Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search results redirecting - possible rootkit?


  • This topic is locked This topic is locked
4 replies to this topic

#1 Nexys

Nexys

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 17 September 2011 - 02:23 PM

Hi there, I'm hoping there's an internet security genius out there who can help with this - thanks in advance!

About a week ago, my search results started redirecting me to random pages - I suspect a rootkit. Interestingly, only my 32-bit browsers (Firefox 6 and IE 8) are affected - my 64-bit copy of IE seems to work fine. So far, the redirecting is the only symptom that I've experienced.

I tried running Kaspersky's TDSSKiller, which found nothing. I then tried running MBAM, which found a couple of things, but removing them didn't affect the redirecting behavior.

Thanks again for any help you can offer!

Here's the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_20
Run by user at 15:11:23 on 2011-09-17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2356 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files (x86)\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\SysWOW64\SAgent4.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\RAVCpl64.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\NETGEAR\WPN311\wlancfg5.exe
C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\Freecorder\FLVSrvc.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: {0f7c680e-f0df-437d-8199-d7d5614de2cc} - C:\Windows\SysWow64\wscui32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTQyMzk3OTgxLVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE0xMUMrMS1VUEcrMjAxMS1MSUMrMi1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArNC1TUDFTNCsxLUREVCswLUxTRCsy"&"prod=90"&"ver=10.0.1392
dRun: [AppleUpdate] C:\Users\user\AppData\Local\Apple Computer\AppleUpdate\Appleupdt32.exe
dRunOnce: [AutoLaunch] C:\Program Files (x86)\Lavasoft\Ad-Aware\AutoLaunch.exe monthly
StartupFolder: C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WPN311\wlancfg5.exe
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: DisallowRun = 0 (0x0)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll/search.htm
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{40AF8FBF-E6AF-435A-B82B-8E27F665D90A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D539E50D-42BA-44E3-85A8-E94FE4E1350E} : DhcpNameServer = 10.0.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
C:\Windows\SysWow64\wscui32.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO-X64: 0x1 - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Freecorder FLV Service] "C:\Program Files (x86)\Freecorder\FLVSrvc.exe" /run
mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe"
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTQyMzk3OTgxLVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE0xMUMrMS1VUEcrMjAxMS1MSUMrMi1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArNC1TUDFTNCsxLUREVCswLUxTRCsy"&"prod=90"&"ver=10.0.1392
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xjy156e7.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-5-28 275968]
R2 TabletServicePen;TabletServicePen;C:\Windows\system32\Pen_Tablet.exe --> C:\Windows\system32\Pen_Tablet.exe [?]
R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2009-12-27 127272]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-8-18 2151640]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-8 366640]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-3-17 93184]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-2-3 1038088]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\E927.tmp --> C:\Windows\system32\E927.tmp [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SndTAudio;SndTAudio;C:\Windows\system32\drivers\SndTAudio.sys --> C:\Windows\system32\drivers\SndTAudio.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys --> C:\Windows\system32\DRIVERS\wacmoumonitor.sys [?]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2071-07-25 14:13:30 203576 ------w- C:\Program Files (x86)\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-09-17 14:07:03 -------- d-----w- C:\archive_db
2011-09-17 02:17:21 -------- d-----w- C:\ProgramData\launcher
2011-09-17 02:13:48 -------- d-----w- C:\Program Files (x86)\Paragon Software
2011-09-16 12:22:57 -------- d-----w- C:\Users\user\AppData\Local\Safe mirror
2011-09-16 12:21:48 -------- d-----w- C:\Program Files (x86)\Cobian Backup 10
2011-09-12 06:11:12 -------- d-----w- C:\ProgramData\STOPzilla!
2011-09-12 05:46:00 257232 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys
2011-09-12 05:45:57 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys
2011-09-12 05:45:52 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2011-09-12 05:42:02 -------- d-----w- C:\ProgramData\PC Tools
2011-09-12 05:17:38 -------- d-----w- C:\Users\user\Pavark
2011-09-12 03:16:22 -------- d-----w- C:\Windows\FLV Player
2011-09-12 00:04:36 18816 ------w- C:\Windows\SysWow64\SAVRKBootTasks.sys
2011-09-11 22:09:25 6144 ------w- C:\Windows\System32\E927.tmp
2011-09-11 22:02:42 6144 ------w- C:\Windows\System32\C580.tmp
2011-09-11 22:02:27 -------- d-----w- C:\Program Files (x86)\Sophos
2011-09-11 21:40:43 316416 ----a-w- C:\Windows\System32\msshsq.dll
2011-09-11 21:40:43 231936 ----a-w- C:\Windows\SysWow64\msshsq.dll
2011-09-11 21:36:13 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3D36A4AB-0A03-49BF-9D5A-F4851FCD23DC}\mpengine.dll
2011-09-11 21:17:03 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-09-11 21:17:03 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-09-11 21:03:51 80896 ----a-w- C:\Windows\SysWow64\MSNP.ax
2011-09-11 21:01:23 2048 ----a-w- C:\Windows\SysWow64\winrsmgr.dll
2011-09-11 21:00:59 2050048 ----a-w- C:\Windows\System32\WsmSvc.dll
2011-09-08 12:59:41 -------- d-----w- C:\Users\user\AppData\Roaming\Malwarebytes
2011-09-08 12:59:35 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-08 12:59:35 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-08 12:59:32 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-08 12:59:32 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-08 12:52:47 16432 ----a-w- C:\Windows\System32\lsdelete.exe
2011-09-06 02:27:26 -------- d-----w- C:\TheKlub17
2011-09-06 01:12:15 -------- d-----w- C:\Users\user\AppData\Roaming\Spotify
2011-09-06 01:12:15 -------- d-----w- C:\Users\user\AppData\Local\Spotify
2011-09-06 01:12:13 -------- d-----w- C:\Program Files (x86)\Spotify
2011-09-05 22:25:18 239616 ----a-w- C:\Windows\SysWow64\wscui32.dll
2011-09-05 22:25:16 68608 ----a-w- C:\ProgramData\IntelNotifierNotifier.dll
2011-08-28 15:56:40 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-08-28 15:56:05 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-08-21 20:29:06 -------- d-----w- C:\Temp
2011-08-21 01:13:45 -------- d-----w- C:\Users\user\AppData\Roaming\AVG
.
==================== Find3M ====================
.
2011-08-20 20:17:16 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-06 15:18:20 274432 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
.
============= FINISH: 15:11:39.64 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:07 PM

