Rootkit infestation? redirct search engines

MarshalK · May 3, 2011

We are having an issue where when we search in google, yahoo, etc. the search resolves to a malicious site (blocked by Trend Micro Worry Free Standard - Version 6.3)

I ran malwarebytes originally (before I found this site) and it removed a few problems - then, following your check list I ran the ERUNT, OTM and Malwarebytes again. Mbam found some more of the same and I am also in a conversation with them as the software (version 6499 will not update to 6500. It gives the following error: PROGRAM_ERROR_UPDATING (0, 0, SGRegGetPath).

Here is the OTM log:

All processes killed

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

U:\Desktop\cmd.bat deleted successfully.

U:\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 36012 bytes

->Temporary Internet Files folder emptied: 82389 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 456 bytes

User: administrator.TITLECO

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Andy

->Temp folder emptied: 37233 bytes

->Temporary Internet Files folder emptied: 54605 bytes

->Java cache emptied: 0 bytes

User: AP2010

->Temp folder emptied: 107610326 bytes

->Temporary Internet Files folder emptied: 3326689 bytes

->Java cache emptied: 2945856 bytes

->Flash cache emptied: 43323 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33237 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33237 bytes

User: TEMP

->Temp folder emptied: 596864 bytes

->Temporary Internet Files folder emptied: 122814 bytes

->Java cache emptied: 3340912 bytes

->Flash cache emptied: 43443 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2402044 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 33691441 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 87194216 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 231.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.17.2 log created on 05032011_141901

Files moved on Reboot...

Registry entries deleted on Reboot...

MarshalK · May 3, 2011

Mbam Log after quick scan (I actually ran a full scan before visiting this site - here is the short version )

5/3/2011 12:06 PM

Scan type: Full scan (C:\|)

Objects scanned: 573511

Time elapsed: 44 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 3

Then I ran the quickscan as per your instructions:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6499

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/3/2011 3:20:16 PM

mbam-log-2011-05-03 (15-20-16).txt

Scan type: Quick scan

Objects scanned: 190854

Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\TEMP\application data\cleanhdd.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.

c:\documents and settings\TEMP\application data\cleanhdd.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

MarshalK · May 3, 2011

Rooter:

Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows XP . (5.1.2600) Service Pack 3

[32_bits] - x86 Family 15 Model 2 Stepping 5, GenuineIntel

.

[wscsvc] STOPPED (state:1) : Security Center -> Disabled !

[sharedAccess] RUNNING (state:4)

Windows Firewall -> Enabled

.

Internet Explorer 8.0.6001.18702

.

A:\ [Removable]

C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:157 Go )

F:\ [Network] .. ( Total:76 Go - Free:16 Go )

G:\ [Network] .. ( Total:76 Go - Free:16 Go )

H:\ [Network] .. ( Total:76 Go - Free:16 Go )

I:\ [Network] .. ( Total:76 Go - Free:16 Go )

J:\ [Network] .. ( Total:76 Go - Free:16 Go )

K:\ [Network] .. ( Total:76 Go - Free:16 Go )

L:\ [Network] .. ( Total:76 Go - Free:16 Go )

M:\ [Network] .. ( Total:76 Go - Free:16 Go )

N:\ [Network] .. ( Total:76 Go - Free:16 Go )

O:\ [Network] .. ( Total:76 Go - Free:16 Go )

P:\ [Network] .. ( Total:76 Go - Free:16 Go )

S:\ [CD_Rom]

U:\ [Network] .. ( Total:76 Go - Free:16 Go )

Y:\ [Network] .. ( Total:76 Go - Free:16 Go )

Z:\ [Network] .. ( Total:76 Go - Free:16 Go )

.

Scan : 16:00.22

Path : U:\Desktop\Rooter.exe

User : AP2010 ( Administrator -> YES )

.

----------------------\\ Processes

.

Locked [system Process] (0)

