
Google Redirect and Random Tab opening


  • This topic is locked
2 replies to this topic

#1 123wizard

123wizard

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 20 April 2010 - 07:45 PM

I was told to make a new topic so here is my original issue.

"I recently installed Windows 7 (about 1 month ago), and now Firefox decides to randomly visit URLs, like monstermarketplace or something. The weird thing is that I think they are taking things I type into Google and using them in other sites that pop up. I tried changing my web browser, but nothing helped. I'm somewhat of a noob when it comes to security because I never had serious problems like this. Also, this doesn't occur on any other comp in my house, so it's probably not my router. And I really want to stray away from reinstalling a brand new copy. Please help guys.

-cyborg129"

Also, for reference, here is the old topic.
http://www.bleepingcomputer.com/forums/t/311119/random-tabs-opening-on-firefox/

I would love if someone could help me out as soon as possible.

Here's the GMER Log after defrogger.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 20:35:24
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\OWNER~1\AppData\Local\Temp\ufkiiuow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E373F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E371DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E376F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E37F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E381A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A50579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A74F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 95A28C9D 28 Bytes [9E, 17, 74, F6, AC, 4D, 74, ...]
.text peauth.sys 95A28CC1 28 Bytes [9E, 17, 74, F6, AC, 4D, 74, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[872] ntdll.dll!NtProtectVirtualMemory 77B85360 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[872] ntdll.dll!NtWriteVirtualMemory 77B85EE0 5 Bytes JMP 0019000A
.text C:\Windows\system32\svchost.exe[872] ntdll.dll!KiUserExceptionDispatcher 77B86448 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[872] ole32.dll!CoCreateInstance 779657FC 5 Bytes JMP 00C0000A
.text C:\Windows\system32\svchost.exe[872] USER32.dll!GetCursorPos 7775C198 5 Bytes JMP 00C1000A
.text C:\Windows\Explorer.EXE[1444] ntdll.dll!NtProtectVirtualMemory 77B85360 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1444] ntdll.dll!NtWriteVirtualMemory 77B85EE0 5 Bytes JMP 001C000A
.text C:\Windows\Explorer.EXE[1444] ntdll.dll!KiUserExceptionDispatcher 77B86448 5 Bytes JMP 001A000A
.text C:\Program Files\Opera\opera.exe[2728] ntdll.dll!NtProtectVirtualMemory 77B85360 5 Bytes JMP 000A000A
.text C:\Program Files\Opera\opera.exe[2728] ntdll.dll!NtWriteVirtualMemory 77B85EE0 5 Bytes JMP 001B000A
.text C:\Program Files\Opera\opera.exe[2728] ntdll.dll!KiUserExceptionDispatcher 77B86448 5 Bytes JMP 0009000A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[2732] kernel32.dll!SetUnhandledExceptionFilter 76633142 5 Bytes JMP 680C52B8 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 857DAAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAB 0x28 0xF4 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDC 0x93 0x2F 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x2E 0x2B 0xF0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x29 0xDD 0x52 0xEC ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAB 0x28 0xF4 0x04 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDC 0x93 0x2F 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x2E 0x2B 0xF0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x29 0xDD 0x52 0xEC ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3071815854-1593722977-1082220530-1002@RefCount 4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

________________________________________________________________________________

I was told that this may mean I have a rootkit.
"File C:\Windows\system32\drivers\atapi.sys suspicious modification"

Edited by 123wizard, 20 April 2010 - 08:02 PM.
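An added example, not part of the original thread or of GMER itself: a small Python triage script run over an excerpt of the log above (with the backslashes the page extraction dropped put back), showing what a responder actually pulls out of output like this. It flags the inline hooks in svchost.exe, Explorer.EXE and opera.exe whose JMP targets carry no module name (GMER prints the owning module after the target when the destination lies inside a loaded image, as on the WINWORD.EXE/mso.dll line, so a bare low address like 0017000A means the hook lands in memory not backed by any file on disk), the `\Device\Harddisk0\DR0` device object under `\Driver\atapi` redirected to an unattributed kernel address, and the `atapi.sys suspicious modification` verdict. It also labels the `sptd` registry entries as expected noise from the SPTD driver that DAEMON Tools installs, which the `@p0` value itself points at. The regular expressions, finding names and the "unbacked hook" rule are my own heuristics, not GMER's documented format.

```python
import re
from collections import defaultdict

# Constructed excerpt of the GMER log posted above, backslashes restored.
# Only the lines the triage rules inspect are kept.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[872] ntdll.dll!NtProtectVirtualMemory 77B85360 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[872] ole32.dll!CoCreateInstance 779657FC 5 Bytes JMP 00C0000A
.text C:\Windows\Explorer.EXE[1444] ntdll.dll!NtWriteVirtualMemory 77B85EE0 5 Bytes JMP 001C000A
.text C:\Program Files\Opera\opera.exe[2728] ntdll.dll!NtProtectVirtualMemory 77B85360 5 Bytes JMP 000A000A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[2732] kernel32.dll!SetUnhandledExceptionFilter 76633142 5 Bytes JMP 680C52B8 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 857DAAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3071815854-1593722977-1082220530-1002@RefCount 4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Section banners look like "---- <name> - GMER 1.0.15 ----".
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")

# User-mode inline hook: process[pid], module!export, address, size, JMP target,
# then (only when GMER can attribute the target) the owning module and vendor.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<export>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})(?P<rest>.*)$"
)

# "Device -> \Driver\X \Device\Y <addr>": device object redirected to a bare address.
DEVICE_HOOK_RE = re.compile(
    r"^Device -> (?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-F]{8})"
)

FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<verdict>suspicious modification)\s*$")


def parse_gmer(text):
    """Split a GMER log into {section name: [non-blank lines]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
            continue
        if current and line.strip():
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (kind, ...) findings a responder would look at first."""
    sections = parse_gmer(text)
    findings = []

    for line in sections.get("User code sections", []):
        m = HOOK_RE.match(line)
        if not m:
            continue
        if m.group("rest").strip():
            # Target attributed to a named module (e.g. Office hooking itself): low priority.
            continue
        findings.append(("unbacked_user_hook", m.group("process"), m.group("export"), m.group("target")))

    for line in sections.get("Devices", []):
        m = DEVICE_HOOK_RE.match(line)
        if m:
            findings.append(("device_hook", m.group("driver"), m.group("device"), m.group("addr")))

    for line in sections.get("Files", []):
        m = FILE_RE.match(line)
        if m:
            findings.append(("modified_file", m.group("path"), m.group("verdict")))

    for line in sections.get("Registry", []):
        # Hidden sptd\Cfg keys are the SPTD driver shipped with DAEMON Tools; expected noise.
        if "\\services\\sptd\\" in line:
            findings.append(("known_benign_sptd", line.split()[1]))
            break

    return findings


def unbacked_hook_processes(findings):
    """Distinct processes carrying hooks into memory GMER could not attribute."""
    return sorted({f[1] for f in findings if f[0] == "unbacked_user_hook"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

On the real log the same rules also pick up the remaining ntdll hooks in all three processes; the WINWORD.EXE entry is the only user-mode hook that resolves to a module, which is why it is the only one the script leaves alone.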




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:07 PM

Posted 25 April 2010 - 06:50 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:07 PM

Posted 30 April 2010 - 06:52 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
