w- C:\Program Files (x86)\Sophos
2011-05-26 17:37:31 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-05-26 17:34:20 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-05-26 16:26:38 20040 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-05-26 16:26:38 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2011-05-26 16:26:15 -------- d-----w- C:\ProgramData\Hitman Pro
2011-05-26 14:15:10 274432 --sha-r- C:\Windows\SysWow64\mfAACEncc.dll
2011-05-25 01:10:43 -------- d-----w- C:\Users\MZXGiant\AppData\Local\uTorrent
2011-05-24 06:29:59 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A21904EC-01DF-4909-9EDA-A75F535499EF}\mpengine.dll
2011-05-23 18:21:18 -------- d-----w- C:\Users\MZXGiant\Tracing
2011-05-23 18:20:57 -------- d-----w- C:\ProgramData\Applications
2011-05-05 03:01:48 -------- d-----w- C:\SAE
2011-05-05 02:35:41 -------- d-----w- C:\Program Files\Red Gate
2011-05-04 21:14:41 -------- d-----w- C:\Users\MZXGiant\AppData\Roaming\Mumble
2011-05-04 21:14:28 -------- d-----w- C:\Program Files (x86)\Mumble
2011-05-04 03:52:07 -------- d-----w- C:\ProgramData\Bluebit Software
2011-05-04 03:52:07 -------- d-----w- C:\Program Files (x86)\Bluebit Software
2011-05-04 03:26:56 -------- d-----w- C:\Program Files (x86)\JetBrains
2011-05-04 03:18:16 -------- d-----w- C:\Users\MZXGiant\AppData\Roaming\SmartBear
2011-05-04 03:17:07 -------- d-----w- C:\Program Files (x86)\Aladdin
2011-05-04 03:16:43 -------- d-----w- C:\Users\MZXGiant\AppData\Local\SmartBear
2011-05-03 16:54:09 -------- d-----w- C:\ProgramData\dbg
2011-05-03 01:08:32 -------- d-----w- C:\Program Files (x86)\Valve
2011-05-02 16:40:40 3412856 ----a-w- C:\Windows\procexp.exe
2011-04-28 02:06:16 -------- d-----w- C:\Program Files (x86)\AMD APP
.
==================== Find3M ====================
.
2011-05-24 21:32:31 591872 ----a-w- C:\Windows\md5.exe
2011-04-17 17:57:48 14336 ----a-w- C:\Windows\diruse.exe
2011-04-14 01:59:14 59904 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2011-04-14 01:59:02 51712 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-04-14 01:58:46 12385280 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-04-06 04:11:44 9323520 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-04-06 02:29:18 22623232 ----a-w- C:\Windows\System32\atio6axx.dll
2011-04-06 02:09:50 61952 ----a-w- C:\Windows\System32\OVDecode64.dll
2011-04-06 02:09:34 53760 ----a-w- C:\Windows\System32\OpenCL.dll
2011-04-06 02:09:22 16116224 ----a-w- C:\Windows\System32\amdocl64.dll
2011-04-06 02:07:18 17469952 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-04-06 02:03:24 147456 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-04-06 02:03:14 671744 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-04-06 02:02:00 788480 ----a-w- C:\Windows\System32\aticfx64.dll
2011-04-06 01:59:32 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-04-06 01:59:24 480256 ----a-w- C:\Windows\System32\atieclxx.exe
2011-04-06 01:58:48 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-04-06 01:57:36 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-04-06 01:57:20 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-04-06 01:57:14 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-04-06 01:57:02 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-04-06 01:56:56 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-04-06 01:56:52 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-04-06 01:56:48 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-04-06 01:53:34 4307968 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-04-06 01:44:52 5086208 ----a-w- C:\Windows\System32\atidxx64.dll
2011-04-06 01:42:14 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-04-06 01:42:12 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-04-06 01:42:04 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-04-06 01:42:02 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-04-06 01:41:50 7467008 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-04-06 01:38:50 6098432 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-04-06 01:35:00 4256768 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-04-06 01:34:38 1208320 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-04-06 01:34:16 1912832 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-04-06 01:34:04 3421184 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-04-06 01:29:00 5408256 ----a-w- C:\Windows\System32\atiumd64.dll
2011-04-06 01:28:02 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-04-06 01:26:40 3631616 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-04-06 01:22:20 361984 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-04-06 01:22:12 258048 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-04-06 01:22:04 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-04-06 01:22:00 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-04-06 01:22:00 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-04-06 01:21:56 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-04-06 01:21:50 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-04-06 01:21:42 304128 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-04-06 01:20:58 40448 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-04-06 01:20:52 31232 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-04-06 01:20:46 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-04-06 01:20:38 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-04-06 01:20:04 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-04-06 01:13:22 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-04-06 01:13:22 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-04-06 01:13:16 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-04-06 01:13:16 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-03-27 20:33:58 230352 ----a-w- C:\Windows\System32\drivers\truecrypt.sys
2011-03-21 00:35:48 6144 ----a-w- C:\Windows\System32\drivers\accgain.sys
2011-03-06 02:54:20 4659712 ----a-w- C:\Windows\SysWow64\Redemption.dll
2011-03-06 02:54:19 770912 ----a-w- C:\Windows\SysWow64\Msfdbqp.dll
2011-03-06 02:54:19 511328 ----a-w- C:\Windows\SysWow64\Synchronization2.dll
2011-03-06 02:54:19 397152 ----a-w- C:\Windows\SysWow64\Msfdbse.dll
2011-03-06 02:54:19 253280 ----a-w- C:\Windows\SysWow64\MetaStore2.dll
2011-03-06 02:54:19 230240 ----a-w- C:\Windows\SysWow64\Msfdb.dll
2011-03-06 02:54:19 189792 ----a-w- C:\Windows\SysWow64\SimpleProviders2.dll
2011-03-06 02:54:19 171360 ----a-w- C:\Windows\SysWow64\FileSyncProvider2.dll
2011-03-06 02:54:19 156512 ----a-w- C:\Windows\SysWow64\FeedSync2.dll
2011-03-03 18:40:51 521448 ----a-w- C:\Windows\System32\deployJava1.dll
2011-02-27 15:33:01 254528 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2011-02-26 12:59:56 419840 ----a-w- C:\Windows\System32\systemcpl.dll
2011-02-26 12:59:56 14848 ----a-w- C:\Windows\System32\slwga.dll
2011-02-26 12:59:56 13824 ----a-w- C:\Windows\SysWow64\slwga.dll
.
============= FINISH: 16:24:02.95 ===============

Edited by SweetTech, 27 May 2011 - 01:49 PM.
deactivated live link.--ST.


#2 MZXG (Topic Starter)

  • Members
  • 2 posts

Posted 26 May 2011 - 11:31 PM

After spending another couple hours on this tonight, I think I got it.

It looks like it ended up being a Vundo variant -- one of the rundll32 processes was invoking a DLL that was named similarly to the mfAACenc.dll used to encode AAC audio (the virus name was mfAACencc.dll, and it was in System32 and SysWOW64) -- I killed those off and then found the seeming source of the infection, a hook that was placed in the Flash BHO for Chrome. Deleted that DLL and reinstalled Flash, and it looks like everything is working again. I'll give my system overnight, reboot in the morning, and see what comes of it.
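The two signals the poster used to spot the lookalike DLL (a file in System32/SysWOW64 carrying hidden+system attributes, and a name one character away from a legitimate Windows DLL) can be checked mechanically against a DDS "Created Last 30" / "Find3M" listing. The script below is an added example, not the poster's or BleepingComputer's code; the `KNOWN_GOOD` baseline of legitimate DLL names and the sample log excerpt are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the DDS listing format: date, time, size (dashes for a
# directory), an 8-character attribute column (d/s/h/a/r/w flags), then the path.
# "--sha-r-" means system + hidden + archive + read-only, as on the thread's entry.
SAMPLE_DDS = r"""
2011-05-26 17:37:31 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-05-26 17:34:20 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-05-26 14:15:10 274432 --sha-r- C:\Windows\SysWow64\mfAACEncc.dll
2011-05-02 16:40:40 3412856 ----a-w- C:\Windows\procexp.exe
"""

# Assumed baseline of legitimate DLL names (lower-case). A real deployment would
# build this from a clean reference install of the same Windows version.
KNOWN_GOOD = {"mfaacenc.dll", "kernel32.dll", "ntdll.dll", "user32.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([-dshraw]{8})\s+(.+?)\s*$"
)


def parse_dds_entries(text: str) -> List[Dict[str, str]]:
    """Parse DDS file-listing lines; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"when": m.group(1), "size": m.group(2),
                            "attrs": m.group(3), "path": m.group(4)})
    return entries


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the known-good name this file name imitates, or None."""
    lname = name.lower()
    if lname in KNOWN_GOOD:
        return None
    return next((g for g in KNOWN_GOOD if edit_distance(lname, g) == 1), None)


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag entries under System32/SysWOW64 that show either masquerading signal."""
    findings = []
    for e in entries:
        path, attrs = e["path"], e["attrs"]
        reasons = []
        if "d" not in attrs and "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes on a file")
        twin = lookalike_of(path.rsplit("\\", 1)[-1])
        if twin:
            reasons.append(f"name differs from {twin} by one character")
        if reasons and path.lower().startswith(SYSTEM_DIRS):
            findings.append({"path": path, "when": e["when"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_dds_entries(SAMPLE_DDS)):
        print(f["when"], f["path"], "; ".join(f["reasons"]))
```

The heuristic is a triage aid for reading a log, not a verdict: legitimate system files can carry the system+hidden attributes, so each hit still needs confirmation (publisher signature, hash lookup) before removal.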

#3 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 29 May 2011 - 05:00 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
