04-29-2009, 01:44 PM   #1
FreeFal311
Registered User
 
Join Date: Apr 2009
Posts: 9
OS: Windows XP


Google Redirect, Probably a Rootkit Issue

Hi,
I'm in need of help. I recently suffered a malware attack, and I think it left me with a rootkit that is hijacking IE and redirecting all of my Google search links. I've run 5 different anti-virus/anti-malware programs exhaustively, and they are all returning clean at this point. The programs I have run include:

1. Spybot Search and Destroy
2. Malwarebytes Anti-Malware
3. SuperAnti-Spyware
4. Adaware SE
5. AVG Free

I believe all are up to date (or close). At this point, my system appears stable, except that as soon as I open IE and begin browsing, my searches are redirected, and my system is reinfected with all sorts of malware that the programs above detect all over again. I've seen files such as protect.dll, autochk.dll, ChkDsk.dll, srda64.exe, /lowsec in my system32 folder, user32.ds (which I believe is a stolen data file?), etc. At one point, immediately after infection, I experienced a proliferation of random 456637823.EXE processes in Task Manager. I think my rundll32.exe file even showed up as a virus during an AVG scan. I deleted this file, replaced it with a copy from my Service Pack folders, and am currently experiencing no instability. Like I said, I think I've cleaned up many of these issues with my anti-virus and anti-malware programs alone. But I'm certain I have a low-level rootkit that is maintaining some degree of control over my system, and at this point, I could really use y'all's help removing it. My system is currently unplugged from my router, and I won't dare hook it up again or launch IE until y'all give me the "all ok." I'm operating from a laptop and have a USB key to transfer files/utilities.

Also note, I am able to use Firefox. It doesn't appear that Firefox has been hijacked.

The contents of my DDS file are as follows:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Matthew at 13:08:11.07 on Wed 04/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.486 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\AVG8\avgrsx.exe
C:\AVG8\avgnsx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\AVG8\avgemc.exe
C:\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\MXOALDR.EXE
C:\Maxtor\OneTouch\Utils\OneTouch.exe
C:\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\AVG8\avgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matthew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\quicktime\qttask.exe" -atboottime
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [MaxtorOneTouch] c:\maxtor\onetouch\utils\OneTouch.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [iTunesHelper] "c:\itunes\iTunesHelper.exe"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [AVG8_TRAY] c:\avg8\avgtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187475355340
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187476362093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
Filter: text/html - {e1475f08-2194-4545-8903-a49a49772d53} - c:\windows\system32\
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\avg8\avgpp.dll
Notify: !SASWinLogon - c:\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matthew\applic~1\mozilla\firefox\profiles\1avju18g.default\
FF - component: c:\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-18 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-11-11 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-18 108552]
R1 SASDIFSV;SASDIFSV;c:\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\avg8\avgemc.exe [2009-4-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\avg8\avgwdsvc.exe [2009-4-18 298264]
S2 qkpwczbr;Logical Disk Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-29 11:29 33,280 a------- c:\windows\system32\rundll32.exe
2009-04-29 11:29 33,280 a------- c:\windows\system32\dllcache\rundll32.exe
2009-04-29 11:23 69,632 a------- c:\windows\system32\dllcache\umaxu12.dll
2009-04-29 11:22 57,856 a------- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-29 11:21 132,695 a------- c:\windows\system32\dllcache\netwlan5.sys
2009-04-29 11:20 18,432 a------- c:\windows\system32\dllcache\jupiw.dll
2009-04-29 11:19 43,520 a------- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-29 11:18 248,064 a------- c:\windows\system32\dllcache\cl546xm.sys
2009-04-29 11:17 382,592 a------- c:\windows\system32\dllcache\atidrab.dll
2009-04-28 11:36 43,136 a------- c:\windows\system32\drivers\sbp2port.sys
2009-04-28 11:36 43,136 a------- c:\windows\system32\dllcache\sbp2port.sys
2009-04-28 00:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-28 00:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-27 23:29 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-27 22:36 <DIR> --d----- C:\SUPERAntiSpyware
2009-04-27 22:36 <DIR> --d----- c:\docume~1\matthew\applic~1\SUPERAntiSpyware.com
2009-04-27 21:44 388,608 a------- c:\windows\system32\CF24344.exe
2009-04-27 21:44 <DIR> --d----- C:\ComboFix
2009-04-27 20:27 <DIR> --d----- c:\docume~1\matthew\applic~1\Malwarebytes
2009-04-27 20:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-27 20:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 20:27 <DIR> --d----- C:\Malwarebytes' Anti-Malware
2009-04-27 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-26 21:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-26 20:23 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-26 20:23 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-26 20:23 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-26 20:23 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-26 18:59 <DIR> --d----- c:\windows\ERUNT
2009-04-26 18:53 <DIR> --d----- C:\SDFix
2009-04-18 15:16 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-18 13:09 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-18 13:09 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-18 13:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-18 13:09 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-18 13:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-18 13:08 <DIR> --d----- C:\AVG8

==================== Find3M ====================

2009-04-03 18:18 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-04-03 18:12 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-27 22:28 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-21 09:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-06 09:44 283,648 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 05:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:20 723,456 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:20 399,360 a------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 05:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:20 714,752 a------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 05:20 616,960 a------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 05:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:20 473,088 a------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 05:20 453,120 a------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 12:24 2,180,480 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 12:22 2,136,064 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:22 2,136,064 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 12:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:14 110,592 a------- c:\windows\system32\dllcache\services.exe
2009-02-06 11:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:54 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 11:49 2,057,728 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:49 2,015,744 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:49 2,015,744 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 11:39 227,840 a------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:08 55,808 a------- c:\windows\system32\secur32.dll
2009-02-03 15:08 55,808 a------- c:\windows\system32\dllcache\secur32.dll
2007-11-18 20:24 22,328 a------- c:\docume~1\matthew\applic~1\PnkBstrK.sys
2007-08-17 19:20 246 a------- c:\program files\common files\lavu
2007-08-17 18:37 6,473 ---sh--- c:\windows\system32\ybeeg.bak1

============= FINISH: 13:08:35.40 ===============

Thanks in advance for your help!
Attached Files: Attach.zip (6.0 KB)
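A triage script for logs like the one above, added here as an example and not part of the original post or of the DDS tool. It parses the DDS "Pseudo HJT" and "SERVICES / DRIVERS" line formats and applies two heuristics a responder would use on this log: a service whose short name is a consonant-only string (the `qkpwczbr` entry, whose listed image is the legitimate `svchost.exe -k netsvcs` host, so the 2002 date and size say nothing about the DLL the service actually loads), and a `Filter:` MIME handler whose target is a directory rather than a DLL (the `text/html` entry pointing at `c:\windows\system32\`). The sample input below is constructed from lines quoted from the log; the vowel-count threshold and the `Finding` structure are this example's own assumptions, not anything DDS defines.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in DDS format, taken from the log quoted in the post
# (service lines, a Filter line and a Handler line).
SAMPLE_DDS = r"""
Filter: text/html - {e1475f08-2194-4545-8903-a49a49772d53} - c:\windows\system32\
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\avg8\avgpp.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-18 325640]
R2 avg8wd;AVG Free8 WatchDog;c:\avg8\avgwdsvc.exe [2009-4-18 298264]
S2 qkpwczbr;Logical Disk Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [2009-3-23 7408]
"""

# "R1 name;display name;image path [date size]" (state R=running, S=stopped;
# digit = start type). The trailing [date size] block is optional.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)"
    r"(?:\s+\[(?P<date>\S+)\s+(?P<size>\d+)\])?\s*$"
)
# "Filter: mime/type - {CLSID} - path"
FILTER_RE = re.compile(
    r"^Filter:\s+(?P<mime>\S+)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.*?)\s*$"
)


@dataclass
class Finding:
    kind: str    # "service" or "mime-filter"
    item: str    # service short name or MIME type
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): a short name made only of
    lowercase letters with at most one vowel is unlike any name a vendor
    would choose and is typical of generated service names."""
    if not (6 <= len(name) <= 12) or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiouy" for c in name)
    return vowels <= 1


def triage_dds(text: str) -> List[Finding]:
    """Return findings for suspicious service and MIME-filter entries."""
    findings: List[Finding] = []
    for line in text.splitlines():
        svc = SERVICE_RE.match(line)
        if svc:
            name = svc["name"]
            hosted = "svchost" in svc["image"].lower()
            if looks_random(name):
                reason = "consonant-heavy generated-looking service name"
                if hosted:
                    # DDS lists the host binary, so date/size describe
                    # svchost.exe itself; the loaded DLL is in the
                    # service's Parameters\ServiceDll registry value.
                    reason += ("; hosted by svchost.exe, so the listed file "
                               "is the host, not the DLL the service loads")
                findings.append(Finding("service", name, reason))
            continue
        flt = FILTER_RE.match(line)
        if flt:
            path = flt["path"]
            # A MIME filter must name a DLL; a bare directory means the
            # real module name was hidden or stripped from the listing.
            if path.endswith(("\\", "/")) or not path.lower().endswith(".dll"):
                findings.append(Finding("mime-filter", flt["mime"],
                                        f"filter target is not a DLL file: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.kind}] {f.item}: {f.reason}")
```

On the affected machine the next fact to establish for a flagged svchost-hosted service is the DLL it loads, which DDS does not show: `reg query HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters /v ServiceDll` reads that value, and the file it names, not `svchost.exe`, is what needs to be examined.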