Browser redirect


13 replies to this topic

#1 AKMAN2011 (Members, 29 posts)

Posted 29 June 2012 - 02:00 AM

Got an IE and Mozilla redirect bug that sends to other garbage sites. It started out mostly as get-answers-fast (went by too fast to read) then ends up at newsfudge.com. I had Norton Internet Security and Utilities updated for 2012 and this didn't stop/catch this guy. Not sure how it got on here, but think another user less experienced with surfing picked it up. So tried a few browser searches on newsfudge - not much info out there. Went to Symantec's help page - figured what the heck, try Norton Power Eraser...locked up...had to close an unresponsive program, then it rebooted. Got the hal.dll gone missing error. Got that fixed from CD recovery...boot.ini was the next thing I replaced. That got me back but had to reinstall all the drivers and tweak some of the settings (fortunately all of my files appear to be here) and everything else is stored remotely. NPE obviously didn't work or screwed something up but I appear to be "back". So I try IE and Mozilla. Still getting the redirect. First went to newsfudge, now appears to be going to a lot more stuff...including Norton! Makes me wonder if the NPE toolkit wasn't part of the malware. Windows XP Home Edition 2002 w/ SP3.

#2 ElFasso (Members, 229 posts, Belgium)

Posted 29 June 2012 - 06:07 AM

================================== MBAM Scanner ==================================

Run a scan with MBAM:

Download the free version of Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.


Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

================================== Eset Scanner ==================================

Run the ESET online scanner:

Note: You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.
Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard, or copy and paste the results here in this topic


#3 boopme (Global Moderator, 73,331 posts, NJ USA)

Posted 29 June 2012 - 09:46 AM

You will also need to run...


Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like TDSSKiller.Version_Date_Time_log.txt.



If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

#4 AKMAN2011 (Topic Starter)

Posted 29 June 2012 - 05:21 PM

MBAM crashed 25 minutes in. Error signature module ntdll.dll offset 00036822.

Can't cut and paste the error report's contents, but the related file is attached:

b639_appcompat.txt


#5 boopme (Global Moderator)

Posted 29 June 2012 - 08:15 PM

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.

#6 AKMAN2011 (Topic Starter)

Posted 30 June 2012 - 04:49 PM

MBAM clean looks like it worked. MBAM log attached. 7 Trojan Items detected. ESET to follow.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.29.12

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Xxxxxx Xxxxxxxxx :: DAN [administrator]

Protection: Enabled

6/29/2012 6:59:23 PM
mbam-log-2012-06-29 (18-59-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 288884
Time elapsed: 37 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{fce2e324-2357-c921-40df-863d6e732892}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\n (Trojan.Sirefef) -> Delete on reboot.
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.

(end)

Edited by AKMAN2011, 30 June 2012 - 05:04 PM.
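The MBAM log above shows the ZeroAccess/Sirefef pattern a responder looks for: a COM class's InProcServer32 pointed at a file in a GUID-named directory (once through a \\.\globalroot device path), and files that could only be scheduled for deletion on reboot because they were in use. As an added example that is not from the thread or from any of the tools named in it, this Python script parses lines in that MBAM 1.x log format and pulls out those indicators; the embedded log is a constructed copy of the post with the user name replaced by a placeholder, and the allow-listed system32 directory is an assumption.

```python
import re

# Constructed sample in the MBAM 1.x log format posted above; the user name in the
# profile path is a placeholder, the CLSIDs and GUID directory mirror the post.
SAMPLE_LOG = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\User\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{fce2e324-2357-c921-40df-863d6e732892}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.

Files Detected: 4
C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\n (Trojan.Sirefef) -> Delete on reboot.
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: \d+$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# MBAM prints a registry value's data as "Data: <path>." or "Bad: (<path>.) Good: (<path>)".
DATA_RE = re.compile(r"Data: (?P<path>.+?)\.? -> ")
BAD_RE = re.compile(r"Bad: \((?P<path>.+?)\.?\) Good: \(")

# Assumption: on this XP host, legitimate in-process COM servers live under system32.
SAFE_ROOTS = ("c:\\windows\\system32\\",)


def parse(log):
    """Turn the detection sections of an MBAM log into dicts of section/obj/family/action."""
    records, section = [], None
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            records.append({"section": section, **m.groupdict()})
    return records


def classify_target(path):
    """Return why an InProcServer32 target looks hijacked, or None if it looks normal."""
    p = path.lower()
    if p.startswith("\\\\.\\globalroot") or p.startswith("\\??\\"):
        return "device-namespace path (bypasses drive-letter path checks)"
    if "\\documents and settings\\" in p or "\\users\\" in p:
        return "COM server loaded from a user profile directory"
    if re.search(r"\\installer\\\{[0-9a-f-]{36}\}\\", p):
        return "COM server loaded from an Installer GUID directory"
    if not p.startswith(SAFE_ROOTS):
        return "COM server outside the system directory"
    return None


def analyze(log):
    """Summarize the indicators a responder would pull from the log."""
    recs = parse(log)
    hijacks = []
    for r in recs:
        if not r["section"].startswith("Registry"):
            continue
        m = DATA_RE.search(r["action"]) or BAD_RE.search(r["action"])
        clsid = GUID_RE.search(r["obj"])
        if not (m and clsid):
            continue
        reason = classify_target(m.group("path"))
        if reason:
            hijacks.append((clsid.group(0).upper(), m.group("path"), reason))
    # A GUID directory shared by dropped files and hijacked COM targets is the staging dir.
    staging = set()
    for r in recs:
        if r["section"] == "Files":
            staging.update(g.lower() for g in GUID_RE.findall(r["obj"]))
    for _, target, _ in hijacks:
        staging.update(g.lower() for g in GUID_RE.findall(target))
    return {
        "families": sorted({r["family"] for r in recs}),
        # "Delete on reboot" means the file was in use when MBAM ran: the component was loaded.
        "reboot_pending": [r["obj"] for r in recs if r["action"].startswith("Delete on reboot")],
        "clsid_hijacks": hijacks,
        "staging_guids": sorted(staging),
    }
```

`analyze(SAMPLE_LOG)` returns the four detected families, the two in-use files, both CLSID hijacks with the reason each target is suspicious, and the single staging GUID they all share.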


#7 AKMAN2011 (Topic Starter)

Posted 30 June 2012 - 04:52 PM

After removing the 7 items via MBAM, MBAM then detected a Trojan trying to execute something from the C: Drive. I quarantined it.

#8 boopme (Global Moderator)

Posted 30 June 2012 - 09:23 PM

OK, let's do these, as it looks like a rootkit is active.


Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like TDSSKiller.Version_Date_Time_log.txt.




Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#9 AKMAN2011 (Topic Starter)

Posted 30 June 2012 - 10:36 PM

ESET Results:

C:\Documents and Settings\Daniel Wetherall\Local Settings\Application Data\{fce2e324-2357-c921-40df-863d6e732892}\n a variant of Win32/Kryptik.AHMG trojan
C:\WINDOWS\Installer\{fce2e324-2357-c921-40df-863d6e732892}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
Operating memory multiple threats

#10 AKMAN2011 (Topic Starter)

Posted 30 June 2012 - 11:10 PM

TDSSKiller does not appear to have found anything in 367 files.

#11 AKMAN2011 (Topic Starter)

Posted 30 June 2012 - 11:13 PM

AVG toolbar somehow got installed and is the default webpage now instead of about:blank. I'm guessing as part of installing TDSSKiller?

#12 boopme (Global Moderator)

Posted 01 July 2012 - 08:29 AM

Hello, no, AVG has nothing to do with TDSS. TDSS is a Kaspersky tool.

Let's get a deeper look to see if it's still the rootkit. Start a new topic named
ESET found U\80000000.@ a variant of Win32/Sirefef.FA trojan


Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system), skip it and move on.

Include this link back here

http://www.bleepingcomputer.com/forums/topic458725.html/page__pid__2748161#entry2748161

Let me know if that went well.

#13 AKMAN2011 (Topic Starter)

Posted 02 July 2012 - 12:06 AM

This is the last scan that you asked me to post per this thread. I'll start a new thread as requested.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-30 20:14:05
-----------------------------
20:14:05.159 OS Version: Windows 5.1.2600 Service Pack 3
20:14:05.159 Number of processors: 1 586 0x209
20:14:05.159 ComputerName: DAN UserName:
20:14:05.970 Initialize success
20:19:53.269 AVAST engine defs: 12063001
20:20:13.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:20:13.609 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 39205MB BusType: 3
20:20:13.629 Disk 0 MBR read successfully
20:20:13.629 Disk 0 MBR scan
20:20:13.699 Disk 0 Windows XP default MBR code
20:20:13.709 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
20:20:13.719 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 39166 MB offset 64260
20:20:13.729 Disk 0 scanning sectors +80276805
20:20:13.789 Disk 0 scanning C:\WINDOWS\system32\drivers
20:20:34.389 Service scanning
20:21:13.004 Modules scanning
20:21:30.039 Disk 0 trace - called modules:
20:21:30.069 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
20:21:30.419 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87382030]
20:21:30.419 3 CLASSPNP.SYS[f77f5fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87375d98]
20:21:30.609 AVAST engine scan C:\WINDOWS
20:22:24.907 AVAST engine scan C:\WINDOWS\system32
20:27:57.736 AVAST engine scan C:\WINDOWS\system32\drivers
20:28:31.495 AVAST engine scan C:\Documents and Settings\Daniel
20:46:54.971 AVAST engine scan C:\Documents and Settings\All Users
20:51:34.483 Scan finished successfully
21:01:15.887 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Daniel\Desktop\MBR.dat"
21:01:16.118 The log file has been saved successfully to "C:\Documents and Settings\Daniel\Desktop\aswMBR.txt"

#14 boopme (Global Moderator)

Posted 02 July 2012 - 01:18 PM

Thanks..
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 3 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.