Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Results Redirected


  • This topic is locked This topic is locked
21 replies to this topic

#1 Lilly Rose

Lilly Rose

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 22 July 2010 - 07:13 PM

Lately, I've been having my search results redirected to ad sites. Ad sites will also open in new tabs periodically, and my antivirus (avast) is unable to update itself. I get the message: "Error: cannot connect to server." I tried Malwarebytes Antimalware and Spybot Search & Destroy, to no avail. The DDS log is below.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Lilly at 16:07:39.54 on Thu 07/22/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.173 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Lilly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lilly\applic~1\mozilla\firefox\profiles\60f1vze4.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-20 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-20 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-20 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-27 133104]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

=============== Created Last 30 ================

2010-07-22 23:03:59 0 ----a-w- c:\documents and settings\lilly\defogger_reenable
2010-07-22 20:59:28 0 d-----w- c:\docume~1\lilly\applic~1\HandBrake
2010-07-22 20:59:19 0 d-----w- c:\program files\Handbrake
2010-07-22 19:31:31 0 d-----w- c:\program files\Trend Micro
2010-07-21 13:43:39 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-21 13:43:39 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-21 13:43:39 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-21 13:43:39 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-21 13:43:39 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-21 06:27:08 819200 ----a-w- c:\windows\system32\xvidcore.dll
2010-07-21 06:27:08 77824 ----a-w- c:\windows\system32\xvid.ax
2010-07-21 06:27:08 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-07-21 00:57:15 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-21 00:57:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-21 00:02:43 38848 ----a-w- c:\windows\avastSS.scr
2010-07-20 02:42:18 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-20 02:38:34 120 ----a-w- c:\windows\Hzofoqeviwec.dat
2010-07-20 02:38:34 0 ----a-w- c:\windows\Gguzobak.bin
2010-07-20 02:37:06 767488 ----a-w- c:\windows\system32\drivers\rkmphy.sys
2010-07-20 02:37:05 150 ----a-w- C:\zrpt.xml
2010-07-20 02:36:40 0 d-----w- c:\docume~1\lilly\applic~1\3E4F81F84DD2B2994BB90091B9D7AF3D
2010-07-20 01:18:51 0 d-----w- c:\docume~1\lilly\applic~1\Malwarebytes
2010-07-19 08:56:36 0 d-----w- c:\docume~1\lilly\applic~1\Adobe Mini Bridge CS5
2010-07-18 07:18:06 0 d-----w- c:\documents and settings\lilly\.gimp-2.6
2010-07-17 05:55:12 0 d-----w- c:\docume~1\lilly\applic~1\uTorrent
2010-07-17 05:46:37 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-17 05:41:53 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-07-17 05:41:53 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-07-17 05:40:52 0 d-----w- c:\program files\Bonjour
2010-07-16 10:13:28 0 d-----w- c:\program files\Steam
2010-07-16 10:10:43 0 d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2010-07-16 05:25:25 0 d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe
2010-07-14 20:11:16 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-14 20:11:14 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-14 20:11:14 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-13 22:17:11 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-25 05:37:30 0 d-----w- c:\program files\LimeWire

==================== Find3M ====================

2010-05-18 23:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 23:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-05-06 10:41:52 1209344 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-05-06 10:41:50 1985536 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2010-05-06 10:41:49 11076096 ----a-w- c:\windows\system32\ieframe(2)(2).dll
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 16:08:53.55 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 30 July 2010 - 05:09 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 Lilly Rose

Lilly Rose
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 30 July 2010 - 04:16 PM

Thank you so much!
I might want to add that the browser hanging has since stopped and the antivirus is able to update again, but I'm still having the problems with redirection and popups.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 30 July 2010 - 04:32 PM

There's some malicious files in the log but more, I bet, hidden away.


Please run Combofix, a powerful removal tool

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#5 Lilly Rose

Lilly Rose
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 30 July 2010 - 04:54 PM

I already have a problem. Combofix says that I have Lavasoft Ad-Watch Live running, but I uninstalled it weeks ago and I can't find any remaining files on my computer. What do I do?

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 30 July 2010 - 05:01 PM

Use the LavaSoft uninstaller to make sure everything's gone.
Posted Image
m0le is a proud member of UNITE

#7 Lilly Rose

Lilly Rose
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 30 July 2010 - 06:20 PM

Combofix got to the screen where it says "Scanning for infected files...This typically doesn't take more than ten minutes. However, scan times for badly infected machines may easily double"

It's been sitting there for 1 hour without any other text coming up. Is something wrong?

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 30 July 2010 - 06:23 PM

Yes, the malware is stopping Combofix from running. Let's try something else

Please download MBRCheck to your desktop.

http://ad13.geekstogo.com/MBRCheck.exe

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
Posted Image
m0le is a proud member of UNITE

#9 Lilly Rose

Lilly Rose
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 30 July 2010 - 06:32 PM

When the black box opens, I get the message: "Found non-standard or infected MBR." sad.gif

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 30 July 2010 - 06:33 PM

The MBR has been rewritten.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When program ask you Enter your choice: enter 2and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • when asked Do you want to fix the MRB code? type in YES and press enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread

Posted Image
m0le is a proud member of UNITE

#11 Lilly Rose

Lilly Rose
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 30 July 2010 - 06:39 PM

MBRCheck, version 1.1.1

© 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

93 GB \\.\PhysicalDrive0 Windows XP MBR code detected





Done! Press ENTER to exit...



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 30 July 2010 - 07:01 PM

Okay, back to Combofix again. Please run it as before. If it is stalled after thirty minutes then let me know.
Posted Image
m0le is a proud member of UNITE

#13 Lilly Rose

Lilly Rose
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 30 July 2010 - 07:21 PM

It worked! The log is attached.

Attached Files



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 31 July 2010 - 06:01 AM

Yes, nasty rootkit hijack.

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Please rerun Combofix as below:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
File::
c:\windows\Hzofoqeviwec.dat
c:\windows\Gguzobak.bin

Folder::
c:\documents and settings\Lilly\Local Settings\Application Data\fflsskfji
c:\documents and settings\NetworkService\Local Settings\Application Data\hyfahyung

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#15 Lilly Rose

Lilly Rose
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 31 July 2010 - 04:38 PM

Done. Here's the log.

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users