
Google Redirect virus


This topic is locked
2 replies to this topic

#1 crkirst


Posted 21 June 2011 - 02:40 PM

One of my computers is infected with the Google Redirect Virus and I'm unable to run TDSSKiller.exe no matter how I rename the file. I've run Malwarebytes and that has come up clean. I've also run ESET scanner and that found one item and removed it. I've attached the GMER and DDS logs. Thanks in advance.




.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by ksilence at 12:42:39 on 2011-06-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1434 [GMT -7:00]
.
AV: Trend Micro Security Agent *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Trend Micro\Security Agent\tmlisten.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.6.1106\6.6.1045\TmIEPlg.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: C&all - c:\program files\cisco systems\unified personal communicator\click to call\add-ins\internet-explorer\en\iecontextmenu-call.htm
IE: Call with &Edit... - c:\program files\cisco systems\unified personal communicator\click to call\add-ins\internet-explorer\en\iecontextmenu-edit-and-call.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: saksfifthavenue.com\www
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://kenco01.kencosales.com:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70752} - hxxps://kenco07.kencosales.com:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://kenco01.kencosales.com:4343/officescan/console/ClientInstall/setup.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://kenco01.kencosales.com:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211406976593
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://teamkenco.webex.com/client/T27L/webex/ieatgpc.cab
TCP: DhcpNameServer = 10.0.0.2 10.0.0.10
TCP: Interfaces\{8B5BB685-1C84-44F4-A468-99A3B0B0E10E} : DhcpNameServer = 10.0.0.2 10.0.0.10
TCP: Interfaces\{A400181F-E0DF-4927-9287-FBB056437E62} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{AB14BCA3-CAA0-4AFB-8B99-EFB8496D343C} : DhcpNameServer = 10.0.0.10 10.0.0.2
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.6.1106\6.6.1045\TmIEPlg.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\security agent\uiframework\ProToolbarIMRatingActiveX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-6-20 196320]
R2 Ndiscdp;Cisco CDP KMDF NDIS Protocol Driver;c:\windows\system32\drivers\Ndiscdp.sys [2011-6-2 22456]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-6-20 65296]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-5-22 88192]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-20 366640]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2010-1-7 114704]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
.
=============== Created Last 30 ================
.
2011-06-21 16:02:08 -------- d-----w- c:\program files\ESET
2011-06-21 15:27:12 -------- d-sha-r- C:\cmdcons
2011-06-21 15:24:55 98816 ----a-w- c:\windows\sed.exe
2011-06-21 15:24:55 518144 ----a-w- c:\windows\SWREG.exe
2011-06-21 15:24:55 256512 ----a-w- c:\windows\PEV.exe
2011-06-21 15:24:55 208896 ----a-w- c:\windows\MBR.exe
2011-06-20 22:16:19 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-06-20 22:16:13 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-06-20 22:16:13 65296 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-06-20 22:16:13 190736 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-06-20 21:48:09 -------- d-----w- c:\windows\pss
2011-06-20 20:17:57 -------- d-----w- c:\documents and settings\ksilence\application data\Malwarebytes
2011-06-20 20:17:50 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-20 20:17:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-20 20:17:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-15 15:52:47 551936 -c----w- c:\windows\system32\dllcache\oleaut32.dll
2011-06-15 15:52:44 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-09 16:40:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 21:05:29 -------- d-----w- c:\documents and settings\ksilence\local settings\application data\Cisco
2011-06-02 21:05:29 -------- d-----w- c:\documents and settings\ksilence\application data\Cisco
2011-06-02 21:04:18 42048 ----a-r- c:\windows\system32\ProtNotify.dll
2011-06-02 21:04:18 22456 ----a-r- c:\windows\system32\drivers\Ndiscdp.sys
2011-06-02 21:04:18 1419232 ----a-r- c:\windows\system32\wdfcoinstaller01005.dll
2011-06-02 21:03:05 -------- d-----w- c:\program files\common files\Cisco Systems
2011-06-02 21:03:05 -------- d-----w- c:\program files\Cisco Systems
2011-06-02 21:01:42 -------- d-----w- c:\documents and settings\ksilence\local settings\application data\Downloaded Installations
2011-05-23 18:13:09 -------- d-----w- c:\documents and settings\ksilence\application data\Catalina Marketing Corp
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 12:43:10.13 ===============



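As an added example (not part of this thread, and not code from the DDS tool), here is a small Python triage script that reads lines in the format of the "Pseudo HJT Report" above and flags the three things a responder checks first in a redirect case: BHO registrations whose DLL is gone, sites placed in the IE Trusted zone, and DHCP-assigned DNS servers outside the RFC 1918 private ranges. The sample lines are copied from the posted log; the interface GUID marked CONSTRUCTED and the TEST-NET address 203.0.113.5 are made up to exercise the resolver check.

```python
import ipaddress
import re

# Sample input: lines copied from the DDS "Pseudo HJT Report" posted in this
# thread, plus one constructed line (the CONSTRUCTED interface GUID and the
# TEST-NET address 203.0.113.5) to exercise the external-resolver check.
SAMPLE_REPORT = """\
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\\program files\\hp\\digital imaging\\smart web printing\\hpswp_printenhancer.dll
Trusted Zone: saksfifthavenue.com\\www
TCP: DhcpNameServer = 10.0.0.2 10.0.0.10
TCP: Interfaces\\{A400181F-E0DF-4927-9287-FBB056437E62} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\\{CONSTRUCTED-GUID-FOR-THIS-EXAMPLE} : DhcpNameServer = 203.0.113.5
"""

# RFC 1918 ranges: a DHCP-assigned resolver on a home or office LAN normally
# falls inside one of these. Anything else deserves a second look, because
# search-redirect malware commonly works by pointing the host at a rogue resolver.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
DNS_RE = re.compile(r"DhcpNameServer = (?P<servers>.*)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<site>.*)$")


def review_hjt(report: str) -> list:
    """Return (finding, detail) pairs for the entries of a DDS Pseudo HJT
    report that a reviewer would look at first; all other lines are ignored."""
    findings = []
    for line in report.splitlines():
        if m := BHO_RE.match(line):
            # CLSID still registered as a Browser Helper Object but its DLL is
            # missing: typically a leftover of removed software or a cleaned infection.
            if m["target"].strip().lower() == "no file":
                findings.append(("orphaned-bho", "{" + m["clsid"] + "}"))
        elif m := TZ_RE.match(line):
            # Sites in the IE Trusted zone run with relaxed security settings.
            findings.append(("trusted-zone", m["site"].strip()))
        elif m := DNS_RE.search(line):
            for server in m["servers"].split():
                addr = ipaddress.ip_address(server)
                if not any(addr in net for net in RFC1918):
                    findings.append(("external-dns", server))
    return findings


if __name__ == "__main__":
    for finding, detail in review_hjt(SAMPLE_REPORT):
        print(f"{finding:14} {detail}")
```

On the posted log itself only the orphaned BHO and the Trusted Zone entry are reported; all of the real DhcpNameServer values are private addresses, so the DNS settings shown there are not by themselves evidence of a hijack.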


#2 crkirst


Posted 22 June 2011 - 03:47 PM

I was able to fix this myself and get rid of the Volsnap.sys Rootkit infecting my laptop by installing Kaspersky Rescue Disk 10 to a USB flash drive and then booting to the USB drive. I followed the directions in the link below to create the bootable USB drive. Thanks.

http://support.kaspersky.com/viruses/rescuedisk/main?qid=208282163

#3 SweetTech


Posted 24 June 2011 - 12:12 PM

As this issue appears to be resolved, this thread will now be closed.

Thread Closed.

Kindest Regards,
SweetTech.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.




