
Google Redirect



Greetings,

When I click on search result links in Google I am frequently redirected. I have run a MBAM scan and discovered and deleted several problems. Each subsequent MBAM scan finds at least one infected item and the search results continue to redirect. Posted below is the latest MBAM log. I have also attempted to grab ComboFix from bleepingcomputer.com but the site appears to be down at the moment. Any help will be greatly appreciated.

Thanks,

Josh

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8358

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/12/2011 3:00:43 PM

mbam-log-2011-12-12 (15-00-43).txt

Scan type: Quick scan

Objects scanned: 196091

Time elapsed: 9 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\fsquirt.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.

I'm currently compiling the two logs requested in one of the "pinned" topics - they will be available shortly.

Josh

Hello,

I was unable to run the dds.scr. My computer is regarding it as an AutoCAD LT text file. If this step is necessary, please let me know how to produce this log. In the meantime, I was able to run ComboFix. Following is the log:

ComboFix 11-12-12.02 - Joshua Summerville 12/12/2011 15:33:14.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2320 [GMT -6:00]

Running from: c:\documents and settings\Joshua Summerville\Desktop\ComboFix.exe

AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\MicrosoftPolicyBackup.dll

c:\documents and settings\All Users\Application Data\WindowsPolicyManager.dll

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{06620455-1833-4d9f-b17d-5ad6c20beee3}

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{06620455-1833-4d9f-b17d-5ad6c20beee3}\chrome.manifest

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{06620455-1833-4d9f-b17d-5ad6c20beee3}\chrome\xulcache.jar

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{06620455-1833-4d9f-b17d-5ad6c20beee3}\defaults\preferences\xulcache.js

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{06620455-1833-4d9f-b17d-5ad6c20beee3}\install.rdf

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{6cee92f9-93cf-41e1-b5e8-81ca65d4f590}

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{6cee92f9-93cf-41e1-b5e8-81ca65d4f590}\chrome.manifest

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{6cee92f9-93cf-41e1-b5e8-81ca65d4f590}\chrome\xulcache.jar

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{6cee92f9-93cf-41e1-b5e8-81ca65d4f590}\defaults\preferences\xulcache.js

c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\extensions\{6cee92f9-93cf-41e1-b5e8-81ca65d4f590}\install.rdf

c:\documents and settings\Joshua Summerville\GoToAssistDownloadHelper.exe

c:\documents and settings\Joshua Summerville\WINDOWS

c:\windows\CSC\d6

c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google\GoogleUpdate\Googleupdt32.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))

.

.

2011-12-12 19:59 . 2011-12-12 19:59 388096 ----a-r- c:\documents and settings\Joshua Summerville\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-12-12 19:58 . 2011-12-12 19:58 -------- d-----w- c:\program files\Trend Micro

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-10 14:22 . 2009-12-16 17:59 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 04:56 . 2011-09-26 04:56 406528 ----a-w- c:\windows\system32\ReWire.dll

2011-09-26 04:56 . 2011-09-26 04:56 338432 ----a-w- c:\windows\system32\REX Shared Library.dll

2011-11-27 16:48 . 2011-05-30 15:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"Spotify"="c:\documents and settings\Joshua Summerville\Application Data\Spotify\spotify.exe" [2011-10-18 6710912]

"Akamai NetSession Interface"="c:\documents and settings\Joshua Summerville\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-12-07 3305248]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-26 8523776]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]

"Panda Security URL Filtering"="c:\documents and settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2011-06-29 217256]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware2\mbam.exe" [2011-08-31 1047208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzE2ODkxMDI1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrMi1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArNC1TUDFTNCsxLUREVCs1OTk3Mi1ERDEwRisxLVNUMTJGT0krMS1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1796&mid=f99ec6fcd44147d6b092d16daecb5ff0-460829198e5711992ad8f8cb4c2f76757e3a6a8a" [?]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe" [2011-05-07 234656]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2011-08-29 22:51 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Documents and Settings\\Joshua Summerville\\Application Data\\Spotify\\spotify.exe"=

"c:\\Documents and Settings\\Joshua Summerville\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server

"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server

"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

"1279:TCP"= 1279:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [4/28/2011 12:57 PM 129992]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 6:00 AM 14336]

R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 12:58 PM 140608]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [8/1/2011 5:23 AM 143752]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 12:57 PM 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 12:57 PM 111688]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [4/28/2011 12:57 PM 112456]

R2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [8/26/2011 9:38 AM 4869488]

R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [8/26/2011 9:39 AM 416112]

S0 almltx;almltx;c:\windows\system32\drivers\lyls.sys --> c:\windows\system32\drivers\lyls.sys [?]

S0 cerc6;cerc6; [x]

S0 ewpayf;ewpayf;c:\windows\system32\drivers\mcsotmmt.sys --> c:\windows\system32\drivers\mcsotmmt.sys [?]

S0 ioevdxc;ioevdxc;c:\windows\system32\drivers\npbbg.sys --> c:\windows\system32\drivers\npbbg.sys [?]

S0 ltiocl;ltiocl;c:\windows\system32\drivers\sbfhdo.sys --> c:\windows\system32\drivers\sbfhdo.sys [?]

S0 noklwlb;noklwlb;c:\windows\system32\drivers\wtxcerkc.sys --> c:\windows\system32\drivers\wtxcerkc.sys [?]

S0 rsrdvhf;rsrdvhf;c:\windows\system32\drivers\pwonu.sys --> c:\windows\system32\drivers\pwonu.sys [?]

S0 sbhjlbla;sbhjlbla;c:\windows\system32\drivers\vbqrcn.sys --> c:\windows\system32\drivers\vbqrcn.sys [?]

S0 tlgf;tlgf;c:\windows\system32\drivers\uwpg.sys --> c:\windows\system32\drivers\uwpg.sys [?]

S0 uvfhda;uvfhda;c:\windows\system32\drivers\oycbpbx.sys --> c:\windows\system32\drivers\oycbpbx.sys [?]

S0 xqvcnqcr;xqvcnqcr;c:\windows\system32\drivers\pkcvgkck.sys --> c:\windows\system32\drivers\pkcvgkck.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2011 2:26 PM 136176]

S3 epppdt;EPSON 1394.3 Class;c:\windows\system32\drivers\epppdt.sys [3/23/2010 11:29 AM 31269]

S3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\system32\drivers\epppdtpr.sys [3/23/2010 11:29 AM 14457]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2011 2:26 PM 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 20:26]

.

2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 20:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Joshua Summerville\Application Data\Mozilla\Firefox\Profiles\q9wpnjfr.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - prefs.js: network.proxy.type - 0

.

.

------- File Associations -------

.

.scr=AutoCADLTScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-nwiz - nwiz.exe

HKU-Default-Run-MicrosoftPolicyBackup - c:\documents and settings\All Users\Application Data\MicrosoftPolicyBackup.dll

SafeBoot-mcmscsvc

SafeBoot-MCODS

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-12 15:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,60,03,f1,f3,8c,b4,42,88,c8,42,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,60,03,f1,f3,8c,b4,42,88,c8,42,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(868)

c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll

.

Completion time: 2011-12-12 15:37:40

ComboFix-quarantined-files.txt 2011-12-12 21:37

.

Pre-Run: 111,256,301,568 bytes free

Post-Run: 113,944,145,920 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 810B2B6738883A986D6F49DA36E947FC

Let me know what you think the next step should be.

Thanks for your time,

Josh


  • 2 weeks later...
  • Staff

Hi and welcome to Malwarebytes.

Update MBAM, run a Quick Scan, and post its log.

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


  • 1 month later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
