
DrRansom

Members
Posts: 2
Reputation: 0 Neutral
  1. Just to give an update, I followed the advice of some other posts on this forum and I believe I am in good shape. After a fresh reboot, I have run a couple malware and virus scanners and they come up clean. IE and firefox are working great. Thanks for making this forum such a useful place.
  2. Hi everybody. I am having issues with my Google search links redirecting to spam websites. This only looks like it is a problem in Internet Explorer, although I have also had Firefox problems that might be related. I have reset Firefox a couple of times while trying to figure out what is going on. I have followed the directions from this forum post - http://forums.malwarebytes.org/index.php?showtopic=9573 . Malwarebytes' Anti-Malware - I ran this program and it identified one issue and it said it successfully fixed it. I have attached the "ATTACH" text file, "ARC" text file, "MBAM log". I have also included the text of the "DDS" log below. Thank you in advance for any help and advice! I promise to follow directions as closely as possible.

     DDS LOG below.

     DDS (Ver_2011-06-23.01) - NTFSx86
     Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_23
     Run by Rogers at 18:38:55 on 2011-07-30
     Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.958.405 [GMT -4:00]
     .
     .
     ============== Running Processes ===============
     .
     C:\Windows\system32\wininit.exe
     C:\Windows\system32\lsm.exe
     C:\Windows\system32\svchost.exe -k DcomLaunch
     C:\Windows\system32\nvvsvc.exe
     C:\Windows\system32\svchost.exe -k rpcss
     c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
     C:\Windows\system32\svchost.exe -k netsvcs
     C:\Windows\system32\SLsvc.exe
     C:\Windows\system32\svchost.exe -k LocalService
     C:\Windows\system32\rundll32.exe
     C:\Windows\system32\svchost.exe -k NetworkService
     C:\Windows\System32\spoolsv.exe
     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
     C:\Windows\system32\taskeng.exe
     C:\Windows\system32\Dwm.exe
     C:\Windows\Explorer.EXE
     C:\Windows\System32\rundll32.exe
     C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Common Files\Java\Java Update\jusched.exe
     C:\Program Files\Microsoft Security Client\msseces.exe
     C:\Windows\ehome\ehtray.exe
     C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
     C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Common Files\Motive\McciCMService.exe
     C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
     C:\Program Files\OpenOffice.org 3\program\soffice.exe
     C:\Windows\system32\svchost.exe -k imgsvc
     C:\Windows\System32\svchost.exe -k WerSvcGroup
     C:\Windows\system32\SearchIndexer.exe
     C:\Windows\ehome\ehmsas.exe
     C:\Program Files\OpenOffice.org 3\program\soffice.bin
     C:\Windows\system32\taskeng.exe
     C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Windows\system32\wbem\unsecapp.exe
     C:\Windows\system32\wbem\wmiprvse.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Users\Rogers\Desktop\GMERrootkitscanner.exe
     C:\Windows\system32\SearchProtocolHost.exe
     C:\Windows\system32\SearchFilterHost.exe
     C:\Windows\system32\wbem\wmiprvse.exe
     .
     ============== Pseudo HJT Report ===============
     .
     uStart Page = hxxp://www.google.com/
     mStart Page = hxxp://search.myheritage.com
     uInternet Settings,ProxyOverride = *.local
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink totalaccess\toolbar\toolbar\ElnkPub.dll
     BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
     BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink totalaccess\toolbar\toolbar\ProtctIE.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink totalaccess\toolbar\toolbar\uninsttb.dll
     TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\toolbar\Toolbar.dll
     TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
     uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
     uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
     uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
     StartupFolder: c:\users\rogers\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
     StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
     mPolicies-system: EnableLUA = 0 (0x0)
     IE: EarthLink Google Search - c:\program files\earthlink totalaccess\toolbar\toolbar\SearchUI.dll/search.html
     DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
     TCP: DhcpNameServer = 192.168.254.254 192.168.254.254
     TCP: Interfaces\{0A8142A5-64C7-4DD2-BA59-1E37CC63CFD0} : DhcpNameServer = 192.168.254.254 192.168.254.254
     .
     ================= FIREFOX ===================
     .
     FF - ProfilePath - c:\users\rogers\appdata\roaming\mozilla\firefox\profiles\oykxzlb7.default\
     FF - prefs.js: browser.search.selectedEngine - Google
     FF - prefs.js: browser.startup.homepage - hxxp://search.imesh.com/
     FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&q=
     FF - prefs.js: network.proxy.http - 127.0.0.1
     FF - prefs.js: network.proxy.http_port - 53798
     FF - prefs.js: network.proxy.type - 1
     FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
     FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
     FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
     FF - plugin: c:\users\rogers\appdata\roaming\mozilla\plugins\np-mswmp.dll
     .
     ============= SERVICES / DRIVERS ===============
     .
     R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
     R1 MpKsl89f292f9;MpKsl89f292f9;c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsl89f292f9.sys [2011-7-30 28752]
     R1 MpKsld0ac70f9;MpKsld0ac70f9;c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsld0ac70f9.sys [2011-7-30 28752]
     S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-30 41272]
     S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
     S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
     .
     =============== Created Last 30 ================
     .
     2011-07-30 22:25:11 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsld0ac70f9.sys
     2011-07-30 20:55:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2011-07-30 20:55:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
     2011-07-30 20:55:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2011-07-30 20:15:31 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\MpKsl89f292f9.sys
     2011-07-30 19:11:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
     2011-07-30 19:11:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2011-07-30 19:01:21 6881616 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{40559bfa-212d-4142-9e79-19f33ec9ca02}\mpengine.dll
     2011-07-30 18:59:13 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{57fbffe9-3260-4479-adb1-ff2ee4a06c29}\gapaengine.dll
     2011-07-20 21:53:58 0 ---ha-w- c:\windows\system32\neuelfpjsg.tmp
     2011-07-18 23:18:11 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
     2011-07-12 14:08:47 54016 ----a-w- c:\windows\system32\drivers\febirb.sys
     2011-07-11 17:53:48 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
     2011-07-11 17:48:54 -------- d-----w- c:\program files\Microsoft Security Client
     2011-07-04 19:32:19 -------- d-----w- c:\programdata\aI06703BjDaM06703
     .
     ==================== Find3M ====================
     .
     2011-06-11 23:28:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
     .
     =================== ROOTKIT ====================
     .
     Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
     Windows 6.0.6000 Disk: ST325082 rev.3.AD -> Harddisk0\DR0 ->
     .
     device: opened successfully
     user: MBR read successfully
     .
     Disk trace:
     called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87E9E4D0]<<
     _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87ea47d0]; MOV EAX, [0x87ea484c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
     1 ntkrnlpa!IofCallDriver[0x82427F3B] -> \Device\Harddisk0\DR0[0x856ED228]
     3 nt[0x824B07E2] -> ntkrnlpa!IofCallDriver[0x82427F3B] -> [0x84CA9F18]
     5 acpi[0x804D732A] -> ntkrnlpa!IofCallDriver[0x82427F3B] -> [0x84CA6CA0]
     \Driver\nvstor[0x85126160] -> IRP_MJ_CREATE -> 0x87E9E4D0
     kernel: MBR read successfully
     _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }
     detected disk devices:
     \Device\00000044 -> \??\SCSI#Disk&Ven_ST325082&Prod_0AS#4&21479b0c&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
     detected hooks:
     user & kernel MBR OK
     Warning: possible TDL3 rootkit infection !
     .
     ============= FINISH: 18:39:44.28 ===============

     Attach_ARC_MBAMLOG.zip
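The redirect symptom the poster describes is usually explained by the browser-configuration lines in a DDS report rather than by the process list, and a helper triaging the log above would look first at the Firefox proxy prefs (a manual proxy pointed at 127.0.0.1 routes every request through a local process), at keyword.URL (it overrides the selected search engine for address-bar searches) and at EnableLUA. The script below is an added example, not the poster's log-processing or any Malwarebytes/DDS tool: it parses DDS-style "FF - prefs.js:" and "mPolicies-system:" lines from a constructed sample that mirrors the report above and returns a list of (code, detail) findings. The three checks and the sample text are this example's own assumptions about what is worth reviewing, not rules from the forum post.

```python
"""
Triage helper for DDS-style report lines: flags the browser settings that
commonly explain "search results redirect" complaints. Added example; the
checks below are assumptions, not DDS or Malwarebytes logic.
"""
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the report above (hxxp:// is the
# defanged form DDS uses so the URLs are not clickable).
SAMPLE_DDS = """\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.imesh.com/
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53798
FF - prefs.js: network.proxy.type - 1
mPolicies-system: EnableLUA = 0 (0x0)
uInternet Settings,ProxyOverride = *.local
"""

# Constructed "clean" counterpart used to show the checks stay quiet.
CLEAN_DDS = """\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - prefs.js: network.proxy.type - 0
mPolicies-system: EnableLUA = 1 (0x1)
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<value>\S+)")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_dds(text):
    """Return (firefox_prefs, system_policies) dicts from DDS report text."""
    prefs, policies = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PREF_RE.match(line)
        if m:
            prefs[m["key"]] = m["value"].strip()
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m["key"]] = m["value"]
    return prefs, policies


def refang(url):
    """Turn DDS's defanged hxxp:// back into http:// so urlparse can read it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def analyze(prefs, policies):
    """Return a list of (code, detail) findings worth a second look."""
    findings = []

    # network.proxy.type == 1 is a manual proxy; one pointed at loopback means a
    # local process is sitting between the browser and the network.
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http", "")
        if host in LOOPBACK:
            port = prefs.get("network.proxy.http_port", "?")
            findings.append(("loopback_proxy",
                             f"manual HTTP proxy set to {host}:{port}"))

    # keyword.URL decides where address-bar searches go, independent of the
    # engine the user selected; a mismatch is the classic search hijack.
    if "keyword.URL" in prefs:
        host = urlparse(refang(prefs["keyword.URL"])).hostname or ""
        engine = prefs.get("browser.search.selectedEngine", "").lower()
        if engine and engine not in host.lower():
            findings.append(("search_hijack",
                             f"keyword.URL sends searches to {host} "
                             f"but selected engine is {engine}"))

    # EnableLUA = 0 disables UAC, so anything the user runs already has
    # full rights; worth restoring once the machine is clean.
    if policies.get("EnableLUA") == "0":
        findings.append(("uac_disabled", "EnableLUA = 0 (UAC is off)"))

    return findings


def triage(text):
    """Convenience wrapper: parse then analyze."""
    return analyze(*parse_dds(text))


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_DDS):
        print(f"[{code}] {detail}")
```

Running it against the sample prints three findings (loopback proxy, search hijack, UAC off) and nothing for the clean counterpart. On a real report, feed the whole DDS text in; lines the regexes do not recognise are simply skipped.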