google hijack, cmd block, other funkiness

June 10, 2009 at 13:44:33
Specs: Microsoft Windows XP Professional, 2.411 GHz / 3582 MB
Persistent symptoms on this box suggest a trojan at play, but scans by Comodo, AVG, BitDefender have yielded nothing. Symptoms include:
Google search result misdirects (consistent),
cmd, taskmgr, antivirus process launch blocks (inconsistent).
Jumping the gun a bit based on other forum threads, have generated the following for your perusal:
virusinfo_syscure
ComboFix
ComboFix-quarantined-files
BelArc benchmark and system reports
They were created in the manner and order typically suggested, but any or all can be redone as needed.

Have been wrestling with this for a few weeks with little success, and am trending toward more extreme measures. Will nuke the system if needed, but want to know what's screwing it up, because many files on it have been circulating among many machines. It would help to know what to look for to determine if this is an isolated incident or an epidemic.

Any advice would be profoundly appreciated.




#1
June 10, 2009 at 14:12:11


#2
June 10, 2009 at 14:52:39
PM'd you a rapidshare link. Can post content of log to this thread if that's more appropriate.


#3
June 10, 2009 at 14:58:47
Generate these logs again:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. Upload the log to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
June 10, 2009 at 15:49:16
1) virusinfo_syscure.zip at http://rapidshare.com/files/2431616...


#5
June 10, 2009 at 15:56:00


#6
June 10, 2009 at 16:23:11
Post the AVZ log again; read the "Note". What browser do the Google links redirect in, and to what site? I also suggest you uninstall "Ask Toolbar".

If I'm helping you and I don't reply within 24 hours send me a PM.



#7
June 10, 2009 at 18:17:48
d'oh!
New AVZ log, generated with browser open this time, posted here: http://rapidshare.com/files/2431910...

Ask Toolbar uninstalled.

Browser of choice is FF (using 3.0.10)
Redirected links also encountered in IE (currently using 8.0.6001.18702)



#8
June 10, 2009 at 18:46:27
Please close all browsers and other windows while running GooredFix.
* Please download GooredFix and save it to your Desktop.
* Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
June 11, 2009 at 15:15:08
GooredFix v1.92 by jpshortstuff
Log created at 17:13 on 11/06/2009 running Option #1 (Administrator)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"



#10
June 11, 2009 at 15:29:03
Do you know these IPs: 192.168.31.54, 12.96.160.115?

If I'm helping you and I don't reply within 24 hours send me a PM.



#11
June 11, 2009 at 15:54:58
Nope.

NetSol's WHOIS lists the first one only as being in a range belonging to the IANA, the second as being in the range hosted by THEPLANET.COM INTERNET SERVICES.

192.168.31.54
Internet Assigned Numbers Authority
NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment: http://www.arin.net/reference/rfc/r...


12.96.160.115
THEPLANE725-160 (NET-12-96-160-0-1)
12.96.160.0 - 12.96.167.255



#12
June 11, 2009 at 16:01:34
Can you make a new HijackThis log and upload it to rapidshare.com? HijackThis: Here

If I'm helping you and I don't reply within 24 hours send me a PM.



#13

#14
June 11, 2009 at 16:26:30
Fix this entry with HijackThis

O17 - HKLM\System\CCS\Services\Tcpip\..\{B52E20E8-4EE3-4B10-BAB8-CBC9AE3579FF}: NameServer = 192.168.31.54,12.96.160.115

Then change your dns servers to http://www.opendns.com/start/ check and see if your redirect problem is solved.

If I'm helping you and I don't reply within 24 hours send me a PM.


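The O17 entry in #14 is the whole story of this thread: a per-interface NameServer value in the TCP/IP registry settings, pointing at one address the user did not recognize (192.168.31.54, RFC 1918 space per the WHOIS in #11) and one public address hosted at THEPLANET.COM (12.96.160.115). The following is an added example, not code from the thread, from HijackThis, or from any tool named here. It parses O17 lines in the format shown in #14 with the standard-library `ipaddress` module and labels each configured DNS server. The sample log below is constructed (the first O17 line is the one quoted in #14, the second is made up for contrast), and `EXPECTED_RESOLVERS` is a placeholder for the resolvers your own site hands out.

```python
"""Flag suspicious HijackThis O17 (per-interface NameServer) entries.

Added example; not code from the thread or from HijackThis. It parses the
O17 line format shown in post #14 and classifies each configured DNS
server address with the standard-library ipaddress module.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample log: the O17 line quoted in post #14, plus a second,
# made-up O17 line pointing at an expected internal resolver for contrast.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B52E20E8-4EE3-4B10-BAB8-CBC9AE3579FF}: NameServer = 192.168.31.54,12.96.160.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 10.0.0.1
"""

# Assumption: the resolvers this site actually configures. 10.0.0.1 is a
# placeholder; replace it with your own DHCP / corporate resolver addresses.
EXPECTED_RESOLVERS = frozenset({"10.0.0.1"})

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


@dataclass
class O17Finding:
    interface_guid: str
    servers: list = field(default_factory=list)
    verdicts: dict = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        # A public resolver nobody configured is the redirect signature seen
        # in this thread, so it is the deciding signal for the finding.
        return any(v == "public-unknown" for v in self.verdicts.values())


def classify_resolver(ip_text: str, expected=EXPECTED_RESOLVERS) -> str:
    """Label one DNS server address for an analyst."""
    if ip_text in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:  # RFC 1918 space for IPv4, as the WHOIS in #11 showed
        return "private-unexpected"
    if ip.is_global:
        return "public-unknown"
    return "special-use"


def audit_o17(log_text: str, expected=EXPECTED_RESOLVERS) -> list:
    """Return one O17Finding per O17 line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        guid_match = GUID_RE.search(m.group("key"))
        guid = guid_match.group(0) if guid_match else m.group("key")
        # NameServer values are comma (sometimes space) separated.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        finding = O17Finding(interface_guid=guid, servers=servers)
        for s in servers:
            finding.verdicts[s] = classify_resolver(s, expected)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_o17(SAMPLE_HJT_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.interface_guid} {f.verdicts}")
```

The O17 line abbreviates the registry location; on a live system the value lives under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer, and a static NameServer value there takes precedence over the DHCP-assigned servers, which is why every lookup on the box went through the attacker's resolver. Having HijackThis "fix" the entry clears that value; switching to OpenDNS, as #14 suggests, then gives you a known resolver to compare against while checking whether the redirects stop.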

#15
June 11, 2009 at 17:09:50
Done.

Not getting Google redirects, can launch command terminal. Hard to prove a negative, but no symptoms evident at this point.

Any idea what may have been going on, based on what you've seen? Further steps you'd suggest be run?



#16
June 11, 2009 at 17:38:42
Problem solved? Redo Response Number 12.

If I'm helping you and I don't reply within 24 hours send me a PM.



#17
June 11, 2009 at 17:44:07
Possibly...

http://rapidshare.com/files/2435555...



#18
June 11, 2009 at 17:59:01
Follow these two next:
FIRST
Download OTL to your Desktop

1) Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted (for Vista, right click the icon and Run as Administrator).

2) When the window appears, underneath Output at the top change it to Minimal Output.

3) Click the "Scan All Users" checkbox.

4) In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".

5) Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

i) When the scan completes, it will open two Notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.

ii) Upload both the files to rapidshare.com and post download links.

SECOND

Download Security Check by screen317 and SAVE it to your Desktop: http://screen317.spywareinfoforum.o...

* Double-click on SecurityCheck.exe and follow the on-screen instructions inside the black box.
* A Notepad document named checkup.txt should then open automatically; close Notepad, saving the file to your desktop. Post this log, too.

If I'm helping you and I don't reply within 24 hours send me a PM.



#19

#20
June 12, 2009 at 12:36:44
SECOND
http://rapidshare.com/files/2438393...


#21
June 12, 2009 at 12:45:10
Is your problem back or fixed? I don't see any malware on your PC, just a few things: seems your internet is not set up right via some gateway, and your Java needs updating as soon as possible.

If I'm helping you and I don't reply within 24 hours send me a PM.



#22
June 12, 2009 at 13:32:39
Seems to be symptom-free now. Will update Java. Net connection is through an institutional network, so I can't vouch for the gateway. Any liabilities that might emerge from the internet setup, or is it just non-standard?


#23
June 12, 2009 at 14:03:24
Your problem was caused by adware. Since the problem is fixed, I am not monitoring this post anymore; if you have any more problems regarding this, feel free to private message me.

PS: don't worry about the internet gateway problem. It's just an event ID log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#24
June 12, 2009 at 14:43:35
Amazed by your quick responses and thorough investigation. Thanks for all your help.
