Everything posted by Scarawen
delete profile/account
Scarawen replied to Scarawen's topic in Malwarebytes for Windows Support Forum
I see. Makes sense. Thanks for the quick reply.
delete profile/account
Scarawen replied to Scarawen's topic in Malwarebytes for Windows Support Forum
No reason. I just don't use it. I'm cleaning up the web. :P Thanks
It's not very clear how we can delete our profile from the site. I'd like to remove it completely. Thank you
-
Google redirect and MBAV no longer updates
Scarawen replied to Scarawen's topic in Resolved Malware Removal Logs
Well, I don't exactly understand, but I called in a favor and he thinks he can help. Any last-minute instructions before we self-destruct?
Google redirect and MBAV no longer updates
Scarawen replied to Scarawen's topic in Resolved Malware Removal Logs
Yes, we managed to find the XP cd. And here's the systemlook txt:
-----------------------------------
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:50 on 05/12/2009 by ShannonS (Administrator - Elevation successful)

========== filefind ==========

Searching for "*nvata.sys*"
C:\Backup\MB\IDE\NVATA.SYS --a--- 105344 bytes [18:39 21/09/2006] [18:39 21/09/2006] DC1F9954B5EDDD147AF7E5C420BE7B93
C:\Drivers\NVATA.SYS --a--- 105344 bytes [18:39 21/09/2006] [18:39 21/09/2006] DC1F9954B5EDDD147AF7E5C420BE7B93
C:\WINDOWS\system32\drivers\nvata.sys --a--- 105344 bytes [04:00 01/01/1980] [18:39 21/09/2006] DED9E8DA7871AE31789FADAEF0FD32EA

-=End Of File=-
----------------------------------
Google redirect and MBAV no longer updates
Scarawen replied to Scarawen's topic in Resolved Malware Removal Logs
kk. Here it is:
---------------------------begin copy---------------------
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-04 18:52:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ShannonS\LOCALS~1\Temp\axldypog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB4BCB0B0]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\nvata.sys entry point in ".rsrc" section [0xB9E03E2C]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB848F380, 0x346307, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \Driver\00000890 -> \Driver\nvata \Device\Harddisk0\DR0 8A6D250C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----
-------------------------------end copy----------------------------------
"Suspicious" sounds promising. What next? (and continued thanks, btw!)
Google redirect and MBAV no longer updates
Scarawen replied to Scarawen's topic in Resolved Malware Removal Logs
I guess I spoke too soon. I am still getting redirects and new tab pop-ups, although not as often. =/ I did the uninstall though. Is there a next step to try?
Google redirect and MBAV no longer updates
Scarawen replied to Scarawen's topic in Resolved Malware Removal Logs
Hi miekiemoes, Thank you so much for taking time for me. This has been a frustrating week or two. I think I might be ok now. MBAM updated fine after I uninstalled McAfee. And combofix found something to fix. Here's the log:
-------------------------------start log--------------------------
ComboFix 09-12-02.08 - ShannonS 12/03/2009 18:22.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1721 [GMT -5:00]
Running from: c:\documents and settings\ShannonS\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ShannonS\Application Data\Google\T-Scan
c:\documents and settings\ShannonS\Application Data\Google\T-Scan\n.gif
c:\documents and settings\ShannonS\Application Data\Google\T-Scan\t.gif
c:\documents and settings\ShannonS\Application Data\Google\T-Scan\y.gif
c:\recycler\S-1-5-21-3674839307-2539930885-2088783542-1003
c:\windows\system32\OrqBLnmp.ini
c:\windows\system32\OrqBLnmp.ini2
c:\windows\system32\sDLVCcdd.ini
c:\windows\system32\sDLVCcdd.ini2
c:\windows\Tasks\hbpqgaym.job
.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.
2009-12-01 14:04 . 2009-12-01 14:04 -------- d-----w- c:\program files\Musicnotes
2009-11-17 19:23 . 2009-11-17 19:23 -------- d-----w- c:\program files\Trend Micro
2009-11-17 18:51 . 2009-11-17 18:52 -------- d-----w- c:\documents and settings\ShannonS\Local Settings\Application Data\Temp
2009-11-17 18:51 . 2009-11-17 18:52 -------- d-----w- c:\documents and settings\ShannonS\Local Settings\Application Data\Google
2009-11-16 23:33 . 2009-11-16 23:33 152576 ----a-w- c:\documents and settings\ShannonS\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-16 22:37 . 2009-11-24 13:22 117760 ----a-w- c:\documents and settings\ShannonS\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-16 22:36 . 2009-11-16 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-16 22:35 . 2009-12-01 13:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-16 22:35 . 2009-11-16 22:35 -------- d-----w- c:\documents and settings\ShannonS\Application Data\SUPERAntiSpyware.com
2009-11-16 18:54 . 2009-11-16 18:54 -------- d-----w- c:\documents and settings\ShannonS\Application Data\Malwarebytes
2009-11-16 18:54 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-16 18:54 . 2009-11-16 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 18:54 . 2009-11-16 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-16 18:54 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-16 18:43 . 2009-11-16 18:43 -------- d-----w- c:\program files\CCleaner
2009-11-10 15:09 . 2009-11-10 15:09 -------- d-----w- c:\documents and settings\Smart-Shopper
2009-11-10 15:09 . 2009-11-10 15:09 -------- d-----w- C:\Application Data
2009-11-10 14:18 . 2009-11-10 14:18 -------- d-sh--w- c:\documents and settings\ShannonS\PrivacIE
2009-11-10 14:13 . 2009-11-10 14:13 -------- d-----w- c:\program files\NOS
2009-11-10 13:48 . 2009-11-11 21:09 -------- d-----w- c:\documents and settings\ShannonS\Local Settings\Application Data\upqoee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 14:21 . 2008-05-14 22:07 99928 ----a-w- c:\documents and settings\ShannonS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-25 12:01 . 2008-07-12 18:02 -------- d-----w- c:\program files\Yahoo!
2009-11-21 22:49 . 2008-11-25 14:54 -------- d-----w- c:\documents and settings\ShannonS\Application Data\GrabIt
2009-11-19 03:52 . 2008-05-09 23:31 -------- d-----w- c:\documents and settings\ShannonS\Application Data\Apple Computer
2009-11-17 19:27 . 2008-04-24 16:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-17 19:27 . 2008-05-14 20:18 -------- d-----w- c:\program files\Logitech
2009-11-17 00:47 . 2008-06-22 20:51 -------- d-----w- c:\program files\Java
2009-11-16 22:35 . 2008-11-21 11:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 20:55 . 2008-12-06 15:16 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-10 15:24 . 2008-07-31 19:32 -------- d-----w- c:\program files\Viewpoint
2009-11-10 15:22 . 2009-04-28 22:47 -------- d-----w- c:\program files\mIRC
2009-11-10 14:14 . 2009-09-10 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-23 20:48 . 2009-01-25 17:17 -------- d-----w- c:\documents and settings\ShannonS\Application Data\gtk-2.0
2009-10-11 09:17 . 2008-12-17 11:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 11:14 . 2009-02-23 00:47 -------- d-----w- c:\program files\Finale Allegro 2007
2009-09-30 06:20 . 2009-09-30 06:20 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-16 18:23 . 2009-09-16 18:23 72920 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18 . 2006-09-27 18:33 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 20:01 . 2009-09-10 20:01 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]
"Google Update"="c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-17 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet k series) - 2.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe [2002-11-20 151552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [6/15/2009 7:00 PM 33024]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [6/15/2009 7:00 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [6/15/2009 7:00 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [6/15/2009 7:00 PM 59904]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202243103-4161122911-1327887124-1006Core.job
- c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-17 18:51]

