
Google result hyperlinks being redirected?


5 replies to this topic

#1 Chris Harmston
  • Members
  • 5 posts

Posted 12 August 2009 - 12:39 PM

Hi everyone, I'll try to make this simple and quick.

To explain the scenario....

Running Windows XP Pro with SP3
Problem is/was with Internet Explorer 8
Problem was diagnosed by myself as SKYNET root-kit.
Running AVG 8.5 paid version.

Every time my boss tried doing a Google search and clicking on a hyperlink he would be redirected to various websites. (Some would make AVG report a virus.)

I ran AVG scanner and came up clean.
Next ran Spybot Search and Destroy. Results showed SKYNET files but did not remove them.
Next ran Malwarebytes. Results showed SKYNET files and removed them.
Next checked IE8 and found problem still existed.
Next ran Sophos Anti-Root-kit, scan found 5 skynet entries. Removed them all and rebooted.
Ran Sophos again and do not have any skynet entries but a lot of others.
I would like to know if I should post any type of log to find out if I am still infected?

Finally I guess I can say I am very comfortable working with PCs; I have good common sense with what to change and not change. I feel quite confident the issue of SKYNET is totally gone, but I would like to be sure I have all types of spyware, rootkits etc. off this PC for my boss.

Thanx again in advance!
Great site with lots of help! :thumbsup:


#2 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,289 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 12 August 2009 - 01:32 PM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


For the Sophos log, go to Start > Run and type or copy/paste: %temp%\sarscan.log
This should open the log from the rootkit scan so you can copy and paste it into your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Chris Harmston
  • Topic Starter
  • Members
  • 5 posts

Posted 12 August 2009 - 04:37 PM

Thanx for taking the time to help me, Quietman7.

Below are both the logs for mbam and sophos.


Malwarebytes' Anti-Malware 1.40
Database version: 2613
Windows 5.1.2600 Service Pack 3

8/12/2009 5:27:32 PM
mbam-log-2009-08-12 (17-27-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190067
Time elapsed: 39 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And now Sophos Anti-Rootkit log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/12/2009 at 13:05:08
User "Fred Mattei" on computer "LFO-TOWER"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008032420080325
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\T4_Internet _T4_ par_Internet_9.0\UninstallerData\Uninstall T4 Internet - T4 par Internet 9.0.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\avg8\temp\7cb7dc1f-b583-4656-9de6-5cf99903d65b.tmp
Hidden: file C:\Documents and Settings\All Users\Application Data\avg8\temp\41e1fce7-e364-45b5-8b7c-c05bc19cd406.tmp
Hidden: file C:\WINDOWS\system32\RmActivate.exe
Hidden: file C:\WINDOWS\system32\SecProc.dll
Hidden: file C:\WINDOWS\system32\SecProc_isv.dll
Hidden: file C:\WINDOWS\system32\msdelta.dll
Hidden: file C:\Program Files\Spybot - Search & Destroy\Plugins\Fennel.dll
Hidden: file C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam-dor.exe
Hidden: file C:\WINDOWS\system32\dllcache\wmploc.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
Hidden: file C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\NlsLexicons0009.dll
Hidden: file C:\Program Files\Microsoft Office\Office12\CRYPTOPP.DLL
Hidden: file C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\ISSetup.dll
Hidden: file C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\atioglx2.dll
Hidden: file C:\WINDOWS\system32\atioglx2.dll
Hidden: file C:\Documents and Settings\Fred Mattei\My Documents\Downloads\sar_15_sfx.exe
Hidden: file C:\WINDOWS\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe
Hidden: file C:\Program Files\Adobe\Adobe Bridge CS3\browser\opera.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\sprb040d.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\sprb0401.dll
Hidden: file C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\atioglx2.dll
Hidden: file C:\Documents and Settings\Fred Mattei\Local Settings\Temp\OnlineScanner\updates\hydrawin\fsecr32.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kperdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\msncli.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipevldpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipseldpc.dll
Hidden: file C:\Program Files\Microsoft Silverlight\3.0.40723.0\npctrl.dll
Hidden: file C:\WINDOWS\$hf_mig$\KB973815\update\update.exe
Hidden: file C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knperdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isendpc.dll
Hidden: file C:\Program Files\ImgBurn\ImgBurn.exe
Hidden: file C:\Program Files\ImgBurn\ImgBurnPreview.exe
Hidden: file C:\Program Files\ImgBurn\uninstall.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\sprb040d.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\sprb0401.dll
Hidden: file C:\WINDOWS\system32\mui\0401\xpsp2res.dll
Hidden: file C:\WINDOWS\system32\mui\040D\xpsp2res.dll
Hidden: file C:\WINDOWS\system32\dpcdll.dll
Hidden: file C:\WINDOWS\system32\dllcache\dpcdll.dll
Hidden: file C:\Program Files\Adobe\Adobe Device Central CS3\Required\Opera\Opera.dll
Hidden: file C:\Program Files\Adobe\Adobe Help Viewer\1.1\MFC71U.DLL
Hidden: file C:\Program Files\eMule\Uninstall.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Updates\advcheck163.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Updates\teatimer166.exe
Hidden: file C:\Program Files\T4_Internet _T4_ par_Internet_9.0\T4 Internet -T4 par Internet.exe
Hidden: file C:\Program Files\Lavasoft\Ad-Aware\pkarchive85u.dll
Hidden: file C:\Program Files\SSC Service Utility\ssc_serv.exe
Hidden: file C:\Program Files\EPSON\PrinterDriverTemp\SPR200\EPUPDATE.EXE
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\EPUPDATE.EXE
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_photo_r2c5c0\EPUPDATE.EXE
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\3\EPUPDATE.EXE
Hidden: file C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Hidden: file C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Hidden: file C:\WINDOWS\Downloaded Program Files\CONFLICT.2\FP_AX_CAB_INSTALLER.exe
Info: Starting disk scan of E: (NTFS).
Info: Starting disk scan of F: (NTFS).
Hidden: file F:\2008_02_28_17_00_03_439F2.TIB
Stopped logging on 8/12/2009 at 13:40:17


I hope this info is what you need. It's this Sophos log that has me concerned.

Thanx again and look forward to hearing from ya!
Chris

#4 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,289 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 13 August 2009 - 06:37 AM

It's this sophos log that has me concerned

Appears all the SKYNET entries were successfully removed. As for other entries in that log, you need to keep in mind that not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?
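Triaging an ARK listing by hand is tedious, so here is an added example (written for this thread; it is not Sophos' tooling and not code posted by anyone above) that parses a sarscan.log-style listing like the one in post #3 and sorts every "Hidden:" entry into "expected" (Windows service pack and driver caches, the File Protection dllcache, installer caches, Program Files) or "review" (user profile directories, system32 outside those caches, other drives, and every hidden registry value). The location categories are this example's own assumption of where hidden-looking files are routinely found on a patched XP system, not a vendor whitelist; a "review" verdict means check the item's origin, not that it is malicious, which is exactly quietman7's point about legitimate software showing up as hidden. The sample lines are a constructed subset copied verbatim from the log above.

```python
"""Triage a Sophos Anti-Rootkit (sarscan.log) listing.

Added example for this thread; not Sophos' own tooling.  The location
categories below are this example's assumption of where hidden-looking
files are routinely found on a patched XP system, not a vendor whitelist.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the sarscan.log posted in
# this thread, kept verbatim so the parser runs against the real format.
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/12/2009 at 13:05:08
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kperdpc.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll
Hidden: file C:\WINDOWS\system32\dllcache\wmploc.dll
Hidden: file C:\Program Files\ImgBurn\ImgBurn.exe
Hidden: file C:\Documents and Settings\Fred Mattei\Local Settings\Temp\OnlineScanner\updates\hydrawin\fsecr32.dll
Hidden: file C:\WINDOWS\system32\atioglx2.dll
Info: Starting disk scan of F: (NTFS).
Hidden: file F:\2008_02_28_17_00_03_439F2.TIB
Stopped logging on 8/12/2009 at 13:40:17
"""

HIDDEN_RE = re.compile(r"^Hidden: (registry item|file) (.+)$")
SCAN_RE = re.compile(r"^Info: Starting disk scan of ([A-Z]:)")

# Assumed "expected" locations (lower-cased path prefix -> label).  Windows
# keeps copies of system binaries here for File Protection, service pack
# rollback, driver rollback and hotfix migration; installers keep caches too.
EXPECTED_PREFIXES = [
    ("c:\\windows\\servicepackfiles\\", "service pack file cache"),
    ("c:\\windows\\$ntservicepackuninstall$\\", "service pack uninstall backup"),
    ("c:\\windows\\system32\\dllcache\\", "Windows File Protection cache"),
    ("c:\\windows\\system32\\reinstallbackups\\", "driver reinstall backup"),
    ("c:\\windows\\$hf_mig$\\", "hotfix migration store"),
    ("c:\\windows\\installer\\", "Windows Installer cache"),
    ("c:\\program files\\", "installed application directory"),
]


def classify_file(path):
    """Return (verdict, reason) for one hidden file path."""
    lowered = path.lower()
    for prefix, label in EXPECTED_PREFIXES:
        if lowered.startswith(prefix):
            return "expected", label
    if lowered.startswith("c:\\documents and settings\\"):
        return "review", "user profile path (Temp, Downloads, Application Data)"
    if lowered.startswith("c:\\windows\\"):
        return "review", "Windows directory outside the known caches"
    return "review", "non-system drive or unknown location"


def parse_hidden(log_text):
    """Yield (kind, target) for every 'Hidden:' line; kind is 'registry item' or 'file'."""
    for line in log_text.splitlines():
        match = HIDDEN_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def scan_completed(log_text):
    """True only if both start and stop markers exist; a truncated log is not evidence of a clean system."""
    return "Started logging" in log_text and "Stopped logging" in log_text


def drives_scanned(log_text):
    """Drive letters the disk scan actually covered, in log order."""
    return [m.group(1) for m in (SCAN_RE.match(line.strip()) for line in log_text.splitlines()) if m]


def triage(log_text):
    """Bucket every hidden item into 'expected' or 'review', each with a reason."""
    report = {"expected": [], "review": []}
    for kind, target in parse_hidden(log_text):
        if kind == "registry item":
            verdict, reason = "review", "hidden registry value"
        else:
            verdict, reason = classify_file(target)
        report[verdict].append((target, reason))
    return report


def reason_counts(report):
    """How many items landed under each reason, for a quick overview."""
    return Counter(reason for bucket in report.values() for _, reason in bucket)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("scan completed:", scan_completed(SAMPLE_LOG), "drives:", drives_scanned(SAMPLE_LOG))
    for verdict in ("review", "expected"):
        print(f"\n[{verdict}] {len(rep[verdict])} item(s)")
        for target, reason in rep[verdict]:
            print(f"  {reason:55} {target}")
```

Run it against a saved sarscan.log by replacing SAMPLE_LOG with the file's contents; the "review" bucket is the short list worth looking at (where the file came from, whether the vendor is known, whether the scan ran to completion), while the "expected" bucket is the noise that backup and cache directories generate on any patched system.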

#5 Chris Harmston
  • Topic Starter
  • Members
  • 5 posts

Posted 13 August 2009 - 12:53 PM

I have been running the PC all morning and so far everything is running 100% normal. No more redirects and no more pop-ups about viruses. I really appreciate the time you took to help me out! I must say this forum has been a great help! I'll be sure to recommend this site to others I know.

Quietman7 ... THX a lot for the help!

Chris

#6 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,289 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 13 August 2009 - 03:56 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.
