Browser Redirects (variety of search engines)


9 replies to this topic

#1 trigueoh

  • Members
  • 13 posts

Posted 15 January 2012 - 06:08 PM

I am running Windows XP Pro version 2002 SP3. Yesterday afternoon while doing a websearch I clicked on a link in the search results and all hell broke loose. Whatever I managed to click on cleared my desktop, disabled the taskbar, hid all files, folders and the command prompt. I finally managed to get control of the machine again. I have run numerous utilities (Unhackme, Hitman Pro, CCleaner, Malwarebytes, SUPERAntiSpyware, Spybot, Sophos, ESET, and Avira). Everything seems to be coming up clean but it is still redirecting anytime I do a search. (It often shows "Infomash" in the browser screen when it redirects.) Malwarebytes keeps popping up a message stating it is blocking an outgoing IP. Any help would be greatly appreciated.

Edited by trigueoh, 15 January 2012 - 06:09 PM.




#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 15 January 2012 - 06:16 PM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 trigueoh
  • Topic Starter
  • Members
  • 13 posts

Posted 15 January 2012 - 06:29 PM

Renamed and I get the error "The application failed to initialize properly (0xc0000005). Click on OK to terminate." I then downloaded the zip file, tried to install without renaming and it doesn't do anything. Antivirus was disabled prior to trying to install.

#4 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 15 January 2012 - 06:33 PM

What did you rename it to?

#5 trigueoh
  • Topic Starter
  • Members
  • 13 posts

Posted 15 January 2012 - 06:33 PM

iexplore.exe, as it said to do on the DL page.

#6 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 15 January 2012 - 06:37 PM

Try downloading and using the SUPERAntiSpyware Portable Scanner in Safe Mode. Double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

How to start Windows in Safe Mode

#7 trigueoh
  • Topic Starter
  • Members
  • 13 posts

Posted 15 January 2012 - 07:23 PM

SASportable found 43 tracking cookies and no other threats. Is it OK to go ahead and remove them?

#8 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 15 January 2012 - 07:34 PM

Yes, you can remove them. Let's try a different scan.

Please download MBRCheck by clicking here and save it to your desktop.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.


#9 trigueoh
  • Topic Starter
  • Members
  • 13 posts

Posted 15 January 2012 - 07:44 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 107):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798B000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF749A000 atapi.sys
0xF7B05000 iaStor.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltMgr.sys
0xF7468000 sr.sys
0xF798D000 DLACDBHM.SYS
0xF7451000 DRVMCDB.SYS
0xF7647000 PxHelp20.sys
0xF743A000 KSecDD.sys
0xBA773000 Ntfs.sys
0xBA746000 NDIS.sys
0xF7657000 sfaudio.sys
0xBA72C000 Mup.sys
0xF7717000 BMLoad.sys
0xF794B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7677000 \SystemRoot\system32\DRIVERS\HECI.sys
0xBA55E000 \SystemRoot\system32\DRIVERS\e1k5132.sys
0xF77EF000 \SystemRoot\System32\drivers\swmsflt.sys
0xF7807000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA53A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF774F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA512000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7797000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7687000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7697000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA4EF000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA6DC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBA4D8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF776F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA49F000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF779F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77AF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF77BF000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xBA41F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7727000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7757000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79F1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBA3C1000 \SystemRoot\system32\DRIVERS\update.sys
0xBA603000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA384000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0xF7587000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7577000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79F7000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF780F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA4B4000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79FD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A81000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A01000 \SystemRoot\System32\Drivers\Beep.SYS
0xF775F000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xF777F000 \SystemRoot\System32\drivers\vga.sys
0xBA256000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF7A05000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77B7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA48F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA607000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBA223000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA1CA000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7817000 \SystemRoot\System32\Drivers\tcpipBM.SYS
0xBA1A4000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA17C000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA5E7000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xBA15A000 \SystemRoot\System32\drivers\afd.sys
0xF7557000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA12F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA0BF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA46F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA28A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7537000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA457000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA282000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA27A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA023000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB9F49000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA276000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA07F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AB4000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBF012000 \SystemRoot\System32\ATMFD.DLL
0xB9264000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB882F000 \SystemRoot\system32\DRIVERS\srv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 18):
0 System Idle Process
4 System
604 C:\WINDOWS\system32\smss.exe
684 csrss.exe
708 C:\WINDOWS\system32\winlogon.exe
752 C:\WINDOWS\system32\services.exe
764 C:\WINDOWS\system32\lsass.exe
936 C:\WINDOWS\system32\svchost.exe
984 svchost.exe
1172 C:\WINDOWS\system32\svchost.exe
1196 svchost.exe
1364 svchost.exe
1492 C:\Program Files\SUPERAntiSpyware\SASCore.exe
2040 C:\WINDOWS\explorer.exe
564 C:\WINDOWS\system32\ctfmon.exe
180 C:\Program Files\Internet Explorer\iexplore.exe
1860 wmiprvse.exe
1912 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`05e21800 (NTFS)

PhysicalDrive0 Model Number: ST380815AS, Rev: 4.ADA

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
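The MBRCheck steps in reply #8 and the "MBR Code Faked!" verdict in the log above come down to one check: read the first sector of the disk, hash the bootstrap code in it, and compare the hash against known-good boot loaders; anything not on the list is reported as non-standard or infected. The Python script below is an added example of that check and is not part of this thread or of MBRCheck itself. It verifies the 0x55AA boot signature, hashes the 440-byte bootstrap region (an assumption about which bytes a hash-based checker compares), looks the hash up in an allow-list, and decodes the partition table so a defender can also see whether the bootable volume still points where expected. The sample boot code, disk signature, partition entry and the single allow-list entry are constructed for the example; a real allow-list would hold the hashes of the loaders you actually deploy.

```python
"""Added example: a minimal MBR integrity check in the spirit of MBRCheck.

Not MBRCheck's code. The sample boot code, disk signature, partition entries
and allow-list entry below are constructed for this example.
"""
import hashlib
import struct

MBR_LEN = 512
BOOTCODE_LEN = 440        # bytes 0..439 hold the bootstrap code (assumption:
                          # the region a hash-based checker compares)
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"    # last two bytes of a valid MBR


def bootcode_sha1(mbr: bytes) -> str:
    """Upper-case hex SHA-1 of the bootstrap region; the value an allow-list keys on."""
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries, skipping empty (type 0) slots."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, ignored), type, CHS end (3, ignored),
        # LBA of first sector, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good: dict) -> dict:
    """Verdict is OK only if the signature is intact and the boot code is allow-listed."""
    if len(mbr) != MBR_LEN:
        raise ValueError(f"expected {MBR_LEN} bytes, got {len(mbr)}")
    sha1 = bootcode_sha1(mbr)
    signature_ok = mbr[510:512] == BOOT_SIG
    loader = known_good.get(sha1)
    return {
        "signature_ok": signature_ok,
        "bootcode_sha1": sha1,
        "loader": loader,
        "partitions": parse_partitions(mbr),
        "verdict": "OK" if signature_ok and loader else "MBR Code Faked!",
    }


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a synthetic 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    mbr = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    mbr += b"\x11\x22\x33\x44" + b"\x00\x00"   # disk signature (constructed) + reserved
    for status, ptype, lba_start, sectors in partitions:
        mbr += struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                           b"\xff\xff\xff", lba_start, sectors)
    mbr += b"\x00" * (16 * (4 - len(partitions)))   # unused table slots
    return mbr + BOOT_SIG


# Constructed stand-in for a known loader's boot code; not real boot code.
CLEAN_BOOTCODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 40
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 155_000_000)]   # one bootable NTFS volume
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, SAMPLE_PARTITIONS)

# Allow-list keyed by boot-code hash; here seeded from the constructed sample.
KNOWN_GOOD = {bootcode_sha1(CLEAN_MBR): "constructed sample loader"}

# A copy with a few bytes of the bootstrap region changed, standing in for a
# modified MBR; the partition table and signature are left intact, which is
# exactly why a signature check alone is not enough.
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0x10:0x14] = b"\xe9\x00\x01\x90"
TAMPERED_MBR = bytes(TAMPERED_MBR)


def report(mbr: bytes, device: str = r"\\.\PhysicalDrive0", known_good: dict = KNOWN_GOOD) -> str:
    """Two-line summary in the style of the MBRCheck log posted above."""
    r = check_mbr(mbr, known_good)
    return f"{device} {r['verdict']}\nSHA1: {r['bootcode_sha1']}"


if __name__ == "__main__":
    print(report(CLEAN_MBR))
    print(report(TAMPERED_MBR))
    # On a live Windows host (run as administrator) the first sector can be read
    # with open(r"\\.\PhysicalDrive0", "rb").read(512) and passed to check_mbr().
```

The tampered copy keeps a valid 0x55AA signature and an unchanged partition table, so only the hash comparison catches it; that is the same reason the log above reports the MBR as faked while the partition and drive details look normal. The hash in the posted log is left out of the allow-list on purpose: an unknown hash is the signal, not a lookup key.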

#10 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 15 January 2012 - 07:48 PM

74 GB \\.\PhysicalDrive0 MBR Code Faked!

This is not good! It's going to take more specialised tools to remove this, unfortunately.

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.