Google redirect and MBAV no longer updates


  • Staff

Hi,

I guess your post was overlooked because you bumped it. We always look at the threads with 0 replies first, because if there's already a reply in it, we assume someone else is already helping, which is why it may take longer in that case.

Anyway, I'll close your other thread, so we can proceed here first.

You have McAfee installed. People have reported update issues when McAfee is installed, so please see here:

http://www.malwarebytes.org/forums/index.p...mp;#entry162098

But, since you're also infected, the malware could block the updates as well.

Please do the following...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your Antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, since McAfee re-enables itself after the reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.

Hi miekiemoes,

Thank you so much for taking time for me. This has been a frustrating week or two. I think I might be OK now. MBAM updated fine after I uninstalled McAfee. And ComboFix found something to fix. Here's the log:

-------------------------------start log--------------------------

ComboFix 09-12-02.08 - ShannonS 12/03/2009 18:22.1.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1721 [GMT -5:00]

Running from: c:\documents and settings\ShannonS\My Documents\Downloads\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\ShannonS\Application Data\Google\T-Scan

c:\documents and settings\ShannonS\Application Data\Google\T-Scan\n.gif

c:\documents and settings\ShannonS\Application Data\Google\T-Scan\t.gif

c:\documents and settings\ShannonS\Application Data\Google\T-Scan\y.gif

c:\recycler\S-1-5-21-3674839307-2539930885-2088783542-1003

c:\windows\system32\OrqBLnmp.ini

c:\windows\system32\OrqBLnmp.ini2

c:\windows\system32\sDLVCcdd.ini

c:\windows\system32\sDLVCcdd.ini2

c:\windows\Tasks\hbpqgaym.job

.

((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))

.

2009-12-01 14:04 . 2009-12-01 14:04 -------- d-----w- c:\program files\Musicnotes

2009-11-17 19:23 . 2009-11-17 19:23 -------- d-----w- c:\program files\Trend Micro

2009-11-17 18:51 . 2009-11-17 18:52 -------- d-----w- c:\documents and settings\ShannonS\Local Settings\Application Data\Temp

2009-11-17 18:51 . 2009-11-17 18:52 -------- d-----w- c:\documents and settings\ShannonS\Local Settings\Application Data\Google

2009-11-16 23:33 . 2009-11-16 23:33 152576 ----a-w- c:\documents and settings\ShannonS\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-16 22:37 . 2009-11-24 13:22 117760 ----a-w- c:\documents and settings\ShannonS\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-11-16 22:36 . 2009-11-16 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-11-16 22:35 . 2009-12-01 13:39 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-11-16 22:35 . 2009-11-16 22:35 -------- d-----w- c:\documents and settings\ShannonS\Application Data\SUPERAntiSpyware.com

2009-11-16 18:54 . 2009-11-16 18:54 -------- d-----w- c:\documents and settings\ShannonS\Application Data\Malwarebytes

2009-11-16 18:54 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-16 18:54 . 2009-11-16 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-16 18:54 . 2009-11-16 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-16 18:54 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-16 18:43 . 2009-11-16 18:43 -------- d-----w- c:\program files\CCleaner

2009-11-10 15:09 . 2009-11-10 15:09 -------- d-----w- c:\documents and settings\Smart-Shopper

2009-11-10 15:09 . 2009-11-10 15:09 -------- d-----w- C:\Application Data

2009-11-10 14:18 . 2009-11-10 14:18 -------- d-sh--w- c:\documents and settings\ShannonS\PrivacIE

2009-11-10 14:13 . 2009-11-10 14:13 -------- d-----w- c:\program files\NOS

2009-11-10 13:48 . 2009-11-11 21:09 -------- d-----w- c:\documents and settings\ShannonS\Local Settings\Application Data\upqoee

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-01 14:21 . 2008-05-14 22:07 99928 ----a-w- c:\documents and settings\ShannonS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-25 12:01 . 2008-07-12 18:02 -------- d-----w- c:\program files\Yahoo!

2009-11-21 22:49 . 2008-11-25 14:54 -------- d-----w- c:\documents and settings\ShannonS\Application Data\GrabIt

2009-11-19 03:52 . 2008-05-09 23:31 -------- d-----w- c:\documents and settings\ShannonS\Application Data\Apple Computer

2009-11-17 19:27 . 2008-04-24 16:25 -------- d-----w- c:\program files\Common Files\InstallShield

2009-11-17 19:27 . 2008-05-14 20:18 -------- d-----w- c:\program files\Logitech

2009-11-17 00:47 . 2008-06-22 20:51 -------- d-----w- c:\program files\Java

2009-11-16 22:35 . 2008-11-21 11:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-11 20:55 . 2008-12-06 15:16 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-11-10 15:24 . 2008-07-31 19:32 -------- d-----w- c:\program files\Viewpoint

2009-11-10 15:22 . 2009-04-28 22:47 -------- d-----w- c:\program files\mIRC

2009-11-10 14:14 . 2009-09-10 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-10-23 20:48 . 2009-01-25 17:17 -------- d-----w- c:\documents and settings\ShannonS\Application Data\gtk-2.0

2009-10-11 09:17 . 2008-12-17 11:49 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-09 11:14 . 2009-02-23 00:47 -------- d-----w- c:\program files\Finale Allegro 2007

2009-09-30 06:20 . 2009-09-30 06:20 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe

2009-09-16 18:23 . 2009-09-16 18:23 72920 ---ha-w- c:\windows\system32\mlfcache.dat

2009-09-11 14:18 . 2006-09-27 18:33 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 20:01 . 2009-09-10 20:01 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]

"Google Update"="c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-17 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-05 16380416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HPAiODevice(hp officejet k series) - 2.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe [2002-11-20 151552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]

S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [6/15/2009 7:00 PM 33024]

S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [6/15/2009 7:00 PM 41344]

S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [6/15/2009 7:00 PM 39936]

S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [6/15/2009 7:00 PM 59904]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2009-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202243103-4161122911-1327887124-1006Core.job

- c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-17 18:51]

2009-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202243103-4161122911-1327887124-1006UA.job

- c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-17 18:51]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\ShannonS\Application Data\Mozilla\Firefox\Profiles\jchlr0uv.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.facebook.com/home.php?ref=home|http://community.babycenter.com/groups/a251165/board_1188

FF - plugin: c:\documents and settings\ShannonS\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Musicnotes\npmusicn.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe

SafeBoot-MCODS

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-03 18:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A71150C]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9e68852

\Driver\iaStor -> iaStor.sys @ 0xb9e82f80

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9cfebb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d0ba21

SendHandler -> NDIS.sys @ 0xb9ce987b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(764)

c:\windows\system32\WININET.dll

.

Completion time: 2009-12-03 18:33

ComboFix-quarantined-files.txt 2009-12-03 23:33

Pre-Run: 162,036,387,840 bytes free

Post-Run: 162,375,704,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5E5460237864764AEB889BCD67947D99

-------------------------------------end log---------------------------------

Am I ok now?

  • Staff

Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and the /.

Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

  • Staff

OK, I already suspected that the redirects were still present; that's why I asked how things were now.

Download GMER's application from here:

http://www.majorgeeks.com/GMER_d5198.html

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Attach the results in your next reply or upload here if it's too big: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Warning ! Please, do not select the "Show all" checkbox during the scan.

OK. Here it is:

---------------------------begin copy---------------------

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-12-04 18:52:50

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\ShannonS\LOCALS~1\Temp\axldypog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB4BCB0B0]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\nvata.sys entry point in ".rsrc" section [0xB9E03E2C]

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB848F380, 0x346307, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \Driver\00000890 -> \Driver\nvata \Device\Harddisk0\DR0 8A6D250C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----

-------------------------------end copy----------------------------------

"Suspicious" sounds promising. What next? (And continued thanks, btw!)

  • Staff

This file does indeed appear to be infected. This is a system-critical file. Without it, your system won't boot.

That's why, if you're infected with this variant, I always suggest backing up any important data first, just in case, before we try to fix this.

Let's have a look first at where we can find copies of that file on your system...

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *nvata.sys*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Also, do you have your XP cd?

Yes, we managed to find the XP CD. And here's the SystemLook txt:

-----------------------------------

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 09:50 on 05/12/2009 by ShannonS (Administrator - Elevation successful)

========== filefind ==========

Searching for "*nvata.sys*"

C:\Backup\MB\IDE\NVATA.SYS --a--- 105344 bytes [18:39 21/09/2006] [18:39 21/09/2006] DC1F9954B5EDDD147AF7E5C420BE7B93

C:\Drivers\NVATA.SYS --a--- 105344 bytes [18:39 21/09/2006] [18:39 21/09/2006] DC1F9954B5EDDD147AF7E5C420BE7B93

C:\WINDOWS\system32\drivers\nvata.sys --a--- 105344 bytes [04:00 01/01/1980] [18:39 21/09/2006] DED9E8DA7871AE31789FADAEF0FD32EA

-=End Of File=-

----------------------------------

  • Staff

> Yes, we managed to find the XP CD. And here's the SystemLook txt:

Good, because replacing system files is ALWAYS a risk, especially this one.

How familiar are you with computers?

We can do this via the Recovery Console; however, I prefer to do this with a boot CD such as Hiren's, BartPE or UBCD4Win, because I have seen failures when replacing this file via the Recovery Console, with the result that the machine can't boot at all anymore. So if we use a boot CD, it's safer, since whatever happens, you will still be able to access your data. Better safe than sorry. I'll give instructions afterwards on how to fix this issue.

Do you have any of the above-mentioned boot CDs? Just let me know. If not, then I'll give instructions on how to create one, as this is always a good thing to have, also for future problems. :)

  • Staff

Hi,

Please visit the website to download the boot CD > http://www.hirensbootcd.net/details/10.0.html

Just extract everything into a folder and double-click on "BurnToCD.cmd" in order to burn it to CD.

The Hiren's CD is easy to understand, which is why I recommend this one, and it is always a good thing to have for future problems.

Then boot the computer using the Hiren's CD which you just burned. When you get to this screen, select "Start Mini Windows Xp":

[screenshot: HirenBootCD_menu.png]

It will then look like this:

[screenshot: hirenboocd_desktop.png]

In the Hiren's Boot "Mini Windows Xp":

1) Locate this file - C:\WINDOWS\system32\drivers\nvata.sys

2) Rename it to nvata.SYS.BAD

3) Then copy the file from C:\Drivers\NVATA.SYS to the C:\WINDOWS\SYSTEM32\DRIVERS folder.

Or you can also use the one from C:\Backup\MB\IDE\NVATA.SYS to copy to your C:\WINDOWS\SYSTEM32\DRIVERS folder.

When finished, restart the machine and boot back into your normal OS.

Let me know how that went.

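The two staff posts above describe one procedure in two halves: the SystemLook search that lists every copy of nvata.sys with its MD5 (two identical installer/backup copies, one live copy of the same size but a different digest), and the Hiren's Mini XP steps that rename the live driver to .BAD and copy a clean duplicate over it. The following is an added Python example of that procedure, not code from the thread or from SystemLook, ComboFix, GMER or Hiren's; it builds a throwaway directory tree standing in for C:\ with constructed file bytes, so the digests it prints are not the ones in the SystemLook log, and the file names and paths inside it are illustrative only.

```python
"""Find every copy of a driver, hash them, flag the live copy when its digest
differs from its duplicates, and swap it for a clean one.  Added example, not
from the thread; the directory tree and file bytes are constructed, not the
real system32."""
import hashlib
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path


def md5_of(path):
    """Hex MD5 of a file (the digest SystemLook prints), read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_copies(root, name):
    """Case-insensitive search for `name` under `root`, grouped by MD5.
    Mirrors what ':filefind *nvata.sys*' reports, minus the timestamps."""
    groups = defaultdict(list)
    for p in Path(root).rglob("*"):
        if p.is_file() and p.name.lower() == name.lower():
            groups[md5_of(p)].append(p)
    return dict(groups)


def judge_live_copy(groups, live):
    """Return (live_hash, good_hash, good_path).

    The tell in the SystemLook log is a live driver whose size matches the
    installer/backup copies but whose MD5 does not.  With no independent
    copy to compare against this check cannot decide, so good_hash is None."""
    live_hash = md5_of(live)
    others = {h: ps for h, ps in groups.items() if h != live_hash}
    if not others:
        return live_hash, None, None
    # the digest shared by the most independent copies is the reference
    good_hash, good_paths = max(others.items(), key=lambda kv: len(kv[1]))
    return live_hash, good_hash, good_paths[0]


def replace_driver(live, good):
    """Keep the modified file as .BAD (for later analysis), copy the clean one in.
    On a real box this must run from a boot CD: the live driver is in use."""
    bad = live.with_name(live.name + ".BAD")
    live.rename(bad)
    shutil.copy2(good, live)
    return bad


def demo():
    """Build a stand-in tree (constructed data) and run the full procedure."""
    root = Path(tempfile.mkdtemp())
    clean = b"MZ" + bytes(range(256)) * 16            # fake driver body
    for rel in ("Backup/MB/IDE/NVATA.SYS", "Drivers/NVATA.SYS"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(clean)
    live = root / "WINDOWS/system32/drivers/nvata.sys"
    live.parent.mkdir(parents=True)
    live.write_bytes(clean[:-16] + b"\xcc" * 16)       # same size, patched tail

    groups = find_copies(root, "nvata.sys")
    live_hash, good_hash, good_path = judge_live_copy(groups, live)
    result = {
        "copies": sum(len(v) for v in groups.values()),
        "same_size": live.stat().st_size == good_path.stat().st_size,
        "live_before": live_hash,
        "good": good_hash,
    }
    bad = replace_driver(live, good_path)
    result["bad_kept"] = bad.exists() and md5_of(bad) == live_hash
    result["live_after"] = md5_of(live)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check is deliberately conservative: it only declares a reference when at least one independent copy disagrees with the live file, and it never deletes the suspect driver, because the renamed .BAD copy is what you would submit for analysis and what you would restore if the machine refuses to boot after the swap.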
  • 2 weeks later...
  • Staff

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
