google redirect virus/isapnp.sys rootkit


  • This topic is locked
3 replies to this topic

#1 senna123

senna123

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 21 July 2010 - 07:47 AM

I recently got this virus that keeps redirecting me when I Google something; I have to click the link 10 times before the actual page comes up. I used various programmes to remove it, but none got rid of it, so I resorted to a complete reinstall of XP, and still it didn't get rid of it. I then downloaded Hitman Pro, which came up with the isapnp.sys rootkit. I deleted it and nothing, so now I'm here asking for any help or advice on removing this pesky virus.


DDS (Ver_10-03-17.01) - NTFSx86
Run by senna's room at 11:04:06.51 on Wed 07/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.195 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\senna's room\Application Data\T-Mobile Internet Manager\ouc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\senna's room\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [HW_OPENEYE_OUC_T-Mobile Internet Manager] "c:\program files\t-mobile\t-mobile internet manager\updatedog\ouc.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [DataCardMonitor] c:\program files\t-mobile\t-mobile internet manager\DataCardMonitor.exe
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
mRun: [SoundMan] SOUNDMAN.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

============= SERVICES / DRIVERS ===============

S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-10 135664]
S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys [2010-7-17 7552]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-7-17 102656]

=============== Created Last 30 ================

2010-07-21 10:02:23 0 ----a-w- c:\documents and settings\senna's room\defogger_reenable
2010-07-18 00:09:19 0 d-----w- c:\docume~1\senna'~1\applic~1\BitTorrent
2010-07-18 00:09:17 0 d-----w- c:\program files\BitTorrent
2010-07-17 19:26:59 60800 -c--a-w- c:\windows\system32\dllcache\sysaudio.sys
2010-07-17 19:24:58 0 d-----w- C:\Google
2010-07-17 19:24:25 765952 ----a-w- c:\windows\system\crlds3d.dll
2010-07-17 19:24:25 65536 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2010-07-17 19:24:25 65536 ----a-w- c:\windows\system32\Audio3D.dll
2010-07-17 19:24:25 65536 ----a-w- c:\windows\system32\a3d.dll
2010-07-17 19:24:25 62464 ----a-w- c:\windows\SOUNDMAN.EXE
2010-07-17 19:24:25 481596 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-07-17 19:24:25 391680 ----a-w- c:\windows\system32\drivers\ALCXSENS.SYS
2010-07-17 19:24:25 208896 ------w- c:\windows\alcupd.exe
2010-07-17 19:24:25 141016 ----a-w- c:\windows\system32\ALSNDMGR.WAV
2010-07-17 19:24:25 139264 ------w- c:\windows\alcrmv.exe
2010-07-17 19:24:25 13469696 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2010-07-17 19:15:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-17 19:08:58 0 d-sh--w- c:\documents and settings\senna's room\PrivacIE
2010-07-17 19:08:19 0 d-sh--w- c:\documents and settings\senna's room\IETldCache
2010-07-17 18:59:30 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-07-17 18:55:24 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-07-17 18:52:25 0 d-----w- c:\docume~1\senna'~1\applic~1\Malwarebytes
2010-07-17 18:51:53 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-07-17 18:51:01 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-17 18:50:49 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Hitman Pro
2010-07-17 18:50:48 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-17 18:47:00 13646 ----a-w- c:\windows\system32\wpa.bak
2010-07-17 18:43:22 0 d-----w- c:\windows\system32\Lang
2010-07-17 18:39:14 265416 ----a-w- c:\windows\system32\PROUnstl.exe
2010-07-17 18:39:14 1904 ------w- c:\windows\system32\SetupBD.din
2010-07-17 18:37:51 0 d-----w- C:\drvrtmp
2010-07-17 18:13:13 35712 ----a-w- c:\windows\system32\drivers\SISAGPX.SYS
2010-07-17 18:12:11 19072 ----a-w- c:\windows\system32\drivers\PS2.sys
2010-07-17 18:11:55 0 d-----w- c:\documents and settings\all users.windows\Uniblue
2010-07-17 18:11:24 0 d-----w- c:\docume~1\senna'~1\applic~1\Uniblue
2010-07-17 18:08:09 81408 ----a-w- c:\windows\system32\devcon_x64.exe
2010-07-17 18:08:09 0 d-----w- c:\program files\Driver Checker
2010-07-17 13:47:27 148 ----a-w- c:\documents and settings\senna's room\Video.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Pictures.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Passwords.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\New Folder.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Music.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Documents.lnk
2010-07-17 13:47:26 126 --sh--r- c:\documents and settings\senna's room\autorun.inf
2010-07-17 13:22:00 0 d-----w- c:\docume~1\alluse~1.win\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-07-17 13:21:12 49152 --sh--r- c:\documents and settings\senna's room\wiuurud.scr
2010-07-17 13:18:43 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2010-07-17 13:18:09 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-07-17 13:17:44 74240 ----a-w- c:\windows\system32\usbui.dll
2010-07-17 13:17:31 40960 ----a-w- c:\windows\system32\drivers\SISAGP.SYS
2010-07-17 13:15:04 0 d-----r- c:\documents and settings\all users.windows\Documents
2010-07-17 13:14:59 16535 ----a-r- c:\windows\SET8.tmp
2010-07-17 13:14:55 1088840 ----a-r- c:\windows\SET4.tmp
2010-07-17 13:14:53 1296669 ----a-r- c:\windows\SET3.tmp
2010-07-17 13:12:56 290 ----a-w- c:\windows\system32\$winnt$.inf
2010-07-17 13:09:38 0 d-----w- c:\docume~1\senna'~1\applic~1\T-Mobile Internet Manager
2010-07-17 13:05:58 0 d-----w- c:\windows\Dell
2010-07-17 13:02:09 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2010-07-17 13:02:09 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-07-17 13:02:09 102656 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2010-07-17 13:02:08 7552 ----a-w- c:\windows\system32\drivers\ewfiltertdidriver.sys
2010-07-17 13:02:06 8464 ----a-w- c:\windows\system32\sporder.dll
2010-07-17 13:02:06 719360 ----a-w- c:\windows\system32\bmutil.dll
2010-07-17 13:02:06 294912 ----a-w- c:\windows\system32\bminstall.dll
2010-07-17 13:02:06 22528 ----a-w- c:\windows\system32\drivers\BMLoad.sys
2010-07-17 13:02:06 18816 ----a-w- c:\windows\system32\drivers\tcpipBM.sys
2010-07-17 13:02:06 126976 ----a-w- c:\windows\system32\bmdumpd.bin
2010-07-17 13:02:06 0 d-----w- c:\docume~1\senna'~1\applic~1\T-Mobile
2010-07-17 13:00:18 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-07-17 13:00:18 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-07-17 12:32:26 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-07-17 12:29:58 83748 -c--a-w- c:\windows\system32\dllcache\prcp.nls
2010-07-17 12:28:54 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-07-17 12:27:59 66082 -c--a-w- c:\windows\system32\dllcache\c_1146.nls
2010-07-17 12:26:53 2577 ----a-w- c:\windows\system32\CONFIG.NT
2010-07-17 12:26:53 0 ----a-w- c:\windows\control.ini
2010-07-17 12:26:42 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-07-17 12:26:42 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-07-17 12:26:40 316640 ----a-w- c:\windows\WMSysPr9.prx
2010-07-17 12:25:10 0 d-sh--w- c:\documents and settings\all users.windows\DRM
2010-07-17 12:23:56 984 -c--a-w- c:\windows\system32\dllcache\srframe.mmf
2010-07-17 12:22:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-17 12:22:13 37 ----a-w- c:\windows\vbaddin.ini
2010-07-17 12:22:13 36 ----a-w- c:\windows\vb.ini
2010-07-16 16:27:07 16384 ---ha-w- C:\SZKGFS.dat
2010-07-16 16:21:20 0 d-----w- c:\program files\common files\iS3
2010-07-16 16:09:32 0 d-----w- c:\program files\STOPzilla!
2010-07-16 15:54:33 0 d-----w- c:\windows\RestoreSafeDeleted
2010-07-16 15:49:59 0 d-----w- c:\program files\UnHackMe
2010-07-16 13:58:32 0 d-----w- c:\program files\Lavasoft
2010-07-13 22:29:23 0 d-----w- c:\program files\Datel
2010-07-05 23:46:03 0 d-----w- c:\program files\Messenger Plus! Live
2010-07-05 23:41:18 0 d-----w- c:\program files\VideoLAN
2010-07-05 23:41:03 0 d-----w- c:\program files\Microsoft
2010-07-05 23:40:35 0 d-----w- c:\program files\Windows Live SkyDrive
2010-07-05 23:34:06 0 d-----w- c:\program files\common files\Windows Live
2010-06-23 12:50:14 182784 ----a-w- c:\windows\system32\Ncs2Setp.dll

==================== Find3M ====================

2010-06-16 11:08:06 772728 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-06-16 11:08:04 547960 ----a-w- c:\windows\system32\accesor.dll
2010-06-16 10:26:54 129144 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-06-16 09:54:06 1771640 ----a-w- c:\windows\system32\ncscolib.dll

============= FINISH: 11:05:21.65 ===============

Attached Files
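An added example, not part of senna123's post and not code from the DDS tool: a small Python triage script that parses the "Created Last 30" block of a DDS log like the one above and flags the entries a malware responder would look at first. The attribute-column positions (d = directory, s = system, h = hidden, inferred from the visible lines such as `d-sh--w-` and `--sh--r-`) and the flagging rules are this example's own assumptions, and the sample input is a handful of lines copied from the posted log, benign entries included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS "Created Last 30"
# block posted above, including benign entries so the rules have something to
# ignore. Not the full log.
SAMPLE = r"""
2010-07-21 10:02:23 0 ----a-w- c:\documents and settings\senna's room\defogger_reenable
2010-07-17 19:24:25 62464 ----a-w- c:\windows\SOUNDMAN.EXE
2010-07-17 19:08:58 0 d-sh--w- c:\documents and settings\senna's room\PrivacIE
2010-07-17 18:51:01 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-17 13:47:27 148 ----a-w- c:\documents and settings\senna's room\Video.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Pictures.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Passwords.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\New Folder.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Music.lnk
2010-07-17 13:47:26 148 ----a-w- c:\documents and settings\senna's room\Documents.lnk
2010-07-17 13:47:26 126 --sh--r- c:\documents and settings\senna's room\autorun.inf
2010-07-17 13:21:12 49152 --sh--r- c:\documents and settings\senna's room\wiuurud.scr
2010-07-16 16:27:07 16384 ---ha-w- C:\SZKGFS.dat
"""

# date  time  size  8-char attribute string  path (path may contain spaces)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")

# Executable-ish extensions that have no business sitting in a profile root.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".dll", ".sys")


def parse(text):
    """Turn DDS 'Created Last 30' lines into dicts. Attribute-column
    positions (0 = d, 2 = s, 3 = h) are an assumption inferred from the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, clock, size, attrs, path = m.groups()
        entries.append({
            "when": f"{date} {clock}",
            "size": int(size),
            "attrs": attrs,
            "path": path.lower(),
            "directory": attrs[0] == "d",
            "system": attrs[2] == "s",
            "hidden": attrs[3] == "h",
        })
    return entries


def in_user_profile(path):
    return path.startswith(("c:\\documents and settings\\", "c:\\docume~1\\"))


def in_windows_dir(path):
    return path.startswith("c:\\windows\\")


def at_drive_root(path):
    return path.count("\\") == 1          # e.g. c:\szkgfs.dat


def in_profile_root(path):
    # c:\documents and settings\<user>\<file> has exactly three backslashes
    return in_user_profile(path) and path.count("\\") == 3


def suspicious(entries):
    """Return [(path, [reasons])] for files matching any triage rule."""
    findings = []
    for e in entries:
        if e["directory"]:                 # hidden system *dirs* are normal (PrivacIE, DRM)
            continue
        path = e["path"]
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if name == "autorun.inf":
            reasons.append("autorun.inf outside a drive root")
        if e["hidden"] and e["system"] and not in_windows_dir(path):
            reasons.append("hidden+system file outside %windir%")
        if e["hidden"] and at_drive_root(path):
            reasons.append("hidden file at drive root")
        if name.endswith(EXEC_EXT) and in_profile_root(path):
            reasons.append("executable dropped in profile root")
        if reasons:
            findings.append((path, reasons))
    return findings


def shortcut_bursts(entries, min_links=3):
    """Timestamps at which several .lnk files were created in the same second,
    the signature of a dropper replacing folders with look-alike shortcuts."""
    by_time = defaultdict(list)
    for e in entries:
        if e["path"].endswith(".lnk"):
            by_time[e["when"]].append(e["path"])
    return {t: sorted(p) for t, p in by_time.items() if len(p) >= min_links}


if __name__ == "__main__":
    entries = parse(SAMPLE)
    for path, reasons in suspicious(entries):
        print(path, "->", "; ".join(reasons))
    for when, links in shortcut_bursts(entries).items():
        print(f"{when}: {len(links)} shortcuts created in one second")
```

Run against the lines above it singles out the hidden, system-attributed `autorun.inf` and `wiuurud.scr` in the profile root, the hidden `C:\SZKGFS.dat`, and the five `.lnk` files written in the same second as `autorun.inf`; the Windows, Hitman Pro and IE cache entries pass silently. Point the script at a real DDS log by reading the file into `SAMPLE` instead; the regex ignores the section headers and any line that does not match.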




#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 27 July 2010 - 06:31 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

You are infected with a rootkit.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 senna123

senna123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 28 July 2010 - 02:55 PM

Don't worry dude, I fixed it myself. Thanks for the reply though, much appreciated.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:10 PM

Posted 28 July 2010 - 05:06 PM

Alright, thanks for letting me know.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



