Google Redirect to cs102175 in Firefox


I read the "I'm infected, what do I do now" post, and now I'm here. So far, I've

1. Ran Malwarebytes and scanned (log attached)

2. Disabled CD-ROM emulation

3. Ran DDS (log files attached)

4. Tried running the GMER rootkit scanner twice, but both times it caused a system failure (blue screen).

DDS.txt is below. The other three logs (attach, mbam and hijack) are attached as zip.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Rick at 21:50:00.76 on Mon 01/04/2010

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_17

Microsoft

Log_Files_1_4_2009.zip


Malwarebytes' Anti-Malware 1.42

Database version: 3429

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

1/9/2010 6:25:09 PM

mbam-log-2010-01-09 (18-25-09).txt

Scan type: Quick Scan

Objects scanned: 112793

Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS LOG:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Rick at 18:24:50.72 on Sat 01/09/2010

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_17

Microsoft


Oops... sorry about that. Updated and rescanned. Found one infected file. Removed it and rebooted.

Malwarebytes' Anti-Malware 1.44

Database version: 3531

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

1/9/2010 6:48:19 PM

mbam-log-2010-01-09 (18-48-19).txt

Scan type: Quick Scan

Objects scanned: 114627

Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Rick\AppData\Local\temp\~DFED78.tmp (Backdoor.Bot) -> Delete on reboot.


  • Staff

Hi,

My apologies for the delay.

Are you still experiencing redirects?

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Antivirus Version Last Update Result

a-squared 4.5.0.41 2009.11.22 -

AhnLab-V3 5.0.0.2 2009.11.20 -

AntiVir 7.9.1.72 2009.11.20 -

Antiy-AVL 2.0.3.7 2009.11.20 -

Authentium 5.2.0.5 2009.11.21 -

Avast 4.8.1351.0 2009.11.22 -

AVG 8.5.0.425 2009.11.22 -

BitDefender 7.2 2009.11.22 -

CAT-QuickHeal 10.00 2009.11.21 -

ClamAV 0.94.1 2009.11.22 -

Comodo 2996 2009.11.22 -

DrWeb 5.0.0.12182 2009.11.22 -

eSafe 7.0.17.0 2009.11.19 -

eTrust-Vet 35.1.7133 2009.11.20 -

F-Prot 4.5.1.85 2009.11.21 -

F-Secure 9.0.15370.0 2009.11.20 -

Fortinet 3.120.0.0 2009.11.22 -

GData 19 2009.11.22 -

Ikarus T3.1.1.74.0 2009.11.22 -

Jiangmin 11.0.800 2009.11.22 -

K7AntiVirus 7.10.901 2009.11.20 -

Kaspersky 7.0.0.125 2009.11.22 -

McAfee 5809 2009.11.21 -

McAfee+Artemis 5809 2009.11.21 -

McAfee-GW-Edition 6.8.5 2009.11.21 -

Microsoft 1.5302 2009.11.22 -

NOD32 4627 2009.11.21 -

Norman 6.03.02 2009.11.21 -

nProtect 2009.1.8.0 2009.11.22 -

Panda 10.0.2.2 2009.11.21 -

PCTools 7.0.3.5 2009.11.21 -

Prevx 3.0 2009.11.22 -

Rising 22.22.06.04 2009.11.22 -

Sophos 4.47.0 2009.11.22 -

Sunbelt 3.2.1858.2 2009.11.21 -

Symantec 1.4.4.12 2009.11.22 -

TheHacker 6.5.0.2.075 2009.11.20 -

TrendMicro 9.0.0.1003 2009.11.22 -

VBA32 3.12.12.0 2009.11.22 -

ViRobot 2009.11.20.2047 2009.11.20 -

VirusBuster 5.0.21.0 2009.11.21 -

Additional information

File size: 247296 bytes

MD5 : 2406e3a5fae743dce81168a8cdb8573f

SHA1 : b625d3970a39cc25553c2156c3d7f68323c91c33

SHA256: 8cac875d2b984f67cbb20e1a08892ef2583906bd9e38cca35b6c9d21e8fc27eb

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x6C60F520

timedatestamp.....: 0x4791A761 (Sat Jan 19 08:31:45 2008)

machinetype.......: 0x14C (Intel I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x1DFD3 0x1E000 6.43 8358e6ee6ac67519ef4c60597299e85d

.data 0x1F000 0xCC8 0xE00 1.00 8c93b338a52da5bbfdb0cd4044437b1d

.rsrc 0x20000 0x1BD68 0x1BE00 3.84 09abc7989cf9dd7533b80deafc1ecf45

.reloc 0x3C000 0x15D8 0x1600 6.74 4e8bf4ed0aa819280d60e32b825046ea

( 0 imports )

( 0 exports )

TrID : File type identification

Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

ssdeep: 6144:UDdC5mfoLV/MM6RKAscznjHQmjLskRgq2:Uo5mALtMVCb

PEiD : -

RDS : NSRL Reference Data Set


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 12:56 on 17/01/2010 by Rick (Administrator - Elevation successful)

========== filefind ==========

Searching for "shsvcs.dll"

C:\Windows\System32\shsvcs.dll --a--- 247296 bytes [12:53 17/07/2008] [19:39 26/01/2008] 2406E3A5FAE743DCE81168A8CDB8573F

C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16386_none_caf99b2e2002860e\shsvcs.dll --a--- 245248 bytes [08:46 02/11/2006] [09:46 02/11/2006] B264DFA21677728613267FE63802B332

C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll --a--- 247296 bytes [12:53 17/07/2008] [19:39 26/01/2008] 2406E3A5FAE743DCE81168A8CDB8573F

-=End Of File=-


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Don't use any text editor other than Notepad, or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

FCOPY::

C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16386_none_caf99b2e2002860e\shsvcs.dll | C:\Windows\System32\shsvcs.dll

Save this as CFScript.

Then drag the CFScript onto ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

-screen317


To be honest, I have not searched much between our posts. Let me use Firefox for a couple of days and report back. I've had this version of Vista for about 2 years now and just started having the redirect issues about 2 months ago, so I don't think they're related. I do appreciate all your help up to this point!

Thank you!

Rick


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
