Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search links are Redirected and Internet explorer running ads in background


  • Please log in to reply
1 reply to this topic

#1 tapoor

tapoor

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 14 January 2011 - 03:55 PM

Hi, i was asked to post DDS.txt and include attach.txt and ark.txt in this post.

every time i do google search and then clink on any link, it redirects me somewhere else.

alot of times it says croozybannir...in the redirection link.

before searching for help on this site. i have run my mcaffee antivirus, malware bytes, registry mechanic and cleaned my temp folder. none has helped. so this is my last hope.

here is the log file for dds.txt


DDS (Ver_10-12-12.02) - NTFSx86
Run by xxxxxxxxxxxxx at 15:27:56.97 on Fri 01/14/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.392 [GMT -5:00]

AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Vishal Kapoor\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Vishal Kapoor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNB&bmod=TSNB
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNB&bmod=TSNB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNB&bmod=TSNB
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101129231426.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [JP595IR86O] c:\windows\temp\Rfl .exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://aimprods03.webex.com/client/v_mywebex-mywebexconnds/mywebex/ieatgpc.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vishal~1\applic~1\mozilla\firefox\profiles\gwsy4yf2.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - plugin: c:\documents and settings\vishal kapoor\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\vishal kapoor\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\vishal kapoor\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.2166.3772\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {8CA5BF99-574D-44A4-8966-E9EB3437D484} - c:\documents and settings\vishal kapoor\local settings\application data\{8CA5BF99-574D-44A4-8966-E9EB3437D484}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-11-29 386712]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2009-6-29 29760]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2009-5-11 6528]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-11-29 84072]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-11-29 171168]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-11-29 141792]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-11-29 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-11-29 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-11-29 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-11-29 88544]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2010-6-14 24064]
R3 PGSUSFLT;PGSUSFLT;c:\windows\system32\drivers\pgsuspend.SYS [2010-3-22 18816]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-14 136176]
S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2010-1-20 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-3-22 1684736]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-11-29 55840]
S3 cpuz132;cpuz132;\??\c:\docume~1\vishal~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\vishal~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-30 20952]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-11-29 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-11-29 84264]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-3-22 174592]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2010-1-20 14336]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-30 363344]
S4 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-29 271480]
S4 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-29 271480]
S4 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-11-29 271480]
S4 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-11-29 188136]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-12-30 632792]
S4 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2010-3-22 51512]
S4 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]

=============== Created Last 30 ================

2011-01-14 20:04:54 79360 ----a-w- c:\docume~1\alluse~1\applic~1\61FLOcgO.exe
2011-01-14 18:59:10 -------- d-----w- c:\docume~1\vishal~1\locals~1\applic~1\Mozilla
2011-01-14 18:58:10 552136 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2011-01-14 18:58:05 23512 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-01-14 18:58:05 138712 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-01-14 18:58:04 64984 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2011-01-05 00:14:32 -------- d-----w- c:\program files\common files\AnswerWorks 5.0
2011-01-04 22:47:00 -------- d-----w- c:\docume~1\vishal~1\locals~1\applic~1\Intuit
2011-01-04 22:44:40 -------- d-----w- c:\docume~1\vishal~1\applic~1\Intuit
2011-01-04 22:31:53 -------- d-----w- c:\docume~1\vishal~1\locals~1\applic~1\IsolatedStorage
2011-01-04 22:31:42 -------- d-----w- c:\program files\common files\Intuit
2011-01-04 22:31:18 -------- d-----w- c:\program files\TurboTax
2011-01-04 22:30:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-12-30 10:49:30 -------- d-----w- c:\docume~1\vishal~1\applic~1\Registry Mechanic
2010-12-30 10:41:43 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2010-12-30 10:41:42 658432 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2010-12-30 10:38:38 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-12-30 10:38:38 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-12-30 10:38:38 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-12-30 10:38:34 -------- d-----w- c:\program files\common files\PC Tools
2010-12-24 16:12:50 -------- d-----w- c:\windows\system32\%APPDATA%

==================== Find3M ====================

2011-01-04 05:18:53 0 ----a-w- c:\windows\Nhoqivamebopev.bin
2010-12-26 21:06:59 37380 ----a-w- c:\windows\system32\TDispVol.exe
2010-12-26 21:06:58 37380 ----a-w- c:\windows\system32\TPSMain.exe
2010-12-26 21:06:55 37380 ----a-w- c:\windows\system32\ZoomingHook.exe
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-02 19:52:22 1716297 ----a-w- c:\windows\system32\InetClnt.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_ rev.0040 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll >>UNKNOWN [0x8732B446]<<
c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87331504]; MOV EAX, [0x87331580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8737B030]
3 CLASSPNP[0xF74F2FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\THPDRV1[0x8737C030]
5 thpdrv[0xF774CE1F] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8737D028]
\Driver\iaStor[0x869BFF38] -> IRP_MJ_CREATE -> 0x8732B446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MJA2160BH_G2____________________00400018#4&2b0e2257&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x8732B292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 15:31:12.26 ===============

Attached Files


Edited by tapoor, 14 January 2011 - 04:07 PM.


BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:04:45 AM

Posted 19 January 2011 - 08:45 AM

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users