
I'm sure I'm infected - Firefox Google


  • This topic is locked
16 replies to this topic

#1 yass

yass

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 22 December 2009 - 04:29 AM

So I'm real sure I'm infected. I click a link off a Google search page, it goes to this URL real fast, blank page - it's just a redir, and sends me back to the Google homepage.

Please help :thumbsup:



EDIT: Moved from XP forum to a more appropriate forum as suggested by hamluis ~ Elise

Edited by elise025, 22 December 2009 - 10:00 AM.



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,257 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:10:20 AM

Posted 22 December 2009 - 09:38 AM

Go to BleepingComputer.com - Am I infected What do I do - http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/, read and follow the administrative procedures posted there.

Louis

#3 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 23 December 2009 - 12:31 AM

Oh sorry about the wrong forum post. Any idea anyone? :thumbsup:

#4 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 23 December 2009 - 02:39 PM

I was able to find out more information on this.
Now randomly new tabs open with ads. The latest ad was this:
http://www.thewebsitesurvey.com/?c=11374&kw=google.com

And whenever I click off of Google it takes me to this site; all of them have the same site icon in the URL bar. The sites so far have been these:
http://jesuschristsuperstar.com/search.php
http://lanetcity.com/search.php
http://leakingbrainfluid.com/search.php
http://marketingdirections.com/search.php
http://rice.com/search.php

Plz help :(
Malwarebytes and SuperAntiSpyware both returned 0 detected after I updated them to the most recent definitions.

Edited by Orange Blossom, 23 December 2009 - 10:49 PM.
Deactivate links. ~ OB


#5 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 26 December 2009 - 02:42 AM

Oh sorry Orange Blossom, I didn't realize I should deactivate.
Anyone have any idea on how to cure this? :thumbsup:

#6 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 27 December 2009 - 09:43 PM

Does anyone know how this person fixed it:
http://www.bleepingcomputer.com/forums/t/265291/infected-with-google-search-redirect-in-firefox/

:thumbsup:

#7 swagger

swagger

  • Members
  • 476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina
  • Local time:10:20 AM

Posted 27 December 2009 - 10:07 PM

Hello yass,

My name is swagger and I'll be assisting you with your computer troubles. You said you ran MBAM as well as SAS and they detected nothing... Would you mind posting the logs anyway? Let's try this as well:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply, please include the following logs:
  • MBAM
  • SAS
  • GMER
Regards,
swagger

#8 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 30 December 2009 - 11:06 PM

Thanks a lot swagger, sorry for the late reply! Got carried away with the holiday. I'll do it momentarily :thumbsup:
Thanks a lot a lot!

#9 swagger

swagger

  • Members
  • 476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina
  • Local time:10:20 AM

Posted 31 December 2009 - 07:00 AM

yass,

No problem at all, I completely understand :flowers: I'll be waiting for those logs :thumbsup:

Regards,
swagger

#10 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 31 December 2009 - 10:28 PM

Thanks very very much for the prompt reply mate! :flowers:

MBAM and SuperAntiSpyware are still reporting 0 :thumbsup:

But the rootkit scan gave me some logs, here it is mate:

When I first ran it I had some programs running in the background, so this quick scan ran and then my computer slowed down like very very bad. I thought I should let it keep going till it recovered its speed, but after 3 hours when I came back it was still impossible to use. But here are the results of the first scan.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2009-12-31 00:02:28
Windows 5.1.2600 Service Pack 2
Running: vbiwpio0.exe; Driver: C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\pgpcykob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8731F618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


So then later that night after a restart I launched it and then ran the full scan and went to sleep lol. I woke up and here are the results :trumpet:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-31 09:03:11
Windows 5.1.2600 Service Pack 2
Running: vbiwpio0.exe; Driver: C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\pgpcykob.sys


---- System - GMER 1.0.15 ----

SSDT 872D1840 ZwConnectPort
SSDT 87016250 ZwOpenProcess
SSDT 870D91F0 ZwOpenThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEC0CF0B0]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73EF3A4]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5D29380, 0x2FF527, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[820] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00B0000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8731F618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001583077df7 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583077df7
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001583077df7 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@C:\Program Files\Nova Development\Art Explosion Publisher Pro\Templates\Calendars\Year on a Page\8\xbdx11 inch\Business Bank.npp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@C:\Program Files\Nova Development\Art Explosion Publisher Pro\Templates\Calendars\Year on a Page\8\xbdx11 inch\Business.npp 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Oh forgot to mention earlier but Merry Christmas!!
And now Happy New Years! :inlove:

Edited by yass, 31 December 2009 - 10:29 PM.

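As an added, defender-side example (this is not code from the thread, from GMER, or from BleepingComputer): a small Python parser that splits a GMER text report into its `---- Section - GMER x.y.z ----` blocks, applies a few triage rules to the line types that appear in the scans above (SSDT entries, kernel code-section anomalies, user-mode inline hooks, hooked device objects, "suspicious modification" file findings), and escalates any driver that is flagged by more than one independent check. The log excerpt embedded below is constructed to mirror the shape of the reports posted in this thread; the severity labels and rule wording are the example's own assumptions, not GMER output.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the GMER reports posted in the thread (not a real capture).
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-31 09:03:11
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT 872D1840 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEC0CF0B0]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73EF3A4]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5D29380, 0x2FF527, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[820] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00B0000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8731F618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
UNATTRIBUTED_SSDT_RE = re.compile(r"SSDT\s+[0-9A-Fa-f]{8}\s+\w+")  # address only, no module path
WIN_PATH_RE = re.compile(r"(?i)[A-Za-z]:\\.*?\.(?:sys|exe|dll)")


@dataclass
class Finding:
    severity: str   # assumed scale for this example: high / medium / low / info
    section: str
    line: str
    reason: str


def parse_sections(text):
    """Group report lines under the GMER section header they appear beneath."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(sections):
    """Apply simple per-section rules; the rules are this example's assumptions."""
    out = []
    for sec, lines in sections.items():
        for line in lines:
            if sec == "Files" and line.endswith("suspicious modification"):
                out.append(Finding("high", sec, line, "on-disk driver reported as modified"))
            elif sec == "Kernel code sections" and 'entry point in ".rsrc" section' in line:
                out.append(Finding("high", sec, line, "PE entry point inside .rsrc, which normally holds data, not code"))
            elif sec == "Kernel code sections" and "section is writeable" in line:
                out.append(Finding("low", sec, line, "writeable code section; compare against a known-good copy of the driver"))
            elif sec == "User code sections" and " JMP " in line:
                out.append(Finding("medium", sec, line, "inline JMP hook in a user-mode API; attribute to a product or treat as suspect"))
            elif sec == "System" and UNATTRIBUTED_SSDT_RE.fullmatch(line):
                out.append(Finding("medium", sec, line, "SSDT entry points to an address GMER could not map to a module"))
            elif sec == "System" and line.startswith("SSDT"):
                out.append(Finding("info", sec, line, "SSDT hook attributed to a named driver"))
            elif sec == "Devices" and line.startswith("Device ->"):
                out.append(Finding("medium", sec, line, "physical disk device object reported as hooked"))
    return out


def correlate(findings):
    """Return file paths that appear in more than one finding (independent checks agreeing)."""
    hits = {}
    for f in findings:
        m = WIN_PATH_RE.search(f.line)
        if m:
            hits[m.group(0).lower()] = hits.get(m.group(0).lower(), 0) + 1
    return sorted(p for p, n in hits.items() if n > 1)


def summarize(text):
    findings = triage(parse_sections(text))
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return {"counts": counts, "escalate": correlate(findings)}


if __name__ == "__main__":
    for f in triage(parse_sections(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print("escalate:", summarize(SAMPLE_LOG)["escalate"])
```

The useful part is the correlation step: a single anomaly (a writeable section, an SSDT entry owned by a security product) is routinely benign, but the same driver being reported both as modified on disk and as having its entry point in the resource section is the kind of agreement between unrelated checks that justifies handing the case to a malware-removal specialist, which is exactly what happens in the thread.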

#11 swagger

swagger

  • Members
  • 476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina
  • Local time:10:20 AM

Posted 01 January 2010 - 11:26 AM

Hello yass,

Happy New Year to you too! :thumbsup:

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

Regards,
swagger

#12 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 01 January 2010 - 08:41 PM

I'm on it swagger. It's a long guide, I'll get it done in just a little bit lol. My computer is a bit slow, I think this backup may take some time. Again, can't thank you guys enough for what you do! :thumbsup:

I have one question. Do I have to run that pseudo HJT log when I already ran the actual thing here?

I'll update you as soon as I post that topic :flowers:

Edited by yass, 01 January 2010 - 08:55 PM.


#13 swagger

swagger

  • Members
  • 476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina
  • Local time:10:20 AM

Posted 01 January 2010 - 09:17 PM

Hello yass,

Yes, please run DDS as it includes more than just a HJT report and will provide more detailed information for the malware removal expert who takes your thread. You're very welcome and good luck! Please let me know when you do create a new thread. Have a good night!

Regards,
swagger

#14 yass

yass
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Local time:08:20 AM

Posted 04 January 2010 - 11:44 AM

Hey swagger, I've been running the backup program but it keeps slowing my computer so much and then crashing. Do you know of a maybe lightweight backup program? :thumbsup:

#15 swagger

swagger

  • Members
  • 476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina
  • Local time:10:20 AM

Posted 04 January 2010 - 12:22 PM

Hey yass,

You might try FBackup. I have not personally used it as I do everything manually but it looks to be pretty good. Let me know if it works out for you!

Regards,
swagger
