
Google redirect virus


chrisn55

Malwarebytes finds no problems. I ran the most recent Combofix and the log is posted below.

It shows a TDL3 Rootkit, but does not remove it. I downloaded and ran TDSSKiller, but it found nothing.

Google searches still get redirected.

Please Help.

Thanks,

Chris

ComboFix 10-12-19.03 - Bell 12/20/2010 8:36.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.286 [GMT -5:00]

Running from: c:\temp\Rootkit removers\ComboFix.exe

AV: System Shield *Disabled/Outdated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))

.

2010-12-20 13:18 . 2005-10-24 21:10 97792 ----a-w- c:\temp\Rootkit removers\Rootkit revealer\RootkitRevealer.exe

2010-12-17 20:56 . 2010-12-17 20:56 -------- d-----w- c:\windows\ERUNT

2010-12-17 20:52 . 2010-12-17 21:23 -------- d-----w- C:\SDFix

2010-12-17 20:52 . 2010-12-17 20:52 170402 ----a-w- c:\temp\Rootkit removers\OTL.exe

2010-12-17 19:36 . 2010-12-17 19:36 1345624 ----a-w- c:\temp\Rootkit removers\tdsskiller.exe

2010-12-17 19:33 . 2010-12-17 19:33 296448 ----a-w- c:\temp\Rootkit removers\6uv6brh6.exe

2010-12-17 17:14 . 2010-07-22 20:11 1170256 ----a-w- c:\temp\Rootkit removers\TDSS Killer\TDSSKiller.exe

2010-12-17 17:14 . 2007-10-04 15:44 95744 ----a-w- c:\temp\Rootkit removers\rootkit unhooker\rku37300509.exe

2010-12-17 17:14 . 2010-07-08 10:57 1872472 ----a-w- c:\temp\Rootkit removers\SmitfraudFix.exe

2010-12-17 17:14 . 2010-06-03 19:45 1529241 ----a-w- c:\temp\Rootkit removers\SDFix.exe

2010-12-17 17:14 . 2007-10-04 15:44 95744 ----a-w- c:\temp\Rootkit removers\rku37300509.exe

2010-12-17 17:14 . 2010-12-20 13:30 3995286 ----a-r- c:\temp\Rootkit removers\ComboFix.exe

2010-12-17 17:14 . 2010-02-12 15:25 144248 ----a-w- c:\temp\Rootkit removers\catchme.exe

2010-12-17 17:14 . 2010-02-12 15:24 293376 ----a-w- c:\temp\Rootkit removers\cel1hrv9.exe

2010-12-17 15:03 . 2010-12-17 15:03 -------- d-----w- c:\documents and settings\Bell\Application Data\iolo

2010-12-17 14:58 . 2010-12-17 15:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\iolo

2010-12-14 23:48 . 2010-09-23 17:29 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL

2010-12-14 23:35 . 2010-12-14 23:35 -------- d-----w- c:\documents and settings\Bell\Local Settings\Application Data\VS Revo Group

2010-12-14 23:35 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-12-14 23:35 . 2010-12-14 23:35 -------- d-----w- c:\program files\VS Revo Group

2010-12-14 23:31 . 2010-12-14 23:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-12-14 23:31 . 2010-12-14 23:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-12-14 23:31 . 2010-12-14 23:31 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-12-14 22:13 . 2010-12-14 22:13 -------- d-----w- c:\documents and settings\Bell\Application Data\Malwarebytes

2010-12-14 22:13 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-14 22:13 . 2010-12-14 22:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2010-12-14 22:13 . 2010-12-14 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-14 22:13 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-14 21:36 . 2010-12-14 22:01 -------- d-----w- c:\program files\MemTurbo 4

2010-12-13 21:56 . 2010-12-14 12:50 -------- d-----w- c:\documents and settings\Bell\Local Settings\Application Data\Panda3D

2010-12-13 02:04 . 2010-12-13 02:04 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ICS

2010-12-13 00:00 . 2010-12-13 00:05 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe

2010-12-12 22:32 . 2009-11-12 00:46 118784 ----a-w- c:\windows\system32\iavlsp.dll

2010-12-12 22:29 . 2010-12-12 22:29 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\iolo

2010-12-12 22:27 . 2010-12-02 20:21 87688 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-12-12 22:27 . 2010-12-02 20:18 2234040 ----a-w- c:\windows\system32\Incinerator.dll

2010-12-12 22:27 . 2010-12-02 20:20 11776 ----a-w- c:\windows\system32\smrgdf.exe

2010-12-12 22:27 . 2010-12-02 20:20 29696 ----a-w- c:\windows\system32\iolobtdfg.exe

2010-12-12 22:24 . 2010-12-12 22:24 74703 ----a-w- c:\windows\system32\mfc45.dll

2010-12-12 22:07 . 2010-12-12 22:07 -------- d-----w- c:\documents and settings\Administrator

2010-12-12 01:09 . 2010-12-12 18:56 -------- d-----w- c:\program files\FilmFanatic

2010-12-11 23:28 . 2010-12-12 23:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Lexmark 2300 Series\ezprint .exe
c:\program files\Lexmark 2300 Series\lxcgmon .exe
c:\program files\Lexmark Fax Solutions\fm3032 .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SecEss\SE11 .exe
c:\windows\BBSTORE\DSS\DSSAGENT .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

"{796b75f6-6187-47e2-8f1f-c16e059e6e19}"= "c:\program files\FilmFanatic\bar\1.bin\paSrcAs.dll" [2010-12-12 53248]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{796b75f6-6187-47e2-8f1f-c16e059e6e19}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{631acb68-57c3-48af-9cc5-fcec0837ffd3}]

2010-12-12 01:09 684032 ----a-w- c:\progra~1\FILMFA~2\bar\1.bin\pabar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-09-29 03:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d5e9b421-c309-41de-9014-800a2adcdeb0}]

2010-12-12 01:09 53248 ----a-w- c:\program files\FilmFanatic\bar\1.bin\paSrcAs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

"{0b84b4b4-8af8-4f1f-91fe-074a666f6425}"= "c:\program files\FilmFanatic\bar\1.bin\pabar.dll" [2010-12-12 684032]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{0b84b4b4-8af8-4f1f-91fe-074a666f6425}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

"{0B84B4B4-8AF8-4F1F-91FE-074A666F6425}"= "c:\program files\FilmFanatic\bar\1.bin\pabar.dll" [2010-12-12 684032]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{0b84b4b4-8af8-4f1f-91fe-074a666f6425}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"smss32.exe"="c:\windows\system32\smss32.exe" [N/A]

c:\documents and settings\GUEST 1\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2/21/2010 6:34 PM 16896]

R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2/21/2010 6:34 PM 52224]

S2 FilmFanaticService;FilmFanatic Service;c:\progra~1\FILMFA~2\bar\1.bin\pabarsvc.exe [12/11/2010 8:09 PM 28766]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [12/14/2010 6:35 PM 27064]

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2/23/2010 5:10 PM 167808]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - RKREVEAL150

*Deregistered* - RKREVEAL150

.

Contents of the 'Scheduled Tasks' folder

2010-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-12-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2010-09-29 03:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.callofduty.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: c:\windows\system32\iavlsp.dll

Trusted Zone: fastestdeploy.com

Trusted Zone: fastestdeploy.com

DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-20 08:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: _WD800JD-98JNC0______________________ rev.01C05 -> Harddisk0\DR0 -> \Device\00000032

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AC7EC5]<<

c:\docume~1\Bell\LOCALS~1\Temp\catchme.sys

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xff958872; SUB DWORD [EBP-0x4], 0xff95812e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82D95030]

3 CLASSPNP[0xF8646FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82A0C030]

[0x82A10360] -> IRP_MJ_CREATE -> 0x82AC7EC5

error: Read Incorrect function.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\0000005b -> \??\IDE#DiskWDC_WD800JD-98JNC0______________________05.01C05#VT3149&A00&H00&DFF&2020202057202D4443574D413739353536353839#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,14,6a,89,63,83,13,46,98,d0,aa,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,14,6a,89,63,83,13,46,98,d0,aa,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(708)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2532)

c:\windows\system32\WININET.dll

c:\windows\system32\iavlsp.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-12-20 08:54:06

ComboFix-quarantined-files.txt 2010-12-20 13:54

ComboFix2.txt 2010-12-17 19:04

Pre-Run: 58,370,617,344 bytes free

Post-Run: 58,512,232,448 bytes free

- - End Of File - - 8D3A6583248BF8670FFC70E56C1AE02F

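For readers working through a log like the one above, the following is an added triage script, not code from the original post, from Malwarebytes or from ComboFix. It walks a ComboFix log once and pulls out the kinds of entries that a "Google searches get redirected" complaint usually traces back to: IE URLSearchHooks and Browser Helper Objects, Run values whose target ComboFix could not find on disk (printed as [N/A]), Run values whose name imitates a core Windows process, Winsock LSPs, Trusted Zone domains, and catchme's disk-trace marker for a hooked IRP path that it could not attribute to any loaded module. The SAMPLE input is a set of lines excerpted from the log posted above; the meaning assigned to each line type, the [N/A] reading, and the CORE_PROCS list are the editor's assumptions, not anything the log or the tools state.

```python
"""Triage of a ComboFix log for the indicators behind a search-redirect complaint.

Added example for this thread; not code from the original post, from
Malwarebytes or from ComboFix.  SAMPLE is a handful of lines excerpted from
the log posted above.  The meaning assigned to each line type is the
editor's reading of ComboFix/catchme output, stated here as assumptions:
  - URLSearchHooks values: DLLs that see every address-bar search in IE
  - Browser Helper Objects: DLLs loaded into every IE process
  - Run values ending in [N/A]: the referenced file was not found on disk
  - LSP: a Winsock layered provider, in-path for all socket traffic
  - Trusted Zone: a domain IE treats with relaxed security settings
  - '>>UNKNOWN [addr]<<' in the disk trace: the disk IRP path is hooked by
    code catchme could not map to any loaded module
"""
import re

# Constructed input: lines copied from the ComboFix log in the post above.
SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]
"{796b75f6-6187-47e2-8f1f-c16e059e6e19}"= "c:\program files\FilmFanatic\bar\1.bin\paSrcAs.dll" [2010-12-12 53248]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{631acb68-57c3-48af-9cc5-fcec0837ffd3}]
2010-12-12 01:09 684032 ----a-w- c:\progra~1\FILMFA~2\bar\1.bin\pabar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"="c:\windows\system32\smss32.exe" [N/A]
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: fastestdeploy.com
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AC7EC5]<<
Warning: possible TDL3 rootkit infection !
"""

# "name"="path" [date size]   or   "name"="path" [N/A]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# date time size attrs path   (the file line printed under a BHO header)
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S+\s+(?P<path>\S.*)$')
# catchme disk-trace marker for an unattributed kernel hook
HOOK_RE = re.compile(r'>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<')

# Core Windows process names that malware likes to imitate (assumed list).
CORE_PROCS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}


def lookalike(name):
    """True if `name` is a core process name with digits spliced in, e.g. smss32.exe."""
    low = name.lower()
    nodigits = re.sub(r"\d+", "", low)
    if nodigits == low:          # no digits present, nothing being imitated
        return False
    stem = nodigits[:-4] if nodigits.endswith(".exe") else nodigits
    return stem in CORE_PROCS


def triage(text):
    """Walk the log once; return a list of (category, detail) findings in log order."""
    findings = []
    section = ""                 # registry header the current line sits under
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HKEY_") and line.endswith("]"):
            section = line[1:-1]
            continue
        if (m := VALUE_RE.match(line)):
            name, path, stamp = m.group("name", "path", "stamp")
            if section.endswith("URLSearchHooks"):
                findings.append(("search_hook", path))
            elif section.endswith(r"CurrentVersion\Run"):
                if stamp == "N/A":
                    findings.append(("dangling_autorun", f"{section}: {path}"))
                if lookalike(name):
                    findings.append(("lookalike_autorun", f"{name} -> {path}"))
            continue
        if "Browser Helper Objects" in section and (m := FILE_RE.match(line)):
            findings.append(("bho", m.group("path")))
        elif line.startswith("LSP:"):
            findings.append(("lsp", line[4:].strip()))
        elif line.startswith("Trusted Zone:"):
            findings.append(("trusted_zone", line.split(":", 1)[1].strip()))
        elif (m := HOOK_RE.search(line)):
            findings.append(("disk_hook", m.group(1)))
        elif line.startswith("Warning:"):
            findings.append(("scanner_warning", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"{category:18} {detail}")
```

The script only points at entries; it does not remove anything. The search hooks, BHOs, LSP and Trusted Zone entries are user-mode persistence that a cleanup under forum guidance can address one at a time, whereas an unattributed hook in the disk IRP path is kernel-level and is the reason the log's catchme section prints the TDL3 warning; deleting registry entries does nothing about that, which matches the poster's observation that the redirects persisted after Malwarebytes came back clean.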

  • Staff

Hi and welcome to Malwarebytes.

Please see:

HijackThis Forum Policy

We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

Please uninstall Limewire before we continue.


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