______ System (4)

______ \SystemRoot\System32\smss.exe (932)

______ \??\C:\WINDOWS\system32\csrss.exe (996)

______ \??\C:\WINDOWS\system32\winlogon.exe (1020)

______ C:\WINDOWS\system32\services.exe (1068)

______ C:\WINDOWS\system32\lsass.exe (1080)

______ C:\WINDOWS\system32\svchost.exe (1308)

______ C:\WINDOWS\system32\svchost.exe (1380)

______ C:\WINDOWS\System32\svchost.exe (1508)

______ C:\WINDOWS\system32\svchost.exe (1652)

______ C:\WINDOWS\system32\svchost.exe (1768)

______ C:\WINDOWS\system32\spoolsv.exe (1912)

______ C:\WINDOWS\system32\svchost.exe (176)

______ C:\Program Files\Symantec\pcAnywhere\awhost32.exe (352)

______ C:\Program Files\Java\jre6\bin\jqs.exe (496)

______ C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (640)

______ C:\Program Files\LogMeIn\x86\RaMaint.exe (952)

______ C:\Program Files\LogMeIn\x86\LogMeIn.exe (1092)

______ C:\WINDOWS\system32\nvsvc32.exe (1560)

______ C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (1640)

______ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (2004)

______ C:\WINDOWS\system32\svchost.exe (2032)

______ C:\Program Files\UPHClean\uphclean.exe (212)

______ C:\WINDOWS\system32\SearchIndexer.exe (296)

______ C:\WINDOWS\System32\alg.exe (2276)

______ C:\Program Files\LogMeIn\x86\LogMeIn.exe (3596)

______ C:\WINDOWS\Explorer.EXE (2628)

______ C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (764)

______ C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (1592)

______ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (1488)

______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (2208)

______ C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (3608)

______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (2756)

______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (2800)

______ C:\Program Files\Aladdin Systems\iClean\iClean.exe (2928)

______ C:\WINDOWS\system32\ctfmon.exe (2956)

______ C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (636)

______ C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe (3192)

______ C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe (3088)

______ C:\WINDOWS\system32\igfxsrvc.exe (3800)

______ C:\Program Files\Internet Explorer\iexplore.exe (2528)

______ C:\Program Files\Internet Explorer\iexplore.exe (1624)

______ C:\Program Files\Internet Explorer\iexplore.exe (3672)

______ U:\Desktop\Rooter.exe (3284)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:250056705024)

.

----------------------\\ Scheduled Tasks

.

C:\WINDOWS\Tasks\desktop.ini

C:\WINDOWS\Tasks\SA.DAT

.

----------------------\\ Registry

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 16:00.27

.

U:\Rooter$\Rooter_1.txt - (03/05/2011 | 16:00.27)

MarshalK · May 3, 2011

Locksearch:

LockSearch by jpshortstuff (05.11.09.1)

Log created at 16:02 on 03/05/2011 (AP2010)

Scanning C:\

C:\hiberfil.sys

-------------------------

C:\pagefile.sys

-------------------------

-=E.O.F=-

MarshalK · May 3, 2011

CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad

scanner sequence 3.RP.11

----- EOF -----

MarshalK · May 3, 2011

I will run the WVCheck and the GMER next - please let me know if I am over posting or if you want more info.

Thank you

MarshalK · May 3, 2011

WVCheck log:

Windows Validation Check

Version: 1.9.12.5

Log Created On: 1720_03-05-2011

-----------------------

Windows Information

-----------------------

Windows Version: Windows XP Service Pack 3

Windows Mode: Normal

Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check

-----------------------

Auto-Update Option: Download updates and install them automatically.

-----------------------

Last Success Time for Update Detection: 2011-05-03 20:39:17

Last Success Time for Update Download: 2011-04-27 02:21:26

Last Success Time for Update Installation: 2011-04-27 07:02:34

WVCheck's Registry Check Check

-----------------------

Antiwpa: Not Found

-----------------------

Chew7Hale: Not Found

-----------------------

WVCheck's File Dump

-----------------------

WVCheck found no known bad files.

WVCheck's Dir Dump

-----------------------

WVCheck found no known bad directories.

WVCheck's Missing File Check

-----------------------

WVCheck found no missing Windows files.

WVCheck's MBAM Quarantine Check

-----------------------

There were no bad files quarantined by MBAM.

WVCheck's HOSTS File Check

-----------------------

WVCheck found no bad lines in the hosts file.

WVCheck's MD5 Check

EXPERIMENTAL!!

-----------------------

user32.dll - b26b135ff1b9f60c9388b4a7d16f600b

-------- End of File, program close at 1723_03-05-2011 --------

MarshalK · May 5, 2011

Please close this log as I am receiving help via another route. Thank you.

hitest · May 5, 2011

Please close this log as I am receiving help via another route. Thank you.

Closed as per your request.

Sign In

Rootkit infestation? redirct search engines

Recommended Posts

MarshalK

Link to post

Share on other sites

MarshalK

Link to post

Share on other sites

MarshalK

Link to post

Share on other sites

MarshalK

Link to post

Share on other sites

MarshalK

Link to post

Share on other sites

MarshalK

Link to post

Share on other sites

MarshalK

Link to post

Share on other sites

MarshalK

Link to post

Share on other sites

hitest

Link to post

Share on other sites

Browse

Activity