Google searches redirecting to various search sites in both Firefox and IE


44 replies to this topic. This topic is locked.

#1 coolshop (Members, 24 posts)

Posted 16 May 2010 - 05:53 PM

When clicking on the links from Google searches, I am redirected to various ad sites instead of the proper results.

This happens in both Firefox and IE.

Ran Zonealarm Scan, Superantispyware scan, Spybot Search and Destroy, nothing found.

Turned off javascript, still happens.

Malwarebytes did detect and quarantine 5 things, which I quarantined and deleted, then rebooted, but did not resolve problem.

Malwarebytes log

Files Infected:
C:\Documents and Settings\Alex\Local Settings\Temp\pdfupd.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\337.tmp (Backdoor.Tidserv) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\338.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\16P40YCE\eH670d0fd7V03f01930002R1400e6ed102T2cdedb75Q000002fd901801F0016000aJ0e000601l0409Ka57494883180[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\MR9HWMQJ\update[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

Also ran gooredfix.exe, didn't help.

Would appreciate help!



DDS (Ver_10-03-17.01) - NTFSx86
Run by Alex at 14:44:12.92 on Sun 05/16/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.333 [GMT -4:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\DOCUME~1\Alex\LOCALS~1\Temp\RtkBtMnt.exe
C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
mDefault_Page_URL = hxxp://global.acer.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1208&m=aoa150
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\dtx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ooVoo Toolbar: {a1fb2f9a-d35e-11dd-8935-e46a56d89593} - c:\program files\oovootb\dtx.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {556B32D5-21FA-4A53-95C6-2B8C91903720} = 4.2.2.1,4.2.2.2
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\ngerexv5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\alex\application data\mozilla\firefox\profiles\ngerexv5.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\alex\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-4-25 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-27 528008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-26 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-12-26 96856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-25 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\google\google desktop search\googledesktop.exe" --> c:\program files\google\google desktop search\GoogleDesktop.exe [?]

=============== Created Last 30 ================

2010-05-16 18:42:41 0 ----a-w- c:\documents and settings\alex\defogger_reenable
2010-05-16 17:24:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-05-16 16:43:12 0 d-----w- c:\docume~1\alex\applic~1\Malwarebytes
2010-05-16 16:42:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 16:42:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-16 16:42:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-16 16:42:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 16:07:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-16 16:07:09 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 16:07:08 0 d-----w- c:\docume~1\alex\applic~1\SUPERAntiSpyware.com
2010-04-25 19:21:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK
2010-04-25 18:57:35 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-04-25 16:04:25 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 16:04:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-25 15:51:46 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2010-05-16 17:04:27 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-15 02:22:02 15108 ----a-w- c:\docume~1\alex\applic~1\wklnhst.dat
2010-03-24 23:10:32 72584 ----a-w- c:\windows\zllsputility.exe
2010-03-24 23:10:20 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-06-04 19:03:01 474816 ----a-w- c:\program files\debutsetup.exe
2008-08-15 17:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-12-26 04:44:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat
2009-12-30 18:56:18 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-30 18:56:18 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-30 18:56:18 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:48:38.67 ===============


Attach.txt and ark.txt attached.

Thanks!


#2 Farbar, "Just Curious" (Security Developer, 21,688 posts, Male, The Netherlands)

Posted 18 May 2010 - 07:00 AM

Hi coolshop,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  3. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Close all the open windows.
    • Double-click TDLfix.exe to run the tool.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      mbr
    • A log file will open, please copy and paste it to your reply.


#3 coolshop (Topic Starter, Members, 24 posts)

Posted 19 May 2010 - 09:37 AM

Thank you for your help. Yes, I acknowledge that I should not make any other changes to the computer.

First something important that I noticed. In FIREFOX, if I type www.google.com directly and then search, the redirects do NOT seem to occur. In FIREFOX, if I use the upper right search box in the browser, the redirects DO occur.

In IE, the redirects occur in BOTH cases, whether I type www.google.com directly, or use the upper search box.



Here is the Malwarebytes.log


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4117

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/19/2010 10:18:54 AM
mbam-log-2010-05-19 (10-18-54).txt

Scan type: Quick scan
Objects scanned: 134509
Time elapsed: 14 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






Here is the mbr log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86AE2EE4]<<
kernel: MBR read successfully
user & kernel MBR OK




I await your next instructions.

#4 Farbar, "Just Curious" (Security Developer, 21,688 posts, Male, The Netherlands)

Posted 19 May 2010 - 11:22 AM

  1. Close all the open windows.
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      isapnp
    • The application shall restart the computer immediately and run after restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Run TDLfix.exe after the tool finished, type the following in the open window and press enter:

    mbr

    A log file opens up. Please post the content to your reply.


#5 coolshop (Topic Starter, Members, 24 posts)

Posted 19 May 2010 - 01:04 PM

The computer did reboot after running tdlfix.exe for isapnp.

The log from tdlfix.exe for mbr after the reboot is

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK

Edited by coolshop, 19 May 2010 - 01:05 PM.


#6 Farbar, "Just Curious" (Security Developer, 21,688 posts, Male, The Netherlands)

Posted 19 May 2010 - 01:29 PM

The rootkit is taken care of.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove Java 6 Update 14.
    • Reboot your computer once old Java component is removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Clear the per-user IE proxy (the DDS report showed ProxyServer = http=127.0.0.1:5555)
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Remove the static DNS servers set on the adapter that DDS listed under TCP:
    Reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{556B32D5-21FA-4A53-95C6-2B8C91903720} /v NameServer /f
    REM Remove two startup entries; without /f, reg.exe asks for confirmation before deleting each value
    Reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Alcmtr
    Reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v aim6
    REM Reset the system-wide WinHTTP proxy to direct access
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • A window flashes, it is normal.

  3. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt
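The lines that look.bat above resets (the loopback ProxyServer, the interface NameServer, the Hosts entry and the two Run values) all appear in the DDS "Pseudo HJT Report" posted in #1. As an added example that is not part of the thread and not code from DDS or TDLfix, here is a small triage script that flags those lines in a DDS report; which lines count as findings, and their severities, are this script's own assumptions.

```python
"""Flag browser/network hijack indicators in a DDS 'Pseudo HJT Report'.

Added example, not part of the thread and not code from DDS or TDLfix.
The sample lines are copied from the DDS report in post #1; which lines
count as findings, and their severities, are this script's assumptions.
"""
import re
from ipaddress import ip_address

# Constructed sample: the lines from the thread's DDS report that the
# helper's look.bat later resets, plus a harmless start page for contrast.
SAMPLE_DDS = """\
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
TCP: {556B32D5-21FA-4A53-95C6-2B8C91903720} = 4.2.2.1,4.2.2.2
Hosts: 127.0.0.1 www.spywareinfo.com
mRun: [Alcmtr] ALCMTR.EXE
uRun: [Aim6]
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<val>.+)$")
TCP_RE = re.compile(r"^TCP:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*=\s*(?P<ns>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)$")
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def _is_loopback(addr):
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def _proxy_hosts(value):
    """Yield the host part of each proxy entry.

    The value is either 'host:port' or 'http=host:port;https=host:port'.
    """
    for part in value.split(";"):
        target = part.split("=", 1)[-1]
        yield target.rsplit(":", 1)[0]


def scan_dds(text):
    """Return one finding per suspicious line: kind, severity, detail."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            if any(_is_loopback(h) for h in _proxy_hosts(m["val"])):
                # A proxy on 127.0.0.1 means a local process sits between the
                # browser and the network: the classic search-redirect setup.
                findings.append({"kind": "loopback_proxy", "severity": "high",
                                 "detail": m["val"]})
            continue
        m = TCP_RE.match(line)
        if m:
            # DDS reports this from the interface's NameServer value, the
            # same value look.bat deletes; static resolvers deserve a look.
            findings.append({"kind": "static_dns", "severity": "review",
                             "detail": m["ns"].split(","), "iface": m["guid"]})
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings.append({"kind": "hosts_override", "severity": "high",
                             "detail": f'{m["host"]} -> {m["ip"]}'})
            continue
        m = RUN_RE.match(line)
        if m and "\\" not in m["cmd"]:
            # Empty or bare-name Run values resolve via PATH search or do
            # nothing; both are worth reviewing, as the helper did here.
            findings.append({"kind": "run_bare_name", "severity": "review",
                             "detail": m["name"]})
    return findings


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS):
        print(f'[{f["severity"]}] {f["kind"]}: {f["detail"]}')
```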


#7 coolshop (Topic Starter, Members, 24 posts)

Posted 19 May 2010 - 02:25 PM

FYI the Google redirection is still occurring; it has not been fixed.

I updated the JAVA as instructed.

I created the look.bat as instructed. However, your instructions did not say to actually double click and run the look.bat, but I assumed this instruction was just missing, so I ran it.

It actually prompted me to confirm the deletion of Alcmtr and aim6, which I confirmed yes.

I then ran DDS and am posting the log here.

I will await your next instruction.

Attached file: DDS.txt (13.12KB)


#8 Farbar, "Just Curious" (Security Developer, 21,688 posts, Male, The Netherlands)

Posted 19 May 2010 - 03:36 PM

Please run TDLfix.exe, type mbr and click Enter. Post the log it creates.

#9 coolshop (Topic Starter, Members, 24 posts)

Posted 19 May 2010 - 03:39 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EECEE4]<<
kernel: MBR read successfully
user & kernel MBR OK


#10 Farbar, "Just Curious" (Security Developer, 21,688 posts, Male, The Netherlands)

Posted 19 May 2010 - 03:53 PM

Yes the rootkit is active again.
  1. Please right-click to remove TDLfix and download the latest copy from http://download.bleepingcomputer.com/farbar/TDLfix.exe

  2. Disable ZoneAlarm antivirus real-time protection and make sure you configure it not to run after reboot.

  3. Run TDLfix, type isapnp and press Enter. Let the tool run after reboot.

  4. Reboot once manually as we want to see if the rootkit becomes active again.

  5. Run TDLfix.exe, type mbr and press Enter. Please post the log it makes. You may enable Zonealarm again.


#11 coolshop (Topic Starter, Members, 24 posts)

Posted 19 May 2010 - 04:10 PM

I did the steps that you indicated. Here is the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EE9EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
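The mbr.exe logs in this thread (#3, #5, #9 and #11) all end in "user & kernel MBR OK", yet the helper reads the rootkit's state from the "called modules" line: a chain that ends in ">>UNKNOWN [0x...]<<" instead of atapi.sys / pciide.sys. As an added example that is not part of the thread and not GMER's code, this script parses that log format and turns the chain into a verdict; the set of drivers expected to end the chain is an assumption for an IDE/ATAPI XP system.

```python
"""Classify an mbr.exe (GMER) log by the disk driver call chain it reports.

Added example, not part of the thread or of GMER's tool. The two sample
logs are the ones the thread posted (rootkit active, then after TDLfix);
the set of expected chain-terminating drivers is an assumption.
"""
import re

# Sample logs copied from the thread: first with the rootkit active (#3),
# then after TDLfix replaced isapnp.sys (#5).
LOG_ACTIVE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86AE2EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

LOG_CLEAN = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

# Port/miniport drivers that normally end the chain on an IDE/ATAPI XP
# system (assumption; SCSI or AHCI hosts use different driver names).
EXPECTED_TAIL = {"atapi.sys", "pciide.sys"}


def parse_mbr_log(text):
    """Return the module chain, any unnamed hook addresses, and the MBR status."""
    info = {"modules": [], "unknown": [], "mbr_ok": False}
    for line in text.splitlines():
        if line.startswith("called modules:"):
            body = line.split(":", 1)[1]
            info["unknown"] = UNKNOWN_RE.findall(body)
            # Drop the hook markers so the remaining tokens are driver names.
            info["modules"] = UNKNOWN_RE.sub(" ", body).split()
        elif line.strip() == "user & kernel MBR OK":
            info["mbr_ok"] = True
    return info


def verdict(info):
    """'hooked' if the chain ends in code outside any named driver,
    'clean' if it ends in an expected port driver, else 'inconclusive'.

    The MBR comparison alone is not enough: both sample logs report
    'user & kernel MBR OK', and only one of them is clean.
    """
    if info["unknown"]:
        return "hooked"
    if info["modules"] and info["modules"][-1].lower() in EXPECTED_TAIL:
        return "clean"
    return "inconclusive"


if __name__ == "__main__":
    for name, log in (("active", LOG_ACTIVE), ("clean", LOG_CLEAN)):
        info = parse_mbr_log(log)
        print(name, verdict(info), info["unknown"])
```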




#12 Farbar, "Just Curious" (Security Developer, 21,688 posts, Male, The Netherlands)

Posted 19 May 2010 - 04:32 PM

Let's see what is there.
  1. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      CODE
      :filefind
      isapnp.sys*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  2. Please open GMER, uncheck all the sections except Sections (C: drive should be checked). Please post the log.


#13 coolshop (Topic Starter, Members, 24 posts)

Posted 19 May 2010 - 04:50 PM

I ran systemlook, here is the log

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:35 on 19/05/2010 by Alex (Administrator - Elevation successful)

========== filefind ==========

Searching for "isapnp.sys*"
C:\backup\isapnp.sys --a--- 37248 bytes [17:56 19/05/2010] [03:00 15/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c 37248 bytes [03:00 15/04/2008] [03:00 15/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\drivers\isapnp.sys --a--- 37248 bytes [03:00 15/04/2008] [03:00 15/04/2008] (Unable to calculate MD5)
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys --a--- 37248 bytes [03:00 15/04/2008] [03:00 15/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7

-=End Of File=-


However, I attempted to run gmer but it failed.

It started to run, I noticed one message was something about 'isapnp access denied', and then it got the blue screen of death and rebooted the computer.

*scared!*

I await your next instruction.

Oh, I also realized that I had forgotten to re-enable Zonealarm to restart at reboot, so I hope I wasn't too long with it off. I think there was only one reboot since then.

Are we making progress..?

#14 Farbar, "Just Curious" (Security Developer, 21,688 posts, Male, The Netherlands)

Posted 19 May 2010 - 04:55 PM

Two questions:
Are you sure ZoneAlarm antivirus real-time protection is disabled? It can block the file we want to replace with a good copy, preventing it from being replaced.

Is internet connected when running the tool?



#15 coolshop (Topic Starter, Members, 24 posts)

Posted 19 May 2010 - 04:58 PM

I'm not positive, but I think I re-enabled it once I discovered I had forgotten to re-enable it before.

It may have been active when GMER ran.

You had not mentioned to turn it off. Can you tell me again when to turn it off and then the steps to follow, and when I can turn it on.

I am connected to the network via a wireless network. Should I disable it?



