MarshalK

Posts posted by MarshalK

  1. WVCheck log:

    Windows Validation Check

    Version: 1.9.12.5

    Log Created On: 1720_03-05-2011

    -----------------------

    Windows Information

    -----------------------

    Windows Version: Windows XP Service Pack 3

    Windows Mode: Normal

    Systemroot Path: C:\WINDOWS

    WVCheck's Auto Update Check

    -----------------------

    Auto-Update Option: Download updates and install them automatically.

    -----------------------

    Last Success Time for Update Detection: 2011-05-03 20:39:17

    Last Success Time for Update Download: 2011-04-27 02:21:26

    Last Success Time for Update Installation: 2011-04-27 07:02:34

    WVCheck's Registry Check Check

    -----------------------

    Antiwpa: Not Found

    -----------------------

    Chew7Hale: Not Found

    -----------------------

    WVCheck's File Dump

    -----------------------

    WVCheck found no known bad files.

    WVCheck's Dir Dump

    -----------------------

    WVCheck found no known bad directories.

    WVCheck's Missing File Check

    -----------------------

    WVCheck found no missing Windows files.

    WVCheck's MBAM Quarantine Check

    -----------------------

    There were no bad files quarantined by MBAM.

    WVCheck's HOSTS File Check

    -----------------------

    WVCheck found no bad lines in the hosts file.

    WVCheck's MD5 Check

    EXPERIMENTAL!!

    -----------------------

    user32.dll - b26b135ff1b9f60c9388b4a7d16f600b

    -------- End of File, program close at 1723_03-05-2011 --------

  2. Rooter:

    Rooter.exe (v1.0.2) by Eric_71

    .

    SeDebugPrivilege granted successfully ...

    .

    Windows XP . (5.1.2600) Service Pack 3

    [32_bits] - x86 Family 15 Model 2 Stepping 5, GenuineIntel

    .

    [wscsvc] STOPPED (state:1) : Security Center -> Disabled !

    [SharedAccess] RUNNING (state:4)

    Windows Firewall -> Enabled

    .

    Internet Explorer 8.0.6001.18702

    .

    A:\ [Removable]

    C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:157 Go )

    F:\ [Network] .. ( Total:76 Go - Free:16 Go )

    G:\ [Network] .. ( Total:76 Go - Free:16 Go )

    H:\ [Network] .. ( Total:76 Go - Free:16 Go )

    I:\ [Network] .. ( Total:76 Go - Free:16 Go )

    J:\ [Network] .. ( Total:76 Go - Free:16 Go )

    K:\ [Network] .. ( Total:76 Go - Free:16 Go )

    L:\ [Network] .. ( Total:76 Go - Free:16 Go )

    M:\ [Network] .. ( Total:76 Go - Free:16 Go )

    N:\ [Network] .. ( Total:76 Go - Free:16 Go )

    O:\ [Network] .. ( Total:76 Go - Free:16 Go )

    P:\ [Network] .. ( Total:76 Go - Free:16 Go )

    S:\ [CD_Rom]

    U:\ [Network] .. ( Total:76 Go - Free:16 Go )

    Y:\ [Network] .. ( Total:76 Go - Free:16 Go )

    Z:\ [Network] .. ( Total:76 Go - Free:16 Go )

    .

    Scan : 16:00.22

    Path : U:\Desktop\Rooter.exe

    User : AP2010 ( Administrator -> YES )

    .

    ----------------------\\ Processes

    .

    Locked [System Process] (0)

