
Redirect Google pop up ads (ecata.info) help :(


14 replies to this topic

#1 dansgalaxy
  • Members
  • 8 posts
  • Location: Swindon

Posted 02 January 2009 - 05:43 PM

Hello,

I have seen a couple of threads on here which seem to have the same problem as me, http://www.bleepingcomputer.com/forums/t/188036/copy-book-bug-redirects-from-search-engines/ being one of them.

This b*rd is affecting both my desktop PC and my new laptop :flowers: so I really need to get this sorted and hope you can help.

This affects ALL browsers, Internet Explorer, Google Chrome etc., and all addons have been disabled in IE 7 so I know this is not browser specific.

I use custom DNS servers (OpenDNS) which are set on both my laptop and desktop connections.

Both are running Vista.

When I use Google the page is hijacked and is replaced by ecata.info.

For instance the results page for the term "malware is bad"

the page code returned is:



** There are A LOT of new lines here which I removed **


and the URL shows: http://www.google.co.uk/search?hl=en&h...amp;newwindow=1

When I click links in the results it redirects to random dodgy sites and I get a popup almost every time I click something.

I have run Ad-Aware, removed any tracking cookies etc. which came up, and still have the problem.

I would have simply reinstalled everything, but I really don't/can't do that with my laptop; it's brand new and would mean losing all the programs I got with it (that I want), and I don't want to play too much in case I need to use the guarantee :thumbsup:

Please help ASAP... before I go insane.

Many Thanks,
Dan


#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender: Male

Posted 02 January 2009 - 06:29 PM

Hello Dan.

Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Download and Run SmitFraudFix Scan
  • Please download SmitFraudFix by S!Ri to your desktop.
  • Double click the icon to run it.
  • Select Option 1 by typing 1 and hitting Enter.
  • When the scan is complete, a log file will appear. Please copy the contents of the log into your next post.

Please give me an update on the symptoms, if anything has changed.

With Regards,
The Panda

#3 dansgalaxy

Posted 02 January 2009 - 07:30 PM

Hi

Installed Malwarebytes; when I tried to get the update it failed and 404ed when I tried to go direct, so I had to download via the laptop (currently fixing the desktop first, but both laptop and desktop are infected)

and now scanning with Malwarebytes... will probably take a very very long time (I have 4 drives totalling upwards of 1TB)

downloaded the second program and will post the logs once they have completed.

Should I run these on both laptop and desktop and post both sets of logs? Or can we assume that it is the same problem? (and the solution to one will be the same for the other)

Many Thanks,
Dan

#4 dansgalaxy

Posted 02 January 2009 - 07:37 PM

Hey,

Report:
SmitFraudFix v2.388

Scan done at 0:29:09.93, 03/01/2009
Run from C:\Users\dan\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe

hosts


C:\

C:\autorun.inf FOUND !
C:\resycled\ FOUND !

C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\dan


C:\Users\dan\AppData\Local\Temp


C:\Users\dan\Application Data


Start Menu


C:\Users\dan\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E31004D1-A431-41B8-826F-E902F9D95C81}"="Windows DreamScene"

[HKEY_CLASSES_ROOT\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32]
@="%SystemRoot%\System32\DreamScene.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32]
@="%SystemRoot%\System32\DreamScene.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Program,Files\\PremierOpinion\\pmai.dll,C:\\Program,Files\\PremierOpinion\\pmai.dll,C:\\Program Files\\PremierOpinion\\pmai.dll"
"LoadAppInit_DLLs"=dword:00000000


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


RK



DNS

Description: NVIDIA nForce 10/100 Mbps Ethernet
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D9DAA8B5-01E5-484C-B41C-EC0FD8630E2D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D9DAA8B5-01E5-484C-B41C-EC0FD8630E2D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D9DAA8B5-01E5-484C-B41C-EC0FD8630E2D}: NameServer=208.67.222.222,208.67.220.220


Scanning for wininet.dll infection


End



Report for malwarebytes

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 6.0.6001 Service Pack 1

03/01/2009 11:22:05
mbam-log-2009-01-03 (11-22-05).txt

Scan type: Full Scan (C:\|D:\|M:\|N:\|)
Objects scanned: 541911
Time elapsed: 6 hour(s), 36 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\msqpdxpniwvnoy.dll (Trojan.TDSS) -> Delete on reboot.
N:\$RECYCLE.BIN\S-1-5-21-4039041717-337806916-3729976787-1000\$RBNHI29\mozilla.org\Mozilla\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\msqpdxsjgtvniq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\dan\AppData\Local\Temp\matrix31995.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I left the Malwarebytes scanner going all night, log file above. It found 8 problems, 3 of which were a DNSChanger; removed them all and it appears to have fixed it. Google is Google and so far no popups or redirects.

Edited by dansgalaxy, 03 January 2009 - 06:30 AM.
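
As an added example for readers of this thread (my code, not part of the post and not from Malwarebytes or SmitFraudFix), here is a small Python triage script that parses the detection sections of the MBAM log above and the DNS section of the SmitFraudFix log: it counts detections by family, lists the items MBAM could only schedule for deletion at reboot (the ones to re-verify after restarting), and checks that every resolver recorded in the registry is one of the OpenDNS addresses Dan says he configured, since an address nobody set on purpose is the usual footprint of a DNS changer. The log excerpts are constructed from the lines in the post; the expected-resolver list and all function names are my assumptions.

```python
"""Offline triage of the MBAM and SmitFraudFix logs posted in this thread.

Added example for this thread; not part of Malwarebytes, SmitFraudFix or
the forum post. The log excerpts below are constructed from the posted lines.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt: summary counts plus the detection sections of the MBAM log.
MBAM_LOG = r"""
Registry Keys Infected: 1
Files Infected: 6

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Windows\System32\msqpdxpniwvnoy.dll (Trojan.TDSS) -> Delete on reboot.
N:\$RECYCLE.BIN\S-1-5-21-4039041717-337806916-3729976787-1000\$RBNHI29\mozilla.org\Mozilla\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\msqpdxsjgtvniq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\dan\AppData\Local\Temp\matrix31995.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Constructed excerpt: the DNS section of the SmitFraudFix log.
SMITFRAUD_DNS = r"""
DNS

Description: NVIDIA nForce 10/100 Mbps Ethernet
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
"""

# Assumption: the resolvers the owner says he configured (OpenDNS).
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# A section header has no count after the colon; summary lines ("... Infected: 1") are skipped.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<action>.+?)\.?\s*$")
DNS_RE = re.compile(r"(?:DNS Server Search Order:\s*|NameServer=)(?P<servers>[0-9.,]+)")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # registry key, folder or file path
    family: str    # MBAM detection name, e.g. Trojan.DNSChanger
    action: str    # what MBAM did with it


def parse_mbam(text):
    """Return the detections listed under the '... Infected:' sections."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("name")
            continue
        if section is None:
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m.group("item"), m.group("family"), m.group("action")))
    return found


def family_counts(detections):
    return Counter(d.family for d in detections)


def pending_reboot(detections):
    """Items MBAM could not remove while running; verify them after the restart."""
    return [d for d in detections if d.action.lower().startswith("delete on reboot")]


def resolvers_in_log(text):
    """Every resolver address SmitFraudFix recorded, from adapters and Tcpip registry keys."""
    servers = set()
    for m in DNS_RE.finditer(text):
        servers.update(s for s in m.group("servers").split(",") if s)
    return servers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers in the log that the owner did not configure (empty set means all good)."""
    return resolvers_in_log(text) - set(expected)


if __name__ == "__main__":
    hits = parse_mbam(MBAM_LOG)
    print(f"{len(hits)} detections: {dict(family_counts(hits))}")
    for d in pending_reboot(hits):
        print("re-check after reboot:", d.item)
    print("unexpected resolvers:", unexpected_resolvers(SMITFRAUD_DNS) or "none")
```

Run it against a saved mbam-log-*.txt and rapport.txt by reading the files into the two variables; the point of the resolver check is that a log full of the addresses you expect is reassuring, while a single unfamiliar address is the first thing to chase.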


#5 PropagandaPanda

Posted 03 January 2009 - 08:26 AM

Hello dansgalaxy.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Run Cleaning with SmitFraudFix
  • Your computer needs to be in Safe Mode before we can run the cleaning.
  • Double click the icon to run it.
  • Select Option 2 by typing 2 and hitting Enter.
  • The scan will progress. Answer Yes to any prompts you receive. This will include running disk cleanup and removing infected files.
  • The tool will restart your computer.
  • Upon reboot, a log file located at C:\rapport.txt will open. Copy its contents into your next reply.
How to Boot into Safe Mode
Print out all instructions to be carried out in Safe Mode, or save them onto your desktop, as you will not be able to access the forum where you are receiving help.

If you are unfamiliar with the boot process, please jot down the boot instructions.
  • Shutdown your computer.
  • Press the power on button.
  • Wait for your computer to beep.
  • After hearing the beep, hit the F8 key repeatedly until you see a selection screen.
  • Use your arrow keys to navigate the highlight to Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP, if the highlight was not already on it.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usually, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.

With Regards,
The Panda

#6 dansgalaxy

Posted 03 January 2009 - 09:28 AM

Hi.

Ran SmitFraudFix option 2 on both laptop and desktop.

However, not sure where the settings are for GMER; on both machines I ran it and clicked >>> although I can't see any visible settings option.

Although both did flag up system32\drivers\msqpdxsjgtvniq.sys which was the only file Malwarebytes could not delete - it said it would be deleted on reboot.

The report for the laptop is attached; desktop will be attached after posting.

Laptop Report:
SmitFraudFix v2.388

Scan done at 14:03:16.90, 03/01/2009
Run from C:\Users\Dan\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 encata.info

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\autorun.inf Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

Description: Atheros AR928x Wireless Network Adapter
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F3240F0A-EFB2-4F33-8962-A669CF010825}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F3240F0A-EFB2-4F33-8962-A669CF010825}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F3240F0A-EFB2-4F33-8962-A669CF010825}: NameServer=208.67.222.222,208.67.220.220


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


Desktop Report:

SmitFraudFix v2.388

Scan done at 14:11:53.17, 03/01/2009
Run from C:\Users\dan\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E31004D1-A431-41B8-826F-E902F9D95C81}"="Windows DreamScene"

[HKEY_CLASSES_ROOT\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32]
@="%SystemRoot%\System32\DreamScene.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32]
@="%SystemRoot%\System32\DreamScene.dll"


Killing process


hosts


127.0.0.1 localhost
::1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\autorun.inf Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D9DAA8B5-01E5-484C-B41C-EC0FD8630E2D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D9DAA8B5-01E5-484C-B41C-EC0FD8630E2D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{091B9C99-D0D5-4A81-BD6F-5EC1282A78E0}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D9DAA8B5-01E5-484C-B41C-EC0FD8630E2D}: NameServer=208.67.222.222,208.67.220.220


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E31004D1-A431-41B8-826F-E902F9D95C81}"="Windows DreamScene"

[HKEY_CLASSES_ROOT\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32]
@="%SystemRoot%\System32\DreamScene.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E31004D1-A431-41B8-826F-E902F9D95C81}\InProcServer32]
@="%SystemRoot%\System32\DreamScene.dll"



End



With regards to what the computer(s) are used for, the simple answer is everything.
It is used for personal banking, managing online systems (like my servers and web hosting site).

With the desktop a reinstall is just a pain; I have disks and it's all easy as I have reinstalled many many times before. (I intended to make a drive image once I had installed everything this round... never got round to it. Can you suggest a good drive image program (pref. Linux live CD) which I can use for the purpose?)

With the laptop a reinstall is currently not an option; it's brand new (got it for Christmas) and I really don't want to get into reinstalling the OS until the guarantee has expired. Also it means I lose all the Sony VAIO software which came with it.

Many Thanks.
Dan

Edited by dansgalaxy, 03 January 2009 - 09:30 AM.


#7 PropagandaPanda

Posted 03 January 2009 - 09:36 AM

Hello dansgalaxy.

both did flag up system32\drivers\msqpdxsjgtvniq.sys which was the only file malwarebytes could not delete - it said it would be deleted on reboot.

Could you please run MBAM again to see if the file was deleted? This is a rootkit, and there is a good chance MBAM can't remove it.

Can you suggest a good drive image program?

I don't have experience using such programs. Might want to ask around the Applications Forum.

Please start a new topic for the desktop to avoid confusion.

With Regards,
The Panda

#8 dansgalaxy

Posted 03 January 2009 - 09:47 AM

Was talking about the desktop in the beginning anyway ;)

Will ignore the laptop for now.

Set MBAM running again on the desktop; last time I had to leave it running overnight, hopefully it can pick it up quicker.

Will post back results of the second MBAM scan.

How do I do the settings for the GMER app, where were they :s

Dan

#9 PropagandaPanda

Posted 03 January 2009 - 12:13 PM

Hello.

Let's just leave settings at default then.

After the application is loaded, click the Scan button. When the scan is done, save the log.

With Regards,
The Panda

#10 dansgalaxy

Posted 03 January 2009 - 02:01 PM

Hi,

Ran the GMER scan, log file below.

Also re-ran the MBAM scan (on c: drive only) which came up as clean.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-03 18:58:57
Windows 6.0.6001 Service Pack 1


---- User code sections - GMER 1.0.14 ----

.text C:\Windows\system32\lsm.exe[632] ntdll.dll!NtOpenProcess 77A08868 5 Bytes JMP 003B0010
.text C:\Windows\system32\lsm.exe[632] ntdll.dll!NtTerminateProcess 77A09128 5 Bytes JMP 00AE0010
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1112] kernel32.dll!SetUnhandledExceptionFilter 776E6E2D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxsjgtvniq.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxsjgtvniq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxsjgtvniq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxpniwvnoy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxsjgtvniq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxsjgtvniq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxpniwvnoy.dll

---- Files - GMER 1.0.14 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS090E2.log 131072 bytes

---- EOF - GMER 1.0.14 ----

Thanks,
Dan
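
As an added example for readers (my code, not from GMER or from either poster), the Python script below parses the Services and Registry sections of the GMER log above, pairs the hidden service with the files its registry entries point at (the imagepath value and the entries under the service's modules key), normalises the kernel-style \systemroot and \\?\globalroot forms into ordinary paths, and reports which of those files still exist. That is the check behind the next reply's observation that the driver's registry entry remains while its files are gone. The log excerpt is constructed from Dan's post; the service name and file paths come from it, C:\Windows as the SystemRoot is assumed, and the function names are my own.

```python
"""Correlate GMER's hidden-service line with the files its registry entries name.

Added example for this thread; not part of GMER or the forum post. The log
excerpt below is constructed from the GMER log Dan posted.
"""
import os
import re
from dataclasses import dataclass

GMER_LOG = r"""
---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxsjgtvniq.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxsjgtvniq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxsjgtvniq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxpniwvnoy.dll
"""

# "Service <image> (*** hidden ***) [<start>] <name> ..." as GMER prints it (the space before ')' varies).
SERVICE_RE = re.compile(r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* ?\) \[(?P<start>\w+)\] (?P<name>\S+)")
# "Reg <key>@<value> <data>"; lines naming a key without a value have no '@' and are skipped.
REG_RE = re.compile(r"^Reg (?P<key>\S+?)@(?P<value>\S+)(?:\s+(?P<data>.+))?$")
SERVICES_KEY = re.compile(r"\\Services\\(?P<svc>[^\\]+)", re.IGNORECASE)


@dataclass(frozen=True)
class HiddenService:
    name: str    # service key name, e.g. msqpdxserv.sys
    image: str   # image path as GMER printed it
    start: str   # start type shown in brackets, e.g. SYSTEM


def hidden_services(text):
    """Services GMER flagged as hidden from the normal service enumeration."""
    return [HiddenService(m.group("name"), m.group("image"), m.group("start"))
            for m in map(SERVICE_RE.match, text.splitlines()) if m]


def normalize_image_path(data, system_root=r"C:\Windows"):
    """Turn the kernel-style paths GMER prints into Win32 paths; None if the data is not a path."""
    p = data.strip()
    if "\\" not in p:
        return None
    low = p.lower()
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot", "%systemroot%"):
        if low.startswith(prefix):
            return system_root + p[len(prefix):]
    return p


def service_file_artifacts(text, service_name, system_root=r"C:\Windows"):
    """Files referenced by one service's registry entries (imagepath and modules values)."""
    paths = set()
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m or m.group("data") is None:
            continue
        svc = SERVICES_KEY.search(m.group("key"))
        if not svc or svc.group("svc").lower() != service_name.lower():
            continue
        path = normalize_image_path(m.group("data"), system_root)
        if path:
            paths.add(path)
    return paths


def still_present(paths, present_files):
    """Subset of paths that exist, given a set of known files (case-insensitive, for offline use)."""
    known = {p.lower() for p in present_files}
    return sorted(p for p in paths if p.lower() in known)


def still_on_disk(paths):
    """Live variant of still_present, for running on the affected machine."""
    return sorted(p for p in paths if os.path.exists(p))


if __name__ == "__main__":
    for svc in hidden_services(GMER_LOG):
        files = service_file_artifacts(GMER_LOG, svc.name)
        print(f"hidden service {svc.name} (start={svc.start}) references:")
        for f in sorted(files):
            print("  ", f)
        print("still on disk:", still_on_disk(files) or "none")
```

The two-function split (still_present for a known file list, still_on_disk for the live machine) lets the same correlation be checked from a saved log on a clean computer, which matters here because the affected machine is the one whose answers you trust least.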

#11 PropagandaPanda

Posted 03 January 2009 - 02:16 PM

Hello Dan.

Looks like that was deleted. The driver remains. Without its files, however, it can do no harm.

Let's take it over to the Malware Removal forum to finish it off. Start a new topic there. Do not post the log in this topic.

Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Change the Rootkit Scan option from "No" to Yes.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

Link me over there when the topic is posted.

With Regards,
The Panda

#12 dansgalaxy

Posted 03 January 2009 - 03:07 PM

Hi

The output from otscanit2 is below.

I couldn't find how to attach the file on this forum :/

- report removed -

Edited by dansgalaxy, 03 January 2009 - 06:53 PM.


#13 PropagandaPanda

Posted 03 January 2009 - 03:32 PM

Hello dansgalaxy.

Please remove the log from your post above.

Start a new topic in this forum with that log in it.

Post a link to the new topic when it's been created.

Thanks,
The Panda

Edited by PropagandaPanda, 03 January 2009 - 03:33 PM.


#14 dansgalaxy

Posted 03 January 2009 - 07:53 PM

Hi,

Thanks, looks like all clear :thumbsup:

Seem to have got everything that is a concern :D

Dan

#15 PropagandaPanda

Posted 03 January 2009 - 08:10 PM

Hello Dan.

Nevermind my suggestion for OTScanIt. There shouldn't be a need.

Please consider running an online scan.

F-Secure Online Scan
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda




