Search Engine Redirects


This topic is locked
11 replies to this topic

#1 lanzecki (Members, 19 posts)

Posted 23 June 2010 - 10:14 PM

Hi - I'm turning to you guys in desperation. I got something nasty and I've been fighting it for about a week without any success. My problem happened early last week, I believe the evening of the 14th, while browsing the web through Google searches (either mobile Sid Meier's pirates app or 2010 world cup / soccer stuff, I can no longer remember which). I hit a google link, and my payware McAfee popped up that it detected and removed several files with Alureon in them. Everything seemed okay, but the next morning I noticed that any links from big search sites like Google or Yahoo or Bing began frequently (not always, but often) redirecting to other search sites, new sites, or ad sites. For an example, I've attached two JPEG images --- one of a google response page, and then one when I clicked the ESPN link showing the site history, with two history pages labeled "redirect".

I get similar results through IE. Both also occasionally spawn new tabs or windows with ad sites. I also have Chrome on the machine, and interestingly enough it fails to work at all --- it times out trying to get to any site. If I leave Firefox up on a page, occasionally it suddenly exits and the machine blue-screens.

I'm running Windows XP Pro, SP2. My antivirus is McAfee Security Center, it is up to date and licensed. I've had other home PCs hit with something similar, but was always able to find changes, usually bogus DNS settings, through Hijack This. This time, I don't see anything. Here is what I've done so far:

1) Full Malware scan --- found nothing
2) Full McAfee scan --- found nothing
3) Full Ad-Aware scan --- found nothing.
4) System Restore --- redirects still occur.
5) SDFix --- found nothing.
6) Did the safe-mode Firefox thing: deleted all bookmarks, disabled all add-ons; redirects still occur.
7) Booted in XP Safe Mode --- redirects still occur.

I did nslookups of www.google.com on this and an unaffected computer, and both resolve to the same IPs. I tried going to a static IP of google (i.e. http://xxx.xxx.xxx.xxx instead of http://www.google.com) in the browser, but the redirects still occur. So whatever this is seems deeper than a DNS hijack to me.

My system is a Dell XPS, and I have a factory restore partition, so I can always rebuild this PC (I've backed up all my files to external storage both manually and through backup software). I really want to know what happened to it, though, and would prefer to fix it if I can.

I really appreciate any help you're able to give me --- I feel terrible taking up your time --- I just can't believe how bad this situation has made me feel.
I've run through your malware removal preparation steps, but I was unable to get a GMER scan. Shortly after starting GMER, the computer blue screens with the following technical information (if it's any use):

STOP 0x0000008E (0xC0000005, 0xB9EB3457, 0xBA4EF53C, 0x00000000)

SCSIPORT.SYS - Address B9EB3457 base at B9EB3000 DateStamp 41107b4b

I should also mention I'm making this post from a separate, clean PC. I've quarantined the infected PC from my home network (and Internet), and I'm doing all downloads and file transfers through a thumb drive.

Thank you so much in advance for your time and assistance,
Steve

DDS.txt follows:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Steve at 21:29:59.81 on Tue 06/22/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3325.2430 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080531
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080531
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [NVIDIA nTune] c:\program files\nvidia corporation\ntune\nTuneCmd.exe resetprofile
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\2\printray.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\ue4c9s3a.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-20 64288]
R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2009-12-21 19478]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-5-31 214664]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2009-12-21 635012]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2009-12-21 431236]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-5-31 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-5-31 144704]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2010-2-22 45312]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-5-31 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-5-31 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-5-31 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-5-31 40552]
S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [2009-12-21 64093]
S2 gupdate1c9b4bb72885b0;Google Update Service (gupdate1c9b4bb72885b0);c:\program files\google\update\GoogleUpdate.exe [2009-4-3 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-5-31 34248]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-11-22 280344]

=============== Created Last 30 ================

2010-06-22 23:34:07 0 d-s---w- c:\documents and settings\steve\UserData
2010-06-22 23:33:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-20 22:53:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-20 22:52:37 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-20 22:52:26 0 d-----w- c:\program files\Lavasoft
2010-06-20 01:52:33 0 d-----w- c:\windows\system32\appmgmt
2010-06-19 19:22:01 0 d-----w- c:\windows\system32\NtmsData
2010-06-19 19:18:37 0 d-----w- c:\docume~1\alluse~1\applic~1\NTIReg
2010-06-19 19:11:51 14464 ----a-w- c:\windows\system32\drivers\NTIDrvr.sys
2010-06-19 19:11:51 13440 ----a-w- c:\windows\system32\drivers\UBHelper.sys
2010-06-19 19:11:22 0 d-----w- c:\windows\system32\drivers\nti
2010-06-19 19:11:22 0 d-----w- c:\program files\NewTech Infosystems
2010-06-19 19:10:53 0 d-----w- c:\windows\Downloaded Installations
2010-06-19 00:53:44 0 d-----w- c:\windows\ERUNT
2010-06-19 00:49:29 0 d-----w- C:\SDFix
2010-06-18 01:53:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 01:53:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 06:43:46 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-17 03:51:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-17 03:51:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-16 05:22:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-16 03:01:53 0 d-----w- c:\docume~1\steve\applic~1\Malwarebytes
2010-06-16 03:01:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-16 03:01:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-28 01:39:45 0 d-----w- C:\OpenFox

==================== Find3M ====================

2010-05-31 19:17:09 5614 ----a-w- c:\docume~1\steve\applic~1\wklnhst.dat
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k(2)(3).sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 13:36:53 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2010-04-03 08:33:56 2365288 ----a-w- c:\windows\system32\dllcache\WMVCore.dll

============= FINISH: 21:30:25.42 ===============

#2 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 29 June 2010 - 03:13 AM

Hi lanzecki,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer. No need for logs or screen-shots at this time.

#3 lanzecki (Topic Starter, Members, 19 posts)

Posted 29 June 2010 - 01:59 PM

Hi farbar --- thanks for your time! The current condition of this computer is the same as when I posted the topic. I haven't actually even powered it on again since then.

#4 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 29 June 2010 - 02:47 PM

  1. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    rem remove any log left over from an earlier run
    if exist mbr.log del mbr.log
    rem run GMER's MBR check; -t writes its report to mbr.log in the current directory
    mbr.exe -t
    rem one-second pause so the log is fully written before it is opened
    ping 1.1.1.1 -n 1 -w 1000 >nul
    rem open the report in Notepad
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

Edited by farbar, 29 June 2010 - 02:49 PM.


#5 lanzecki (Topic Starter, Members, 19 posts)

Posted 29 June 2010 - 09:11 PM

Okay - here's the output:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AB3AEC5]<<
kernel: MBR read successfully
user & kernel MBR OK

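The mbr.exe report above is read by eye: the MBR itself is intact, but an unnamed module sits in the disk driver call chain, which is what prompted the TDSSKiller step that follows. Here is an added example (a hypothetical helper, not part of GMER's tool or this forum's procedure) that parses that report and makes the same two checks; the clean second sample is constructed, and any line layout beyond the posted output is an assumption.

```python
"""Parse the output of GMER's mbr.exe (the look.bat step above) and flag the
two things a helper checks: whether the user-mode and kernel-mode MBR reads
agree, and whether an unknown (unnamed) module sits in the disk driver call
chain.  Hypothetical helper written for this thread, not part of the tool."""
import re
from dataclasses import dataclass, field

# Exact text posted in this thread (copied from the reply above).
POSTED_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AB3AEC5]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed sample of what a clean chain would look like (assumption:
# same line layout, every module named, no >>UNKNOWN<< marker).
CLEAN_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

# Marker the tool prints for code in the chain it cannot map to a driver image.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class MbrReport:
    mbr_ok: bool                                          # "user & kernel MBR OK" seen
    device_opened: bool = False                           # "device: opened successfully"
    called_modules: list = field(default_factory=list)    # named drivers in the chain
    unknown_addrs: list = field(default_factory=list)     # addresses of unnamed code

    @property
    def suspicious(self) -> bool:
        # An intact MBR does not clear the box: unnamed code in the disk
        # stack means something below the file system is intercepting reads.
        return (not self.mbr_ok) or bool(self.unknown_addrs)

    def verdict(self) -> str:
        if not self.device_opened:
            return "could not open the disk device; result inconclusive"
        if not self.mbr_ok:
            return "user-mode and kernel-mode MBR reads differ: possible MBR rootkit"
        if self.unknown_addrs:
            return ("MBR intact, but unknown code at %s is in the disk driver chain: "
                    "consistent with a driver-patching rootkit; follow up with TDSSKiller"
                    % ", ".join(self.unknown_addrs))
        return "MBR intact and every module in the chain is a named driver"


def parse_mbr_log(text: str) -> MbrReport:
    """Extract the device, call-chain and MBR-comparison lines from the report."""
    report = MbrReport(mbr_ok=False)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("device:"):
            report.device_opened = "opened successfully" in line
        elif line.startswith("called modules:"):
            body = line[len("called modules:"):]
            report.unknown_addrs = UNKNOWN_RE.findall(body)
            # What remains once the UNKNOWN markers are removed is the named chain.
            report.called_modules = UNKNOWN_RE.sub("", body).split()
        elif line == "user & kernel MBR OK":
            report.mbr_ok = True
    return report


if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("constructed clean", CLEAN_LOG)):
        r = parse_mbr_log(log)
        print(f"{name}: suspicious={r.suspicious}; {r.verdict()}")
```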

#6 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 30 June 2010 - 03:57 AM

We will take care of the infection and update your Java, do some cleaning and run an updated MBAM for any eventual registry leftover of the malware.
  1. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me if it needed a reboot.
    • Also it makes a txt file on the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry on Add/Remove that contains Java, JRE or Java Run Time), they are:

    Java DB 10.4.2.1
    Java™ 6 Update 14


  3. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  4. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  5. Tell me how is your computer running.


#7 lanzecki (Topic Starter, Members, 19 posts)

Posted 30 June 2010 - 09:09 AM

Thanks farbar - I'm at work this morning without access to my infected (home) computer - I'll do all this in the evening and let you know how it goes.....

#8 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 30 June 2010 - 09:36 AM

(thumbs-up emoticon)

#9 lanzecki (Topic Starter, Members, 19 posts)

Posted 30 June 2010 - 09:38 PM

Okay farbar, I ran TDSSKiller and it found one infected file, said it would fix next reboot, and I did the reboot. It found disk.sys infected, I've attached the entire output log to this post.

I download and ran JavaRA, cleaned up old Javas, and installed the Java 6 Update 20 JRE.
I manually deleted the Java DB 10.4.2.1 entry using Add/Remove Programs from Control Panel

I ran CCleaner (I think I hit most of these already with a cleaner utility in my McAfee, but what the heck I did it with CCleaner as well)

I updated MBAM successfully, ran it, it didn't find anything, but I'm pasting the output below.

The computer seems fine, I ran Google & Yahoo searches from Firefox, IE, and Chrome (which is now back from the dead and working once again).

You're the man, farbar, this seems to have done it!

I didn't think I had that TDSS business because I did the system check for hidden device drivers and didn't see anything - I was obviously wrong.

MBAM Log follows (TDSSKiller log attached):
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4262

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/30/2010 9:18:02 PM
mbam-log-2010-06-30 (21-18-02).txt

Scan type: Quick scan
Objects scanned: 159601
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 01 July 2010 - 11:55 AM

It looks good lanzecki.
  1. You may delete any tool or log we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

Optional Recommendations:
  1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3 which has more features and is more secure than Service Pack 2.

    Also I recommend updating to at least Internet explorer 7 as it has more functionality and is much safer.

    You can update by going to start > All Programs > Windows update > click on Custom button.

    Note: Download Service Pack 3 but before installing it disable your antivirus real-time protection.

  2. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  3. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

  4. The rule of thumb: One AntiVirus with real-time protection, and one antispyware with real-time protection. Any additional anti-malware shouldn't be running. You might have two antispyware but they should not be running at the same time.

Happy Surfing lanzecki.


#11 lanzecki (Topic Starter, Members, 19 posts)

Posted 02 July 2010 - 08:40 PM

Great - thanks for the tips - I've already installed the McAfee Site Advisor - it's cool I like it.

Thanks again for your help farbar - you guys run an awesome service with this site! I've made a donation to your account to express the fact that I value the service I've received - keep up the great work, or take a break and have a cold beer on me, either way thanks!

#12 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 03 July 2010 - 05:32 AM

QUOTE
take a break and have a cold beer on me

I'll do both this evening.

You are most welcome and thank you for the donation and your kind words.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
