Google results hijacked


15 replies to this topic

#1 tkpro72 (Members, 8 posts)

Posted 01 July 2011 - 11:13 AM

Hi. My work requires me to visit a lot of websites, some of which are pretty shady, which puts my computer at risk. I have antivirus software on my computer but it has not been able to fix this particular problem. A few days ago I clicked on a strange looking link which led to a page that looked somewhat like a search results page with several low quality yellowbook type directory results. One of the results must have installed a virus that hijacks my Google results. When I click on a Google link I get redirected to one of these shady looking directory sites. I have to go back to the results and click again to get the correct page. I was told that ComboFix could restore my computer but I needed to have someone guide me through it. I have already printed the tutorial on how to use it. Also, I have already checked my hosts file and did not see anything unusual there. Any assistance you could provide me would be greatly appreciated.


#2 Broni, The Coolest BC Computer (BC Advisor, 42,738 posts, Daly City, CA)

Posted 01 July 2011 - 09:39 PM

Welcome aboard.

ComboFix is not allowed in this forum, nor should it be run by yourself.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 tkpro72, Topic Starter (Members, 8 posts)

Posted 06 July 2011 - 12:00 PM

I ran Security Check and these were the results:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
TuneUp Companion 1.7.1
Java™ 6 Update 18
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 9.4.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
ALWILS~1 Avast5 avastUI.exe
``````````End of Log````````````

I had already run Malwarebytes before posting here, but it didn't find anything.

#4 Broni, The Coolest BC Computer (BC Advisor, 42,738 posts, Daly City, CA)

Posted 06 July 2011 - 07:24 PM

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#5 tkpro72, Topic Starter (Members, 8 posts)

Posted 08 July 2011 - 09:48 AM

Hi. Below is the result from GMER:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-07-08 10:41:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC25N080ATMR04-0 rev.MO4OAD4A
Running: myebt7lu.exe; Driver: C:\DOCUME~1\Toshiba\LOCALS~1\Temp\kgrdqkog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAF2EDBF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAF2EDA5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAF36D902]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----


Below is the result of MiniToolBox:

MiniToolBox by Farbar
Ran by Toshiba (administrator) on 08-07-2011 at 10:34:22
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "china2"

set address name="china2" source=dhcp
set dns name="china2" source=dhcp register=PRIMARY
set wins name="china2" source=dhcp

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=static addr=192.168.0.1 mask=255.255.255.0
set dns name="Local Area Connection" source=static addr=none register=PRIMARY
set wins name="Local Area Connection" source=static addr=none


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : toshiba-zass3k4
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter china2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5004G Wireless Network Adapter
Physical Address. . . . . . . . . : 00-90-96-CA-08-50
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
DHCP Server . . . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 205.152.37.23
                                    205.152.132.23
Lease Obtained. . . . . . . . . . : Friday, July 08, 2011 8:17:09 AM
Lease Expires . . . . . . . . . . : Saturday, July 09, 2011 8:17:09 AM

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-02-3F-D6-7F-0B

Server: dns.asm.bellsouth.net
Address: 205.152.37.23

Name: google.com
Addresses: 74.125.45.147, 74.125.45.104, 74.125.45.105, 74.125.45.103
74.125.45.106, 74.125.45.99

Pinging google.com [209.85.157.104] with 32 bytes of data:
Reply from 209.85.157.104: bytes=32 time=44ms TTL=47
Reply from 209.85.157.104: bytes=32 time=44ms TTL=47
Ping statistics for 209.85.157.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 44ms, Average = 44ms

Server: dns.asm.bellsouth.net
Address: 205.152.37.23

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76
69.147.125.65

Pinging yahoo.com [69.147.125.65] with 32 bytes of data:
Reply from 69.147.125.65: bytes=32 time=36ms TTL=46
Reply from 69.147.125.65: bytes=32 time=35ms TTL=46
Ping statistics for 69.147.125.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 36ms, Average = 35ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 90 96 ca 08 50 ...... Atheros AR5004G Wireless Network Adapter - Packet Scheduler Miniport
0x3 ...00 02 3f d6 7f 0b ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.3 20
10.0.0.0 255.255.255.0 10.0.0.3 10.0.0.3 20
10.0.0.3 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.0.0.3 10.0.0.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 10.0.0.3 10.0.0.3 20
224.0.0.0 240.0.0.0 10.0.0.3 10.0.0.3 20
255.255.255.255 255.255.255.255 10.0.0.3 3 1
255.255.255.255 255.255.255.255 10.0.0.3 10.0.0.3 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/04/2011 08:50:01 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (07/04/2011 08:45:29 PM) (Source: Application Hang) (User: )
Description: Hanging application msimn.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/27/2011 07:00:55 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/23/2011 11:23:29 AM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/20/2011 07:02:48 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/18/2011 06:15:13 PM) (Source: Application Hang) (User: )
Description: Hanging application msimn.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/18/2011 06:15:13 PM) (Source: Application Hang) (User: )
Description: Hanging application msimn.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/18/2011 06:15:13 PM) (Source: Application Hang) (User: )
Description: Hanging application msimn.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/13/2011 07:01:05 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/06/2011 07:00:48 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680


System errors:
=============
Error: (07/08/2011 08:35:03 AM) (Source: 0) (User: )
Description: \Device\Harddisk0\D

Error: (07/08/2011 08:33:21 AM) (Source: 0) (User: )
Description: \Device\Harddisk0\D

Error: (07/08/2011 08:23:26 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.107.1308.0).

Error: (07/08/2011 08:19:07 AM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
%%2

Error: (07/08/2011 08:19:07 AM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%2

Error: (07/08/2011 08:19:07 AM) (Source: Service Control Manager) (User: )
Description: The Windows Defender service failed to start due to the following error:
%%3

Error: (07/07/2011 08:35:34 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.107.1036.0).

Error: (07/07/2011 08:31:56 AM) (Source: DCOM) (User: SYSTEM)
Description: The server {204810B9-73B2-11D4-BF42-00B0D0118B56} did not register with DCOM within the required timeout.

Error: (07/07/2011 08:31:07 AM) (Source: Service Control Manager) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%2

Error: (07/07/2011 08:31:07 AM) (Source: Service Control Manager) (User: )
Description: The Windows Defender service failed to start due to the following error:
%%3


Microsoft Office Sessions:
=========================
Error: (07/04/2011 08:50:01 PM) (Source: NativeWrapper)(User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (07/04/2011 08:45:29 PM) (Source: Application Hang)(User: )
Description: msimn.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (06/27/2011 07:00:55 PM) (Source: NativeWrapper)(User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/23/2011 11:23:29 AM) (Source: NativeWrapper)(User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/20/2011 07:02:48 PM) (Source: NativeWrapper)(User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/18/2011 06:15:13 PM) (Source: Application Hang)(User: )
Description: msimn.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (06/18/2011 06:15:13 PM) (Source: Application Hang)(User: )
Description: msimn.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (06/18/2011 06:15:13 PM) (Source: Application Hang)(User: )
Description: msimn.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (06/13/2011 07:01:05 PM) (Source: NativeWrapper)(User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680

Error: (06/06/2011 07:00:48 PM) (Source: NativeWrapper)(User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1686.5002kb24164471033663finstallx865.1.2600.2.3.0.7680


========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 52%
Total physical RAM: 1406.98 MB
Available physical RAM: 666.86 MB
Total Pagefile: 1741.16 MB
Available Pagefile: 1214.86 MB
Total Virtual: 2047.88 MB
Available Virtual: 1998.96 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:74.53 GB) (Free:45.52 GB) NTFS

================= Users: ==================================================

User accounts for \\TOSHIBA-ZASS3K4

-------------------------------------------------------------------------------
Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 Toshiba
The command completed successfully.

================= End of Users ============================================
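The hosts-file check Broni asked MiniToolBox for ("List content of Hosts") is the first thing to rule out with a search-redirect complaint, because a hijacked hosts file can pin google.com or yahoo.com to an attacker's address without touching the browser at all. The script below is an added example for this thread, not MiniToolBox's code and not something either poster ran: it parses hosts text the way the tool lists it and flags entries that could explain a redirect. The sample hosts content is constructed for the demo; the only line taken from the real log above is the default `127.0.0.1 localhost`, and 192.0.2.10 is from the documentation address range, not a real host.

```python
"""Hosts-file triage for search-engine redirects (added example)."""
import ipaddress

# Domains a home PC almost never needs pinned in hosts; a hijacker that wants
# to steer search traffic pins these to an address it controls.
WATCHED_DOMAINS = {
    "google.com", "www.google.com",
    "yahoo.com", "www.yahoo.com",
    "bing.com", "www.bing.com",
}

# Constructed sample: the stock Windows header and localhost line, plus two
# demo entries. 192.0.2.0/24 is reserved for documentation.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.0.2.10      google.com www.google.com   # constructed hijack entry
0.0.0.0         ads.example.net             # constructed ad-block entry
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts text, dropping comments and
    blank lines. One line may name several hosts for the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing is mapped
        entries.extend((fields[0], host.lower()) for host in fields[1:])
    return entries


def points_local(ip):
    """True if the address is loopback or unspecified (0.0.0.0 / ::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: report it rather than trust it
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Entries worth a look: any watched domain, whatever it maps to, and any
    other name mapped to a non-local address. Ad-block style lines that sink a
    domain to 0.0.0.0 or 127.0.0.1 are left alone, as is the stock localhost
    line. On a clean default install this returns an empty list."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost" and points_local(ip):
            continue
        if host in WATCHED_DOMAINS or not points_local(ip):
            findings.append((ip, host))
    return findings


if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"check: {host} -> {ip}")
```

Run against the hosts content actually posted in this thread the function returns nothing, which is the same conclusion Broni drew: the redirect is not at the hosts layer, so the investigation moves on to proxy settings, rootkits and, in the end, the browser profile.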

#6 Broni, The Coolest BC Computer (BC Advisor, 42,738 posts, Daly City, CA)

Posted 08 July 2011 - 11:36 AM

Please download SystemScan and save it to your desktop.

  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click OK.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named Suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.


#7 tkpro72, Topic Starter (Members, 8 posts)

Posted 08 July 2011 - 05:03 PM

Below is the result of SystemScan:

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Toshiba\My Documents\Downloads\sys98347.exe
Running in: User mode
Date: 7/8/2011
Time: 6:01:20 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| ASPNET
| Guest (Disabled)
| HelpAssistant (Disabled)
| SUPPORT_388945a0 (Disabled)
Yes | Toshiba

### users folders

04/10/2008 23:25:25 (DIR) 0 byte 1007 days old -- Default User
13/06/2008 18:02:43 (DIR) 0 byte 1120 days old -- All Users
04/05/2011 18:20:09 (DIR) 0 byte 65 days old -- LocalService
05/04/2011 15:37:49 (DIR) 0 byte 94 days old -- NetworkService
05/04/2011 15:37:50 (DIR) 0 byte 94 days old -- Administrator.TOSHIBA-ZASS3K4
24/06/2011 14:28:37 (DIR) 0 byte 14 days old -- Toshiba
07/03/2011 11:44:18 (DIR) 0 byte 123 days old -- Administrator

### startup files in users folders

C:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Administrator.TOSHIBA-ZASS3K4\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Toshiba\Start Menu\Programs\Startup\AOL Desktop.lnk
C:\documents and settings\Toshiba\Start Menu\Programs\Startup\desktop.ini

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work

#8 Broni, The Coolest BC Computer (BC Advisor, 42,738 posts, Daly City, CA)

Posted 08 July 2011 - 05:05 PM

Download and run HAMeb_check.exe
Post the contents of the resulting log.


#9 tkpro72, Topic Starter (Members, 8 posts)

Posted 09 July 2011 - 11:34 AM

Below is the result from HAMeb:

C:\Documents and Settings\Toshiba\My Documents\Downloads\HAMeb_check.exe
Sat 07/09/2011 at 12:33:35.60

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

#10 Broni, The Coolest BC Computer (BC Advisor, 42,738 posts, Daly City, CA)

Posted 09 July 2011 - 11:47 AM

Very good.

Is redirection still there?
If so, which browser is getting redirected?
Did you try a different browser?


#11 tkpro72, Topic Starter (Members, 8 posts)

Posted 10 July 2011 - 06:25 PM

Redirects are still an issue. I use Firefox almost exclusively, in part because my work requires that I use only Firefox. Is there anything else that might help?

#12 Broni, The Coolest BC Computer (BC Advisor, 42,738 posts, Daly City, CA)

Posted 10 July 2011 - 06:55 PM

I want you to check if redirection is present in IE as well.

Then...

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


#13 tkpro72, Topic Starter (Members, 8 posts)

Posted 11 July 2011 - 07:51 AM

Below is the result of GooredFix:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 08:40 on 11/07/2011 (Toshiba)
Firefox version 3.6.18 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{7343BBE4-6E04-478D-9182-3D655D0D7D69} -> Success!
Deleting C:\Documents and Settings\Toshiba\Local Settings\Application Data\{7343BBE4-6E04-478D-9182-3D655D0D7D69} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:38 23/06/2011]

C:\Documents and Settings\Toshiba\Application Data\Mozilla\Firefox\Profiles\a0v7ilao.default\extensions\
qrptoolbar@leapforceathome [17:40 23/06/2011]
{02450954-cdd9-410f-b1da-db804e18c671} [13:48 08/07/2011]
{20a82645-c095-46ed-80e3-08825760534b} [12:57 25/06/2011]
{3d7eb24f-2740-49df-8937-200b1cc08f8a} [12:57 25/06/2011]
{8ea9957e-2953-402f-80e0-bceb5f169d6f} [17:45 23/06/2011]
{c4dc572a-3295-40eb-b30f-b54aa4cdc4b7} [12:57 25/06/2011]
{f035aa18-ee32-4e6e-81d2-57e32867f8a7} [17:45 23/06/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:56 15/05/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [16:41 18/03/2009]
"{27182e60-b5f3-411c-b545-b44205977502}"="C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\" [23:44 28/01/2010]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [03:17 21/07/2010]
"{22119944-ED35-4ab1-910B-E619EA06A115}"="C:\Program Files\Siber Systems\AI RoboForm\Firefox" [16:07 07/06/2011]

-=E.O.F=-

I was on IE for a little while and it did not seem to be a problem there. It also seemed to be happening less on Firefox, but it still occurred occasionally before running GooredFix.

Edited by tkpro72, 11 July 2011 - 10:12 AM.
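What finally resolved this thread was not a rootkit or a hosts entry but a Firefox extension identified only by a GUID, installed in the user's profile and registered under HKLM, which GooredFix removed. The script below is an added example, not GooredFix's own code and not something either poster ran: it parses a log in the same layout as the one above (directory listings of extension ids with install stamps, then the HKLM registration list) and applies two triage heuristics that are assumptions of this example rather than rules from the tool. The first reports bare-GUID extensions that live only in the user profile with no HKLM registration; the second reports anything installed on or after a cut-off date, so an analyst can line the list up with when the redirects started. The sample log, the placeholder profile path and the two all-zero GUIDs are constructed; the only real ids in it are the Firefox default-theme id and the .NET Framework Assistant id, both of which also appear in the thread's log.

```python
"""Triage a GooredFix-style log for Firefox extensions worth reviewing
(added example; the heuristics are this example's assumptions)."""
import re
from datetime import datetime

# "<id> [HH:MM dd/mm/yyyy]" lines inside a directory listing
EXT_LINE = re.compile(r"^(?P<id>\S+) \[(?P<time>\d{2}:\d{2}) (?P<date>\d{2}/\d{2}/\d{4})\]$")
# '"<id>"="<path>" [HH:MM dd/mm/yyyy]' lines under the HKLM key
REG_LINE = re.compile(r'^"(?P<id>[^"]+)"="(?P<path>[^"]*)" \[(?P<time>\d{2}:\d{2}) (?P<date>\d{2}/\d{2}/\d{4})\]$')
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Constructed sample in the log's layout. The all-zero GUIDs and the profile
# path are placeholders; {972ce4c6-...} is the Firefox default theme and
# {20a82645-...} the .NET Framework Assistant, as in the real log.
SAMPLE_LOG = r"""GooredFix by jpshortstuff (03.07.10.1)
Log created at 08:40 on 11/07/2011 (Toshiba)
Firefox version 3.6.18 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{00000000-aaaa-bbbb-cccc-dddddddddddd} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:38 23/06/2011]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abc123.default\extensions\
toolbar@example.invalid [17:40 23/06/2011]
{00000000-1111-2222-3333-444444444444} [13:48 08/07/2011]
{20a82645-c095-46ed-80e3-08825760534b} [12:57 25/06/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:56 15/05/2009]

-=E.O.F=-
"""


def _stamp(m):
    return datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M")


def parse_goored_log(text):
    """Return what the scan removed, every listed extension keyed by id with
    its folder and install stamp, and the HKLM registrations keyed by id."""
    removed, extensions, registry = [], {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("-="):
            continue  # banners and the E.O.F marker
        if line.startswith("Deleting "):
            removed.append(line[len("Deleting "):].split(" -> ", 1)[0])
            continue
        if line.startswith("[HKEY_"):
            section = "registry"
            continue
        if section == "registry":
            m = REG_LINE.match(line)
            if m:
                registry[m["id"]] = (m["path"], _stamp(m))
            continue
        if line.endswith("\\"):
            section = line  # a directory listing header
            continue
        m = EXT_LINE.match(line)
        if m and section:
            extensions[m["id"]] = (section, _stamp(m))
    return {"removed": removed, "extensions": extensions, "registry": registry}


def unregistered_profile_guids(parsed):
    """Bare-GUID ids under a user profile with no matching HKLM value
    (heuristic: named ids like name@vendor and global installs are skipped)."""
    return sorted(
        ext_id for ext_id, (folder, _) in parsed["extensions"].items()
        if "\\Profiles\\" in folder and GUID.match(ext_id) and ext_id not in parsed["registry"]
    )


def installed_since(parsed, cutoff):
    """Ids whose install stamp is on or after cutoff, given as 'dd/mm/yyyy'."""
    since = datetime.strptime(cutoff, "%d/%m/%Y")
    return sorted(ext_id for ext_id, (_, when) in parsed["extensions"].items() if when >= since)


if __name__ == "__main__":
    parsed = parse_goored_log(SAMPLE_LOG)
    print("removed by scan:", parsed["removed"])
    print("profile GUIDs without HKLM entry:", unregistered_profile_guids(parsed))
    print("installed since 28/06/2011:", installed_since(parsed, "28/06/2011"))
```

Either heuristic alone produces false positives (a legitimately installed add-on can be a bare GUID, and an old extension can be updated recently), so the output is a shortlist for a human to look up, not a verdict; what made the thread's case clear-cut was the combination of a GUID-only id, a profile install date after the incident, and the redirects stopping once it was removed.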


#14 Broni, The Coolest BC Computer (BC Advisor, 42,738 posts, Daly City, CA)

Posted 11 July 2011 - 06:47 PM

How is it AFTER running GooredFix?


#15 tkpro72, Topic Starter (Members, 8 posts)

Posted 11 July 2011 - 07:23 PM

I posted the last reply immediately after running GooredFix, so I wasn't yet sure if it had helped. So far so good. Everything seems to be running normally. I want to thank everyone here for their assistance. This is a wonderful and very helpful site.



