[Resolved] Google randomly redirecting...logs attached

Discussion in 'Virus and Malware Removal' started by mcIrishgurl, Mar 14, 2011.

Thread Status:
Not open for further replies.
  1. mcIrishgurl Newcomer, in training

    Google is randomly redirecting IE. I've attached the preliminary logs. Your help is appreciated.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6057

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/14/2011 5:30:49 PM
    mbam-log-2011-03-14 (17-30-49).txt

    Scan type: Quick scan
    Objects scanned: 184180
    Time elapsed: 10 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-14 17:47:46
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400EB-11CPF0 rev.06.04G06
    Running: fpo6du4z.exe; Driver: C:\DOCUME~1\Dawn\LOCALS~1\Temp\kxtdapog.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 78165193 (+166): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF74640E0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF74640F4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7464120]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7464176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF74640CC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF74640A4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF74640B8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF746410A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF746414C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7464136]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF74641A0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF746418C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7464160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A468AF1
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A468AF1
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A468AF1

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400EB-11CPF0______________________06.04G06#4457572d41435441324636313430_033_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
  2. mcIrishgurl Newcomer, in training

    DDS log

    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Dawn at 17:59:47.54 on Mon 03/14/2011
    internet explorer: 8.0.6001.18702
    browserjavaversion: 1.6.0_20
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.884 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBKJSWX.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Dawn\My Documents\dds.scr
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\System32\wbem\unsecapp.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\LXBKJSWX.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Dawn\My Documents\dds.scr
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============

    Edit: Deleting following as wrong log..
    .
  3. mcIrishgurl Newcomer, in training

    DDS log (cont'd)

    Edit: Deleting incorrect log display.
  4. mcIrishgurl Newcomer, in training

    DDS log (cont'd)

    Edit: Deleted incorrect log.
  5. mcIrishgurl Newcomer, in training

    DDS log (cont'd)

    Edit: Deleted incorrect log.
  6. mcIrishgurl Newcomer, in training

    DDS log (cont'd)

    Edit: Deleted incorrect log.
  7. mcIrishgurl Newcomer, in training

    DDS log (cont'd)

    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\WINDOWS\system32\drivers\mfehidk.sys [2010-10-13 386840]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\WINDOWS\system32\drivers\mfetdi2k.sys [2011-2-22 84072]
    R1 SASDIFSV;SASDIFSV;c:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-9-4 12872]
    R1 SASKUTIL;SASKUTIL;c:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2009-9-4 67656]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]
    R2 McProxy;McAfee Proxy Service;"c:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2011-2-22 271480]
    R2 McShield;McShield;c:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-2-22 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-2-22 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\WINDOWS\system32\mfevtps.exe [2011-2-22 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\WINDOWS\system32\drivers\cfwids.sys [2011-2-22 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\WINDOWS\system32\drivers\mfeavfk.sys [2011-2-22 152960]
    R3 mfefirek;McAfee Inc. mfefirek;c:\WINDOWS\system32\drivers\mfefirek.sys [2011-2-22 313288]
    R3 mfendiskmp;mfendiskmp;c:\WINDOWS\system32\drivers\mfendisk.sys [2011-2-22 88544]
    S2 gupdate;Google Update Service (gupdate);c:\Program Files\Google\Update\GoogleUpdate.exe [2010-2-1 135664]
    S3 hdlSrv;hdlSrv;c:\Program Files\M-Systems Utility\hdlSrv.exe [2002-11-19 65536]
    S3 mfebopk;McAfee Inc. mfebopk;c:\WINDOWS\system32\drivers\mfebopk.sys [2011-2-22 52104]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\WINDOWS\system32\drivers\mfendisk.sys [2011-2-22 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\WINDOWS\system32\drivers\mferkdet.sys [2011-2-22 84264]
    S3 SASENUM;SASENUM;c:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-9-4 12872]
    ======

    Edit: Deleted partial incorrect log content.
  8. mcIrishgurl Newcomer, in training

