Startropic1
2012-03-30, 17:56
So I have run into the problem of having my google search results redirect to spam sites. I did run Spybot and got rid of the stuff it detected, as well as running hijackthis and destroying items in the log that I could identify as not my legit software.
Here's the DDS log:
.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.2.0
Run by Joshua at 10:46:43 on 2012-03-30
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {9565115D-C7D6-46D3-BD63-B67B481A4368} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: VShareToolBar: {7ac3e13b-3bca-4158-b330-f66dbb03c1b5} - c:\program files\vshare.tv plugin\BarLcher.dll
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\joshua.northorphq.003\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [RemoteCenter] c:\program files\creative\sblive\remotecenter\rc\Rcman.exe
uRun: [Steam] "d:\games\sierra\valve\Steam.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NeroFilterCheck] c:\windows.0\system32\NeroCheck.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector10\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector10" updatewithcreateonce "software\cyberlink\powerdirector\10.0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\joshua.northorphq.003\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: the506.com
Trusted Zone: the506.com\www
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15118/CTPID.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{15766AB2-C498-49C2-9079-1FE40F8D06C2} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{42DE0B09-5D7A-4D4F-AB53-0DD93B767FCC} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows.0\system32\rundll32.exe c:\windows.0\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joshua.northorphq.003\application data\mozilla\firefox\profiles\zj8xy7h1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com//?loc=ff_address_bar&a=DidCEEIT1u&search=
FF - plugin: c:\documents and settings\joshua.northorphq.003\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPGetRt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\tabletplugins\npWacomTabletPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - 4029fc6c-7641-4e23-9d01-58092114d645
FF - user.js: extentions.y2layers.defaultEnableAppsList - PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,SanitySwitch,PageRage,PageRageGlobal,
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-03-29 15:40:52 -------- d-----w- c:\documents and settings\all users.windows.0\application data\Spybot - Search & Destroy
2012-03-14 13:29:57 -------- d-----w- c:\program files\common files\ODBC
2012-03-13 03:41:47 -------- d-----w- c:\windows.0\Performance
2012-03-13 03:41:39 -------- d-----w- c:\documents and settings\joshua.northorphq.003\local settings\application data\Microsoft Corporation
2012-03-13 03:41:21 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-09 15:35:14 -------- d-----w- c:\documents and settings\joshua.northorphq.003\application data\Boilsoft
2012-03-09 15:35:12 -------- d-----w- c:\program files\Boilsoft
2012-03-01 08:25:37 876864 ------w- c:\windows.0\system32\nvhdagenco3220103.dll
2012-03-01 08:25:37 27968 ----a-w- c:\windows.0\system32\nvhdap32.dll
2012-03-01 08:25:37 123712 ----a-w- c:\windows.0\system32\drivers\nvhda32.sys
2012-03-01 07:56:28 -------- d-----w- c:\program files\common files\Creative Labs Shared
2012-03-01 07:25:39 -------- d-----w- c:\windows.0\system32\Lang
2012-03-01 07:24:52 17488 ----a-w- c:\windows.0\gdrv.sys
2012-03-01 07:19:59 2815592 ----a-w- c:\windows.0\ALCWZRD.EXE
2012-03-01 07:19:58 285288 ----a-w- c:\windows.0\system32\ALSNDMGR.CPL
2012-03-01 07:19:58 1691480 ----a-w- c:\windows.0\system32\drivers\Ambfilt.sys
2012-03-01 07:19:57 -------- d-----w- c:\program files\Realtek
2012-03-01 07:19:50 1284712 ------r- c:\windows.0\RtlExUpd.dll
2012-03-01 07:18:47 53248 ----a-r- c:\windows.0\system32\CSVer.dll
2012-03-01 07:17:21 -------- d--h--w- c:\documents and settings\all users.windows.0\application data\{8533ADFA-85F0-4dc1-946A-2A0BA58E78E3}
2012-03-01 07:17:17 -------- d-----w- c:\documents and settings\joshua.northorphq.003\application data\Splashtop
2012-03-01 07:16:16 -------- d-----w- c:\program files\Gigabyte
2012-03-01 07:14:57 20608 ----a-w- c:\windows.0\system32\drivers\usbuhci.sys
2012-03-01 07:14:57 20608 ----a-w- c:\windows.0\system32\dllcache\usbuhci.sys
2012-03-01 07:13:17 207400 ----a-r- c:\windows.0\GSetup.exe
.
