
Google links get hijacked


12 replies to this topic

#1 anubis_


Posted 20 May 2010 - 05:50 AM

Hi there,

I'm close to a nervous breakdown: for a few days now, Google search results have been getting hijacked to various pages and I can't get rid of it.
I just tried to give you an example of the pages I get redirected to, but funnily the problem does not occur every time.
Edit: I just got one example: hxxp://wshscripting.com/search.php

Another page is: hxxp://coolringtones.com/search.php

These pages always try to run a script located at hxxp://cl1i1lc1ilk.com/mV10fLqd5e5qWUS812a635bc2d1cc71746f4d38bbb30f87a36h

which doesn't start, thanks to the NoScript plugin.
I already scanned with Avira AntiVir and removed about 10 worms/viruses,
scanned with Hitman Pro, which fixed a few things,
scanned with Spybot Search & Destroy, which fixed a few things and immunized both IE and Firefox,
scanned with ComboFix, which finds rootkits each time I run it,
and also did ipconfig /flushdns.
So I'm finally seeking the advice of some more experienced virus hunters.

I used Defogger to deactivate my emulated CD drive,
ran DDS,
and ran GMER; after 3 hours of running it seemed like GMER was trapped in a loop in C:\program files\Common Files\Adobe\Help\...., so I saved a log file of what it had found so far:

The ComboFix rootkit entry:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EF3CEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf786bf28
\Driver\ACPI -> ACPI.sys @ 0xf775ecb8
\Driver\atapi -> atapi.sys @ 0xf76fe852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
SecurityProcedure -> ntoskrnl.exe @ 0x805df529
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
SecurityProcedure -> ntoskrnl.exe @ 0x805df529
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf75c6bd4
PacketIndicateHandler -> NDIS.sys @ 0xf75d2a21
SendHandler -> NDIS.sys @ 0xf75c6d44
user & kernel MBR OK

Several logs of ComboFix, AntiVir, catchme and HijackThis are available on request.

Hope anyone can give some advice.

Cheers Anubis

EDIT: Moved from XP to more appropriate Malware Removal Logs forum ~ Hamluis.


Edited by Orange Blossom, 20 May 2010 - 10:43 PM.
Deactivate links. ~ OB




#2 Farbar


Posted 21 May 2010 - 06:47 PM

Hi Anubis,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous scale and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

  1. Tell me if you still have the redirection problem. If yes, please proceed with the next steps.

  2. Please go to Start -> Run. Copy and paste the bold line in the run box and click OK:

    C:\ComboFix.txt

    If a text file opens up, copy and paste the content to your reply.

  3. Open a notepad (go to Start > Run and type in Notepad)
    Copy/paste the following text inside the code box into a new notepad document.
    CODE
    @echo off
    regedit /e log.txt  "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\perc2hib"
    start log.txt
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it. A log file opens; the log will also be made on the desktop (log.txt). Please attach it to your reply.


#3 anubis_


Posted 22 May 2010 - 02:50 AM

Hi farbar,
first of all thank you very much for your help, I really appreciate it!!!

The redirect problems still exist and I won't make any changes to my system.



Here's the ComboFix content:

ComboFix 10-05-19.01 - m 20/05/2010 8:35.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.726 [GMT 2:00]
Running from: c:\downloadz\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\perc2hib.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-19 16:42 . 2010-05-19 16:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-19 15:28 . 2010-05-19 15:49 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-19 15:28 . 2010-05-19 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-19 15:28 . 2010-05-19 15:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-18 16:03 . 2010-05-18 16:03 -------- d-----w- C:\avrescue
2010-05-18 14:58 . 2010-05-18 14:58 -------- d-----w- c:\documents and settings\m\Application Data\Avira
2010-05-18 14:53 . 2010-03-01 08:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-18 14:53 . 2010-02-16 12:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-18 14:53 . 2009-05-11 10:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-05-18 14:53 . 2009-05-11 10:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-05-18 14:53 . 2010-05-18 14:53 -------- d-----w- c:\program files\Avira
2010-05-18 14:53 . 2010-05-18 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-05-15 15:05 . 2010-05-15 15:05 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-11 10:00 . 2009-12-01 08:52 621944 ----a-w- c:\windows\system32\pskill.exe
2010-05-02 01:48 . 2010-05-02 01:48 -------- d-----w- c:\program files\Guitar Pro 5
2010-04-23 01:25 . 2007-03-18 08:00 69632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8T.DLL
2010-04-23 01:25 . 2007-03-18 08:00 27136 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8T.DLL
2010-04-23 01:25 . 2008-02-05 08:00 216064 ----a-w- c:\windows\system32\CNMLM8T.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 06:32 . 2009-09-02 12:33 -------- d-----w- c:\program files\DivX
2010-05-19 18:24 . 2009-01-02 03:48 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-19 17:47 . 2009-09-19 23:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-19 10:46 . 2009-01-02 11:56 -------- d-----w- c:\documents and settings\m\Application Data\uTorrent
2010-05-19 07:57 . 2009-02-11 02:08 -------- d-----w- c:\documents and settings\m\Application Data\Skype
2010-05-16 20:19 . 2009-09-06 21:37 -------- d-----w- c:\documents and settings\m\Application Data\vlc
2010-05-15 23:17 . 2009-01-02 11:56 -------- d-----w- c:\program files\uTorrent
2010-05-15 17:53 . 2009-01-05 06:07 -------- d-----w- c:\program files\Flv Audio Extractor
2010-05-14 17:21 . 2009-02-04 00:24 -------- d-----w- c:\documents and settings\m\Application Data\dvdcss
2010-05-10 18:54 . 2009-01-01 19:09 92744 ----a-w- c:\documents and settings\m\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 16:26 . 2008-07-08 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-05 22:18 . 2010-04-17 06:49 -------- d-----w- c:\program files\Telecom Connection Manager
2010-04-23 01:26 . 2010-04-23 01:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-04-20 01:55 . 2009-01-02 03:21 -------- d-----w- c:\program files\Look@LAN
2010-04-19 22:10 . 2010-04-19 22:10 -------- d-----w- c:\program files\Sun
2010-04-19 05:32 . 2010-04-11 09:59 -------- d-----w- c:\documents and settings\m\Application Data\Wireshark
2010-04-17 06:49 . 2008-07-08 18:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-15 05:28 . 2010-04-15 05:28 -------- d-----w- c:\program files\WinHTTrack
2010-04-11 09:37 . 2010-04-11 09:37 -------- d-----w- c:\program files\Wireshark
2010-04-11 09:37 . 2010-04-11 09:37 -------- d-----w- c:\program files\WinPcap
2010-04-07 14:50 . 2010-04-14 22:11 1496064 ----a-w- c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\b2srsbhi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-07 14:50 . 2010-04-14 22:11 43008 ----a-w- c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\b2srsbhi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-07 14:50 . 2010-04-14 22:11 338944 ----a-w- c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\b2srsbhi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-07 14:50 . 2010-04-14 22:11 346112 ----a-w- c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\b2srsbhi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-02 02:34 . 2009-02-27 01:51 1820 ----a-w- c:\documents and settings\m\Application Data\wklnhst.dat
2010-03-25 08:06 . 2010-03-25 08:06 99728 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-03-25 08:06 . 2010-04-19 22:12 123856 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-03-25 08:06 . 2010-04-19 22:11 41680 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-03-25 08:06 . 2010-03-25 08:06 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll
2010-03-25 08:06 . 2010-03-25 08:06 110608 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys
2010-03-09 11:09 . 2008-04-15 03:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43 . 2008-04-15 03:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2008-04-15 03:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2008-04-15 03:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-19_17.30.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 18:14 . 2010-05-19 17:13 72134 c:\windows\system32\perfc009.dat
+ 2008-07-08 18:14 . 2010-05-20 06:39 72134 c:\windows\system32\perfc009.dat
+ 2008-07-08 18:14 . 2010-05-20 06:39 443034 c:\windows\system32\perfh009.dat
- 2008-07-08 18:14 . 2010-05-19 17:13 443034 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2009-03-16 91648]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro356.exe" [2010-05-19 5937984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 15:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-03-02 09:28 282792 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-15 03:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-15 03:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-15 03:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-15 03:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 05:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2009-07-12 01:32 5113430 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0082191230837264mcinstcleanup"=2 (0x2)
"SiteAdvisor Service"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MSK80Service"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"IviRegMgr"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Cadence License Manager"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Look@LAN\\LookAtHost.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [20/04/2010 12:12 AM 123856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [20/04/2010 12:11 AM 41680]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 8:19 PM 50704]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [25/03/2010 10:06 AM 99728]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [25/03/2010 10:06 AM 110608]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [10/01/2010 12:30 PM 16512]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [21/05/2008 10:11 AM 96856]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17/04/2010 8:49 AM 7680]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [22/04/2009 11:48 AM 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [22/04/2009 11:48 AM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [22/04/2009 11:48 AM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [22/04/2009 11:48 AM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [22/04/2009 11:48 AM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [22/04/2009 11:48 AM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [22/04/2009 11:48 AM 115752]
S4 0082191230837264mcinstcleanup;McAfee Application Installer Cleanup (0082191230837264);c:\windows\TEMP\008219~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\008219~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [18/05/2010 4:53 PM 135336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/03/2009 2:33 PM 717296]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\b2srsbhi.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\b2srsbhi.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 08:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EF3CEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf786bf28
\Driver\ACPI -> ACPI.sys @ 0xf775ecb8
\Driver\atapi -> atapi.sys @ 0xf76fe852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
SecurityProcedure -> ntoskrnl.exe @ 0x805df529
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
SecurityProcedure -> ntoskrnl.exe @ 0x805df529
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf75c6bd4
PacketIndicateHandler -> NDIS.sys @ 0xf75d2a21
SendHandler -> NDIS.sys @ 0xf75c6d44
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
Completion time: 2010-05-20 08:55:52
ComboFix-quarantined-files.txt 2010-05-20 06:55
ComboFix2.txt 2010-05-19 17:38

Pre-Run: 17,861,050,368 bytes free
Post-Run: 17,822,355,456 bytes free

- - End Of File - - 6E77AAF724C2AF177770F84993039424


I think the rootkits were a misinterpretation by myself...

Just to let you know, I also have a Linux on a USB stick which I can use to delete or scan for viruses (silly me that I didn't come up with this idea earlier, but I'm pretty busy at the moment). As I don't want to waste your time and interfere with your diagnostics, I won't use it till you tell me to.
Thanks again for your time and help.

Attached Files

  • Attached File  log.txt   1.18KB   8 downloads

Edited by anubis_, 22 May 2010 - 02:57 AM.


#4 Farbar


Posted 22 May 2010 - 04:01 AM

The rootkit is not a misinterpretation and I suspect it is still active.
  1. Go to Start > Run, copy and paste the following line in the run box and click OK:

    sc config sptd start= disabled

    A window flashes; that is normal.

  2. Reboot the computer.

  3. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. Please post the content in your reply.

Edited by farbar, 22 May 2010 - 04:26 AM.


#5 anubis_


Posted 22 May 2010 - 04:47 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ED6CEC]<<
kernel: MBR read successfully
user & kernel MBR OK


Can you give me a hint as to what led you to suggest that it's the TDL rootkit?

Edited by anubis_, 22 May 2010 - 05:15 AM.


#6 Farbar


Posted 22 May 2010 - 07:33 AM

QUOTE
Can you give me a hint as to what led you to suggest that it's the TDL rootkit?

Everything: GMER, ComboFix log, Google search redirection and mbr.exe log. In some cases there is a problem with updating Windows too.
  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      perc2hib

    • The application will restart the computer immediately and run after the restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Reboot once manually.

  3. Run TDLfix.exe, type the following in the open window and press enter:

    mbr

    A log file opens up. Please post the content in your reply.


#7 anubis_


Posted 22 May 2010 - 07:45 AM

The computer rebooted and ran to completion.

The log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK

Edited by anubis_, 22 May 2010 - 07:49 AM.
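The three mbr.exe reports in this thread (posts #3, #5 and #7) differ in exactly the fields Farbar names: the ">>UNKNOWN" module in the "called modules" chain and the hook lines. The following triage script is an added example, not code from the thread, from GMER or from TDLfix; it parses that report format and shows, on constructed copies of the three logs, why post #5 still counts as infected even though it ends in "user & kernel MBR OK".

```python
"""Triage helper for mbr.exe ("Stealth MBR rootkit/Mebroot/Sinowal detector") reports.

Added example, not code from the thread, GMER or TDLfix. It flags what Farbar
pointed to: an ">>UNKNOWN [0x...]<<" module in the 'called modules' chain and any
'detected MBR rootkit hooks:' lines. "user & kernel MBR OK" is ignored for the
verdict, since post #5 shows that line on a still-infected machine.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "<object chain> -> <module> @ <address>"; the greedy first group keeps
# multi-step chains such as "IoDeviceObjectType -> DeleteProcedure" intact.
HOOK_RE = re.compile(r"^(.+) -> (\S+) @ (0x[0-9A-Fa-f]+)$")


@dataclass
class MbrReport:
    called_modules: List[str] = field(default_factory=list)   # disk I/O chain
    unknown_module_addr: Optional[str] = None                 # ">>UNKNOWN [..]<<"
    hooks: List[Tuple[str, str, str]] = field(default_factory=list)
    mbr_ok: bool = False


def parse_mbr_report(text: str) -> MbrReport:
    """Pull the triage-relevant fields out of one mbr.exe text report."""
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("called modules:"):
            in_hooks = False
            body = line[len("called modules:"):]
            m = UNKNOWN_RE.search(body)
            if m:                      # an unnamed module sits in the chain
                rep.unknown_module_addr = m.group(1)
                body = UNKNOWN_RE.sub(" ", body)
            rep.called_modules = body.split()
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line == "user & kernel MBR OK":
            in_hooks = False
            rep.mbr_ok = True
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append((m.group(1), m.group(2), m.group(3)))
    return rep


def assess(rep: MbrReport) -> Tuple[str, List[str]]:
    """Return ("suspicious" or "clean", reasons); an intact MBR is not a pass."""
    reasons = []
    if rep.unknown_module_addr:
        reasons.append("unnamed kernel module at %s inside the disk I/O chain"
                       % rep.unknown_module_addr)
    if rep.hooks:
        reasons.append("%d hooked driver entry point(s), first: %s -> %s"
                       % (len(rep.hooks), rep.hooks[0][0], rep.hooks[0][1]))
    return ("suspicious" if reasons else "clean"), reasons


# Constructed samples, reduced from the logs quoted in posts #3, #5 and #7.
REPORT_POST3 = r"""user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EF3CEC]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf786bf28
\Driver\atapi -> atapi.sys @ 0xf76fe852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf75c6bd4
user & kernel MBR OK
"""
REPORT_POST5 = r"""user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ED6CEC]<<
user & kernel MBR OK
"""
REPORT_POST7 = r"""user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
user & kernel MBR OK
"""

if __name__ == "__main__":
    for name, text in (("post #3", REPORT_POST3), ("post #5", REPORT_POST5), ("post #7", REPORT_POST7)):
        verdict, reasons = assess(parse_mbr_report(text))
        print("%s: %s%s" % (name, verdict, "".join("\n  - " + r for r in reasons)))
```

Note that in the clean report the chain continues past hal.dll down to the named port drivers atapi.sys and pciide.sys, whereas in both infected reports it stops at the unnamed module.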


#8 Farbar


Posted 22 May 2010 - 07:56 AM

The rootkit has been taken care of and any search redirection should have stopped now. You may check it.

Let's do some maintenance and preventive measures.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. You may want to keep this small application and use it to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes of Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.

  3. Tell me how your computer is running now.



#9 anubis_


Posted 22 May 2010 - 08:51 AM

Legend!
Looks pretty good so far; I have to keep on surfing for a while, as it didn't occur on each search before.

I'll let you know how my system is running tomorrow.

Thank you very much for your time and the great help!

#10 Farbar


Posted 22 May 2010 - 08:59 AM

You are most welcome.

We are going to round off with properly removing the tools once you have posted back after making sure.

#11 anubis_


Posted 25 May 2010 - 02:36 AM

Again, great job! No hijacking the last two days!

Is it possible to find the dropper file of the rootkit?

#12 Farbar


Posted 25 May 2010 - 03:07 AM

QUOTE
Is it possible to find the dropper file of the rootkit?

If you mean on the PC, no. The dropper deletes itself after infecting the system.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file, mbr.exe and the tool itself.

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. Also remove any tool or log we used from your computer.

Happy Surfing.



#13 Farbar


Posted 30 May 2010 - 05:56 AM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



