
Redirect from Google Links and random pop-ups while browsing


  • This topic is locked
21 replies to this topic

#1 stab
  • Members
  • 11 posts

Posted 12 June 2010 - 12:01 AM

I recently got infected with Antivirus Soft. Thanks to your guide I was able to remove it. Since then, I have noticed that I am also getting redirected to random sites from Google search links. The only way to get to the site I searched for is to copy and paste the address. Just now, while typing, I got a random pop-up to some random site, Colorado something or other. They always change. Here are the logs requested.

DDS


DDS (Ver_10-03-17.01) - NTFSx86
Run by Racedog66 at 19:37:05.23 on Fri 06/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2430 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100611-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Racedog66\Desktop\Defogger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Racedog66\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.undeadlords.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [PlayNC Launcher]
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
StartupFolder: c:\documents and settings\racedog66\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1213591980859
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\racedo~1\applic~1\mozilla\firefox\profiles\oxgj9xda.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.undeadlords.net/
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-2 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-2 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-7-2 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-7-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-7-2 352920]
S2 WMP300NSvc;WMP300NSvc;c:\program files\linksys\wmp300n\WLService.exe [2008-11-12 53307]
S3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [2008-11-12 822400]

=============== Created Last 30 ================

2010-06-12 02:36:03 0 ----a-w- c:\documents and settings\racedog66\defogger_reenable
2010-06-04 20:00:22 0 d-----w- c:\docume~1\racedo~1\applic~1\Malwarebytes
2010-06-04 20:00:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 20:00:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 20:00:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 20:00:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-03-25 00:52:17 3168683 ----a-w- c:\program files\SopCast.zip
2010-02-05 20:12:11 15945753 ----a-w- c:\program files\ForStab.rar
2010-02-02 21:31:10 13728267 ----a-w- c:\program files\LUI v2.0.2.zip
2010-01-12 20:53:39 1899682 ----a-w- c:\program files\Aion Reader2 v1.5.zip
2009-12-06 05:18:26 3668 ----a-w- c:\program files\Cleric.txt
2009-12-01 08:05:01 2432 ----a-w- c:\program files\EnchanterLaughster.txt
2009-11-15 02:33:03 75298 ----a-w- c:\program files\Crafter.Beta.6.zip
2009-11-11 01:31:35 826 ----a-w- c:\program files\1st path.txt
2009-11-11 00:24:01 2667 ----a-w- c:\program files\DogyRanger_1_1_0_0.txt
2009-11-11 00:12:11 269312 ----a-w- c:\program files\Aion_Goblin_Launcher.exe
2009-11-11 00:08:18 2631067 ----a-w- c:\program files\MacroGoblin_v2.5.6.1.exe
2009-09-06 03:09:27 6946304 ----a-w- c:\program files\Nokia_Connectivity_Cable_Driver_eng_us.msi
2009-07-13 18:57:34 55137464 ----a-w- c:\program files\DarkfallUS.exe
2009-04-27 21:31:39 4505861 ----a-w- c:\program files\actoolinstall_540.exe
2009-02-13 18:05:35 2018243 ----a-w- c:\program files\Autohotkey.exe
2009-02-09 02:53:56 37094704 ----a-w- c:\program files\Darkfall.exe
2009-02-09 02:45:28 84245536 ----a-w- c:\program files\directx_aug2008_redist.exe
2009-01-06 05:05:33 22285608 ----a-w- c:\program files\SkypeSetup.exe
2008-12-23 04:34:01 39537784 ----a-w- c:\program files\AVSVideoConverter.exe
2008-12-23 03:27:54 18540762 ----a-w- c:\program files\XPack.exe
2008-08-11 08:09:00 97288 ----a-w- c:\program files\DSETUP.dll
2008-08-11 08:09:00 528392 ----a-w- c:\program files\DXSETUP.exe
2008-08-11 08:09:00 1694728 ----a-w- c:\program files\dsetup32.dll
2008-08-11 08:08:58 978396 ----a-w- c:\program files\BDAXP.cab
2008-08-11 08:08:58 1158739 ----a-w- c:\program files\BDANT.cab
2008-08-09 06:01:10 63530280 -c--a-w- c:\program files\iTunesSetup.exe
2008-07-12 05:37:13 1052042 -c--a-w- c:\program files\WAR_Beta_Setup.exe
2008-07-02 20:50:34 24234968 -c--a-w- c:\program files\Avast Setup.exe
2008-06-15 18:28:14 6104632 -c--a-w- c:\program files\Picasa Setup.exe
2008-06-08 06:28:39 2732032 -c--a-w- c:\program files\Ventrilo.exe

============= FINISH: 19:38:08.76 ===============


Here is the GMER file:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-11 21:44:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\RACEDO~1\LOCALS~1\Temp\pxddrpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB69586B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6958574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6958A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB695814C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB695864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB695808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB69580F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB695876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB695872E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB69588AE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB94FB360, 0x372FAD, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB6C6FA00]
.rsrc C:\WINDOWS\System32\drivers\afd.sys entry point in ".rsrc" section [0xB6A2BC94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1052] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1052] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F5000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\nvata \Device\Harddisk0\DR0 8A1A8EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\drivers\afd.sys suspicious modification
File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by stab, 12 June 2010 - 12:01 AM.
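
The DDS and GMER output above carries the two indicators the rest of the thread acts on: the per-user Internet Explorer proxy is set to http=127.0.0.1:5555 (the ProxyServer value fix.bat in post #7 deletes), and GMER reports afd.sys as modified on disk (the driver the "afd" command given to TDLfix in posts #4 and #5 is aimed at). The script below is an added example, not part of the thread and not DDS's or GMER's own code: it pulls exactly those lines out of the two logs and flags them, so a second pair of eyes does not have to read 200 lines to find them. The sample lines are copied from the logs above; the rule that a loopback proxy and a "suspicious modification" on a driver are the first things to flag is the author's assumption, not anything either tool states.

```python
"""Pull the two indicators the helper acts on out of DDS / GMER output.

Added example, not part of the thread and not DDS's or GMER's own code.
Sample lines are copied from the logs above; which lines count as
indicators is the author's assumption.
"""
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above.
DDS_SAMPLE = r"""
uStart Page = hxxp://www.undeadlords.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
"""

# Constructed sample: lines copied from the GMER "Files" section above.
GMER_SAMPLE = r"""
File C:\WINDOWS\System32\drivers\afd.sys suspicious modification
File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification
"""

# DDS prefixes the Internet Settings key with u (HKCU) or m (HKLM).
PROXY_RE = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
GMER_FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$", re.IGNORECASE)


def parse_proxy(value):
    """Split a WinINet ProxyServer value into {scheme: (host, port)}.

    Accepts both forms WinINet uses: 'http=host:port;https=host:port'
    and a bare 'host:port' that applies to every protocol (key '*').
    """
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # no '=' -> scheme ''
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
            port = int(port) if port.isdigit() else None
        else:
            host, port = hostport, None
        out[scheme or "*"] = (host, port)
    return out


def is_loopback(host):
    """A proxy on the local machine means a local process sits in the browser's path."""
    return host == "localhost" or host.startswith("127.") or host in ("::1", "0.0.0.0")


def triage_dds(text):
    """One finding per proxy entry that points back at the local host."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        for scheme, (host, port) in parse_proxy(m.group("value")).items():
            if is_loopback(host):
                findings.append({"kind": "loopback_proxy", "hive": m.group("hive"),
                                 "scheme": scheme, "host": host, "port": port})
    return findings


def triage_gmer(text):
    """The drivers GMER reports as modified on disk, in log order."""
    return [{"kind": "modified_driver", "path": m.group("path")}
            for m in (GMER_FILE_RE.match(l.strip()) for l in text.splitlines()) if m]


def triage(dds_text, gmer_text):
    return triage_dds(dds_text) + triage_gmer(gmer_text)


if __name__ == "__main__":
    for finding in triage(DDS_SAMPLE, GMER_SAMPLE):
        print(finding)
```

A proxy setting that points at 127.0.0.1 is not by itself proof of infection (some legitimate filters do the same), so the script only reports it; on this machine nothing in the process list or service list above accounts for a listener on port 5555, which is what makes it worth acting on.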



#2 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 June 2010 - 04:23 PM

Hi stab,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 stab
  • Topic Starter

Posted 15 June 2010 - 06:34 PM

Everything remains the same. Although I went on Google last night and the redirects weren't there, I have had more random pop-ups, a couple of which Avast caught as malicious and cancelled the connection to.

I will make no changes unless told to do so.

#4 Farbar

Posted 15 June 2010 - 06:38 PM

Close all the open windows.
  • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double-click TDLfix.exe to run the tool, a command window opens.
  • Type (or copy the following and right-click to paste) in the command window and press Enter:

    afd


  • The application shall restart the computer immediately.
  • In this case Windows might take some time to load fully. Please wait until Windows loads fully and the tool restarts the computer once more.
  • Tell me if the computer rebooted twice.


#5 Farbar

Posted 15 June 2010 - 06:43 PM

Sorry didn't include the download link

Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
  • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Close all the open windows.
  • Double-click TDLfix.exe to run the tool, a command window opens.
  • Type (or copy the following and right-click to paste) in the command window and press Enter:

    afd
  • The application shall restart the computer immediately.
  • In this case Windows might take some time to load fully. Please wait until Windows loads fully and the tool restarts the computer once more.
  • Tell me if the computer rebooted twice.


#6 stab
  • Topic Starter

Posted 15 June 2010 - 07:27 PM

Done. The computer rebooted twice.

#7 Farbar

Posted 15 June 2010 - 07:37 PM

Then the rootkit has been taken care of and the issue should have been resolved.
  1. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

  2. We need to remove some settings added by the malware. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the per-user IE proxy the malware set (DDS showed ProxyServer = http=127.0.0.1:5555)
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Reset the system-wide WinHTTP proxy to direct access as well
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop.
    • Double-click to run it.
    • A window flashes, this is normal.

  3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 Update 20. Please uninstall any remaining versions if the tool could not uninstall them.

  4. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  5. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  6. Tell me also how is your computer running.


#8 stab
  • Topic Starter

Posted 15 June 2010 - 11:14 PM

Followed everything to the 'T'. CCleaner deleted a few things. Malwarebytes found nothing out of the ordinary.

The computer seems to run fine. I will post an update in a few to let you know if the pop-ups are gone.

I really appreciate your quick responses and time in helping me in this matter.

#9 stab
  • Topic Starter

Posted 16 June 2010 - 01:08 AM

So I have not noticed any pop-ups. While not even on the web, while gaming, my Avast stopped 3 malicious sites at once. This has happened twice now. No pop-ups, hopefully no infection, because it said it blocked the attack, but I am not sure what this entails.


This is a list from my avast logs showing the last attacks:

15.06.2010 19:29:16 Network Shield: blocked access to malicious site 88.80.7.152/photo/joxnds.php?ynds=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 20:41:24 Network Shield: blocked access to malicious site media9s.com/photo/tjyodtjy.php?ej=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 20:41:24 Network Shield: blocked access to malicious site nopagency.com/photo/nd.php?ix=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 20:41:24 Network Shield: blocked access to malicious site 88.80.7.152/photo/siyn.php?yh=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 21:53:32 Network Shield: blocked access to malicious site media9s.com/photo/jyo.php?tjo=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 21:53:33 Network Shield: blocked access to malicious site nopagency.com/photo/dsix.php?dsydm=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 21:53:33 Network Shield: blocked access to malicious site 88.80.7.152/photo/mcrhxms.php?ggggg=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site media9s.com/photo/si.php?xnnd=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site nopagency.com/photo/ndiccc.php?cccc=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site 88.80.7.152/photo/hwwwmmm.php?cr=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]

Edited by stab, 16 June 2010 - 01:11 AM.
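
The Avast lines above say more than "a blocklist hit": one iexplore.exe process (PID 2580) reaches the same three hosts, sends the same query-string value every time, and does so in bursts spaced almost exactly 72 minutes apart while, by the poster's account, nobody was browsing. The script below is an added example, not part of the thread and not Avast's tooling: it parses the posted Network Shield lines and measures that regularity, which is the difference between a user clicking a bad link and a process on a timer. The log lines are copied from the post; the 60-second burst window and the 5 % jitter threshold for calling the timing periodic are the author's assumptions.

```python
"""Parse avast 'Network Shield' log lines and test them for beaconing.

Added example, not part of the thread and not avast's tooling.  The log
lines are copied from the post above; the burst window and the jitter
threshold are the author's assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: the ten lines from the post, copied verbatim.
SAMPLE_LOG = r"""
15.06.2010 19:29:16 Network Shield: blocked access to malicious site 88.80.7.152/photo/joxnds.php?ynds=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 20:41:24 Network Shield: blocked access to malicious site media9s.com/photo/tjyodtjy.php?ej=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 20:41:24 Network Shield: blocked access to malicious site nopagency.com/photo/nd.php?ix=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 20:41:24 Network Shield: blocked access to malicious site 88.80.7.152/photo/siyn.php?yh=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 21:53:32 Network Shield: blocked access to malicious site media9s.com/photo/jyo.php?tjo=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 21:53:33 Network Shield: blocked access to malicious site nopagency.com/photo/dsix.php?dsydm=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 21:53:33 Network Shield: blocked access to malicious site 88.80.7.152/photo/mcrhxms.php?ggggg=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site media9s.com/photo/si.php?xnnd=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site nopagency.com/photo/ndiccc.php?cccc=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site 88.80.7.152/photo/hwwwmmm.php?cr=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: "
    r"blocked access to malicious site (?P<url>\S+) "
    r"\[ (?P<proc>.+?) \( (?P<pid>\d+) \) \]$"
)


def parse(text):
    """One dict per matching line: timestamp, host, query value, process, pid."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, _, rest = m.group("url").partition("/")
        _, _, query = rest.partition("?")
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
            "host": host,
            "query_value": query.partition("=")[2],   # 'ynds=ABC' -> 'ABC'
            "proc": m.group("proc"),
            "pid": int(m.group("pid")),
        })
    return events


def burst_starts(times, window=60):
    """Collapse events closer than `window` seconds into one burst; return burst start times."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > window:
            starts.append(t)
        last = t
    return starts


def gaps_seconds(starts):
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


def beacon_report(events, window=60, max_jitter=0.05):
    """Per (process, pid): hosts, shared query value, inter-burst gaps and a verdict.

    'beacon' is True when there are at least two gaps and their spread is
    within max_jitter of the median gap, i.e. timer-driven, not a person.
    """
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["proc"], e["pid"])].append(e)
    report = {}
    for key, evs in by_proc.items():
        gaps = gaps_seconds(burst_starts([e["ts"] for e in evs], window))
        period = statistics.median(gaps) if gaps else None
        values = {e["query_value"] for e in evs}
        report[key] = {
            "hosts": sorted({e["host"] for e in evs}),
            "shared_value": values.pop() if len(values) == 1 else None,
            "gaps": gaps,
            "period": period,
            "beacon": len(gaps) >= 2 and (max(gaps) - min(gaps)) <= max_jitter * period,
        }
    return report


if __name__ == "__main__":
    for (proc, pid), r in beacon_report(parse(SAMPLE_LOG)).items():
        print(f"{proc} (pid {pid}): hosts={r['hosts']} period={r['period']}s "
              f"gaps={r['gaps']} beacon={r['beacon']} value={r['shared_value']}")
```

On the posted lines this yields gaps of 4328, 4328 and 4329 seconds with a constant per-victim value in the query string, which is why a "blocked" notice from the network shield does not by itself settle whether the machine is clean: the block stops the download, not the process that keeps asking for it.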


#10 Farbar

Posted 16 June 2010 - 01:34 AM

We should look into it:

Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

CODE
@echo off
REM Remove any old log so a stale one cannot be opened by mistake
if exist mbr.log del mbr.log
REM mbr.exe was saved to C:\Windows, which is on the PATH; the log is written to mbr.log in the current directory
mbr.exe -t
REM Crude one-second pause so the log is fully written before it is opened
ping 1.1.1.1 -n 1 -w 1000 >nul
start mbr.log

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#11 stab
  • Topic Starter

Posted 16 June 2010 - 01:20 PM

Here is the following log from those directions:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
kernel: MBR read successfully
user & kernel MBR OK

#12 Farbar

Posted 16 June 2010 - 01:39 PM

The rootkit is gone.
  1. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  2. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


#13 stab
  • Topic Starter

Posted 16 June 2010 - 02:21 PM

I am currently running ESET... thankfully I kept Avast running. The scan is still going, and at the start of the scan Avast picked up the same three threats again:


15.06.2010 23:05:41 Network Shield: blocked access to malicious site media9s.com/photo/si.php?xnnd=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site nopagency.com/photo/ndiccc.php?cccc=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]
15.06.2010 23:05:41 Network Shield: blocked access to malicious site 88.80.7.152/photo/hwwwmmm.php?cr=60564337x644573x<x4x4x545x [ C:\Program Files\Internet Explorer\iexplore.exe ( 2580 ) ]


#14 stab
  • Topic Starter

Posted 16 June 2010 - 02:51 PM

There were no threats found on the ESET scan.

#15 Farbar

Posted 16 June 2010 - 02:53 PM

OK, let ESET finish the scan. Then we'll take care of that.