2009-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202243103-4161122911-1327887124-1006UA.job
- c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-17 18:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\ShannonS\Application Data\Mozilla\Firefox\Profiles\jchlr0uv.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.facebook.com/home.php?ref=home|http://community.babycenter.com/groups/a251165/board_1188
FF - plugin: c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
SafeBoot-MCODS
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A71150C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e68852
\Driver\iaStor -> iaStor.sys @ 0xb9e82f80
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9cfebb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d0ba21
SendHandler -> NDIS.sys @ 0xb9ce987b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-03 18:33
ComboFix-quarantined-files.txt 2009-12-03 23:33

Pre-Run: 162,036,387,840 bytes free
Post-Run: 162,375,704,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5E5460237864764AEB889BCD67947D99
-------------------------------------end log---------------------------------
Am I ok now?
I started a thread last week and bumped it twice. If I'm doing something wrong, can someone please explain so I can correct it? Here's the latest set of logs. I have the Google redirect virus and Malwarebytes no longer updates at all.
Attachments: mbam_log_2009_11_21__12_55_18_.txt, hijackthis.txt
-
bump

Is there anything I can do differently to maybe get some feedback? I wasn't sure if a bump was warranted, but I'd fallen off the third page. I'm still getting redirected. I think the update problem has to do more with our horrible connection this week. I get 'Error 732' every time I try. I'm including new logs since it's been a few days and I'm impatient and keep trying things that are probably messing me up even more.
Attachments: hijackthis.txt, mbam_log_2009_11_21__12_55_18_.txt
-
Hi, I've been battling a google redirect virus for almost a week. This software was recommended, so I DLed and updated it. I still have my virus and now Malwarebytes no longer even updates. I'm a relative beginner at all this. Did something else I did (to try to fight my original virus) mess up Malwarebytes? I think these are the logs that I need to post here. Sorry I don't have the technical savvy to better express my problems!
Thanks, Shannon
Attachments: mbam_log_2009_11_21__12_55_18_.txt, hijackthis.txt