Redirect Virus


  • This topic is locked This topic is locked
2 replies to this topic

#1 Bmahan (Members, 2 posts)

Posted 12 July 2011 - 06:51 PM

Hey all, I've gotten a bad case of the Google redirect virus and have been unable to clear it off of a machine which we'd like to keep intact. I've tried numerous AV scanners and have replaced atapi.sys with a fresh copy from my install disc, but have not been able to get any further along with it than when I had started. Here is the ComboFix log.

The infected file appears as Iexplore.exe and, if left running unchecked, will end up eating away nearly all of the available system resources.


ComboFix 11-07-12.09 - Administrator 07/12/2011 17:42:44.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2873 [GMT -5:00]
Running from: \\10.0.7.33\software\General\Antivirus_Internet Security_AntiSpam\ComboFix\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-12 22:14 . 2011-07-12 22:14 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA2842C0-ED72-4869-9B1B-C9FB1FF991AF}\MpKsl574e45e5.sys
2011-07-12 22:04 . 2008-04-14 05:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-07-12 22:04 . 2008-04-14 05:10 96512 ----a-w- C:\atapi.sys
2011-07-12 15:30 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-07-12 15:30 . 2011-07-12 15:30 -------- d-----w- c:\program files\Panda Security
2011-07-12 15:26 . 2011-07-12 15:26 -------- dc-h--w- c:\windows\ie8
2011-07-11 16:12 . 2011-06-20 13:57 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA2842C0-ED72-4869-9B1B-C9FB1FF991AF}\mpengine.dll
2011-07-11 16:10 . 2011-07-11 16:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-11 15:37 . 2011-07-11 17:52 -------- d-----w- c:\documents and settings\prieton\Tracing
2011-07-08 22:23 . 2011-05-25 00:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-08 20:55 . 2008-04-14 12:00 79872 -c--a-w- c:\windows\system32\dllcache\rwia001.dll
2011-07-08 20:54 . 2008-04-14 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0804.dll
2011-07-08 20:44 . 2011-07-08 21:08 559828 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-07-08 20:44 . 2008-04-14 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-07-08 20:44 . 2008-04-14 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-07-08 20:44 . 2008-04-14 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-07-08 20:44 . 2008-04-14 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-07-08 20:44 . 2008-04-14 12:00 16535 ----a-r- c:\windows\SET106.tmp
2011-07-08 20:44 . 2008-04-14 12:00 1088840 ----a-r- c:\windows\SETFA.tmp
2011-07-08 20:44 . 2008-04-14 12:00 1296669 ----a-r- c:\windows\SETF7.tmp
2011-07-08 20:01 . 2011-07-08 20:01 -------- d-----w- c:\documents and settings\prieton\Application Data\Malwarebytes
2011-07-08 19:15 . 2011-07-08 19:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-07-08 19:15 . 2011-07-08 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-08 19:15 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 19:15 . 2011-07-08 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 19:15 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 18:49 . 2011-07-12 15:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-07-08 15:37 . 2011-07-08 15:37 -------- d-----w- c:\windows\Dell
2011-06-22 18:24 . 2011-07-12 12:55 -------- d-----w- c:\program files\First Traders Option Suite
2011-06-22 18:24 . 2011-06-22 18:24 249856 ---h--w- c:\windows\Setup1.exe
2011-06-22 18:24 . 2011-06-22 18:24 73216 ---ha-w- c:\windows\ST6UNST.EXE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 12:56 . 2011-05-24 17:26 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-06 20:03 . 2011-05-20 18:16 209920 ---ha-w- c:\windows\system32\piaagent.exe
2011-04-18 18:18 . 2011-04-18 18:18 165648 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2010-9-1 745472]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 10:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-02-10 16:03 745472 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-10-30 20:05 77824 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-10-03 21:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-12 00:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSCRM]
2007-12-07 11:09 62488 ----a-w- c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-10-28 02:07 13578240 ---ha-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-12 00:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 03:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-12 01:58 1015808 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 14:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-21 02:12 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MsMpSvc"=2 (0x2)
"McComponentHostService"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mitel\\5550 IP\\JRE\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/12/2011 10:30 AM 28552]
R1 MpKsl574e45e5;MpKsl574e45e5;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA2842C0-ED72-4869-9B1B-C9FB1FF991AF}\MpKsl574e45e5.sys [7/12/2011 5:14 PM 28752]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 3:30 PM 79168]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2010 3:13 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2010 3:13 PM 136176]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL574E45E5
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-26 20:13]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-26 20:13]
.
2011-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3023888713-3644291814-2217478681-1925Core.job
- c:\documents and settings\prieton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-14 20:18]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3023888713-3644291814-2217478681-1925UA.job
- c:\documents and settings\prieton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-04-14 20:18]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4206718606-3976867038-756281305-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-12 15:00]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4206718606-3976867038-756281305-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-12 15:00]
.
2011-07-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.1.30 10.0.1.31
DPF: {395E58B9-090C-461A-8F27-087D1C727945} - hxxp://mitelya.mitel.com/joinie.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-JUaDAjhRvP - c:\documents and settings\All Users\Application Data\JUaDAjhRvP.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-12 18:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4206718606-3976867038-756281305-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,ef,cc,42,78,50,ef,43,8b,83,30,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,df,ef,cc,42,78,50,ef,43,8b,83,30,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(752)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-12 18:29:51
ComboFix-quarantined-files.txt 2011-07-12 23:29
.
Pre-Run: 62,565,265,408 bytes free
Post-Run: 63,438,819,328 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7790E1191879702E49E5A809E8266ED4

Edited by Bmahan, 13 July 2011 - 08:21 AM.
Moved to log forum. ~BZ


BC AdBot (Login to Remove)

 


#2 Bmahan

Bmahan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 14 July 2011 - 01:52 PM

Problem fixed

#3 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 14 July 2011 - 04:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
