Everything posted by Scarawen

  1. I see. Makes sense. Thanks for the quick reply.
  2. No reason. I just don't use it. I'm cleaning up the web. : P Thanks
  3. It's not very clear how we can delete our profile from the site. I'd like to remove it completely. Thank you
  4. Well, I don't exactly understand but I called in a favor and he thinks he can help. Any last-minute instructions before we self-destruct?
  5. Yes, we managed to find the XP cd. And here's the systemlook txt:

     -----------------------------------
     SystemLook v1.0 by jpshortstuff (29.08.09)
     Log created at 09:50 on 05/12/2009 by ShannonS (Administrator - Elevation successful)

     ========== filefind ==========

     Searching for "*nvata.sys*"
     C:\Backup\MB\IDE\NVATA.SYS --a--- 105344 bytes [18:39 21/09/2006] [18:39 21/09/2006] DC1F9954B5EDDD147AF7E5C420BE7B93
     C:\Drivers\NVATA.SYS --a--- 105344 bytes [18:39 21/09/2006] [18:39 21/09/2006] DC1F9954B5EDDD147AF7E5C420BE7B93
     C:\WINDOWS\system32\drivers\nvata.sys --a--- 105344 bytes [04:00 01/01/1980] [18:39 21/09/2006] DED9E8DA7871AE31789FADAEF0FD32EA

     -=End Of File=-
     ----------------------------------
  6. kk. Here it is:

     ---------------------------begin copy---------------------
     GMER 1.0.15.15252 - http://www.gmer.net
     Rootkit scan 2009-12-04 18:52:50
     Windows 5.1.2600 Service Pack 3
     Running: gmer.exe; Driver: C:\DOCUME~1\ShannonS\LOCALS~1\Temp\axldypog.sys

     ---- System - GMER 1.0.15 ----

     SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB4BCB0B0]

     ---- Kernel code sections - GMER 1.0.15 ----

     .rsrc C:\WINDOWS\system32\drivers\nvata.sys entry point in ".rsrc" section [0xB9E03E2C]
     .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB848F380, 0x346307, 0xE8000020]

     ---- Devices - GMER 1.0.15 ----

     Device \Driver\00000890 -> \Driver\nvata \Device\Harddisk0\DR0 8A6D250C

     ---- Files - GMER 1.0.15 ----

     File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

     ---- EOF - GMER 1.0.15 ----
     -------------------------------end copy----------------------------------

     "Suspicious" sounds promising. What next? (and continued thanks, btw!)
  7. I guess I spoke too soon. I am still getting redirects and new tab pop-ups, although not as often. =/ I did the uninstall though. Is there a next step to try?
  8. Hi miekiemoes, Thank you so much for taking time for me. This has been a frustrating week or two. I think I might be ok now. MBAM updated fine after I uninstalled McAfee. And combofix found something to fix. Here's the log:

     Am I ok now?
  9. I started a thread last week and bumped it twice. If I'm doing something wrong, can someone please explain so I can correct it? Here's the latest set of logs. I have the Google redirect virus and Malwarebytes no longer updates at all. mbam_log_2009_11_21__12_55_18_.txt hijackthis.txt
  10. bump Does it always take this long to be noticed or am I doing something wrong...
  11. bump Is there anything I can do differently to maybe get some feedback? I wasn't sure if a bump was warranted but I'd fallen off the third page. I'm still getting redirected. I think the update problem has to do more with our horrible connection this week. I get 'Error 732' every time I try. I'm including new logs since it's been a few days and I'm impatient and keep trying things that are probably messing me up even more. hijackthis.txt mbam_log_2009_11_21__12_55_18_.txt
  12. Hi I've been battling a google redirect virus for almost a week. This software was recommended, so I DLed and updated it. I still have my virus and now Malwarebytes no longer even updates. I'm a relative beginner at all this. Did something else I did (to try to fight my original virus) mess up Malwarebytes? I think these are the logs that I need to post here. Sorry I don't have the technical savvy to better express my problems! Thanks, Shannon mbam_log_2009_11_21__12_55_18_.txt hijackthis.txt