Infected with search engine redirection malware


  • This topic is locked
24 replies to this topic

#1 brianw23 (Members, 13 posts)

Posted 24 May 2010 - 08:14 AM

I seem to be infected with this nasty bug.
I have tried a few experiments and this is what I have found:
-The redirects occur in google, yahoo and bing searches. I did not try any other search engines.
-I normally use Google Chrome on a Vista machine, and I have tried Opera, IE and Safari all on the same computer with the same redirection results.
-I have noticed that usually the first one or two clicks (sometimes more) on search results will take me to the correct page. After that it seems to always redirect.
-I was recently (within the last 1 1/2 to 2 weeks) infected with Win32/Alureon.BP and Win32/Alureon.CO, whether these could have any effect, I do not know. I was able to remove them from my system using Microsoft Security Essentials (my current firewall and AV) and MalwareBytes' Anti-Malware.
-My Google account has been 'temporarily disabled'. I do not know why. I do not spam, or anything else that would violate Google's Terms of Service. Again, if this could be a result of data (username and password) hijacking from either the Alureon virus or this redirect virus, I don't know. I am awaiting a response from Google at this time.
-I have been getting occasional Host Process errors for the last few days. Seems to have started at the same time this issue started if I recall correctly. The actual message I am receiving is:

Host Process for Windows Services stopped working and was closed

A problem caused the application to stop working correctly.
Windows will notify you if a solution is available.


-At the same time the Host Process error started occurring my system blue screened and when I rebooted, Chrome had lost all of my extensions. I was able to replace them all, but now occasionally Chrome will crash. Again, I have no idea if any of this is related. Having all occurred within the same time-frame I thought it best to mention it.
-When I click on a search result, multiple domain names will appear in the address bar before finally settling on one.
-Clicking on search result links that lead to Google.com or Yahoo.com pages do not seem to redirect (mail.google.com; news.yahoo.com, etc).
-I have run an MSE virus scan, an Anti-Malware scan and a Spybot S&D scan. Nothing was found.
-Based on some online research (which was not easy having no search abilities) I found that the following registry key was blank:
HKLM\System\CurrentControlSet\Services\tcpip\Parameters\NameServer
I assume that this field should have my primary DNS server listed??

Wow. I think that is everything. Sorry for being so long-winded but I wanted to be as complete as possible. I'm dying without my Google fix. I am posting my DDS.txt file below and attaching my Attach.txt and Ark.txt files.
Thanks for any and all help with this.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Daddy at 0:14:31.10 on Mon 05/24/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.1755 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\USB Safely Remove\USBSRService.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SolarWinds\ipMonitor\ipmrptsrv9.exe
C:\Program Files\Google\Update\1.2.183.27\GoogleCrashHandler.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\NLSSRV32.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Replay TV\WiRNS\WiRNS.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Gemstar\eBook USB Driver\TrayEBU.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\UI0Detect.exe
C:\Users\Daddy\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Daddy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Daddy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15187&l=dis
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: PandoraTV Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Google Update] "c:\users\daddy\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [<NO NAME>]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ebooku~1.lnk - c:\program files\gemstar\ebook usb driver\TrayEBU.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Subscribe in RSS Bandit - c:\users\daddy\appdata\roaming\rssbandit\iecontext_subscribebandit.htm
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: google.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 65.32.5.111
TCP: {B1C57204-5091-4C47-8EED-2FA742EAA100} = 65.32.5.111,65.32.5.112

================= FIREFOX ===================

FF - ProfilePath - c:\users\daddy\appdata\roaming\mozilla\firefox\profiles\x8dmkm1b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15187&l=dis
FF - prefs.js: keyword.URL -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-3-26 38976]
R2 ipMonitorRpt;ipMonitorRpt;c:\program files\solarwinds\ipmonitor\ipmrptsrv9.exe [2007-10-19 475136]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2009-12-16 65856]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb safely remove\USBSRService.exe [2010-1-9 213776]
R2 WiRNS.exe;WiRNS;c:\program files\replay tv\wirns\WiRNS.exe [2009-9-3 143360]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-8-31 84832]
S3 eBook;eBook;c:\windows\system32\drivers\eBook.sys [2009-7-22 10559]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 ipMonitorSrv;ipMonitorSrv;c:\program files\solarwinds\ipmonitor\ipmservice9.exe [2008-1-4 990720]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-9-9 20640]
S3 SolarWinds Discovery Service;SolarWinds Discovery Service;c:\program files\solarwinds\ipmonitor\SWDiscoveryEngine12.exe [2007-10-2 122880]

============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2010-05-22 15:13:27 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-22 15:13:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-22 03:21:46 0 d-----w- c:\users\daddy\appdata\roaming\IrfanView
2010-05-22 03:21:45 0 d-----w- c:\program files\IrfanView
2010-05-18 02:32:33 0 d-----w- c:\users\daddy\appdata\roaming\Malwarebytes
2010-05-18 02:32:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 02:32:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-18 02:32:14 0 d-----w- c:\programdata\Malwarebytes
2010-05-18 02:32:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 14:39:33 0 d-----w- c:\program files\4Musics MP3 Bitrate Changer
2010-05-17 14:19:16 0 d-----w- c:\programdata\Pianosoft
2010-05-15 16:14:34 0 d-----w- c:\temp\nds
2010-05-15 02:27:36 0 d-----w- c:\users\daddy\appdata\roaming\Comical
2010-05-15 02:06:46 0 d-----w- c:\program files\Autoruns
2010-05-12 05:50:46 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 17:34:40 0 d-----w- c:\program files\Seagate
2010-05-10 16:10:57 81920 ----a-w- C:\RTVPatch_2.5.3.exe
2010-05-09 01:39:32 0 d-----w- c:\users\daddy\appdata\roaming\TreeDBNotes 3
2010-05-09 01:39:28 0 d-----w- c:\program files\TreeDBNotes 3
2010-05-07 19:57:54 0 d-----w- c:\temp\ebooks
2010-05-04 19:15:19 0 d-----w- c:\temp\Facebook Music
2010-05-03 18:22:52 0 d-----w- c:\temp\keylogger1
2010-05-02 05:39:35 0 d-----w- c:\temp\gmailfs
2010-04-30 21:22:48 3120 ----a-w- c:\windows\tirf44.dat
2010-04-30 21:21:06 0 d-----w- c:\programdata\SolarWinds
2010-04-30 21:21:06 0 d-----w- c:\program files\SolarWinds
2010-04-30 15:00:21 0 d-----w- c:\users\daddy\appdata\roaming\SharePod
2010-04-30 13:38:00 0 d-----w- c:\program files\YAMiPod
2010-04-29 22:18:27 0 d-----w- c:\program files\MediaMonkey
2010-04-29 22:16:04 0 d-----w- c:\program files\SharePod
2010-04-29 21:58:34 0 d-----w- c:\program files\Floola
2010-04-29 13:30:22 0 d-----w- c:\program files\Zamzom
2010-04-29 13:28:22 0 d-----w- c:\program files\Network Info 1.5
2010-04-27 18:41:28 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-26 22:57:07 0 d-----w- c:\users\daddy\.gimp-2.6
2010-04-26 22:56:29 0 d-----w- c:\program files\GIMP-2.0
2010-04-24 14:47:21 0 d-----w- c:\users\daddy\Calibre Library
2010-04-24 14:47:17 0 d-----w- c:\users\daddy\appdata\roaming\calibre
2010-04-24 14:44:13 0 d-----w- c:\program files\Calibre2

==================== Find3M ====================

2010-05-22 16:58:45 236592 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 14:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-23 16:53:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-18 12:42:38 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-18 12:42:38 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-18 12:42:38 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-09 15:20:33 72200 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2010-04-08 03:31:32 174 --sha-w- c:\program files\desktop.ini
2010-03-26 04:33:48 720896 ----a-w- c:\windows\iun6002.exe
2010-03-26 04:15:13 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2010-03-20 05:10:17 109360 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 08:19:16 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-05 12:22:26 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-21 02:48:40 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-09-11 20:49:39 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-11 20:49:39 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-09-11 20:49:39 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-11-13 10:24:37 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 0:15:48.10 ===============
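The DNS question in the post above (whether Tcpip\Parameters\NameServer should hold the primary resolver) deserves a proper check, because a search-engine redirect that survives a browser change and follows an Alureon infection is a classic symptom of altered resolvers. On a DHCP-configured client the global NameServer value is normally empty; the servers actually in use live under each interface key in DhcpNameServer, and a static NameServer there overrides them. The PowerShell script below is an added example, not part of the thread and not something DDS does: it reads the global and per-interface resolver settings from the registry, separates static entries from DHCP-assigned ones, and scans the hosts file for overrides of the search engines the post names. The `$expected` list and the `$pattern` of sites to watch are assumptions to adjust for your own network; the DDS log's "TCP: NameServer" lines give you the values to compare against.

```powershell
# Added example for this thread; not from the original post or from DDS.
# Reports where Windows gets its DNS resolvers from and flags anything that
# was not handed out by DHCP. Read-only; works from a normal user session.

# ASSUMPTION: resolvers you know to be legitimate (router, ISP, or your own).
$expected = @('192.168.1.1')

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Split-Servers([string]$s) {
    # NameServer data is a space- or comma-separated list and may be empty.
    if ([string]::IsNullOrEmpty($s)) { return @() }
    return @($s -split '[ ,]+' | Where-Object { $_ })
}

$findings = @()

# 1. Global values (when set, they apply to every interface)
$g = Get-ItemProperty -Path $base
Write-Output ("Global NameServer : '{0}'" -f $g.NameServer)
foreach ($srv in @(Split-Servers $g.NameServer)) {
    if ($expected -notcontains $srv) {
        $findings += "global static resolver $srv is not in the expected list"
    }
}

# 2. Per-interface values: static NameServer versus DHCP-supplied DhcpNameServer
foreach ($iface in Get-ChildItem -Path "$base\Interfaces") {
    $p      = Get-ItemProperty -Path $iface.PSPath
    $static = @(Split-Servers $p.NameServer)
    $dhcp   = @(Split-Servers $p.DhcpNameServer)
    if ($static.Count -eq 0 -and $dhcp.Count -eq 0) { continue }   # interface without resolvers
    $id = $iface.PSChildName
    Write-Output ("{0}`n  static : {1}`n  dhcp   : {2}" -f $id, ($static -join ','), ($dhcp -join ','))
    foreach ($srv in $static) {
        if ($expected -notcontains $srv) {
            $findings += "interface ${id}: static resolver $srv overrides DHCP-assigned ($($dhcp -join ','))"
        }
    }
}

# 3. hosts file overrides for the search engines named in the post
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = 'google\.com|yahoo\.com|bing\.com'   # ASSUMPTION: sites to watch
foreach ($line in @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -notmatch '^\s*#' -and $line -match $pattern) {
        $findings += "hosts file entry: $line"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No unexpected resolver or hosts-file entries found.'
} else {
    Write-Output 'FINDINGS:'
    foreach ($f in $findings) { Write-Output "  $f" }
}
```

A static resolver on an interface that also received DHCP servers is the pattern a DNS-changer leaves behind; an empty global NameServer on its own is normal and not a finding.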


#2 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 24 May 2010 - 08:59 AM

Hi brianw23,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  2. We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Windows Defender.
    • Open Windows Defender.
    • Click on Tools, Options.
    • At the bottom of the Windows Defender's page, under Administrator Options uncheck "use Windows Defender" and then Save.
    • Click Close.

    Note: When everything is done and your log is clean again, you can enable it again.

  3. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. Please post its content in your reply.


#3 brianw23 (Topic Starter, 13 posts)

Posted 24 May 2010 - 09:20 AM

Hi, I'll be happy to do anything you need to fix this problem.

When I try to open Windows Defender through Control Panel I get the following message:
Windows Defender is turned off by Group Policy.

I have downloaded the files, but wanted to make sure the above message is ok and should I continue with your above instructions?



#4 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 24 May 2010 - 09:37 AM

Windows Defender has a startup entry but indeed is not running. It could be the work of malware. We have to take care of it later on if it didn't run, but for now we need it to be disabled for sure.


Use Windows key+R to bring up the Run box. Type in msconfig and click OK.
Under Startup tab uncheck the box next to Windows Defender.
Click Apply and Close. Click "Exit Without Restart".

I have mentioned double-clicking TDLfix. Please right-click it instead to "Run as administrator".

#5 brianw23 (Topic Starter, 13 posts)

Posted 24 May 2010 - 09:49 AM

OK,
Windows Defender has been disabled through msconfig.

Output from TDLfix:

---

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86EE9CEC]<<
kernel: MBR read successfully
user & kernel MBR OK


---

Now another Host Process error has occurred. Should I ignore it or click on close?


#6 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 24 May 2010 - 09:56 AM

Close those errors for now.
  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. It may otherwise interfere with the tool. (Information on A/V control HERE)
    • Right-click TDLfix.exe to run the tool as administrator, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      i8042prt

    • The application will restart the computer immediately and run again after the restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Reboot once manually. Then run TDLfix again with mbr command and post the log.


#7 brianw23 (Topic Starter, 13 posts)

Posted 24 May 2010 - 10:13 AM

All security software has been disabled.
Process worked fine and ran through to the end.
Rebooted and here is the output from TDLfix:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys tcpip.sys NETIO.SYS dxgkrnl.sys atikmdag.sys
kernel: MBR read successfully
user & kernel MBR OK


#8 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 24 May 2010 - 10:25 AM

The rootkit is taken care of.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, which are thus best used with great care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. Enable your security programs. Wait on enabling Windows Defender until the next round.

  2. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Uninstall the following via Add/Remove features in control panel:
    Java™ 6 Update 7

  3. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.

  4. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
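Step 2 above identifies the stale Java 6 Update 7 from the jinstall-1_6_0_07 DPF entry in the DDS log; each Java update is installed side by side and the old runtime stays exploitable until it is uninstalled. The PowerShell script below is an added example, not part of the thread, that makes the same check from the Uninstall registry keys: it lists every installed Java runtime, keeps the newest, and reports the older ones with their uninstall commands so nothing is guessed from a browser log. The DisplayName pattern matches the Sun-era "Java(TM) 6 Update N" naming and is an assumption you may need to extend for other vendors or versions.

```powershell
# Added example for this thread, not from the original post.
# Lists installed Java runtimes from the Uninstall keys and flags every
# version older than the newest one present. Read-only; it only prints the
# UninstallString for you to act on.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # present on 64-bit hosts only
)

function Get-InstalledJava {
    $found = @()
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            # ASSUMPTION: Sun-era naming such as "Java(TM) 6 Update 20" or "Java 6 Update 7"
            if ($p.DisplayName -match '^Java(\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
                $found += New-Object PSObject -Property @{
                    Name      = $p.DisplayName
                    Major     = [int]$matches[2]
                    Update    = [int]$matches[3]
                    Uninstall = $p.UninstallString
                }
            }
        }
    }
    return $found
}

# Newest first: major version, then update number
$java = @(Get-InstalledJava | Sort-Object Major, Update -Descending)
if ($java.Count -eq 0) {
    Write-Output 'No Java runtime found in the Uninstall keys.'
    return
}

$newest = $java[0]
Write-Output ("Keep   : {0}" -f $newest.Name)
foreach ($j in $java | Select-Object -Skip 1) {
    Write-Output ("REMOVE : {0}" -f $j.Name)
    Write-Output ("         {0}" -f $j.Uninstall)
}
```

Run it after the uninstall as well: a single "Keep" line and no "REMOVE" lines is the state you want before re-enabling the browser plug-in.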


#9 brianw23 (Topic Starter, 13 posts)

Posted 24 May 2010 - 11:00 AM

Great!!

OK, MSE restarted, waiting on restart of Windows Defender.
CCleaner downloaded and run.
MBAM updated and scanned - nothing found

MBAM Log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4138

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/24/2010 11:54:53 AM
mbam-log-2010-05-24 (11-54-53).txt

Scan type: Quick scan
Objects scanned: 134580
Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 24 May 2010 - 11:08 AM

Please tell me how the computer is running and if you get any errors.

Let's take a look at Windows Defender. Please use msconfig, but this time put a checkmark beside the box next to Windows Defender.

Reboot the computer, go to Control Panel and open Windows Defender to see if you still get the same error.

#11 brianw23 (Topic Starter, 13 posts)

Posted 24 May 2010 - 11:21 AM

I have not run into any errors.
I re-enabled the startup of Windows Defender in msconfig, but I still get the same message when trying to start it via Control Panel:

'Windows Defender is turned off by Group Policy'


#12 brianw23 (Topic Starter, 13 posts)

Posted 24 May 2010 - 11:58 AM

I, of course, have not made any changes other than what you have advised.
However, I did notice that the registry key
HKLM\Software\Policies\Microsoft\Windows Defender
has a value set to 1, if that helps or means anything.


#13 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 24 May 2010 - 12:02 PM

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


CODE
@ECHO OFF
reg query hklm\software\policies\microsoft >log.txt
regedit c:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
if exist c:\look.txt type look.txt >>log.txt
START log.txt
if exist c:\look.txt del c:\look.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop.
  • Right-click to run it as administrator.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.


#14 brianw23 (Topic Starter, 13 posts)

Posted 24 May 2010 - 12:16 PM

I received two errors when I ran the batch file:

Cannot import c:\look.txt: Error opening file. There may be a disk or file system error.

Cannot import HKLM\Software\Policies\Microsoft\Windows Defender: Error opening file. There may be a disk or file system error.

I clicked OK on both and got the following output in the log.txt file:



HKEY_LOCAL_MACHINE\software\policies\microsoft\Cryptography
HKEY_LOCAL_MACHINE\software\policies\microsoft\Peernet
HKEY_LOCAL_MACHINE\software\policies\microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows
HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows Defender
HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows NT


#15 Farbar (Security Developer, 21,706 posts, The Netherlands)

Posted 24 May 2010 - 12:22 PM

There was a mistake in the syntax.

Please try this one:

QUOTE
@echo off
regedit /e log.txt "HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows Defender"
start log.txt
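On the policy lock-out discussed in posts #11 to #15: the message "Windows Defender is turned off by Group Policy" comes from a policy value under the key the batch file above exports, and on a home machine that is not joined to a domain nothing legitimate writes values there. The PowerShell script below is an added example, not from the thread. It lists every value under that key and its subkeys with its type and data, reads the UAC policy value that the DDS log in post #1 reports as EnableLUA = 0, and removes the Defender policy values only when run with -Remove and after a confirmation prompt. The value name DisableAntiSpyware, which is the documented Defender policy value behind that message, is stated from general knowledge, not from the thread, which only reports "a value set to 1".

```powershell
# Added example for this thread, not from the original post.
# Lists Windows Defender policy values (the cause of "turned off by Group
# Policy") and the UAC EnableLUA policy; removes Defender policy values on
# request. Run from an elevated PowerShell (right-click > Run as administrator).
param([switch]$Remove)

$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$systemPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValues([string]$path) {
    # One record per value under $path and under each of its subkeys.
    $records = @()
    if (-not (Test-Path $path)) { return $records }
    $keys = @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $records += New-Object PSObject -Property @{
                Key  = $k.Name            # full path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
                Name = $name
                Kind = $k.GetValueKind($name)
                Data = $k.GetValue($name)
            }
        }
    }
    return $records
}

$found = @(Get-PolicyValues $defenderPolicy)
if ($found.Count -eq 0) {
    Write-Output "No values under $defenderPolicy (Defender is not policy-disabled)."
} else {
    Write-Output 'Windows Defender policy values present:'
    foreach ($r in $found) {
        # DisableAntiSpyware = 1 is the value behind the Group Policy message
        # (general knowledge; the thread itself only says "a value set to 1").
        Write-Output ("  {0}\{1} ({2}) = {3}" -f $r.Key, $r.Name, $r.Kind, $r.Data)
        if ($Remove) {
            Remove-ItemProperty -Path ("Registry::" + $r.Key) -Name $r.Name -Confirm
        }
    }
}

# UAC: the DDS log in post #1 shows EnableLUA = 0, i.e. UAC switched off.
$sys = Get-ItemProperty -Path $systemPolicy -ErrorAction SilentlyContinue
if ($sys -and $sys.PSObject.Properties['EnableLUA']) {
    $state = if ($sys.EnableLUA -eq 1) { 'UAC on' } else { 'UAC off' }
    Write-Output ("EnableLUA = {0} ({1})" -f $sys.EnableLUA, $state)
}
```

Run it once without -Remove to see what is there; after removal, Windows Defender needs a restart of its service or a reboot before the Control Panel page stops reporting the policy. The EnableLUA line is reported only, since turning UAC back on is a decision for the machine's owner.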