==================== Find3M ====================
.
2012-03-13 15:28:42 294008 ----a-w- c:\windows.0\system32\nvdrsdb1.bin
2012-03-13 15:28:42 1 ----a-w- c:\windows.0\system32\nvdrssel.bin
2012-03-13 15:28:38 294008 ----a-w- c:\windows.0\system32\nvdrsdb0.bin
2012-03-08 20:41:26 230808 ----a-r- c:\windows.0\system32\cpnprt2.cid
2012-03-01 07:55:40 445016 ----a-w- c:\windows.0\system32\wrap_oal.dll
2012-03-01 07:55:40 109144 ----a-w- c:\windows.0\system32\OpenAL32.dll
2012-02-29 23:58:00 881984 ----a-w- c:\windows.0\system32\nvgenco32.dll
2012-02-29 23:58:00 65536 ----a-w- c:\windows.0\system32\OpenCL.dll
2012-02-29 23:58:00 5918720 ----a-w- c:\windows.0\system32\nvcuda.dll
2012-02-29 23:58:00 4309760 ----a-w- c:\windows.0\system32\nv4_disp.dll
2012-02-29 23:58:00 2522944 ----a-w- c:\windows.0\system32\nvcuvid.dll
2012-02-29 23:58:00 2437440 ----a-w- c:\windows.0\system32\nvcuvenc.dll
2012-02-29 23:58:00 2291712 ----a-w- c:\windows.0\system32\nvapi.dll
2012-02-29 23:58:00 18624512 ----a-w- c:\windows.0\system32\nvoglnt.dll
2012-02-29 23:58:00 17534976 ----a-w- c:\windows.0\system32\nvcompiler.dll
2012-02-29 23:58:00 13417632 ----a-w- c:\windows.0\system32\drivers\nv4_mini.sys
2012-02-29 23:58:00 1000256 ----a-w- c:\windows.0\system32\nvdispco32.dll
2012-02-29 20:30:32 54272 ----a-w- c:\windows.0\system32\nvwddi.dll
2012-02-29 20:30:26 15494464 ----a-w- c:\windows.0\system32\nvcpl.dll
2012-02-29 20:30:26 143680 ----a-w- c:\windows.0\system32\nvcolor.exe
2012-02-29 20:30:24 164160 ----a-w- c:\windows.0\system32\nvsvc32.exe
2012-02-29 20:30:24 108352 ----a-w- c:\windows.0\system32\nvmctray.dll
2012-02-22 14:39:10 141312 ----a-w- c:\windows.0\system32\javacpl.cpl
2012-02-22 14:39:08 637848 ----a-w- c:\windows.0\system32\npdeployJava1.dll
2012-02-22 14:39:08 567184 ----a-w- c:\windows.0\system32\deployJava1.dll
2012-02-20 13:54:24 414368 ----a-w- c:\windows.0\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows.0\system32\win32k.sys
2012-01-31 15:12:38 4423680 ----a-w- c:\windows.0\system32\SET1A.tmp
2012-01-11 18:06:48 3072 ------w- c:\windows.0\system32\iacenc.dll
2012-01-09 16:20:26 139784 ----a-w- c:\windows.0\system32\drivers\rdpwd.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L300R0 rev.BAH41E00 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A87149F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a878740]; MOV EAX, [0x8a8788b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A93EAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000070[0x8A902F18]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A980940]
\Driver\atapi[0x8A901BB8] -> IRP_MJ_CREATE -> 0x8A87149F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8712C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:48:26.19 ===============
Edit
Hopefully this helps anyone else running into this problem. :police:Forum sticky. ;)
Note that all instructions given are customized for that member's personal computer only, the tools used may cause damage if run on a machine with different specs/infections. Please do not take fixes given to another user and apply to your own machine.
