Search URL Redirect and Connections To Mal IP Addresses


This topic is locked
11 replies to this topic

#1 BaldieBonce


Posted 12 June 2011 - 01:53 PM

TOPIC INTRO NOTES:

Browser redirect virus infection in machine with XP SP3 started at the instant of completion of downloading and installing the upgrade of Firefox from v3.6.17 to v4.0.1.
Malicious redirection seems only to occur when a search engine page (e.g. Google/Yahoo/AltaVista etc.) is clicked in IEv8 or FF4.

Symptoms similar to many of your other help forum requests on same topic, but I add that when either IEv8 or FFv4 are opened individually or concurrently, they continuously demand up to 100% of CPU capacity.

That high CPU behaviour occurs whether PC is physically connected via router to the Internet or unplugged.
When either IE or FF are closed by usual methods, they continue to totally occupy CPU capacity for up to two minutes, whether or not any html pages were opened or websites visited.

Closing IE or FF with Task Manager or Process Explorer effects an immediate stop to their gross CPU usage.

Malwarebytes (MBAM) alerts and blocks many rapid series of attempts by the machine to go online to unknown rogue IP addresses, listed:
94.75.207.72
94.75.207.73
74.208.129.145
66.45.255.230
94.100.19.131 (happened just now while testing IE at wqw.pcworld.co.uk)(wqw = www)
66.45.255.230 (When just now tested with Google for hgv and clicked wikipedia URL. re goingonearth note below)

At this instant IE and FF seem well behaved on going to favourite websites, but on Googling for 'hgv' the same redirect hijack starts. But this time IE and FF CPU usage has not stayed high and stops soon after closing!!! The redirect shows wqw.goingoneart.com/search.php?q=hgv&n=1307902477, and a cookie request for 64.111.211.171 . When the address bar is highlighted, copied and pasted, all that gets pasted is co.uk , so I grabbed the screen and saved it as a bitmap.
Repeated the test search and it went to the wiki correctly. Something is changing or has changed in the behaviour of the infection.

Infection seems to be inactive/absent when booted into Safe Mode with Networking.
In safe mode, IE and FF can be used for Google online searches, and both programs close promptly without any continued high CPU activity.

Of websites redirected to or via, www.goingonearth.com often occurred.

MBAM scans have quarantined instances of malware listed under 'Vendor' as:
Highjack.zones
Broken.Open.Command
P.U.M.Disabled.Security.Center
MBAM also found some broken Registry keys.

Many scans with Norton Internet Security(NIS)2011, Norton Power Eraser, HijackThis and Registry Patrol, which found a few irregularities and fixed them, but have not cured the infection.

On 18 May, I used Norton Online help, which momentarily inhibited the redirects, but they wanted 115GBP to continue and offered a week long guaranteed fix!!!

Two of their brief fix actions that I recall, were deletion of files: qmgr0.dat and qmgr1.dat, in:
C:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\

Another nearby file was also deleted but can't recall its name or path.

NIS Boot Time Protection has been set to 'aggressive'.

Have cleaned out all Temp files and downloaded DDS, GMER, and Defogger, ready for instruction on their use.
Have blocked some seldom used programs from starting at boot up by using Sysinternals' Autoruns.exe.

During repair operations for this infection, how should the machine be booted?
Safe mode or as normal?
As Administrator or as user with administrative or standard privileges?

Oldest System Restore Point is 17 May 2011 at 01.24, which was about 20 minutes after the initial upgrade of
FF 3.6.17 to FFv4.0.1.

The infection manifested itself at the instant of completion of download and installation of FF4.

Also at that instant, NIS blocked several viruses and intrusion attempts.
All NIS Quarantined items have been deleted pending running AV tools.

Next day I uninstalled and reinstalled FFv4 from an earlier download (same file properties), but the redirect problem persists.

I don't know why System Restore points prior to infection have vanished.

Prior to downloading FFv4 from Mozilla.com, I had visited several software sites, and downloaded from wqw.SourceForge.net, but those files have simply been saved and not opened, although those acquisitions might be totally innocent and unrelated to the subsequent experience following the download and installation of FFv4 from Mozilla.com.

Bootable CDs and full external backups prior to and since start of infection have been made.

So, I think that's covered all the basic intro and preps, and am ready to be redirected to safe pastures.

This posting has been made from an uninfected machine, as I had expected that IE and FF would be uncontrollably busy and in effect locked up, but that now strangely seems not to be the case.



#2 cryptodan


Posted 15 June 2011 - 04:59 PM

Can you post the logs from Malwarebytes?

#3 BaldieBonce


Posted 16 June 2011 - 08:09 AM

Hello Bleeping Madman,

I'm new to using forums such as these, so I might make inept errors.

Here are some of the most relevant logs of MBAM scans and its firewall where suspicious activity or malware was found.


MALWAREBYTES SCAN LOGS
open with word doc.txt
################# mbam-log-2011-05-22 #################

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6642

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/05/2011 22:21:18
mbam-log-2011-05-22 (22-21-18).txt

Scan type: Quick scan
Objects scanned: 181412
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


################# mbam-log-2011-05-23 #################

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6649

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/05/2011 14:30:39
mbam-log-2011-05-23 (14-30-39).txt

Scan type: Full scan (C:\|K:\|N:\|O:\|)
Objects scanned: 344367
Time elapsed: 1 hour(s), 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
k:\download registry fix\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.


################# mbam-log-2011-05-27 #################

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6680

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/05/2011 18:45:11
mbam-log-2011-05-27 (18-45-11).txt

Scan type: Quick scan
Objects scanned: 184344
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


################# mbam-log-2011-06-08 #################

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6779

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/06/2011 20:50:24
mbam-log-2011-06-08 (20-50-24).txt

Scan type: Flash scan
Objects scanned: 129416
Time elapsed: 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


################# mbam-log-2011-06-09 #################

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6817

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

09/06/2011 16:59:09
mbam-log-2011-06-09 (16-59-09).txt

Scan type: Full scan (C:\|K:\|N:\|O:\|)
Objects scanned: 344247
Time elapsed: 28 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


########################################################


MALWAREBYTES OUTGOING CONNECTION PROTECTION LOGS

Selection from protection logs to show all IP addresses blocked since installing MBAM

protection-log-2011-06-14.txt
16:41:34 Baldie Bonce IP-BLOCK 94.75.207.72 (Type: outgoing)
16:56:25 Baldie Bonce IP-BLOCK 94.75.207.73 (Type: outgoing)
=================
protection-log-2011-06-12.txt
19:07:29 Baldie Bonce IP-BLOCK 94.100.19.131 (Type: outgoing)
19:15:03 Baldie Bonce IP-BLOCK 66.45.255.230 (Type: outgoing)
=================
protection-log-2011-06-09.txt
00:03:17 Baldie Bonce IP-BLOCK 94.75.207.72 (Type: outgoing)
08:38:02 Baldie Bonce MESSAGE IP Protection stopped
08:38:18 Baldie Bonce MESSAGE Database updated successfully
08:38:25 Baldie Bonce MESSAGE IP Protection started successfully
08:42:25 Baldie Bonce IP-BLOCK 74.208.129.145 (Type: outgoing)
=================
protection-log-2011-06-08.txt
21:26:02 Baldie Bonce IP-BLOCK 94.75.207.73 (Type: outgoing)
21:33:34 Baldie Bonce MESSAGE Protection started successfully
21:33:43 Baldie Bonce MESSAGE IP Protection started successfully
21:37:50 Baldie Bonce IP-BLOCK 66.45.255.230 (Type: outgoing)
=================
protection-log-2011-06-06.txt
08:34:37 Administrator MESSAGE Protection started successfully
08:34:48 Administrator MESSAGE IP Protection started successfully
15:06:33 Administrator IP-BLOCK 67.215.246.204 (Type: outgoing)
15:06:35 Administrator IP-BLOCK 67.215.246.204 (Type: outgoing)
15:06:41 Administrator IP-BLOCK 67.215.246.204 (Type: outgoing)
15:07:28 Administrator IP-BLOCK 58.241.55.30 (Type: outgoing)
15:12:05 Administrator IP-BLOCK 67.215.246.204 (Type: outgoing)
<<<<< many identical entries removed from this list >>>>>
15:14:09 Administrator IP-BLOCK 67.215.246.204 (Type: outgoing)
20:08:37 Administrator IP-BLOCK 94.75.207.72 (Type: outgoing)
<<<<< many identical entries removed from this list >>>>>
20:09:52 Administrator IP-BLOCK 94.75.207.72 (Type: outgoing)
20:14:16 Administrator IP-BLOCK 94.75.207.73 (Type: outgoing)
<<<<< many identical entries removed from this list >>>>>
21:05:33 Administrator IP-BLOCK 94.75.207.73 (Type: outgoing)
21:22:40 Administrator IP-BLOCK 94.75.207.72 (Type: outgoing)
<<<<< many identical entries removed from this list >>>>>
21:39:52 Administrator IP-BLOCK 94.75.207.72 (Type: outgoing)
21:54:35 Administrator IP-BLOCK 94.75.207.73 (Type: outgoing)
<<<<< many identical entries removed from this list >>>>>
21:55:49 Administrator IP-BLOCK 94.75.207.73 (Type: outgoing)
22:14:04 Administrator IP-BLOCK 94.75.207.72 (Type: outgoing)
=================
protection-log-2011-06-04.txt
10:45:59 Baldie Bonce MESSAGE Protection started successfully
10:46:07 Baldie Bonce MESSAGE IP Protection started successfully
12:00:06 Baldie Bonce IP-BLOCK 67.29.139.153 (Type: outgoing)
12:00:09 Baldie Bonce IP-BLOCK 67.29.139.153 (Type: outgoing)
12:00:15 Baldie Bonce IP-BLOCK 67.29.139.153 (Type: outgoing)
22:32:24 Baldie Bonce IP-BLOCK 94.75.207.73 (Type: outgoing)
=================
protection-log-2011-06-03.txt
00:35:58 Administrator IP-BLOCK 117.21.224.235 (Type: outgoing)
06:22:48 Baldie Bonce MESSAGE Protection started successfully
06:22:56 Baldie Bonce MESSAGE IP Protection started successfully
07:32:06 Baldie Bonce IP-BLOCK 78.140.143.83 (Type: outgoing)
===============================================================================
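As an added example (not code from the thread, from the poster, or from Malwarebytes), a Python script that parses the two log layouts posted above: it reports scan detections that were "quarantined and deleted successfully" and then reappeared in a later scan, and tallies the outgoing IP blocks per address and per day. The sample input is constructed, abbreviated to the lines the parsers consume, in the same layout as the logs above.

```python
"""Summarise the two Malwarebytes 1.5x text log formats quoted above:
which scan detections recur across scans, and which blocked outgoing IPs recur
across protection-log days.  Constructed example, not a Malwarebytes tool."""
import re
from collections import defaultdict

SCAN_HEADER = re.compile(r"^#+ (mbam-log-\d{4}-\d\d-\d\d) #+$")
SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<Detection.Name>) -> Quarantined ..." ; <item> may itself contain "(default)"
DETECTION = re.compile(r"^(?P<item>.+) \((?P<name>[\w.]+)\) -> (?P<rest>.+)$")
PROT_FILE = re.compile(r"^protection-log-(\d{4}-\d\d-\d\d)\.txt$")
IP_BLOCK = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<user>.+?) IP-BLOCK "
                      r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>\w+)\)$")


def parse_scan_logs(text):
    """Map (section, item, detection name) -> scan ids that quarantined it."""
    seen = defaultdict(list)
    scan = section = None
    for line in text.splitlines():
        line = line.strip()
        if m := SCAN_HEADER.match(line):
            scan, section = m.group(1), None
        elif m := SECTION.match(line):
            section = m.group(1)
        elif scan and section and (m := DETECTION.match(line)):
            key = (section, m["item"], m["name"])
            if scan not in seen[key]:
                seen[key].append(scan)
    return dict(seen)


def recurring_detections(text, min_scans=2):
    """Items quarantined in at least min_scans separate scans.  An item that is
    'deleted successfully' and then found again is being re-created by something
    the scanner did not remove, which is the signal to look for in these logs."""
    return sorted(
        (key, scans) for key, scans in parse_scan_logs(text).items()
        if len(scans) >= min_scans)


def summarise_ip_blocks(text):
    """Per blocked IP: block count, distinct days it appeared, and directions."""
    stats = {}
    day = None
    for line in text.splitlines():
        line = line.strip()
        if m := PROT_FILE.match(line):
            day = m.group(1)
        elif day and (m := IP_BLOCK.match(line)):
            s = stats.setdefault(m["ip"], {"blocks": 0, "days": set(), "dirs": set()})
            s["blocks"] += 1
            s["days"].add(day)
            s["dirs"].add(m["dir"])
    return {ip: {"blocks": s["blocks"], "days": sorted(s["days"]),
                 "dirs": sorted(s["dirs"])} for ip, s in stats.items()}


# Constructed sample input, abbreviated to the lines the parsers consume but in
# the exact layout of the logs posted in the thread.
SAMPLE_SCANS = r"""
################# mbam-log-2011-05-22 #################
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
################# mbam-log-2011-05-23 #################
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Files Infected:
k:\download registry fix\registryfix.exe (Rogue.Installer) -> Quarantined and deleted successfully.
################# mbam-log-2011-05-27 #################
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
"""

SAMPLE_PROTECTION = """
protection-log-2011-06-14.txt
16:41:34 Baldie Bonce IP-BLOCK 94.75.207.72 (Type: outgoing)
16:56:25 Baldie Bonce IP-BLOCK 94.75.207.73 (Type: outgoing)
=================
protection-log-2011-06-09.txt
00:03:17 Baldie Bonce IP-BLOCK 94.75.207.72 (Type: outgoing)
08:38:02 Baldie Bonce MESSAGE IP Protection stopped
08:42:25 Baldie Bonce IP-BLOCK 74.208.129.145 (Type: outgoing)
=================
protection-log-2011-06-06.txt
20:08:37 Administrator IP-BLOCK 94.75.207.72 (Type: outgoing)
<<<<< many identical entries removed from this list >>>>>
20:09:52 Administrator IP-BLOCK 94.75.207.72 (Type: outgoing)
"""

if __name__ == "__main__":
    for (section, item, name), scans in recurring_detections(SAMPLE_SCANS):
        print(f"recurring: {name} at {item} ({section}) in {', '.join(scans)}")
    for ip, s in sorted(summarise_ip_blocks(SAMPLE_PROTECTION).items(),
                        key=lambda kv: -kv[1]["blocks"]):
        print(f"{ip}: {s['blocks']} blocks on {len(s['days'])} day(s) {s['dirs']}")
```

Run over the full logs in the post, the first report singles out the regfile open command that every scan from 23 May onward re-quarantines, and the second shows the same two 94.75.207.x addresses being blocked day after day.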

#4 cryptodan


Posted 16 June 2011 - 08:59 AM

Now 2 additional scans:

SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#5 BaldieBonce


Posted 16 June 2011 - 05:38 PM

Hello Cryptodan,
I've installed and set up SuperAntiSpyWare as instructed, and initiated close down of PC.
However, it seems to have chosen this moment to install 16 updates! The first update has been installing for over an hour now, yes, an hour!
I'm surprised that there are so many updates, as it regularly gets its updates automatically and usually gets shut down late at the end of each day and allowed to install any updates.
The screen is alternating between the install announcement and the warning not to disconnect, but I get the feeling from seeing that the HDD LED is constantly on, together with listening to its 'body noises' on earphones, that it's just cruising in idle mode.
I just checked MS's update pages, and there are 16 fairly small updates available for Vista, and as this is a Vista OS, it's not easy to find what's available for XP. But given the overlap of MS Office and IE etc, it's faintly possible that the XP machine's action is legitimate.
However, it's now well over 1h:25m into install update 1, shall I force the issue?

#6 BaldieBonce


Posted 16 June 2011 - 05:45 PM

FURTHER TO LAST POST:::
XP installing updates have not stalled...
It's just moved on to install update 2 of 16, so I'll let it go on through the night.
Will report back tomorrow, thanks and good night.

#7 cryptodan


Posted 16 June 2011 - 06:17 PM

Let the updates continue.

#8 BaldieBonce


Posted 17 June 2011 - 10:11 AM

Hello again,

The MS XP security updates eventually ended after seven hours without incident, and then I rebooted to Safe Mode.

SuperAntiSpyware; log copied below.

GMER log also copied below.

In the GMER screen prior to the scan results, it said '4 files detected', and, during the scan, a Malwarebytes alert showed under Norton Int. Sec. as having high CPU usage, despite my having (I believed) disabled them.
So, should the GMER scan be rerun after using Task Manager to end all processes associated with MBAM and NIS? i.e. mbamservice.exe and ccsvchst.exe

After running scans, to see if any changes had occurred, FF was opened to a blank page with the network disconnected. It behaved as before, consuming up to 100% CPU continuously, and similarly after being closed via the top right hand [X] window close button, its demand continued unchanged for about 30 seconds.


---------------------------- SUPERAntispyware Log ---------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/17/2011 at 12:54 PM

Application Version : 4.54.1000

Core Rules Database Version : 7277
Trace Rules Database Version: 5089

Scan type : Complete Scan
Total Scan Time : 03:00:35

Memory items scanned : 266
Memory threats detected : 0
Registry items scanned : 7379
Registry threats detected : 0
File items scanned : 101857
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\Baldie Bonce\Cookies\Baldie_Bonce@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Baldie Bonce\Cookies\Baldie_Bonce@www.googleadservices[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bridge2.admarketplace[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@customercenter.solidworks[1].txt
.yamahamotor.122.2o7.net [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.googleadservices.com [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
www.googleadservices.com [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.specificclick.net [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.microsoftmachinetranslation.112.2o7.net [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Baldie Bonce\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]


---------------------------------- GMER LOG ------------------------

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-17 15:05:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HDP725050GLAT80 rev.GM4OA42A
Running: gmer.exe; Driver: C:\DOCUME~1\BALDIE~1\LOCALS~1\Temp\kwtdypog.sys


---- System - GMER 1.0.15 ----

SSDT 870D3E10 ZwAlertResumeThread
SSDT 870D16E8 ZwAlertThread
SSDT 870F1610 ZwAllocateVirtualMemory
SSDT 870F37D8 ZwAssignProcessToJobObject
SSDT 86E60700 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC90C710]
SSDT 87141830 ZwCreateMutant
SSDT 870ED988 ZwCreateSymbolicLinkObject
SSDT 870D6DF0 ZwCreateThread
SSDT 870FB170 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEC90C990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEC90CEF0]
SSDT 86A5C7C0 ZwDuplicateObject
SSDT 870EB8C8 ZwFreeVirtualMemory
SSDT 86A5C788 ZwImpersonateAnonymousToken
SSDT 870C83A0 ZwImpersonateThread
SSDT 86E562F8 ZwLoadDriver
SSDT 870E6310 ZwMapViewOfSection
SSDT 87380798 ZwOpenEvent
SSDT 870E3FC0 ZwOpenProcess
SSDT 869197C0 ZwOpenProcessToken
SSDT 870F15D8 ZwOpenSection
SSDT 870D3E48 ZwOpenThread
SSDT 871A1BC0 ZwProtectVirtualMemory
SSDT 870E3F88 ZwResumeThread
SSDT 8706B148 ZwSetContextThread
SSDT 871AAE00 ZwSetInformationProcess
SSDT 870EC208 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEC90D140]
SSDT 871CEF88 ZwSuspendProcess
SSDT 870D1570 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEC57C620]
SSDT 870D06B8 ZwTerminateThread
SSDT 86593428 ZwUnmapViewOfSection
SSDT 870FB1A8 ZwWriteVirtualMemory

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EC03D16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EC03CFC2

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
init C:\windows\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF61C9900]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xEBE05400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xEBEA7420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xEBEA7420]
.protect˙˙˙˙hardlockunknown last code section [0xEBEA7200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xEBEA7200, 0x5049, 0xE0000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip idmtdi.sys (Internet Download Manager TDI Driver/Tonec Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp idmtdi.sys (Internet Download Manager TDI Driver/Tonec Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp idmtdi.sys (Internet Download Manager TDI Driver/Tonec Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp idmtdi.sys (Internet Download Manager TDI Driver/Tonec Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{61950cd7-8300-4f37-b4cb-ffafc926bf66}@Model 265
Reg HKLM\SOFTWARE\Classes\CLSID\{61950cd7-8300-4f37-b4cb-ffafc926bf66}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{61950cd7-8300-4f37-b4cb-ffafc926bf66}@MData 0x3E 0xD4 0xAF 0x97 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xD2 0x3A 0xB3 0xF0 ...
Reg HKLM\SOFTWARE\Classes\Software\Magic_Modules\Buddy_API\Modules@@\x2039 131402
Reg HKLM\SOFTWARE\Classes\Software\Magic_Modules\Buddy_API\Modules@\27\x2039 590380

---- EOF - GMER 1.0.15 ----

#9 cryptodan


Posted 17 June 2011 - 01:10 PM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#10 BaldieBonce


Posted 17 June 2011 - 03:08 PM

Acknowledged, will use best endeavours. Thank you Cryptodan.

#11 BaldieBonce


Posted 18 June 2011 - 12:09 PM

Hello Cryptodan,

I've reposted the help request as instructed.

Here's the URL to the new topic

'Browsers Redirected & MBAM Blocks Outgoing To Mal IPs'

'IEv8, FFv4 & Google Chrome parasited by hidden virus in XP Pro SP3'

at: http://www.bleepingcomputer.com/forums/topic404650.html

Thanks, Baldie B

#12 rigel


Posted 18 June 2011 - 01:33 PM

Now that you have a log correctly posted, please follow only the advice of the MRT team member that works your topic.

To prevent confusion, this topic is now closed.

Our best to you and good luck with cleaning your computer!

rigel

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith




