Infected with Rootkit? All search engines redirect


  • This topic is locked
2 replies to this topic

#1 volson

volson

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:19 AM

Posted 21 July 2011 - 10:24 AM

Hey guys,

I got a virus when I clicked on a car forum page after a google search. It started as "your computer is messed up - click here to fix", and then went to everything being hidden. We got rid of most of it with rkill and combofix but this little nagging issue will not go. I am not seeing any other issues at the moment.


Thanks in advance to anyone that can help.

Cheers,

Edit: Sorry about not posting logs in the first post; I misunderstood the rules.

GMER just closes when it is done scanning, no log is generated. Don't I have to wait for it to finish to save it? :whistle:



DDS Log
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by volson at 11:45:30 on 2011-07-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3292.2256 [GMT -4:00]
.
AV: FortiClient AntiVirus *Disabled/Updated* {C86EC76D-5A4C-40E7-BD94-59358E544D81}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: FortiClient Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\volson\Local Settings\Application Data\AMS Services, Inc\AMS 360\WorkstationCoordinator.exe
C:\Documents and Settings\All Users\Application Data\Google\Google Toolbar\Update\GoogleToolbarInstaller_updater_signed.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\volson\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ams360.allstarfg.com/default.aspx
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: allstarfg.com\ams360
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: amsservices.com
Trusted Zone: prevailnetwork.com
Trusted Zone: vertafore.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1305558768703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://imageright.webex.com/client/T27LC/event/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {A240EF33-E2D8-431B-82F2-86A434117F8F} = 192.168.1.5
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-7-19 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-7-19 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-7-19 656320]
R1 FAFileMon;FAFileMon;c:\windows\system32\drivers\fortimon2.sys [2011-1-12 43112]
R1 FARegMon;FARegMon;c:\windows\system32\drivers\FortiRmon.sys [2011-1-12 46184]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2011-1-12 13416]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [2011-1-12 119528]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2011-1-12 104296]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [2011-1-12 30568]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2011-1-12 40552]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-7-19 353168]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-7-19 820568]
R2 PfFilter;PfFilter;c:\program files\iobit\protected folder\pffilter.sys [2011-7-19 140848]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2008-6-6 435496]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [2010-1-4 22504]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-3-23 209960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-19 136176]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2011-7-12 14496]
S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files\sage software\peachtree\SmartPostingService2011.exe [2010-9-13 43848]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-7-19 30368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-7-19 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-7-19 1150936]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-7-19 16080]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-7-19 239600]
.
=============== Created Last 30 ================
.
2011-07-21 15:08:15 472808 ----a-w- c:\windows\system32\REN63.tmp
2011-07-20 20:44:27 -------- d-----w- c:\program files\ESET
2011-07-20 13:57:58 -------- d-----w- C:\ComboFix
2011-07-19 20:28:03 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-07-19 20:02:32 -------- d-----w- c:\documents and settings\all users\application data\IObit
2011-07-19 20:00:20 -------- d-----w- c:\documents and settings\volson\application data\IObit
2011-07-19 20:00:17 -------- d-----w- c:\program files\IObit
2011-07-19 14:49:43 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-19 14:49:42 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-07-19 14:47:05 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-07-19 12:39:06 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-07-19 12:39:06 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-07-19 12:39:03 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-07-19 12:38:53 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-07-19 12:38:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-07-19 12:38:41 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-07-19 12:38:21 -------- d-----w- c:\program files\PC Tools Security
2011-07-19 12:38:21 -------- d-----w- c:\program files\common files\PC Tools
2011-07-19 12:38:21 -------- d-----w- c:\documents and settings\volson\application data\PC Tools
2011-07-19 12:38:21 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-07-14 19:04:30 -------- d-----w- C:\ec3dac0e2422f1cdb4a0f62b9c
2011-07-14 16:13:40 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-13 18:51:38 -------- d-----w- C:\fc14d279f7f10295bbc874b5e8
2011-07-13 18:29:50 -------- d-----w- C:\cbe0b571951ada19bbab5d7b
2011-07-12 21:28:51 14496 ----a-w- c:\windows\system32\drivers\ftvnic.sys
2011-07-12 21:28:47 -------- d-----w- c:\program files\common files\Fortinet
2011-07-12 21:28:46 -------- d-----w- c:\program files\Fortinet
2011-07-12 21:27:11 -------- d-----w- c:\documents and settings\all users\application data\Applications
2011-07-12 20:49:28 684297 ----a-w- C:\unhide.exe
.
==================== Find3M ====================
.
2011-07-21 12:12:32 8222 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-22 20:26:20 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-09 19:21:51 52352 ---ha-w- c:\windows\system32\drivers\volsnap.sys
2011-06-02 14:07:35 1867904 ---ha-w- c:\windows\system32\win32k.sys
2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ---ha-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ---ha-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ---ha-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ---ha-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250318AS rev.CC45 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B029F16]<<
_asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; CMP DWORD [EAX+0x2c], 0x7; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; PUSH EDI; MOV EDI, [EBX+0x60]; JNZ 0x17e; MOV ESI, [EDI+0x4]; MOV EAX, [ESI+0xc]; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B09D030]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B097588]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH CS; POP DS; PUSH CS; POP ES; PUSHAD ; MOV [0x7e00], DL; MOV BYTE [0x7e04], 0x1e; MOV AH, 0x48; MOV SI, 0x7e04; INT 0x13; MOV AL, 0x50; JB 0x19b; }
user != kernel MBR !!!
sectors 488281248 (+255): user != kernel
.
============= FINISH: 11:51:38.06 ===============

EDIT: Posts merged ~Budapest

Edited by Budapest, 21 July 2011 - 04:32 PM.
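The "user != kernel MBR !!!" line in the GMER section above is the result of reading the same first sector of the disk through two paths and comparing the bytes. The following is an added example (not code from this thread, from GMER, or from DDS) that shows what such a comparison checks: it parses the MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), reports which region differs between two captures, and computes the unallocated tail of the disk after the last partition, which is the region the log's final line points at. The two MBR images, the disk size and the partition geometry are constructed sample values chosen for the demonstration, not the poster's actual disk.

```python
"""Compare two captures of a disk's Master Boot Record and report where they
differ. Added example; the sample images below are constructed, and the
'kernel' copy has altered boot code to simulate the mismatch GMER reports."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code
PT_OFFSET = 446              # bytes 446..509: four 16-byte partition entries
PT_LEN = 64
SIG_OFFSET = 510             # bytes 510..511: 0x55 0xAA
MBR_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    status: int      # 0x80 = bootable, 0x00 = inactive
    ptype: int       # partition type id, e.g. 0x07 for NTFS
    lba_start: int   # first sector (LBA)
    sectors: int     # length in sectors

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors   # exclusive


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries; empty (type 0) slots are skipped."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[SIG_OFFSET:] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * 16
        # status, 3 CHS-start bytes (skipped), type, 3 CHS-end bytes (skipped), LBA start, length
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append(Partition(status, ptype, lba_start, sectors))
    return parts


def compare_mbr(user_read: bytes, kernel_read: bytes) -> Dict[str, object]:
    """Report whether two captures of the same sector agree, and in which region they differ."""
    first = next((i for i in range(SECTOR_SIZE) if user_read[i] != kernel_read[i]), None)
    return {
        "match": first is None,
        "first_diff_offset": first,
        "boot_code_differs": user_read[:BOOT_CODE_LEN] != kernel_read[:BOOT_CODE_LEN],
        "partition_table_differs": user_read[PT_OFFSET:PT_OFFSET + PT_LEN]
                                   != kernel_read[PT_OFFSET:PT_OFFSET + PT_LEN],
        "signature_differs": user_read[SIG_OFFSET:] != kernel_read[SIG_OFFSET:],
    }


def unallocated_tail(parts: List[Partition], disk_sectors: int) -> Tuple[int, int]:
    """Sectors after the last partition, as (start LBA, count); a natural place to compare next."""
    end = max((p.lba_end for p in parts), default=0)
    return end, max(disk_sectors - end, 0)


def build_mbr(boot_code: bytes, parts: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR image; used here only to construct the samples."""
    table = b"".join(struct.pack("<B3xB3xII", p.status, p.ptype, p.lba_start, p.sectors)
                     for p in parts)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(PT_LEN, b"\x00") + MBR_SIGNATURE


# Constructed sample data (not taken from the poster's disk).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # xor ax,ax / mov ss,ax / mov sp,0x7c00
ALTERED_BOOT_CODE = b"\x90" * 16                    # placeholder bytes standing in for a changed loader
DISK_SECTORS = 488_281_504                          # constructed disk size in sectors
PARTS = [Partition(0x80, 0x07, 2048, 488_279_200)]  # one bootable NTFS partition
USER_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)        # what a user-mode read returns
KERNEL_MBR = build_mbr(ALTERED_BOOT_CODE, PARTS)    # what a lower-level read returns

if __name__ == "__main__":
    for key, value in compare_mbr(USER_MBR, KERNEL_MBR).items():
        print(f"{key}: {value}")
    for p in parse_partition_table(KERNEL_MBR):
        print(f"partition type 0x{p.ptype:02x} LBA {p.lba_start}..{p.lba_end - 1}")
    start, count = unallocated_tail(PARTS, DISK_SECTORS)
    print(f"unallocated tail: {count} sectors from LBA {start}")
```

On the constructed sample only the boot-code region differs while the partition table and signature still agree, so the disk looks intact to anything that inspects partitions alone; the mismatch between the two read paths is what gives the check its value.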



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:19 AM

Posted 22 July 2011 - 08:49 PM

Hi

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:19 AM

Posted 29 July 2011 - 09:00 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
