
Google redirect/popups


This topic is locked
1 reply to this topic

#1 justinj93

  • Members
  • 1 posts

Posted 04 March 2011 - 10:03 AM

EDIT: Turned out to be a pesky rootkit, got rid of it with HitmanPro. Feel free to close this thread :)

Google continues to redirect me even after I reformatted my hard drive. I also get pop-ups when starting IE. I am unable to post on the infected computer; however, I can download and run programs on the infected computer and use a USB to attach the logs on this computer. I'm also unable to run Windows Update (using Win XP). Thanks in advance for any help.

DDS:

DDS (Ver_10-12-12.02) - NTFSx86
Run by HP_Administrator at 8:11:07.96 on Fri 03/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.543 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DISC\DiscGui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uWindow Title = Windows Internet Explorer provided by MSN & Bing
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2011-03-04 07:54:40 -------- d-----w- c:\program files\Yontoo Layers Client
2011-03-04 07:54:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-03-04 07:52:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\hHfPnKi15405
2011-03-04 04:30:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-03-04 04:30:38 -------- d-----w- c:\program files\McAfee Security Scan
2011-03-04 03:28:20 -------- d-----w- c:\program files\ESET
2011-03-04 03:04:00 -------- d-sh--w- c:\documents and settings\hp_administrator\PrivacIE
2011-03-04 03:02:40 -------- d-sh--w- c:\documents and settings\hp_administrator\IETldCache
2011-03-04 02:59:43 -------- d--h--w- c:\windows\msdownld.tmp
2011-03-04 02:58:49 -------- dc-h--w- c:\windows\ie8
2011-03-04 02:51:22 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\HPQ
2011-03-04 02:51:14 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\Adobe
2011-03-04 02:38:00 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2011-03-04 02:37:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 02:37:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-04 02:37:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-04 02:37:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-03 22:44:09 -------- d-sh--w- c:\documents and settings\hp_administrator\UserData
2011-03-03 22:42:41 356096 ----a-w- c:\windows\system32\rt61.sys
2011-03-03 22:42:41 243328 ----a-w- c:\windows\system32\rt2500.sys
2011-03-03 22:42:41 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-03-03 22:42:40 94208 ----a-w- c:\windows\system32\GTW32N50.dll
2011-03-03 22:42:40 356096 ----a-w- c:\windows\system32\drivers\rt61.sys
2011-03-03 22:42:40 31930 ----a-w- c:\windows\system32\GTNDIS3.VXD
2011-03-03 22:42:40 15872 ----a-w- c:\windows\system32\GTNDIS5.sys
2011-03-03 22:42:39 17992 ----a-w- c:\windows\system32\drivers\bcm42rly.sys
2011-03-03 22:42:39 17992 ----a-w- c:\windows\system32\bcm42rly.sys
2011-03-03 22:42:39 17992 ----a-w- c:\windows\bcm42rly.sys
2011-03-03 22:42:29 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2011-03-03 22:41:57 -------- d-sh--r- C:\cmdcons
2011-03-03 22:41:54 -------- d-----w- c:\windows\setup.pss
2011-03-03 20:54:52 -------- d-----w- c:\windows\I386
2011-03-03 20:45:23 -------- d-----r- c:\documents and settings\all users\Documents
2011-03-03 20:44:08 -------- d-----r- c:\windows\Offline Web Pages
2011-03-03 20:42:55 -------- d-sh--r- c:\windows\system32\dllcache

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200826AS rev.3.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89822439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x898287b8]; MOV EAX, [0x89828834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EEEB8] -> \Device\Harddisk0\DR0[0x8983DAB8]
3 CLASSPNP[0xBA90905B] -> ntkrnlpa!IofCallDriver[0x804EEEB8] -> \Device\00000063[0x898AD1A8]
5 ACPI[0xBA77F620] -> ntkrnlpa!IofCallDriver[0x804EEEB8] -> [0x89911940]
\Driver\atapi[0x8957CC78] -> IRP_MJ_CREATE -> 0x89822439
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3200826AS_____________________________3.03____#5&8675952&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8982227F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 8:13:08.17 ===============
Attached File: Attach.txt (7.18KB)
Attached File: ark.txt (17.61KB)

Edited by justinj93, 04 March 2011 - 01:53 PM.



#2 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 06 March 2011 - 12:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
