
Thread: overulat.dll and Thojetogum.dll - possible infection

  1. #11
    Junior Member
    Join Date: May 2008 | Posts: 19

    Can't tell you much about that proxy server. I don't see any program (that I know of off-hand) that uses that port for the loopback. I did look in previous HJT logs and it was in those logs as well, but they were from a while back (a couple of months).

    I did a port scan from GRC (ShieldsUP) and I passed all the scans done (all marked as stealth).

    I looked in ZoneAlarm and all the programs that have been ok'ed for internet access are ones that I know to be well.

    The rootkit scan was clean. I'll post the log file.

    Now, I did go into IE today and there were no Google redirects. I even tried some searches in Firefox and then retried them in IE. Some of the Firefox searches links were redirected while none of the IE searches were.

    I also noticed (in the lower left part of the window) that the IE links lead directly to the site linked to. In Firefox, it appeared that ad1.doubleclicker.net (where those .php scripts were located) was visited first. A few links that did go to this site first were not redirected, but most were.

    So far, I haven't seen a redirect to that goougly.com site for at least two days, but I haven't been doing many Google searches lately. When I copy and paste the link given in the search, Firefox visits the site fine, without being redirected.

    Also, I'm using Firefox 2.0.0.20 at the moment. I plan to upgrade to Firefox 3 sometime soon. And, ignoring today, I haven't used IE for general web browsing for at least two years.

    -----Blacklight scan

    01/02/09 13:16:44 [Info]: BlackLight Engine 2.2.1092 initialized
    01/02/09 13:16:44 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    01/02/09 13:16:44 [Note]: 7019 4
    01/02/09 13:16:44 [Note]: 7005 0
    01/02/09 13:16:50 [Note]: 7006 0
    01/02/09 13:16:50 [Note]: 7011 1464
    01/02/09 13:16:50 [Note]: 7035 0
    01/02/09 13:16:50 [Note]: 7026 0
    01/02/09 13:16:51 [Note]: 7026 0
    01/02/09 13:17:03 [Note]: FSRAW library version 1.7.1024
    01/02/09 13:58:18 [Note]: 2000 1012
    01/02/09 21:11:29 [Note]: 7007 0

  2. #12
    pskelley
    In Memoriam - Always in our heart
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    BlackLight is clean; before we consider other scans, let's look at this.

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    I suggest you update to IE7 whether you use it or not.
    (IE8 is already out in beta)

    Mozilla (1.7.13)
    Mozilla Firefox (2.0.0.20)
    Mozilla Firefox (2.0.0.3)
    I suggest you uninstall all of those and download the newest version:
    http://www.mozilla.com/en-US/firefox/

    I have not used a version that old in a long time, so I am not sure this information applies?
    http://support.mozilla.com/en-US/kb/...alling+add-ons
    Gives you one idea of a Firefox extension issue.
    http://blog.misec.net/2008/09/25/new...irestarterfox/
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #13
    Junior Member
    Join Date: May 2008 | Posts: 19

    I checked the extensions and themes in Firefox and there is nothing out of the ordinary in there. Anyway, I went ahead and uninstalled the old versions of Java, Mozilla, and Firefox. Right now, I have Firefox 3.0.5 running.

    The redirects are still occurring, but I noticed that they only occur in Firefox normal mode. In Firefox's safe mode, Google searches don't head to that doubleclicker.net site (and active c.php). I tried uninstalling Firefox and removing all its folders before reinstalling, but it didn't work, unless I'm missing something.

  4. #14
    pskelley
    In Memoriam - Always in our heart
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    I have the newest Firefox onboard in the event I need a backup but rarely use it. What happens with IE? Have you thought about trying another browser? http://www.google.com/chrome

    I am about out of ideas myself; let's see if a Kaspersky Online Scan can find anything hidden.

    Run this online scan using Internet Explorer:
    Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

    Next Click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here.

  5. #15
    Junior Member
    Join Date: May 2008 | Posts: 19

    Well, IE is still running just fine. Google searches run just fine.

    I have seen the other browsers and while they seem good, I still want to use Firefox. I haven't seen any feature yet that makes me want to abandon Firefox.
    About the Kaspersky scan, I had to have it only scan the C drive. It froze two times when I had it scan both the C and G drives. I wouldn't worry too much since the G drive only has avi, mp3, and zip files. Nothing was added to it during this problem.

    Today, after the Kaspersky scan, I was thinking about why Firefox works fine in safe mode, but not in normal mode. I looked through all the add-ons and plug-ins, but still didn't see anything weird. I went ahead and had safe mode disable all add-ons and restart normal mode. So far, the Google searches are working just like they should (except the sponsored links don't seem to be showing up).

    I went back into the add-ons to see what was disabled and only saw Java Quick Starter 1.0 and AVG Safe Search. I enabled them and Google still works fine. I'm not too sure what safe mode disabled, but it seems to be working, except for the sponsored links, unless I need to give it more time.

    -----Kaspersky Scan

    KASPERSKY ONLINE SCANNER 7 REPORT
    Sunday, January 4, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Sunday, January 04, 2009 12:17:31
    Records in database: 1558285
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area Folder
    C:\
    Scan statistics
    Files scanned 182173
    Threat name 6
    Infected objects 14
    Suspicious objects 0
    Duration of the scan 03:49:43

    File name Threat name Threats count
    C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
    C:\Program Files\LogMeIn\update\2-30-523.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
    C:\Program Files\LogMeIn\update\2-30-523.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
    C:\Program Files\LogMeIn\update\2-30-537.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.i 1
    C:\Program Files\LogMeIn\update\2-30-537.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.c 1
    C:\Program Files\LogMeIn\update\2-30-539.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.c 1
    C:\Program Files\LogMeIn\update\2-30-547.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
    C:\Program Files\LogMeIn\update\2-30-547.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
    C:\Program Files\LogMeIn\update\2-30-547.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.c 1
    C:\Program Files\LogMeIn\update\2-30-557.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
    C:\Program Files\LogMeIn\update\2-30-557.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.c 1
    C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.i 1
    The selected area was scanned.

  6. #16
    pskelley
    In Memoriam - Always in our heart
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Sounds good to me. KOS always identifies that stuff as questionable; the only thing I really see is this:
    C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
    No doubt it is adware, delete it if you wish.

    I have done about all I can for you, if you have additional questions about Mozilla Firefox, try the free forum as I said earlier.

    Remove combofix from the computer like this:

    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.



    Clean the System Restore files like this:

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot
    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    (MBAM scan is optional since it was clean last scan)
    Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
    (MBAM is yours to keep if you wish, update it and run it once a month or so)

    Update AVG 8 and scan the system, to be sure it is running right and scanning clean.
    Some good AVG information:
    FAQ: http://www.avg.com/faq
    AVG Free Forum: http://freeforum.avg.com/

    If all is well at this point, let me know and I will close the topic.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html
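The triage pskelley does by eye on the Kaspersky report above (separating the "not-a-virus:" hits on the owner's own LogMeIn and VNC installs from the one adware hit worth removing) can be written down as a small script. The following is an added example, not code from the thread or from any Kaspersky tool. It assumes the one-line-per-detection layout seen in the report ("<path> Infected: <verdict> <count>") and Kaspersky's convention of prefixing legitimate-but-potentially-unwanted software with "not-a-virus:"; the list of expected remote-admin products is taken from the paths in the report, and the Trojan-Downloader line in the sample is constructed to exercise the malware branch.

```python
import re
from collections import Counter

# One detection line of a Kaspersky Online Scanner 7 report, as laid out in the thread:
#   <path> Infected: <verdict> <count>
# The verdict is "[not-a-virus:]Behaviour.Platform.Family.variant"; the line layout is an
# assumption taken from the report quoted above, not a documented format.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<count>\d+)\s*$")

# Constructed sample: three lines copied from the report in this thread plus one
# made-up Trojan-Downloader line (PLACEHOLDER family) so the malware branch is exercised.
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\LogMeIn\update\2-30-523.bak\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Documents and Settings\user\Local Settings\Temp\sample.tmp Infected: Trojan-Downloader.Win32.PLACEHOLDER.a 2
The selected area was scanned.
"""


def parse_report(text):
    """Return one dict per detection line; header, footer and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = m.group("verdict")
        pua = verdict.startswith("not-a-virus:")          # potentially unwanted, not malware
        body = verdict.split(":", 1)[1] if pua else verdict
        behaviour = body.split(".", 1)[0]                   # RemoteAdmin, AdWare, Trojan-Downloader, ...
        hits.append({
            "path": m.group("path"),
            "verdict": verdict,
            "count": int(m.group("count")),
            "pua": pua,
            "behaviour": behaviour,
        })
    return hits


def triage(hits, expected_tools=("LogMeIn", "RealVNC", "UltraVNC")):
    """Split hits into buckets the way a helper reads the report by hand.

    expected: RemoteAdmin verdicts inside a product the owner knowingly installed
    review:   other not-a-virus hits (adware, toolbars) - remove if unwanted
    malware:  anything without the not-a-virus prefix - a real detection
    expected_tools is an assumed list based on the product folders named in the report.
    """
    buckets = {"expected": [], "review": [], "malware": []}
    for h in hits:
        if not h["pua"]:
            buckets["malware"].append(h)
        elif h["behaviour"] == "RemoteAdmin" and any(
            t.lower() in h["path"].lower() for t in expected_tools
        ):
            buckets["expected"].append(h)
        else:
            buckets["review"].append(h)
    return buckets


def summarize(hits):
    """Count detections per behaviour class (the 'Threat name' column collapsed)."""
    return Counter(h["behaviour"] for h in hits)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for bucket, items in triage(found).items():
        print(bucket)
        for h in items:
            print("   ", h["verdict"], "->", h["path"])
    print(dict(summarize(found)))
```

Anything that lands in the malware bucket deserves the full removal routine; the review bucket is the RealBar-style adware pskelley points at; the expected bucket is only safe to ignore when the machine's owner actually installed those remote-admin products, which is why the tool list is an argument rather than a constant.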

  7. #17
    Junior Member
    Join Date: May 2008 | Posts: 19

    So far, everything is running well. Firefox is still working just fine. I still have no idea what was disabled, but it's working.

    By the way, I'll get to work uninstalling/updating my programs.

    Thanks for all your help pskelley. I really appreciate it. Especially during the holidays.

  8. #18
    pskelley
    In Memoriam - Always in our heart
    Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Thanks for taking the time to let me know, safe surfing and Happy New Year
