Google redirect - backdoor trojan or rootkit?



When I type a search word or phrase in Google I get a list of proposed websites, and then when I click on one of the listed websites, instead of going to that website, I am sent to a similar website (jump or redirect) that offers additional search services for the same word or phrase.

I ran a few Malwarebytes Anti-Malware scans; viruses were found and deleted. Then I ran an Avast virus scan, and viruses were found and deleted. The redirect is still not gone.

As per another post, I downloaded and ran ComboFix.

I am afraid that I have a backdoor trojan or rootkit.

Thank you so much for your help.

MALWAREBYTES LOG

Database version: 4325

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

7/19/2010 1:50:52 AM

mbam-log-2010-07-19 (01-50-52).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 39465

Time elapsed: 28 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5

MALWAREBYTES LOG

Database version: 4325

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

7/19/2010 5:30:46 AM

mbam-log-2010-07-19 (05-30-46).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 261080

Time elapsed: 58 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appinit_dlls (Trojan.Witkinat) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\crntdll (Trojan.Witkinat) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\eMusic Download Manager\winamp_plugin.exe (Adware.BHO) -> Quarantined and deleted successfully.

COMBOFIX LOG

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,66,ff,a2,38,30,1b,c9,4b,84,54,db,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,66,ff,a2,38,30,1b,c9,4b,84,54,db,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(680)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Common Files\aolshare\aolshcpy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\zHotkey.exe

c:\progra~1\COMMON~1\AOL\115522~1\EE\AOLHOS~1.EXE

c:\progra~1\COMMON~1\AOL\115522~1\EE\AOLServiceHost.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

c:\windows\arservice.exe

c:\windows\RTHDCPL.EXE

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\windows\system32\drivers\KodakCCS.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\ScsiAccess.EXE

c:\windows\ehome\mcrdsvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\dllhost.exe

c:\windows\eHome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2010-07-19 13:35:19 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-19 17:35

ComboFix2.txt 2009-11-17 21:19

Pre-Run: 165,829,419,008 bytes free

Post-Run: 165,800,259,584 bytes free

- - End Of File - - C10F0C52032576C306A1086E9B85AA9D

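As an added example (not code from the thread or from Malwarebytes), here is a small Python parser for the Malwarebytes Anti-Malware log format posted above. It pulls out every detection, compares the per-section summary counts with the entries actually listed (a cheap way to notice that a pasted log is truncated, which the staff reply asks about), and flags hits in autostart locations. The second log's AppInit_DLLs hit is the one worth attention: a DLL named in that value is loaded into every process that links user32.dll, which is exactly how a browser-redirect component can survive removal of the original dropper. The sample log text is constructed from the entries in the thread, and the list of persistence locations is this example's own assumption, not a Malwarebytes category.

```python
"""Parse a 2010-era Malwarebytes Anti-Malware (MBAM) scan log and flag
detections that sit in known persistence locations.

Added example; not code from the original thread or from Malwarebytes.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an excerpt of the second MBAM log posted in the thread.
SAMPLE_LOG = """\
Database version: 4325
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
7/19/2010 5:30:46 AM
mbam-log-2010-07-19 (05-30-46).txt

Scan type: Full scan (C:\\|D:\\|E:\\|F:\\|G:\\|H:\\|I:\\|)
Objects scanned: 261080
Time elapsed: 58 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\appinit_dlls (Trojan.Witkinat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\crntdll (Trojan.Witkinat) -> Quarantined and deleted successfully.

Files Infected:
C:\\Program Files\\eMusic Download Manager\\winamp_plugin.exe (Adware.BHO) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<threat>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section header ("Registry Values Infected:") versus summary line ("Registry Values Infected: 2").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")

# Assumed persistence locations for this example (regex over the lower-cased path).
PERSISTENCE_RULES = [
    (r"\\windows nt\\currentversion\\windows\\",
     "AppInit_DLLs key: listed DLLs are loaded into every process that links user32.dll"),
    (r"\\currentversion\\run(once)?\\", "Run/RunOnce autostart entry"),
    (r"\\winlogon\\", "Winlogon shell/userinit/notify hook"),
    (r"\\currentcontrolset\\services\\", "service or driver registration"),
    (r"\\browser helper objects\\", "Internet Explorer BHO"),
]


@dataclass
class Detection:
    section: str
    path: str
    threat: Optional[str]   # None when the pasted line is truncated
    action: Optional[str]


@dataclass
class ScanReport:
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> ScanReport:
    """Walk the log line by line, tracking which 'X Infected:' section we are in."""
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(Detection(section, m.group("path"), m.group("threat"), m.group("action")))
        else:
            # Truncated entry (the thread's first log has one): keep the raw path, no threat name.
            report.detections.append(Detection(section, line, None, None))
    return report


def flag_persistence(report: ScanReport):
    """Return (detection, reason) pairs for hits in the assumed autostart locations."""
    flagged = []
    for d in report.detections:
        low = d.path.lower()
        for pattern, why in PERSISTENCE_RULES:
            if re.search(pattern, low):
                flagged.append((d, why))
                break
    return flagged


def check_counts(report: ScanReport) -> dict:
    """Sections whose summary count disagrees with the entries listed: {name: (claimed, listed)}."""
    seen = {}
    for d in report.detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return {name: (n, seen.get(name, 0)) for name, n in report.summary.items() if n != seen.get(name, 0)}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d, why in flag_persistence(rep):
        print(f"[persistence] {d.threat}: {d.path}\n    {why}")
    mismatches = check_counts(rep)
    if mismatches:
        print("summary/entry mismatch (truncated paste?):", mismatches)
```

On a real log the useful signal is a non-empty result from `check_counts` (the first log in the thread claims one infected file but the entry has no threat name, so the paste was cut) and any `flag_persistence` hit under the AppInit_DLLs key: a value cleaned there tells you to also look at whatever DLL it pointed to and at the `crntdll` sibling value, which is not a standard Windows value under that key.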

  • Staff

Hi and welcome to Malwarebytes.

Please know that it is dangerous to run ComboFix unless under the eye of a trained analyst.

With that said, its log was cut off; please post it in its entirety.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
