
Firefox Hijacked - logs attached



Hi, I've got a problem - Google search results in Firefox look OK, but often when I click on them it takes me to some weird search sites and various other sites such as ITpro and Ask Jeeves, among others.

I have run MBAM, which found nothing, and my AV software (Comodo) also found nothing. I've attached MBAM, GMER and DDS logs.

Thanks for your time.

Attach.zip


Hi Chomper Harris,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

TDSSKiller

  • Download the file TDSSKiller.zip and save it on your desktop.
  • Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop.
  • Next, double-click the tdsskiller folder on your desktop.
  • Next, right-click on tdsskiller.exe, click Copy, then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"


  • Click Start, click Run..., paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to finish.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply.


Hi, many thanks for your prompt reply.

Here are the contents of tdsskiller.txt:

14:10:09:625 3552 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

14:10:09:626 3552 ================================================================================

14:10:09:626 3552 SystemInfo:

14:10:09:626 3552 OS Version: 6.1.7600 ServicePack: 0.0

14:10:09:626 3552 Product type: Workstation

14:10:09:661 3552 ComputerName: MATTY-PC

14:10:09:671 3552 UserName: Matty

14:10:09:672 3552 Windows directory: C:\Windows

14:10:09:672 3552 Processor architecture: Intel x86

14:10:09:672 3552 Number of processors: 2

14:10:09:672 3552 Page size: 0x1000

14:10:09:688 3552 Boot type: Normal boot

14:10:09:688 3552 ================================================================================

14:10:09:772 3552 UnloadDriverW: NtUnloadDriver error 2

14:10:09:772 3552 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

14:10:09:997 3552 wfopen_ex: Trying to open file C:\Windows\system32\config\system

14:10:09:999 3552 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

14:10:09:999 3552 wfopen_ex: Trying to KLMD file open

14:10:10:000 3552 wfopen_ex: File opened ok (Flags 2)

14:10:10:012 3552 wfopen_ex: Trying to open file C:\Windows\system32\config\software

14:10:10:014 3552 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

14:10:10:014 3552 wfopen_ex: Trying to KLMD file open

14:10:10:015 3552 wfopen_ex: File opened ok (Flags 2)

14:10:10:021 3552 Initialize success

14:10:10:021 3552

14:10:10:023 3552 Scanning Services ...

14:10:11:253 3552 Raw services enum returned 440 services

14:10:11:348 3552

14:10:11:349 3552 Scanning Kernel memory ...

14:10:11:351 3552 Devices to scan: 2

14:10:11:351 3552

14:10:11:351 3552 Driver Name: USBSTOR

14:10:11:351 3552 IRP_MJ_CREATE : 85F8C1F8

14:10:11:351 3552 IRP_MJ_CREATE_NAMED_PIPE : 82904359

14:10:11:351 3552 IRP_MJ_CLOSE : 85F8C1F8

14:10:11:351 3552 IRP_MJ_READ : 85F8C1F8

14:10:11:351 3552 IRP_MJ_WRITE : 85F8C1F8

14:10:11:351 3552 IRP_MJ_QUERY_INFORMATION : 82904359

14:10:11:352 3552 IRP_MJ_SET_INFORMATION : 82904359

14:10:11:352 3552 IRP_MJ_QUERY_EA : 82904359

14:10:11:352 3552 IRP_MJ_SET_EA : 82904359

14:10:11:352 3552 IRP_MJ_FLUSH_BUFFERS : 82904359

14:10:11:352 3552 IRP_MJ_QUERY_VOLUME_INFORMATION : 82904359

14:10:11:352 3552 IRP_MJ_SET_VOLUME_INFORMATION : 82904359

14:10:11:352 3552 IRP_MJ_DIRECTORY_CONTROL : 82904359

14:10:11:352 3552 IRP_MJ_FILE_SYSTEM_CONTROL : 82904359

14:10:11:352 3552 IRP_MJ_DEVICE_CONTROL : 85F8C1F8

14:10:11:352 3552 IRP_MJ_INTERNAL_DEVICE_CONTROL : 85F8C1F8

14:10:11:352 3552 IRP_MJ_SHUTDOWN : 82904359

14:10:11:353 3552 IRP_MJ_LOCK_CONTROL : 82904359

14:10:11:353 3552 IRP_MJ_CLEANUP : 82904359

14:10:11:353 3552 IRP_MJ_CREATE_MAILSLOT : 82904359

14:10:11:353 3552 IRP_MJ_QUERY_SECURITY : 82904359

14:10:11:353 3552 IRP_MJ_SET_SECURITY : 82904359

14:10:11:353 3552 IRP_MJ_POWER : 85F8C1F8

14:10:11:353 3552 IRP_MJ_SYSTEM_CONTROL : 85F8C1F8

14:10:11:353 3552 IRP_MJ_DEVICE_CHANGE : 82904359

14:10:11:353 3552 IRP_MJ_QUERY_QUOTA : 82904359

14:10:11:353 3552 IRP_MJ_SET_QUOTA : 82904359

14:10:11:377 3552 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

14:10:11:377 3552

14:10:11:377 3552 Driver Name: adpu320

14:10:11:377 3552 IRP_MJ_CREATE : 859C9D6B

14:10:11:377 3552 IRP_MJ_CREATE_NAMED_PIPE : 859C9D6B

14:10:11:377 3552 IRP_MJ_CLOSE : 859C9D6B

14:10:11:377 3552 IRP_MJ_READ : 859C9D6B

14:10:11:377 3552 IRP_MJ_WRITE : 859C9D6B

14:10:11:378 3552 IRP_MJ_QUERY_INFORMATION : 859C9D6B

14:10:11:378 3552 IRP_MJ_SET_INFORMATION : 859C9D6B

14:10:11:378 3552 IRP_MJ_QUERY_EA : 859C9D6B

14:10:11:378 3552 IRP_MJ_SET_EA : 859C9D6B

14:10:11:378 3552 IRP_MJ_FLUSH_BUFFERS : 859C9D6B

14:10:11:378 3552 IRP_MJ_QUERY_VOLUME_INFORMATION : 859C9D6B

14:10:11:378 3552 IRP_MJ_SET_VOLUME_INFORMATION : 859C9D6B

14:10:11:378 3552 IRP_MJ_DIRECTORY_CONTROL : 859C9D6B

14:10:11:378 3552 IRP_MJ_FILE_SYSTEM_CONTROL : 859C9D6B

14:10:11:378 3552 IRP_MJ_DEVICE_CONTROL : 859C9D6B

14:10:11:378 3552 IRP_MJ_INTERNAL_DEVICE_CONTROL : 859C9D6B

14:10:11:378 3552 IRP_MJ_SHUTDOWN : 859C9D6B

14:10:11:378 3552 IRP_MJ_LOCK_CONTROL : 859C9D6B

14:10:11:378 3552 IRP_MJ_CLEANUP : 859C9D6B

14:10:11:379 3552 IRP_MJ_CREATE_MAILSLOT : 859C9D6B

14:10:11:379 3552 IRP_MJ_QUERY_SECURITY : 859C9D6B

14:10:11:379 3552 IRP_MJ_SET_SECURITY : 859C9D6B

14:10:11:379 3552 IRP_MJ_POWER : 859C9D6B

14:10:11:379 3552 IRP_MJ_SYSTEM_CONTROL : 859C9D6B

14:10:11:379 3552 IRP_MJ_DEVICE_CHANGE : 859C9D6B

14:10:11:379 3552 IRP_MJ_QUERY_QUOTA : 859C9D6B

14:10:11:379 3552 IRP_MJ_SET_QUOTA : 859C9D6B

14:10:11:379 3552 Driver "adpu320" infected by TDSS rootkit!

14:10:11:399 3552 C:\Windows\system32\DRIVERS\adpu320.sys - Verdict: 1

14:10:11:399 3552 File "C:\Windows\system32\DRIVERS\adpu320.sys" infected by TDSS rootkit ...

14:10:11:401 3552 Processing driver file: C:\Windows\system32\DRIVERS\adpu320.sys

14:10:11:459 3552 vfvi6

14:10:11:874 3552 dsvbh1

14:10:15:780 3552 fdfb1

14:10:15:780 3552 Backup copy found, using it..

14:10:16:007 3552 will be cured on next reboot

14:10:16:008 3552 Reboot required for cure complete..

14:10:16:038 3552 Cure on reboot scheduled successfully

14:10:16:038 3552

14:10:16:039 3552 Completed

14:10:16:040 3552

14:10:16:041 3552 Results:

14:10:16:041 3552 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

14:10:16:041 3552 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

14:10:16:042 3552 File objects infected / cured / cured on reboot: 1 / 0 / 1

14:10:16:043 3552

14:10:16:044 3552 fclose_ex: Trying to close file C:\Windows\system32\config\system

14:10:16:048 3552 fclose_ex: Trying to close file C:\Windows\system32\config\software

14:10:16:049 3552 UnloadDriverW: NtUnloadDriver error 1

14:10:16:054 3552 MyDeleteFileW: MyNtCreateFile (C:\Windows\system32\drivers\klmd.sys) error 32

14:10:16:054 3552 KLMD(ARK) unloaded successfully

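What the helper reads in a TDSSKiller log like the one above is the kernel-memory section: adpu320 has every IRP_MJ_* dispatch entry pointing at one address (859C9D6B), while USBSTOR keeps two distinct handlers, and the tool then reports the driver and its file as infected with a cure scheduled for reboot. The following Python is an added example, my own code rather than anything from TDSSKiller or this forum, that parses that log format into per-driver dispatch tables, the infection verdicts and the Results counters, and then triages them. The "all entries point at one address" check is my heuristic (legitimate drivers can also use a single catch-all handler, so a hit is a lead to corroborate with the file verdict, not proof), not TDSSKiller's own detection logic; the sample log is a constructed, trimmed copy of the one posted in this thread.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the TDSSKiller 2.2.8.1 log posted in this thread.
SAMPLE_LOG = r"""
14:10:09:625 3552 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:10:11:349 3552 Scanning Kernel memory ...
14:10:11:351 3552 Devices to scan: 2
14:10:11:351 3552 Driver Name: USBSTOR
14:10:11:351 3552 IRP_MJ_CREATE : 85F8C1F8
14:10:11:351 3552 IRP_MJ_CREATE_NAMED_PIPE : 82904359
14:10:11:351 3552 IRP_MJ_CLOSE : 85F8C1F8
14:10:11:352 3552 IRP_MJ_DEVICE_CONTROL : 85F8C1F8
14:10:11:377 3552 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:10:11:377 3552 Driver Name: adpu320
14:10:11:377 3552 IRP_MJ_CREATE : 859C9D6B
14:10:11:377 3552 IRP_MJ_CREATE_NAMED_PIPE : 859C9D6B
14:10:11:377 3552 IRP_MJ_CLOSE : 859C9D6B
14:10:11:378 3552 IRP_MJ_DEVICE_CONTROL : 859C9D6B
14:10:11:379 3552 Driver "adpu320" infected by TDSS rootkit!
14:10:11:399 3552 C:\Windows\system32\DRIVERS\adpu320.sys - Verdict: 1
14:10:11:400 3552 File "C:\Windows\system32\DRIVERS\adpu320.sys" infected by TDSS rootkit ...
14:10:16:038 3552 Cure on reboot scheduled successfully
14:10:16:041 3552 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
14:10:16:041 3552 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:10:16:042 3552 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every entry is "HH:MM:SS:mmm <pid> <message>"; the patterns below pick apart the message.
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(.*)$")
DRIVER = re.compile(r"^Driver Name: (\S+)$")
IRP = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
INFECTED = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit')
RESULTS = re.compile(r"^(\w+) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")
CURE_SCHEDULED = "Cure on reboot scheduled successfully"


def parse_tdsskiller_log(text):
    """Return per-driver IRP dispatch tables, infection verdicts and the Results counters."""
    drivers = OrderedDict()   # driver name -> {IRP_MJ_* : handler address}
    infected = []             # drivers the tool itself declared infected
    results = {}              # "Memory"/"Registry"/"File" -> (infected, cured, cured on reboot)
    cure_scheduled = False
    current = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not a timestamped entry
        msg = m.group(3).strip()
        d = DRIVER.match(msg)
        if d:
            current = d.group(1)
            drivers[current] = {}
            continue
        i = IRP.match(msg)
        if i and current is not None:
            drivers[current][i.group(1)] = i.group(2).upper()
            continue
        inf = INFECTED.match(msg)
        if inf:
            infected.append(inf.group(1))
            continue
        r = RESULTS.match(msg)
        if r:
            results[r.group(1)] = (int(r.group(2)), int(r.group(3)), int(r.group(4)))
            continue
        if msg == CURE_SCHEDULED:
            cure_scheduled = True
    return {"drivers": drivers, "infected": infected,
            "results": results, "cure_scheduled": cure_scheduled}


def uniform_dispatch_drivers(drivers, min_entries=4):
    """Heuristic (my assumption, not TDSSKiller's logic): a driver whose every IRP_MJ_*
    entry resolves to one address has had its whole dispatch table redirected, which is
    how adpu320 appears in the posted log. Corroborate any hit with the file verdict."""
    flagged = []
    for name, table in drivers.items():
        if len(table) >= min_entries and len(set(table.values())) == 1:
            flagged.append(name)
    return flagged


def triage(text):
    """Summarise a log the way a helper would: what is infected, and is a reboot still owed."""
    parsed = parse_tdsskiller_log(text)
    file_counts = parsed["results"].get("File", (0, 0, 0))
    return {
        "infected_drivers": parsed["infected"],
        "uniform_dispatch": uniform_dispatch_drivers(parsed["drivers"]),
        "cure_scheduled": parsed["cure_scheduled"],
        "pending_on_reboot": file_counts[2],
        "clean": not parsed["infected"]
                 and all(c[0] == 0 for c in parsed["results"].values()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample it reports adpu320 both as declared infected and as the only driver with a uniform dispatch table, with one file object still waiting to be cured on reboot, which is exactly why the helper's next step was to have the machine restarted before re-scanning.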

Hi Chomper Harris,

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 19.

  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 19 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u19-windows-i586-p.exe to install the newest version

Now please run Malwarebytes' Anti-Malware, update it and run a Quick Scan, then post the log in your next reply and let me know how the computer is running now.


Thanks, Java updated, MBAM updated, nothing found, see log below - all running fine now, thank you very much.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3937

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

31/03/2010 16:42:11

mbam-log-2010-03-31 (16-42-11).txt

Scan type: Quick scan

Objects scanned: 101647

Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi Chomper Harris,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure.

Remove GMER

Delete the GMER icon from your desktop.

Delete TDSSKiller and DDS from your desktop.

Update your AntiVirus Software and keep your other programs up-to-date

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Secunia Software Inspector

F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office

Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place?

Happy surfing and stay clean!