    Attach log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/31/2007 1:05:20 PM
    System Uptime: 3/14/2011 5:07:03 PM (1 hours ago)
    .
    Motherboard: Lite-On Tech. | | 0888h
    Processor: Intel(R) Celeron(R) CPU 2.00GHz | mPGA-478 | 2000/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 32 GiB total, 11.717 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP217: 2/6/2011 8:05:57 AM - System Checkpoint
    RP218: 2/7/2011 9:43:13 AM - System Checkpoint
    RP219: 2/8/2011 10:05:21 AM - System Checkpoint
    RP220: 2/9/2011 12:23:28 PM - System Checkpoint
    RP221: 2/10/2011 1:20:38 AM - Software Distribution Service 3.0
    RP222: 2/10/2011 11:33:49 AM - Installed HP Product Detection.
    RP223: 2/10/2011 12:15:39 PM - Installed LightScribe System Software 1.14.25.1.
    RP224: 2/10/2011 12:34:53 PM - Removed System Requirements Lab for Intel
    RP225: 2/11/2011 12:43:19 PM - System Checkpoint
    RP226: 2/12/2011 3:51:34 PM - System Checkpoint
    RP227: 2/13/2011 6:35:56 PM - System Checkpoint
    RP228: 2/14/2011 6:56:26 PM - System Checkpoint
    RP229: 2/15/2011 7:18:50 PM - System Checkpoint
    RP230: 2/17/2011 1:57:05 AM - System Checkpoint
    RP231: 2/18/2011 2:44:53 AM - System Checkpoint
    RP232: 2/19/2011 2:52:54 AM - System Checkpoint
    RP233: 2/20/2011 3:43:48 AM - System Checkpoint
    RP234: 2/21/2011 5:46:41 AM - System Checkpoint
    RP235: 3/22/2011 2:37:41 AM - System Checkpoint
    RP236: 2/22/2011 10:16:48 PM - System Checkpoint
    RP237: 2/23/2011 10:28:05 PM - System Checkpoint
    RP238: 2/25/2011 1:31:48 AM - System Checkpoint
    RP239: 2/26/2011 2:02:07 AM - System Checkpoint
    RP240: 2/27/2011 2:18:36 AM - System Checkpoint
    RP241: 2/28/2011 3:18:30 AM - System Checkpoint
    RP242: 3/1/2011 3:37:02 AM - System Checkpoint
    RP243: 3/2/2011 4:36:59 AM - System Checkpoint
    RP244: 3/3/2011 5:38:40 AM - System Checkpoint
    RP245: 3/4/2011 6:38:05 AM - System Checkpoint
    RP246: 3/5/2011 7:38:02 AM - System Checkpoint
    RP247: 3/6/2011 8:15:00 AM - System Checkpoint
    RP248: 3/7/2011 8:52:49 AM - System Checkpoint
    RP249: 3/8/2011 10:00:56 AM - System Checkpoint
    RP250: 3/9/2011 10:38:21 AM - System Checkpoint
    RP251: 3/10/2011 3:00:56 AM - Software Distribution Service 3.0
    RP252: 3/11/2011 3:38:24 AM - System Checkpoint
    RP253: 3/12/2011 4:38:26 AM - System Checkpoint
    RP254: 3/13/2011 7:02:34 AM - System Checkpoint
    RP255: 3/14/2011 7:38:23 AM - System Checkpoint
    .
    ==== Installed Programs ======================

    Edit: Deleted partial incorrect log content.
  9. mcIrishgurl Newcomer, in training

    Attach log (cont'd)

    Edit: Deleted incorrect log content.
  10. mcIrishgurl Newcomer, in training

    Attach log (cont'd)

    Edit: Deleted incorrect log content.
  11. mcIrishgurl Newcomer, in training

    Attach log (cont'd)

    Edit: Deleted incorrect log content.
  12. Bobbye Helper on the Fringe

    Can you please tell me where you downloaded DDS? We use DDS (Ver_10-12-12.02) - NTFSx86. You have used DDS (Ver_11-03-05.01) - NTFSx86.

    The version we use does not have SteelWerX Registry Console Tool 2.0
    Written by Bobbi Flekman 2006 (C)

    Please uninstall the version of DDS you have and use the following:
    • Download DDS by sUBs and save it to your desktop.

      After downloading the tool, disconnect from the internet and disable all antivirus protection.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • When done, DDS will open two (2) logs: Please paste both in your next reply.
      ○ DDS.txt
      ○ Attach.txt
    • Close the program window, and delete the program from your desktop.
    • Enable your Antivirus protection and reconnect to the internet.
    Please note: You may have to disable any script protection running if the scan fails to run.

    It will generate 2 logs: DDS.txt and Attach.txt. Paste those 2 logs in your next reply. Please do not zip the Attach log.

    After you do that, I will go in and delete all the entries for the wrong version. You will find all the steps and links we use in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  13. mcIrishgurl Newcomer, in training

    New Attach log (cont'd)

    Edit: Deleting incorrect log.
  14. mcIrishgurl Newcomer, in training

    New Attach log (cont'd)

    Edit to delete incorrect log.
  15. mcIrishgurl Newcomer, in training

    Just waiting on your next step, Bobbye. The previous posts show the new DDS and Attach logs. Please note that I downloaded from the link you posted and it still included that SteelWerX thing.
  16. Bobbye Helper on the Fringe

    Please don't run DDS again until we find out what's going on. It shouldn't have the SteelWerX Registry Console Tool in it. I've asked about it and will get back to you as soon as I hear something.
  17. mcIrishgurl Newcomer, in training

    OK. I'm assuming that is also causing my system to run really slow, as it hadn't prior to running that DDS tool. I was only being redirected, but now it's slow also. Well, hopefully you hear something soon. Thanks again.
  18. mcIrishgurl Newcomer, in training

    Just checking in to see if you found anything out about that SteelWerX tool in the DDS. Thanks.
  19. Bobbye Helper on the Fringe

    Sorry, I haven't had time to get back. We don't know where that version came from! Neither of us has ever seen a DDS log like that, and for our purposes, it's no good at all. I'd like you to uninstall the DDS program you have now and delete the logs.

    Reboot the computer.

    Go back and download again, from this site. If the same thing happens again, we will have to contact the site and the author.
    • Download DDS by sUBs and save it to your desktop.

      After downloading the tool, disconnect from the internet and disable all antivirus protection.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results, click no to the Optional_Scan
    • Follow the instructions that pop up for posting the results.
    • When done, DDS will open two (2) logs: Please paste both in your next reply.
      ○ DDS.txt
      ○ Attach.txt
    • Close the program window, and delete the program from your desktop.
    • Enable your Antivirus protection and reconnect to the internet.
    Please note: You may have to disable any script protection running if the scan fails to run.

    That program running is from 2006; I've never even seen it previously. Be sure you follow the directions exactly: save the download to the desktop; do not run it from the site. Leave the new logs.
  20. mcIrishgurl Newcomer, in training

    OK, Bobbye, will do. And what's odd is that my McAfee just said it removed a trojan, and when I looked to delete that DDS, it was already gone! So I'm assuming the trojan was that bad DDS! Trying again now and will post in a few!