Sign in to follow this  
jaisa01

cl01cl10cl01.com

Recommended Posts

Anyone have solution for this. All my google links are being redirected by cl01cl10cl01.com to other places. Apparently no solutions so far. Anyone know what to do?

Share this post


Link to post
Share on other sites
Have you run a scan with Ad-Aware? If so and that did not clean your system then follow these [url="http://www.lavasoftsupport.com/index.php?showtopic=13639"]Instructions[/url] for posting to the [url="http://www.lavasoftsupport.com/index.php?showforum=36"]Hijack This Forum[/url]. There a Volunteer Security Adviser will assist you in the removal of the malware.

cressy

Share this post


Link to post
Share on other sites
[quote name='jaisa01' post='119498' date='May 12 2010, 07:33 AM']Anyone have solution for this. All my google links are being redirected by cl01cl10cl01.com to other places. Apparently no solutions so far. Anyone know what to do?[/quote]
I did run the scan. Here is the log:

GMER 1.0.15.15281 - [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2010-05-12 04:05:53
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Sandeep\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA11887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA118BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xBA670814]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DB000A
.text C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] ole32.dll!OleLoadFromStream 77518C62 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0096000A
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0097000A
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 3 Bytes JMP 0095000C
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher + 4 7C90E480 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1228] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0212000A
.text C:\WINDOWS\System32\svchost.exe[1228] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 017B000A
.text C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BF000C
.text C:\WINDOWS\system32\SearchIndexer.exe[3200] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BE000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3BFEE4

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bvlbjcd <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Support Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd\[email protected] C:\WINDOWS\system32\fszas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] Support Driver
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 32
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 2
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd\[email protected] C:\WINDOWS\system32\fszas.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@eaopdhiojk 0x66 0x61 0x69 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@dalaoifb 0x64 0x62 0x6B 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@iagnpocncdjihbofnn 0x69 0x61 0x68 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@haaojopghbenalci 0x6A 0x61 0x66 0x6E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Share this post


Link to post
Share on other sites
[url="http://www.lavasoftsupport.com/index.php?showtopic=29246"]http://www.lavasoftsupport.com/index.php?showtopic=29246[/url]

Now that you've posted in the HijackThis forum, I'll close this thread.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this