browser redirect infection


I seem to have stumbled upon a rather nasty browser redirector. It was partially picked up and removed by MBAM as a phony virus alert. Since then, neither MBAM (5399) nor Avira has picked up the redirector. As requested at http://forums.malwarebytes.org/index.php?showtopic=9573, I am providing the attached log files. At this time, it only appears to have infected Firefox, not IE (I do not normally use IE). It seems to be nested in the bowels of my Firefox profile directory and restoring itself under the guise of a bookmark backup. It has also created a 'backups' folder on my desktop with a single text file under 1k. It looks like a simple routine designed to restore itself. I can post that file here if requested. Per the instructions in the URL, my MB log and DDS.txt are pasted below. Please let me know if you need any further information. Thank you for your help!!

MB log here:

Malwarebytes' Anti-Malware


Database version: 5399

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/26/2010 4:27:04 PM

mbam-log-2010-12-26 (16-27-04).txt

Scan type: Full scan (C:\|)

Objects scanned: 167290

Time elapsed: 31 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\RECYCLER\s-1-5-21-3570616145-104262437-1874526873-1005\Dc102.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-3570616145-104262437-1874526873-1005\Dc155.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-3570616145-104262437-1874526873-1005\Dc171.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-3570616145-104262437-1874526873-1005\Dc28.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-3570616145-104262437-1874526873-1005\Dc40.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-3570616145-104262437-1874526873-1005\Dc89.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

DDS.txt here:

DDS (Ver_10-12-12.02) - NTFSx86

Run by seanm at 22:03:51.07 on Sun 12/26/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1028 [GMT -5:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\Program Files\Avira\AntiVir Desktop\sched.exe


C:\Program Files\Avira\AntiVir Desktop\avguard.exe


C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe


C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe

C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe


C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe

C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe

C:\Program Files\VMware\VMware Workstation\vmware-authd.exe

C:\Program Files\Apoint\Apoint.exe


C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe


C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Dell AIO 810\dlcgmon.exe


C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

C:\Program Files\VMware\VMware Workstation\hqtray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe


C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe


C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

c:\program files\avira\antivir desktop\avcenter.exe


C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\seanm\Desktop\redir\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DLCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCGtime.dll,_RunDLLEntry@16

mRun: [dlcgmon.exe] "c:\program files\dell aio 810\dlcgmon.exe"

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [vmware-tray] c:\program files\vmware\vmware workstation\vmware-tray.exe

mRun: [VMware hqtray] "c:\program files\vmware\vmware workstation\hqtray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallati...t;ver=10.0.1170

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB

DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

AppInit_DLLs: wxvault.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\seanm\applic~1\mozilla\firefox\profiles\nwzq6jv3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: CrystalFox Qute: CrystalFox_Qute@BigRedBrent - %profile%\extensions\CrystalFox_Qute@BigRedBrent

FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Hitachi_HTS721010G9SA00 rev.MCZOC10H -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A80A555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8107b0]; MOV EAX, [0x8a81082c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A8B3AB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000087[0x8A8A9510]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A823940]

\Driver\atapi[0x8A8A4270] -> IRP_MJ_CREATE -> 0x8A80A555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS721010G9SA00_________________MCZOC10H#5&1f698b3f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A80A39B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 22:05:18.42 ===============


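As an added illustration (not part of this thread, and not code from the DDS or GMER tools), a small Python triage script that reads the report format pasted above and pulls out the lines a helper looks at first: add-on entries whose DLL is missing ("No File"), the AppInit_DLLs value, the unknown module in GMER's disk call chain, the hooked DriverStartIo, and GMER's own warning line. The sample lines are copied from the log above; the category labels and the `Finding` type are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS/GMER report pasted in the thread.
SAMPLE_LOG = "\n".join([
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll",
    r"TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File",
    r"AppInit_DLLs: wxvault.dll",
    r"called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A80A555]<<",
    r"detected hooks:",
    r"\Driver\atapi DriverStartIo -> 0x8A80A39B",
    r"user & kernel MBR OK",
    r"Warning: possible TDL3 rootkit infection !",
])

@dataclass
class Finding:
    category: str  # my own label for the kind of indicator
    detail: str    # the value or line that triggered it

ORPHAN_RE = re.compile(r"^(BHO|TB):.*- No File$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
def triage(log_text: str) -> list:
    """Return the indicators a helper checks first, in report order."""
    findings, in_hooks = [], False  # in_hooks: inside GMER's 'detected hooks:' block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ORPHAN_RE.match(line):
            # Add-on still registered but its DLL is gone (uninstall or removed malware).
            findings.append(Finding("orphaned_browser_addon", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # Injected into every user32-linked process; often legitimate, always verify the publisher.
            findings.append(Finding("appinit_dll", line.split(":", 1)[1].strip()))
        elif UNKNOWN_RE.search(line):
            # Disk I/O path enters code belonging to no listed module: kernel-level hook.
            findings.append(Finding("unknown_kernel_module", UNKNOWN_RE.search(line).group(1)))
        elif line.startswith("detected hooks:"):
            in_hooks = True
        elif in_hooks and "->" in line:
            # A driver entry point (here DriverStartIo) redirected to an unlisted address.
            findings.append(Finding("driver_hook", line))
        elif line.lower().startswith("warning:"):
            in_hooks = False
            findings.append(Finding("tool_warning", line))
        else:
            in_hooks = False
    return findings
```

Run it over a full DDS.txt (including the ROOTKIT section) to get a short list to compare against the running-process and BHO paths before asking for more logs.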


Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

