Friday, December 30, 2011

Google redirect virus? Please help cleaning

Hi,

Seems I've been a bad boy and now I suspect I'm being punished with the Google redirect horror...
The symptoms match: iexplore.exe is open in the processes without IE running, any Google search redirects me to totally unrelated pages and lately my laptop frequently just freezes without any apparent error message. I've also been getting random popups saying I've won an iPad2 (generated by explorer.exe process); too bad I already have one...

Thanks a million already for your help!

Here are the required logs:

Mbam:
--------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122105

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

26/12/2011 11:59:28
mbam-log-2011-12-26 (11-59-27).txt

Scan type: Full scan (C:\|)
Objects scanned: 350682
Time elapsed: 1 hour(s), 14 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------------------------------------------------------------------------------------------

GMER:
--------------------------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-26 20:55:31
Windows 6.1.7600
Running: gxek03go.exe; Driver: C:\Users\VheymBB\AppData\Local\Temp\uwliipog.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37fcb2e9
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Bind ?????9??? ???-???r?????t?t??n* 49???? ???????|???????????d?j?????????u?????????????????d????????????????????????? ???????????????????????ir????????????????????????????????????????????R????? ???????e?????????????????f?g?h???g?????e????????@nettun.inf,%msft%;Microsof t???????????????????e?????????????????????????????????????????????:??????$? ??4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???horizationState?8}??????????????????????????Microsoft???????-2??????????????????Microsoft????????`?????????????eBC???????`?????????????? ?????????g???????????????????????????f??{4d36e97d-e325-11ce-bfc1-08002be10318}\0034??????f?f?j?j?l?l?i???????????????????????????p??6"??syst em32\DRIVERS\raspppoe.sys????????????????????????n????N???????????????????N ??????T????D03???MONITOR\SAM0373?????????????????t???????4m??? ??????????????s?????N???????????D??????t?t?????????t??????????????????????? ?N????????????D????????????@nettun.inf,%msft%;Microsoft?-???-????????????N????????????D????{4d36e972-e325-
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ???o????ndis5???? ???????o???????????o??????????6?*?????C???system32\drivers\battc.sys??????? ???????o?????o?? ??o????????$?`?,???????????N??o?????????e????@%SystemRoot%\system32\bdesvc. dll,-100????????????????????????????Z??o????????h?????%SystemRoot%\System32\svch ost.exe -k netsvcs????????????????t??????? ?????????????N??o?????????n????@%SystemRoot%\system32\bdesvc.dll,-101???????????o??????????? ???o??????????????localSystem?????????????????????????? B??o????????????????`??o???,??????????????SeChangeNotifyPrivilege?SeImperso natePrivilege????????,??o???????????????????????????????????????o?o?o?o?o?o ?o?o?o?o????? ???????o???????????o?,??????,?B??? ???????????????????????????????????%SystemRoot%\System32\bdesvc.dll????? ???????o???????????o??????????????????????????????0????????????????`??????? ????????????? ??????????? ?????????????????????????????????????????? ???????o?????????????,????????????????e??????o???o???o???o????? ???????o?????o???????????????????????????o????? ???????o???????????o????????????????0
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Bind ????er??????????????*6to4mp???????????????N???????????D??3???????e??{4d36e9 7d-e325-11ce-bfc1-08002be10318}\0012??????????????????????????????????/?????s?????g?g?k?k??????????:????????g?z?????????????????s7-???????9??? ???-???r?????t?t??n* 49???? ???????|???????????d?j?????????u?????????????????d????????????????????????? ???????????????????????ir????????????????????????????????????????????R????? ???????e?????????????????f?g?h???g?????e????????@nettun.inf,%msft%;Microsof t???????????????????e?????????????????????????????????????????????:??????$? ??4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???horizationState?8}??????????????????????????Microsoft???????-2??????????????????Microsoft????????`?????????????eBC???????`?????????????? ?????????g???????????????????????????f??{4d36e97d-e325-11ce-bfc1-08002be10318}\0034??????f?f?j?j?l?l?i???????????????????????????p??6"??syst em32\DRIVERS\raspppoe.sys????????????????????????n????N???????????????????N ??????T????D03???MONITOR\SAM0373????
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export ?????????????????????????????????k???k??????d_??????????????????? ???????2???????2???????????\??0.????????????N?????????????????? l?????????????????winusb.sys??HJ??????????tunnel?\C:??? ???????'???????'??????????????????? l??????????????????????????????????????????d????????????N????????????D????? l????????????ms_???????`???????????e??????ta???&????????????????????<?????? i??????????TD??????????????????d???????????????????????????????????b??????? ?????????????????????????????????g??disk.inf?????????????e???h??{745a17a0-74d3-11d0-b6fe-00a0c90f57da}?-51???????????x???????`?`?`?`?u?`?????e??????????disk.inf????????t?????????? ??????????????????????????A??????????????????????????????????????????????te xt?x???????k??????s)??int?????? ???????.???????????????k???-??b3???????q???????????l????0?????????????????????????????????????????????? ???? ?????????????????????1????????6???????????????????????????????volsnap.inf?? ???????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1???
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x06 0x63 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x65 0x78 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0C 0xF8 0xC1 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37fcb2e9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Bind ???p?q??? ???????T?????T?????-?,????????$???<???????????????????????????????????\\?\Root#volmgr#0000#{53f 5630e-b6bf-11d0-94f2-00a0c91efb8b}?????? ???????T???????????-?,????????z?????#?????LPTENUM\MicrosoftRawPort\5&b35a8ac&0&LPT1?????Z??U??? ????????????T??????????????????? ???????T?????????????,????????????&???????????????????????\\?\HDAUDIO#FUNC_ 01&VEN_8384&DEV_76A0&SUBSYS_102801FE&REV_1002#4&26492402&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\eMuxedCaptureTopo???\\?\HDAUDIO#FUNC_01&VEN_8384&DEV_76A0&SUB SYS_102801FE&REV_1002#4&26492402&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\eMuxedCaptureWave???\\?\LPTENUM#MicrosoftRawPort#5&b35a8ac&0& LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}????\\?\DISPLAY#AUO2274#4&2615384a&0&UID67568640#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}?????\\?\DISPLAY#DELA02E#4&2615384a&0&UID50529024#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}?????ACPI\PNP0501\4&1d374948&0????????U????????????????4??U??? ????????????????U???????????????????.??????s???USBSTOR\Disk&Ven_2.0&Prod_&R ev_5.00\2609090
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Export ???q?q??tunnel????????????????????????????????N??s????????h???????6??z????? ???h?????? :??????i?????{57???r?r????TDI?????Cryptography????????????????????????.NT?? ???????????? ???????o???????????p????????(?4?]??????????????????5????????????????????????6??q?????????e?????????????????| ???|?????????????g????????????????????Tdx?nsi?????RpcSs???????Pointer Class?????X??t?????????e?????p???p?q?q??????????????????em??6-21-2006?????????????V????????????n????? ???????o?????q????Pq?2??????$?h?_???????????N??p?????????e????@%SystemRoot% \System32\dnsapi.dll,-101???????????p??????p?????h??p????????h?????%SystemRoot%\system32\svchost. exe -k NetworkService???????N??p?????????n????@%SystemRoot%\System32\dnsapi.dll,-102?????????q0????p??? 8??p??????????????NT AUTHORITY\NetworkService????????????????????????????q????TDI??????????????? ??t??????? ?????????????,? q???????????????????p???????????e??????????????????????? F??q???????????????q????b??p??????????????????SeChangeNotifyPrivilege?SeCre ateGlobalPrivilege??????????q?????????
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Bind ???`?k?????_???_????????2????????????????[?\?\??????d???????????????1???????????????1???????????????5???????????????1 ???????????????d???????????????1???????????????1???????????????? ???????\???????????-?*??????????????6??????z?_?|???????/??????s????????`??? ???????[???????????/?*??????????????0???????N??a?????????D????*6to4mp??????`?`?_???|?|?|??????? ???????t????????????????]??????????????????????USB???????t?????????????{4d36e972-e325-11ce-bfc1-08002be10318}?fig????N??f???.???????e????d??|????????h???????6??h?????????? ???n?3??? ???h???/?????0?/??blbdrive????????1???????????????2???????????????1???????????????5???????? ????????????\??????????5???????????????1????????????[?\?\???[??????????????? ???????[???????????[?*???????? ??????x86??? ???????[?????????????*??????@??????????????????`???????????_???????????|?|?|???`??? `???f?f?f???e?e????????????????????????? V??g???????????????}?v?|???????????????????????????????|??????????????????? ??????????????ACPI\PNP0103?*PNP0103??dIn???????????|??????????? .??e???e?????
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export ?????\???????:???????????????0??????????????????????????l?????????????????? ??????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ???MSAFD NetBIOS [\Device\NetBT_Tcpip6_{C721F45B-645C-452F-9AF9-D331521F7186}] DATAGRAM 23????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ?????????????????????????????????????????l????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ???????????????????????????????????????????????????????????????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{01A05210-FE2A-4176-B455-431976E5CE25}] SEQPACKET 22????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ????????????????????????????????????????l?????????????????????????????????? ????????????????????????????????????
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x06 0x63 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x65 0x78 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD7 0x0C 0xF8 0xC1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 112
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@CrawlType 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@DoneAddingCrawlSeeds 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\113@LogStartAddId 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 113

---- EOF - GMER 1.0.15 ----
--------------------------------------------------------------------------------------------------------------------------------------

DDS also freezes my laptop or just runs for hours without generating anything.

Doing my own research I came across "bootkit remover"; unfortunately, no success...
Here are the results.

Just opening the boot_cleaner.exe:
--------------------------------------------------------------------------------------------------------------------------------------
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Enterprise Edition (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`075a9e00

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]

Done;
Press any key to quit...
--------------------------------------------------------------------------------------------------------------------------------------

When running this script:
--------------------------------------------------------------------------------------------------------------------------------------
@ECHO OFF
REM START with no arguments opens a separate command window
START
REM Ask Bootkit Remover to restore the boot code of the first physical disk
boot_cleaner.exe fix \\.\PhysicalDrive0
EXIT
--------------------------------------------------------------------------------------------------------------------------------------

I get:
--------------------------------------------------------------------------------------------------------------------------------------
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Enterprise Edition (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`075a9e00
Restoring boot code at \\.\PhysicalDrive0...
ATA_Write(): DeviceIoControl() ERROR 1
ERROR: Can't write first sector of the disk.

Done;
Press any key to quit...
--------------------------------------------------------------------------------------------------------------------------------------

Source: http://www.techspot.com/vb/topic175253.html
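The remover reports the MBR as "Controlled by rootkit!" but cannot write the first sector (DeviceIoControl error 1). When the fix step fails like that, the next thing a responder wants is to look at the sector themselves: the tool's `dump` command writes the master boot sector to a file, and that 512-byte image can be checked offline against a known-good copy from a clean machine of the same build. The script below is an added example and is not part of the original post, of Esage Lab's tool, or of any of the scanners in the logs. It assumes a 512-byte dump as produced by `remover.exe dump` and a baseline MBR image from a trusted system; the sample bytes inside it are constructed, and the LBA start value 240975 is only chosen so that the computed partition offset matches the `0x075a9e00` shown in the output above.

```python
"""Offline triage of a 512-byte MBR dump (added example, not from the original post)."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446           # bootstrap code occupies bytes 0..445
PART_ENTRY_SIZE = 16
PART_ENTRY_COUNT = 4


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry (CHS fields are skipped)."""
    boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": boot_flag == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Return signature status, bootstrap hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d bytes" % (SECTOR_SIZE, len(sector)))
    entries = []
    for i in range(PART_ENTRY_COUNT):
        start = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = parse_partition_entry(sector[start:start + PART_ENTRY_SIZE])
        if entry["type"] != 0:          # type 0 means an unused slot
            entries.append(entry)
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "bootstrap_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": entries}


def partition_byte_offset(lba_start):
    """Byte offset of a partition on the physical disk (what the tool prints as 'at offset')."""
    return lba_start * SECTOR_SIZE


def compare_bootstrap(suspect, baseline):
    """Offsets inside the bootstrap region where the suspect sector differs from the baseline."""
    return [i for i in range(PART_TABLE_OFFSET) if suspect[i] != baseline[i]]


def triage(suspect, baseline):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    info = parse_mbr(suspect)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    diff = compare_bootstrap(suspect, baseline)
    if diff:
        findings.append("bootstrap code differs from baseline at %d byte(s), first at offset %d"
                        % (len(diff), diff[0]))
    return findings


def build_sample_mbr(bootstrap, lba_start, sectors, with_signature=True):
    """Constructed sample sector for demonstration; not a real disk image."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    # one active NTFS-type (0x07) partition in slot 0, CHS fields left as zero padding
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, lba_start, sectors)
    if with_signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed bootstrap regions: a "known good" one and one with its first bytes patched.
BASELINE_BOOTSTRAP = b"CONSTRUCTED-BASELINE-BOOTSTRAP".ljust(PART_TABLE_OFFSET, b"\x00")
TAMPERED_BOOTSTRAP = b"XYZ" + BASELINE_BOOTSTRAP[3:]


def demo():
    """Run the triage on the constructed samples and return the findings."""
    baseline = build_sample_mbr(BASELINE_BOOTSTRAP, 240975, 1000)
    suspect = build_sample_mbr(TAMPERED_BOOTSTRAP, 240975, 1000)
    return triage(suspect, baseline)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python mbr_triage.py <dump_from_remover> <baseline_mbr>
        with open(sys.argv[1], "rb") as f:
            suspect_img = f.read(SECTOR_SIZE)
        with open(sys.argv[2], "rb") as f:
            baseline_img = f.read(SECTOR_SIZE)
        print(triage(suspect_img, baseline_img) or ["no findings"])
    else:
        print(demo())
```

The comparison deliberately covers only the first 446 bytes: the partition table and signature are expected to differ between machines, while the bootstrap code of a given Windows build should not. A mismatch there is a reason to rebuild the boot sector from trusted media rather than proof of a specific infection, and a missing signature on a disk that still boots is a sign the dump itself is wrong.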

