Solved Google redirect and who knows what else


adam0454

Hello, I'm a victim of the System Security 2010 virus, and (I think) was able to remove it with Malwarebytes Anti-Malware. However, I do have the Google redirect issues and some other issues with Gmail (attachments not working, inability to log in sometimes). I run avast antivirus protection, but I suppose that was not enough.

Any help in getting my system clean would be very much appreciated. Thanks in advance!

Logs to follow...
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4088

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/10/2010 9:32:07 PM
mbam-log-2010-05-10 (21-32-07).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 287255
Time elapsed: 1 hour(s), 11 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 10
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SE2010 (Rogue.Securityessentials2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security essentials 2010 (Rogue.SecurityEssentials) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Securityessentials2010 (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Securityessentials2010\SE2010.exe (Rogue.SecurityEssentials) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MEVO0HE\exe[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FBS4KVWB\SetupSE2010[1].exe (Rogue.SecurityEssentials) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\195C.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\B29E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\Temp\A60F.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\Temp\B33C.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\warnings.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Security essentials 2010.lnk (Rogue.SecurityEssentials2010) -> Quarantined and deleted successfully.
C:\Windows\System32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Administrator\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 18:01:24
Windows 6.0.6002 Service Pack 2
Running: lohhww1e.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kwrdypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8079E014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0083000A
.text C:\Windows\System32\svchost.exe[1580] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 0084000A
.text C:\Windows\System32\svchost.exe[1580] ntdll.dll!KiUserExceptionDispatcher 77D75DC8 5 Bytes JMP 0082000A
.text C:\Windows\System32\svchost.exe[1580] ole32.dll!CoCreateInstance 76759EA6 5 Bytes JMP 028D000A
.text C:\Windows\System32\svchost.exe[1580] USER32.dll!GetCursorPos 76870B88 5 Bytes JMP 028E000A
.text C:\Windows\Explorer.EXE[1920] ntdll.dll!NtProtectVirtualMemory 77D74D34 5 Bytes JMP 0081000A
.text C:\Windows\Explorer.EXE[1920] ntdll.dll!NtWriteVirtualMemory 77D75674 5 Bytes JMP 0082000A
.text C:\Windows\Explorer.EXE[1920] ntdll.dll!KiUserExceptionDispatcher 77D75DC8 5 Bytes JMP 0080000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00010002
IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00010000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8555BEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 18:02:10.44 on Tue 05/11/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3070.2000 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090308-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1335 [VPS 090308-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Nero 8\Nero BackItUp\NBService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Users\Administrator\Desktop\Antivirus\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "d:\program files\winamp\winampa.exe"
mRun: [NBKeyScan] "d:\program files\nero 8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Acrobat Assistant 7.0] "d:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
Trusted Zone: gmail.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\e26uf6n0.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\e26uf6n0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: d:\program files\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: d:\program files\divx\divx web player\npdivx32.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-23 150568]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-29 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-29 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-1-29 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-20 138680]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-20 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-20 352920]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-4 21504]

=============== Created Last 30 ================

2010-05-11 22:19:56 0 d-----w- c:\programdata\Google
2010-05-11 03:32:03 0 d-----w- c:\programdata\Sun
2010-05-11 03:26:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 23:25:31 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-05-10 23:25:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-10 23:25:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 23:25:23 0 d-----w- c:\programdata\Malwarebytes
2010-05-10 23:18:27 16 ----a-w- c:\users\admini~1\appdata\roaming\woxcdv.dat
2010-05-03 11:46:24 0 d-----w- c:\program files\iPod
2010-04-25 20:25:26 0 d-----w- c:\programdata\Office Genuine Advantage
2010-04-25 20:18:17 35669 ----a-w- c:\programdata\nvModes.dat
2010-04-25 20:16:51 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-15 08:05:05 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 08:05:05 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 08:05:05 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 08:05:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 08:04:55 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 08:04:54 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 08:04:51 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-15 08:04:51 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-15 08:04:46 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 08:04:46 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 08:04:46 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 11:36:22 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 11:36:21 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 13:11:53 14 ----a-w- c:\windows\system32\ssprs.tgz
2010-04-13 13:11:53 1024 ----a-w- c:\windows\system32\clauth2.dll
2010-04-13 13:11:53 1024 ----a-w- c:\windows\system32\clauth1.dll
2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\ssprs.dll
2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\serauth2.dll
2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\serauth1.dll
2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\nsprs.tgz
2010-04-13 13:11:53 0 ----a-w- c:\windows\system32\nsprs.dll
2010-04-13 13:10:40 219 ----a-w- c:\windows\system32\lsprst7.tgz
2010-04-13 13:10:40 205 ----a-w- c:\windows\system32\lsprst7.dll
2010-04-13 13:10:40 1025 ----a-w- c:\windows\system32\sysprs7.tgz
2010-04-13 13:10:40 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-04-13 13:10:39 16 ---h--w- c:\windows\system32\servdat.slm

==================== Find3M ====================

2010-05-06 15:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-03 11:44:23 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-03 11:44:23 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-25 20:18:28 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-11 13:12:02 100776 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-03 23:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 23:27:00 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 23:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 23:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-02 09:09:41 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-03-09 19:22:19 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:03:16.74 ===============
 
MBAM log and Attach.txt:

Attachments: mbam-log-2010-05-10 (21-32-07).txt, Attach.txt
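What the MBAM log above actually tells a responder is not the family names but the persistence the rogue set up: two Run autostarts for smss32.exe, a Winlogon Userinit hijack that made winlogon32.exe run at every logon, and ZoneMap entries that put the rogue's payment domains into Internet Explorer's Trusted sites zone. The script below is an added example, not part of the original post and not Malwarebytes' own tooling: it parses detection lines in the format MBAM 1.46 writes, tags each one with the mechanism it represents, and checks a Userinit value the way you would after cleanup. SAMPLE_LOG is an excerpt copied from the log in this thread; the zone-id names (2 = Trusted sites, 4 = Restricted sites) are the standard IE URL security zone numbers.

```python
"""Extract persistence findings from a Malwarebytes Anti-Malware 1.46 log.

Added example, not from the original thread. SAMPLE_LOG is an excerpt copied
from the MBAM log posted above; ZONES holds the standard IE URL security zone
ids that ZoneMap\Domains values refer to.
"""
import re

SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\helpers32.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# IE URL security zone ids as stored under ZoneMap\Domains.
ZONES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# One MBAM detection line: "<key or path> (<family>) -> <details>".
LINE_RE = re.compile(r"^(?P<key>[^()]+?) \((?P<family>[^)]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
DATA_RE = re.compile(r"Data: (?P<data>.+?) -> ")
ZONEMAP_RE = re.compile(r"\\ZoneMap\\Domains\\(?P<domain>[^\\]+)\\(?P<scheme>\w+)$", re.I)


def userinit_is_clean(value):
    """True only when every comma-separated Userinit entry is userinit.exe."""
    if not value:
        return False
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return bool(entries) and all(
        e.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "userinit.exe" for e in entries)


def classify(key, rest):
    """Map one finding to the persistence mechanism it represents."""
    zm = ZONEMAP_RE.search(key)
    if zm:
        bg = BAD_GOOD_RE.search(rest)
        was, now = (int(bg["bad"]), int(bg["good"])) if bg else (None, None)
        return {"type": "trusted_zone", "domain": zm["domain"], "scheme": zm["scheme"],
                "was": ZONES.get(was), "restored_to": ZONES.get(now)}
    if key.lower().endswith("\\winlogon\\userinit"):
        bg = BAD_GOOD_RE.search(rest)
        dm = DATA_RE.search(rest)
        value = bg["bad"] if bg else (dm["data"] if dm else None)
        return {"type": "userinit", "value": value, "clean": userinit_is_clean(value)}
    if "\\currentversion\\run\\" in key.lower():
        return {"type": "autorun", "value_name": key.rsplit("\\", 1)[-1]}
    return {"type": "other"}


def parse_findings(log_text):
    """Return one record per detection line, with the mechanism attached."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, "(No malicious items detected)"
        rec = {"key": m["key"], "family": m["family"],
               "action": m["rest"].rsplit(" -> ", 1)[-1]}
        rec.update(classify(m["key"], m["rest"]))
        findings.append(rec)
    return findings


def trusted_zone_domains(findings):
    """Domains the rogue added to a zone, de-duplicated across HKLM and HKCU."""
    return sorted({f["domain"] for f in findings if f["type"] == "trusted_zone"})


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for f in found:
        print(f["type"], "|", f["family"], "|",
              {k: v for k, v in f.items() if k not in ("key", "family", "action")})
    print("domains trusted by the rogue:", trusted_zone_domains(found))
```

The Userinit check is worth keeping around after any rogue cleanup: the correct value is a single `userinit.exe` entry with a trailing comma, and anything appended to it runs at every interactive logon, which is exactly how the winlogon32.exe loader in this log survived reboots.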
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.
  5. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    TDL::
    C:\Windows\system32\drivers\atapi.sys
  6. Save the above as CFScript.txt
  7. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.gif]

  8. After reboot, (in case it asks to reboot), please post the following logs into your next reply:
    • Combofix.txt

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
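The reason the CFScript above hands atapi.sys to ComboFix's TDL:: directive is the GMER line in the first post: `entry point in ".rsrc" section`. A clean driver's AddressOfEntryPoint lands in an executable code section (such as .text or INIT); a resource section is data, so an entry point inside it means the file's headers were rewritten so that something else runs before the real driver code. The script below is an added example, not part of the thread and not GMER's or ComboFix's code: it reads the PE headers and applies that check. The two images it tests against are built in memory for the demonstration (constructed data, not a real atapi.sys); `check_file()` runs the same test against any driver you point it at.

```python
"""Flag a PE image whose entry point lies in a data section such as .rsrc.

Added example (not from the original thread). Reproduces the heuristic GMER
reported for atapi.sys: the entry point of a clean driver sits in an
executable section, so an entry point inside .rsrc (or in a section without
IMAGE_SCN_MEM_EXECUTE, or outside every section) marks the file as patched.
The PE images used below are constructed in memory for the demo.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE_SIGNATURE = b"PE\0\0"


def parse_pe(data):
    """Return (entry_rva, sections) from a PE32/PE32+ image held in memory.

    sections is a list of (name, virtual_address, virtual_size, characteristics).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    # AddressOfEntryPoint is at offset 16 of the optional header in PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt_hdr + 16)[0]
    sec_hdr = opt_hdr + size_opt
    sections = []
    for i in range(num_sections):
        off = sec_hdr + 40 * i
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return entry_rva, sections


def entry_point_section(entry_rva, sections):
    """Return (name, characteristics) of the section containing the entry RVA."""
    for name, va, vsize, chars in sections:
        if va <= entry_rva < va + vsize:
            return name, chars
    return None, 0


def classify_entry_point(data):
    """Return (section_name, verdict); verdict is 'clean' or 'suspicious'."""
    entry_rva, sections = parse_pe(data)
    name, chars = entry_point_section(entry_rva, sections)
    if name is None:
        return None, "suspicious"           # entry point outside every section
    if name == ".rsrc" or not chars & IMAGE_SCN_MEM_EXECUTE:
        return name, "suspicious"           # code running from a data section
    return name, "clean"


def check_file(path):
    """Apply the same check to a driver on disk."""
    with open(path, "rb") as fh:
        return classify_entry_point(fh.read())


def build_test_pe(entry_rva, sections):
    """Build a minimal PE32 image from (name, va, vsize, characteristics) tuples.

    Constructed data for the demonstration only; it is not a loadable driver.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header right after DOS header
    size_opt = 224                              # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, ch)
        for n, va, vs, ch in sections)
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt) + hdrs


# Same section layout for both images: executable .text, read-only .rsrc.
LAYOUT = [(".text", 0x1000, 0x3000, 0x68000020), (".rsrc", 0x5000, 0x1000, 0x42000040)]
CLEAN_IMAGE = build_test_pe(0x1200, LAYOUT)     # entry inside .text
PATCHED_IMAGE = build_test_pe(0x5080, LAYOUT)   # entry inside .rsrc, as GMER reported

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, classify_entry_point(img))
```

This is a heuristic, not proof of infection on its own; the confirming step ComboFix takes is to compare the file against a known-good copy and replace it, which is why the thread's fix restores atapi.sys rather than trying to edit it in place.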
 
Combofix

I ran combofix twice (once without the CFScript and once with). log.txt is from the first run and Combofix.txt is from the second (with CFScript). Thanks in advance!
 

Attachments: log.txt, Combofix.txt
I think it's gone! Haven't had a redirect issue in 2 days :)

Thanks so much for all your help.

Based on the logs, are there any other issues I need to take care of?
 
Very good :)
We'll have to double-check if your computer is totally clean.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

1. Download Temp File Cleaner (TFC)
Double-click on TFC.exe to run the program.
Click on the Start button to begin the cleaning process.
TFC will close all running programs, and it may ask you to restart your computer.


2. Go to Kaspersky website and perform an online antivirus scan.

   1. Disable your active antivirus program.
   2. Read through the requirements and privacy statement and click on the Accept button.
   3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
   4. When the downloads have finished, click on Settings.
   5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
   6. Click on My Computer under Scan.
   7. Once the scan is complete, it will display the results. Click on View Scan Report.
   8. You will see a list of infected items there. Click on Save Report As....
   9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
yep

sorry about that! I held off the scan for a few days because I haven't been near my desktop in a while.

logs are attached :)
 

Attachments: report.zip, hijackthis.log
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Thanks so much for all your help! So far, things are running smoothly and I've set a new system restore point. Hopefully history doesn't repeat itself...

Not sure what I would have done without some guidance, so thanks again.
 