    ______ System (4)

    ______ \SystemRoot\System32\smss.exe (932)

    ______ \??\C:\WINDOWS\system32\csrss.exe (996)

    ______ \??\C:\WINDOWS\system32\winlogon.exe (1020)

    ______ C:\WINDOWS\system32\services.exe (1068)

    ______ C:\WINDOWS\system32\lsass.exe (1080)

    ______ C:\WINDOWS\system32\svchost.exe (1308)

    ______ C:\WINDOWS\system32\svchost.exe (1380)

    ______ C:\WINDOWS\System32\svchost.exe (1508)

    ______ C:\WINDOWS\system32\svchost.exe (1652)

    ______ C:\WINDOWS\system32\svchost.exe (1768)

    ______ C:\WINDOWS\system32\spoolsv.exe (1912)

    ______ C:\WINDOWS\system32\svchost.exe (176)

    ______ C:\Program Files\Symantec\pcAnywhere\awhost32.exe (352)

    ______ C:\Program Files\Java\jre6\bin\jqs.exe (496)

    ______ C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (640)

    ______ C:\Program Files\LogMeIn\x86\RaMaint.exe (952)

    ______ C:\Program Files\LogMeIn\x86\LogMeIn.exe (1092)

    ______ C:\WINDOWS\system32\nvsvc32.exe (1560)

    ______ C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (1640)

    ______ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (2004)

    ______ C:\WINDOWS\system32\svchost.exe (2032)

    ______ C:\Program Files\UPHClean\uphclean.exe (212)

    ______ C:\WINDOWS\system32\SearchIndexer.exe (296)

    ______ C:\WINDOWS\System32\alg.exe (2276)

    ______ C:\Program Files\LogMeIn\x86\LogMeIn.exe (3596)

    ______ C:\WINDOWS\Explorer.EXE (2628)

    ______ C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (764)

    ______ C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (1592)

    ______ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (1488)

    ______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (2208)

    ______ C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (3608)

    ______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (2756)

    ______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (2800)

    ______ C:\Program Files\Aladdin Systems\iClean\iClean.exe (2928)

    ______ C:\WINDOWS\system32\ctfmon.exe (2956)

    ______ C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (636)

    ______ C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe (3192)

    ______ C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe (3088)

    ______ C:\WINDOWS\system32\igfxsrvc.exe (3800)

    ______ C:\Program Files\Internet Explorer\iexplore.exe (2528)

    ______ C:\Program Files\Internet Explorer\iexplore.exe (1624)

    ______ C:\Program Files\Internet Explorer\iexplore.exe (3672)

    ______ U:\Desktop\Rooter.exe (3284)

    .

    ----------------------\\ Device\Harddisk0\

    .

    \Device\Harddisk0 [sectors : 63 x 512 Bytes]

    .

    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:250056705024)

    .

    ----------------------\\ Scheduled Tasks

    .

    C:\WINDOWS\Tasks\desktop.ini

    C:\WINDOWS\Tasks\SA.DAT

    .

    ----------------------\\ Registry

    .

    .

    ----------------------\\ Files & Folders

    .

    ----------------------\\ Scan completed at 16:00.27

    .

    U:\Rooter$\Rooter_1.txt - (03/05/2011 | 16:00.27)

  3. MBAM log after quick scan (I actually ran a full scan before visiting this site - here is the short version):

    5/3/2011 12:06 PM

    Scan type: Full scan (C:\|)

    Objects scanned: 573511

    Time elapsed: 44 minute(s), 26 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 1

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 3

    Then I ran the quickscan as per your instructions:

    Malwarebytes' Anti-Malware 1.50.1.1100

    www.malwarebytes.org

    Database version: 6499

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 8.0.6001.18702

    5/3/2011 3:20:16 PM

    mbam-log-2011-05-03 (15-20-16).txt

    Scan type: Quick scan

    Objects scanned: 190854

    Time elapsed: 3 minute(s), 51 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 2

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    c:\documents and settings\TEMP\application data\cleanhdd.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.

    c:\documents and settings\TEMP\application data\cleanhdd.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

  4. We are having an issue where, when we search in Google, Yahoo, etc., the search resolves to a malicious site (blocked by Trend Micro Worry Free Standard - Version 6.3).

    I ran Malwarebytes originally (before I found this site) and it removed a few problems - then, following your checklist, I ran ERUNT, OTM and Malwarebytes again. MBAM found some more of the same, and I am also in a conversation with them, as the software (version 6499) will not update to 6500. It gives the following error: PROGRAM_ERROR_UPDATING (0, 0, SGRegGetPath).

    Here is the OTM log:

    All processes killed

    ========== FILES ==========

    < ipconfig /flushdns /c >

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    U:\Desktop\cmd.bat deleted successfully.

    U:\Desktop\cmd.txt deleted successfully.

    ========== COMMANDS ==========

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator

    ->Temp folder emptied: 36012 bytes

    ->Temporary Internet Files folder emptied: 82389 bytes

    ->Java cache emptied: 0 bytes

    ->Flash cache emptied: 456 bytes

    User: administrator.TITLECO

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 33170 bytes

    User: All Users

    User: Andy

    ->Temp folder emptied: 37233 bytes

    ->Temporary Internet Files folder emptied: 54605 bytes

    ->Java cache emptied: 0 bytes

    User: AP2010

    ->Temp folder emptied: 107610326 bytes

    ->Temporary Internet Files folder emptied: 3326689 bytes

    ->Java cache emptied: 2945856 bytes

    ->Flash cache emptied: 43323 bytes

    User: Default User

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 33237 bytes

    User: NetworkService

    ->Temp folder emptied: 0 bytes

    ->Temporary Internet Files folder emptied: 33237 bytes

    User: TEMP

    ->Temp folder emptied: 596864 bytes

    ->Temporary Internet Files folder emptied: 122814 bytes

    ->Java cache emptied: 3340912 bytes

    ->Flash cache emptied: 43443 bytes

    %systemdrive% .tmp files removed: 0 bytes

    %systemroot% .tmp files removed: 2402044 bytes

    %systemroot%\System32 .tmp files removed: 2577 bytes

    %systemroot%\System32\dllcache .tmp files removed: 0 bytes

    %systemroot%\System32\drivers .tmp files removed: 0 bytes

    Windows Temp folder emptied: 33691441 bytes

    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 87194216 bytes

    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 231.00 mb

    Restore point Set: OTM Restore Point (0)

    OTM by OldTimer - Version 3.1.17.2 log created on 05032011_141901

    Files moved on Reboot...

    Registry entries deleted on Reboot...