Posted 22 September 2011 - 09:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#3 Nexys

Nexys
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 25 September 2011 - 09:27 AM

Hi nasdaq, thanks for helping out.

After running Combofix, the redirecting seems to have gone away, and there are no other symptoms to report.

Here's the Security Check log:

Results of screen317's Security Check version 0.99.18
Windows Vista (UAC is disabled!)
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Eusing Free Registry Cleaner
Java™ 6 Update 20
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.3.183.5
Mozilla Thunderbird (3.1.14) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````

Let me know if there's anything else that needs to be done, and thanks again!

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:07 PM

Posted 25 September 2011 - 01:39 PM

http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=WINDOWS+vista
Windows Vista Service Pack 1 support ended on 12/07/2011

For continued security support from Microsoft get the Service Pack 2.
http://support.microsoft.com/kb/935791
===

I suggest your remove HijackThis 2.0.2 using the Add/Remove Programs list. This program is obsole and not ready for the 64 Bit systems. Most forum now requrest a DDS log.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 bit version download this on jre-6u27-windows-x64.exe). Make sure you download the corrent version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 20
Java™ 6 Update 7

===

Check and make sure you have the latest Adobe reader if you use it.
Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10 ... Flash Player for Android update to Adobe Flash Player for Android 10.3.186.7

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:07 PM

Posted 30 September 2011 - 07:24 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users