
Malware has hijacked my google


1 reply to this topic

#1 RAWKNEE

  • Members
  • 4 posts

Posted 07 November 2010 - 03:06 PM

Someone on here advised me to run Defogger, DDS, create a GMER log and then post the logs on here for further assistance.
By the way, I also have a blank Google screen with hxxp://results.google-analytics.com/, and hxxp://r3.google.com/click?q=how%20do%20i%20zip%20a%20file&lnk=http%3A%2F%2Fcondor.depaul.edu%2F~slytinen%2Finstructions%2Fzip.html&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26source%3Dhp%26q%3Dhow%20do%20i%20zip%20a%20file, showing up as the address.
Here are my logs.
Sorry, I couldn't figure out how to send it as a zip file, my apologies.


GMER 1.0.15.15507 - http://www.gmer.net
Rootkit scan 2010-11-07 01:54:10
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IBM-DTLA-307030 TX4OA60A
Running: gmer.exe; Driver: C:\DOCUME~1\ANELKA\LOCALS~1\Temp\fwaiipod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3716620]

---- Kernel code sections - GMER 1.0.15 ----

? skyytof.sys The system cannot find the file specified. !
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xF3066F00, 0x24000, 0x48000000]
? C:\DOCUME~1\ANELKA\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1220945662-839522115-1202660629-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo -556986064
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1220945662-839522115-1202660629-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30113316
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1220945662-839522115-1202660629-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo -556585488
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1220945662-839522115-1202660629-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30113316

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-11-05.01) - NTFSx86
Run by ANELKA at 0:17:32.52 on Sun 11/07/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.166 [GMT -4:00]

FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\History Sweeper\sweeper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ANELKA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Sweeper.exe] c:\program files\history sweeper\sweeper.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\windows\system32\drivers\es1370mp.sys [2010-10-3 37120]
R3 SRS_HDAL_Service;HD Audio Lab;c:\windows\system32\drivers\SRS_HDAL_i386.sys [2010-10-7 384752]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]

=============== Created Last 30 ================

2010-11-06 21:50:18 -------- d-----w- c:\docume~1\anelka\applic~1\Malwarebytes
2010-11-06 21:49:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 21:49:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-06 21:49:39 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-11-06 21:49:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 20:26:04 98816 ----a-w- c:\windows\sed.exe
2010-11-06 20:26:04 88576 ----a-w- c:\windows\MBR.exe
2010-11-06 20:26:04 256512 ----a-w- c:\windows\PEV.exe
2010-11-06 20:26:04 161792 ----a-w- c:\windows\SWREG.exe
2010-11-06 17:34:39 -------- d-----w- c:\program files\R-Wipe&Clean
2010-11-06 17:34:39 -------- d-----w- c:\docume~1\anelka\applic~1\R-Wipe&Clean
2010-11-06 17:14:59 86016 ----a-w- c:\windows\unvise32.exe
2010-11-06 17:14:58 -------- d-----w- c:\program files\uninstallerpro
2010-11-06 17:00:12 -------- d-----w- c:\program files\Easy Uninstaller
2010-11-06 00:25:33 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-11-06 00:25:33 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-11-06 00:25:32 -------- d-----w- c:\program files\SpywareBlaster
2010-11-06 00:09:17 -------- d-----w- c:\docume~1\anelka\applic~1\SystemBoostElite
2010-11-06 00:09:17 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SystemBoostElite
2010-11-05 00:10:04 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-11-05 00:01:27 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-04 23:59:23 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Hitman Pro
2010-11-03 23:56:09 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-11-03 23:56:08 -------- d-----w- c:\docume~1\anelka\applic~1\SUPERAntiSpyware.com
2010-11-03 23:55:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-03 00:25:11 -------- d-----w- c:\program files\common files\PC Tools
2010-10-25 21:20:41 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-10-25 21:10:19 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\PC Tools
2010-10-23 18:08:05 -------- d-----w- c:\docume~1\anelka\locals~1\applic~1\Temp
2010-10-23 18:04:06 -------- d-----w- c:\docume~1\anelka\applic~1\PhotoScape
2010-10-23 18:01:26 -------- d-----w- c:\program files\PhotoScape
2010-10-23 17:48:29 -------- d-----w- c:\docume~1\anelka\applic~1\EmailNotifier
2010-10-23 17:31:17 98 --sh--w- c:\windows\WSYS049.SYS
2010-10-23 17:31:13 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\EmailNotifier
2010-10-23 17:31:11 -------- d-----w- c:\docume~1\anelka\applic~1\PhotoposComtb
2010-10-23 17:31:10 -------- d-----w- c:\docume~1\anelka\applic~1\Photopos
2010-10-23 04:59:28 -------- d-----w- c:\program files\Spiritual-Numerology
2010-10-23 03:44:57 -------- d-----w- c:\docume~1\anelka\applic~1\IObit
2010-10-11 07:04:28 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-10-11 07:03:24 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-10-11 07:03:24 117760 ------w- c:\windows\system32\prntvpt.dll
2010-10-11 07:03:23 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-10-11 07:03:23 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-10-11 07:03:22 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-10-11 07:03:22 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-10-11 07:03:20 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-10-11 07:03:20 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-10-11 07:03:17 -------- d-----w- C:\8e80598f02084d02c7872d613dd3f1
2010-10-11 07:01:21 -------- d-----w- C:\51c61ffc83ceb9247a0b
2010-10-11 07:01:05 -------- d-----w- C:\9eb15119394387c6dd6de70894386c
2010-10-10 18:58:07 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-10 18:58:07 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-10 18:57:14 -------- d-----w- c:\docume~1\anelka\locals~1\applic~1\Shareaza
2010-10-10 18:57:13 -------- d-----w- c:\docume~1\anelka\applic~1\Shareaza
2010-10-10 17:41:27 -------- d-----w- c:\program files\QO Developments
2010-10-10 14:56:23 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-10-09 17:27:07 -------- d-----w- c:\docume~1\anelka\applic~1\IDM
2010-10-09 17:08:49 -------- d-----w- c:\docume~1\anelka\applic~1\GlarySoft
2010-10-08 04:44:32 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

==================== Find3M ====================

2010-08-10 16:26:36 237320 ----a-w- c:\windows\system32\PDBoot.exe

============= FINISH: 0:18:24.89 ===============

Edited by Orange Blossom, 07 November 2010 - 07:54 PM.
Deactivate links. ~ OB
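As an added example (not part of the original post, and not code from the DDS or GMER tools), here is a small Python script that parses the section layout of the DDS log posted above and pulls out what a helper looks at first: the user Run autostarts, entries whose file is missing (the "No File" text or the "--> ... [?]" marker), and recently created files carrying the hidden attribute. The sample input is an excerpt of the log in this thread; the exact section-name strings, the Run/driver line shapes and the reading of the attribute string (with "h" meaning hidden, as in "--sh--w-") are assumptions drawn from that log.

```python
import re

# Excerpt of the DDS log posted in this thread, used as sample input.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]

=============== Created Last 30 ================

2010-11-06 21:49:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-23 17:31:17 98 --sh--w- c:\windows\WSYS049.SYS

============= FINISH: 0:18:24.89 ===============
"""

# Section banners look like "===== Name =====" (assumed from the log above).
HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "uRun: [name] command" (u = current user hive, m = machine hive).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "R1 service;description;path [date size]" or "... --> path [?]" when missing.
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
# "YYYY-MM-DD HH:MM:SS size attrs path" in the Created Last 30 section.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)


def split_sections(text):
    """Return {section name: [non-blank lines]} keyed by the banner text."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def analyze(text):
    """Collect autostarts, missing-file entries and hidden new files from a DDS log."""
    sections = split_sections(text)
    findings = {"autoruns": [], "missing_files": [], "hidden_files": []}

    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m:
            findings["autoruns"].append((m["name"], m["cmd"]))
        if line.endswith("No File"):  # hook/BHO registered but its DLL is gone
            findings["missing_files"].append(line)

    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m and m["rest"].rstrip().endswith("[?]"):  # driver file not on disk
            findings["missing_files"].append(m["svc"])

    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m and "h" in m["attrs"]:  # hidden attribute set, e.g. --sh--w-
            findings["hidden_files"].append(m["path"])

    return findings


if __name__ == "__main__":
    for key, items in analyze(SAMPLE_DDS).items():
        print(key)
        for item in items:
            print("   ", item)
```

Running it on the excerpt lists the two Run entries, flags the URLSearchHook with no file and the AVGIDSShim driver whose .sys is absent, and reports WSYS049.SYS as the only recently created hidden file, which is the same short list a helper would read out of the raw log.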




#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 November 2010 - 09:30 AM

Hello RAWKNEE

Welcome to BleepingComputer :)
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



