Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirects to Google.com/webhp


  • This topic is locked This topic is locked
5 replies to this topic

#1 windwhisperbomb

windwhisperbomb

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:06 AM

Posted 13 April 2010 - 04:17 AM

Hi, a few days ago I clicked on a link in google. My computer became very slow, so I restarted it. After that, select links in google would redirect me to google.com/webhp. Also, IE (version 6) would open without prompt and take me to google.com/webhp. I switched over to my laptop and looked for solutions. I used Superantispyware and it found the backdoor trojan tidserv. It took care of the virus, and it doesn't show up in scans anymore. The problem still remains however. Google still redirects to google.com/webhp (not all the time) and IE will open every half hour or so without prompt. I'm a novice when it comes to this stuff, so I came here after reading the dangers of trying to get rid of viruses without experience.

BC AdBot (Login to Remove)

 


#2 trollocks

trollocks

  • Members
  • 365 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:stoke ,England
  • Local time:02:06 PM

Posted 13 April 2010 - 04:45 AM

Check for rootkits.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#3 windwhisperbomb

windwhisperbomb
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:06 AM

Posted 13 April 2010 - 05:24 AM

These are the results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 03:20:56
Windows 5.1.2600 Service Pack 2
Running: 1turhjlg.exe; Driver: C:\DOCUME~1\SHANON~1.000\LOCALS~1\Temp\pgldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT 838F0248 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6B54320]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0079000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0078000C
.text C:\WINDOWS\System32\svchost.exe[1064] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 01F1000A
.text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A0000A
.text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00A6000A
.text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 009F000C
.text C:\WINDOWS\system32\wuauclt.exe[3000] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\wuauclt.exe[3000] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\wuauclt.exe[3000] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 003C000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 83AF6AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{67D4DB5C-683F-353F-36F9-D5D712ACD602}\InprocServer32@ C:\WINDOWS\System32\MFC40.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{9A8D95E5-AF9F-4126-9B18-5765AA944847}\InprocServer32@ %SystemRoot%\System32\msoeacct.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{9A8D95E5-AF9F-4126-9B18-5765AA944847}\InprocServer32@ThreadingModel Apartment

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#4 trollocks

trollocks

  • Members
  • 365 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:stoke ,England
  • Local time:02:06 PM

Posted 13 April 2010 - 05:50 AM

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

As suspected you have the rootkit that is going around alot at the minute.Rootkits are nasty and you wil need specialised tools.

Follow steps 6-9 here

It may take a few days for a reply.Dont bump your topic.Helpers look for topics with 0 replies first

#5 windwhisperbomb

windwhisperbomb
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:05:06 AM

Posted 13 April 2010 - 06:41 AM

I did as you instructed. Thank you very much for your help.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 33,296 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:06 AM

Posted 13 April 2010 - 07:33 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/309347/infected-with-rootkit/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users