
browser redirect: rootkit suspected


This topic is locked
8 replies to this topic

#1 notthecraw (Members, 36 posts)

Posted 14 July 2012 - 06:46 AM

It's back!

Hello,

I had this problem (different rootkit I'm sure) about three years ago and you guys helped me fix it with Combofix; see that thread here in case it helps: http://www.bleepingcomputer.com/forums/topic270906.html/page__p__1496437__fromsearch__1#entry1496437

Same type of thing. When I select a Yahoo! result out of the list, I get redirected to some medical site 90% of the time. Here is the current data as requested...

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_31
Run by daniel at 21:29:54 on 2012-07-13
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120625182103.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [Apple Computer] rundll32.exe "c:\documents and settings\daniel\local settings\application data\geckofx\apple computer\tvzjqlnhf.dll",CreateInstance
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector10\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector10" updatewithcreateonce "software\cyberlink\powerdirector\10.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
dRun: [Apple Computer] rundll32.exe "c:\documents and settings\daniel\local settings\application data\geckofx\apple computer\tvzjqlnhf.dll",CreateInstance
StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\hostmo~1.lnk - c:\program files\remote control pc\apc_host.exe
StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\OUTLOOK.EXE
StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla firefox\firefox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hostmo~1.lnk - c:\program files\remote control pc\apc_host.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: aol.com\free
Trusted Zone: intuit.com\ttlc
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233701022375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233792066875
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{62BFE6BB-936A-4FC8-8664-B8329E8C3A9F} : DhcpNameServer = 192.168.0.1 192.168.0.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\daniel\application data\mozilla\firefox\profiles\ze2wmrpd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30504&client_id=baa536c83e8888b86ec567c8&camp_id=3906&install_time=2012-05-11T16:05:28Z&pr=auto&tb_version=1.0.17000(G)&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\daniel\application data\mozilla\firefox\profiles\ze2wmrpd.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\progra~1\common~1\nero\browse~1\npBrowserPlugin.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-07-04 04:48:00 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-07-04 04:48:00 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-07-04 04:47:59 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2012-07-04 04:47:59 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2012-07-04 04:47:59 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2012-07-04 04:47:59 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2012-07-03 18:39:36 -------- d-----w- c:\documents and settings\all users\CyberLink
2012-07-03 00:48:40 -------- d-----w- c:\documents and settings\all users\application data\SmartSound Software Inc
2012-07-03 00:48:38 -------- d-----w- c:\program files\SmartSound Software
2012-06-26 01:21:02 29312 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
.
==================== Find3M ====================
.
2012-07-12 02:18:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 02:18:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39:54 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 17:12:03 21480 ----a-w- c:\windows\system32\mv2.dll
2012-05-11 17:12:03 11496 ----a-w- c:\windows\system32\drivers\mv2.sys
2012-05-04 13:16:13 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-04-23 14:46:47 1830912 ------w- c:\windows\system32\inetcpl.cpl
2012-04-23 14:46:47 17408 ----a-w- c:\windows\system32\corpol.dll
2012-04-19 03:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 03:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 21:35:36.12 ===============
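A small triage helper, added here as an example and not part of the original thread, that parses DDS "Pseudo HJT Report" lines like the ones above and flags what a responder would look at first: a rundll32 autorun loading a DLL from a user-writable profile directory (listed under both uRun and dRun), and a Firefox keyword.URL override that sends address-bar searches elsewhere. The sample input is copied from the posted log; the list of user-writable directories is an assumption for Windows XP layouts.

```python
import re

# Constructed sample: six lines copied from the DDS log posted above.
SAMPLE_LOG = r"""uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [Apple Computer] rundll32.exe "c:\documents and settings\daniel\local settings\application data\geckofx\apple computer\tvzjqlnhf.dll",CreateInstance
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [Apple Computer] rundll32.exe "c:\documents and settings\daniel\local settings\application data\geckofx\apple computer\tvzjqlnhf.dll",CreateInstance
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?src_id=30504&client_id=baa536c83e8888b86ec567c8&camp_id=3906&install_time=2012-05-11T16:05:28Z&pr=auto&tb_version=1.0.17000(G)&q=
"""

# DDS prefixes: u = current user (HKCU), m = machine (HKLM), d = default user hive.
RUN_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
PREF_RE = re.compile(r'^FF - prefs\.js: (?P<key>\S+) - (?P<val>.*)$')

# Assumed set of directories a standard XP user can write to. A DLL that
# rundll32 loads from one of these at logon deserves a closer look.
USER_WRITABLE = (
    '\\local settings\\application data\\',
    '\\application data\\',
    '\\local settings\\temp\\',
)


def parse_hjt(text):
    """Yield ('run', fields) or ('pref', fields) for recognised lines; skip the rest."""
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            yield 'run', m.groupdict()
            continue
        m = PREF_RE.match(line)
        if m:
            yield 'pref', m.groupdict()


def find_suspicious(text):
    """Return a list of (reason, detail) findings for a responder to triage first."""
    findings = []
    hives_by_cmd = {}
    for kind, f in parse_hjt(text):
        if kind == 'run':
            cmd = f['cmd'].lower()
            if 'rundll32' in cmd and any(d in cmd for d in USER_WRITABLE):
                findings.append(('rundll32 loads DLL from user-writable path',
                                 '%sRun [%s]' % (f['hive'], f['name'])))
            # The same command under several hives is a persistence pattern worth noting.
            hives_by_cmd.setdefault(f['cmd'], []).append(f['hive'])
        elif kind == 'pref' and f['key'] == 'keyword.URL':
            findings.append(('Firefox keyword.URL overridden (search redirection)', f['val']))
    for cmd, hives in hives_by_cmd.items():
        uniq = sorted(set(hives))
        if len(uniq) > 1:
            findings.append(('identical Run entry in several hives: ' + ','.join(uniq), cmd))
    return findings


if __name__ == '__main__':
    for reason, detail in find_suspicious(SAMPLE_LOG):
        print('%-55s %s' % (reason, detail))
```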


#2 M-K-D-B (Malware Response Team, 1,598 posts, Bavaria)

Posted 15 July 2012 - 10:32 AM

Hi notthecraw,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Regards,
M-K-D-B

#3 notthecraw (Topic Starter, Members, 36 posts)

Posted 15 July 2012 - 01:33 PM

Will do; thank you.

#4 notthecraw (Topic Starter, Members, 36 posts)

Posted 16 July 2012 - 12:08 AM

When it rains it pours. Several other issues have popped up. Sorry to add info here but I don't know if I should post a new topic or if you want to tag them onto this one.

0. Just a placeholder as the redirect is still my number one issue. The other issues are prioritized below.

1. Adobe Reader will not open. I uninstalled version 9 and installed version 10. No .pdf files are accessible. Windows Explorer shows a thumbnail of the file in a little window on the side but nothing will open nor will the Adobe program itself.

2. Sometimes browser (Firefox) will not open. Usually it will open after one reboot of the PC.

3. Every so often (20 minutes or so, guessing) with no browser even open, the audio of an ad will play. It's sort of like a pop up but nothing pops up except the audio. So far I don't think it's doing any damage, just annoying to all of a sudden hear about stock market news or an ad for a quit smoking patch or smart phone.

4. Desktop icons rearrange themselves into left-justified columns. Just annoying to have to search for icons that I used to know where they were. I move them to where I want them but the next time Windows starts up, they're back on the left side.

Edited by notthecraw, 16 July 2012 - 01:09 AM.


#5 M-K-D-B (Malware Response Team, 1,598 posts, Bavaria)

Posted 16 July 2012 - 10:34 AM

Hi notthecraw,

Welcome to BleepingComputer.

My name is M-K-D-B and I'll help you with the cleanup of your computer.

Please be aware of the following:
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 3 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

Backdoor Warning!
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
If you decide to clean your machine, please follow the instructions below.

Step 1
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

What you should post with your next answer:
  • the logfile from ComboFix.

Regards,
M-K-D-B

#6 notthecraw (Topic Starter, Members, 36 posts)

Posted 16 July 2012 - 11:41 AM

Thank you M-K-D-B. I have always avoided reformatting because I no longer have my Office 2007 SW. Looking on e-bay, I see that Office 2007 Pro is $150-$200 but Office 2010 Pro is ~$100. I like 2007 but maybe it's time to upgrade to 2010. However, I'm using XP Pro and am completely happy with that and don't want to upgrade to 7. Is there a reason to avoid Office 2010 if Office 2007 is available like there was a reason to avoid Vista when XP was still available?

#7 M-K-D-B (Malware Response Team, 1,598 posts, Bavaria)

Posted 16 July 2012 - 01:34 PM

Hi notthecraw,
Quoting your question:

Looking on e-bay, I see that Office 2007 Pro is $150-$200 but Office 2010 Pro is ~$100. I like 2007 but maybe it's time to upgrade to 2010. However, I'm using XP Pro and am completely happy with that and don't want to upgrade to 7. Is there a reason to avoid Office 2010 if Office 2007 is available like there was a reason to avoid Vista when XP was still available?

If I were you and wanted to avoid reformatting the machine because I had no Office 2007 SW, I would try to clean my computer.
To be honest, I don't see a reason why you should upgrade to Windows 7 or Office 2010 as you like Windows XP and Office 2007. I use Windows 7 + Office 2007 and I'm happy with both of them as well.
Just for your information: Windows XP will be supported until August 2014, Office 2007 until 2017.

Please let me know if my answer was helpful for you.
Moreover, please tell me if you want to clean your machine or not. :)
Regards,
M-K-D-B

#8 notthecraw (Topic Starter, Members, 36 posts)

Posted 16 July 2012 - 03:14 PM

Thank you. I am currently considering a complete reformat as the best solution. Feel free to close the case if you wish as I can always recontact you should I change my mind. Thanks very much for your help and advice.

~Dan

#9 myrti (Malware Study Hall Admin, 33,774 posts)

Posted 17 July 2012 - 04:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