If someone posts instructions in their own topic, "this worked for me", it will be removed, possibly without notice. Just so you know. :)
http://forums.spybot.info/showthread.php?t=288
Here's the DDS log:
.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.2.0
Run by Joshua at 10:46:43 on 2012-03-30
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchAssistant =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {9565115D-C7D6-46D3-BD63-B67B481A4368} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: VShareToolBar: {7ac3e13b-3bca-4158-b330-f66dbb03c1b5} - c:\program files\vshare.tv plugin\BarLcher.dll
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\joshua.northorphq.003\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [RemoteCenter] c:\program files\creative\sblive\remotecenter\rc\Rcman.exe
uRun: [Steam] "d:\games\sierra\valve\Steam.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NeroFilterCheck] c:\windows.0\system32\NeroCheck.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector10\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector10" updatewithcreateonce "software\cyberlink\powerdirector\10.0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\mlbtvn~1.lnk - c:\documents and settings\joshua.northorphq.003\local settings\application data\autobahn\mlb-nexdef-autobahn.exe
StartupFolder: c:\docume~1\joshua~1.003\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: the506.com
Trusted Zone: the506.com\www
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15118/CTPID.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{15766AB2-C498-49C2-9079-1FE40F8D06C2} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{42DE0B09-5D7A-4D4F-AB53-0DD93B767FCC} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows.0\system32\rundll32.exe c:\windows.0\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joshua.northorphq.003\application data\mozilla\firefox\profiles\zj8xy7h1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com//?loc=ff_address_bar&a=DidCEEIT1u&search=
FF - plugin: c:\documents and settings\joshua.northorphq.003\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPGetRt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\tabletplugins\npWacomTabletPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - 4029fc6c-7641-4e23-9d01-58092114d645
FF - user.js: extentions.y2layers.defaultEnableAppsList - PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,SanitySwitch,PageRage,PageRageGlobal,
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-03-29 15:40:52 -------- d-----w- c:\documents and settings\all users.windows.0\application data\Spybot - Search & Destroy
2012-03-14 13:29:57 -------- d-----w- c:\program files\common files\ODBC
2012-03-13 03:41:47 -------- d-----w- c:\windows.0\Performance
2012-03-13 03:41:39 -------- d-----w- c:\documents and settings\joshua.northorphq.003\local settings\application data\Microsoft Corporation
2012-03-13 03:41:21 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2012-03-09 15:35:14 -------- d-----w- c:\documents and settings\joshua.northorphq.003\application data\Boilsoft
2012-03-09 15:35:12 -------- d-----w- c:\program files\Boilsoft
2012-03-01 08:25:37 876864 ------w- c:\windows.0\system32\nvhdagenco3220103.dll
2012-03-01 08:25:37 27968 ----a-w- c:\windows.0\system32\nvhdap32.dll
2012-03-01 08:25:37 123712 ----a-w- c:\windows.0\system32\drivers\nvhda32.sys
2012-03-01 07:56:28 -------- d-----w- c:\program files\common files\Creative Labs Shared
2012-03-01 07:25:39 -------- d-----w- c:\windows.0\system32\Lang
2012-03-01 07:24:52 17488 ----a-w- c:\windows.0\gdrv.sys
2012-03-01 07:19:59 2815592 ----a-w- c:\windows.0\ALCWZRD.EXE
2012-03-01 07:19:58 285288 ----a-w- c:\windows.0\system32\ALSNDMGR.CPL
2012-03-01 07:19:58 1691480 ----a-w- c:\windows.0\system32\drivers\Ambfilt.sys
2012-03-01 07:19:57 -------- d-----w- c:\program files\Realtek
2012-03-01 07:19:50 1284712 ------r- c:\windows.0\RtlExUpd.dll
2012-03-01 07:18:47 53248 ----a-r- c:\windows.0\system32\CSVer.dll
2012-03-01 07:17:21 -------- d--h--w- c:\documents and settings\all users.windows.0\application data\{8533ADFA-85F0-4dc1-946A-2A0BA58E78E3}
2012-03-01 07:17:17 -------- d-----w- c:\documents and settings\joshua.northorphq.003\application data\Splashtop
2012-03-01 07:16:16 -------- d-----w- c:\program files\Gigabyte
2012-03-01 07:14:57 20608 ----a-w- c:\windows.0\system32\drivers\usbuhci.sys
2012-03-01 07:14:57 20608 ----a-w- c:\windows.0\system32\dllcache\usbuhci.sys
2012-03-01 07:13:17 207400 ----a-r- c:\windows.0\GSetup.exe
.
==================== Find3M ====================
.
2012-03-13 15:28:42 294008 ----a-w- c:\windows.0\system32\nvdrsdb1.bin
2012-03-13 15:28:42 1 ----a-w- c:\windows.0\system32\nvdrssel.bin
2012-03-13 15:28:38 294008 ----a-w- c:\windows.0\system32\nvdrsdb0.bin
2012-03-08 20:41:26 230808 ----a-r- c:\windows.0\system32\cpnprt2.cid
2012-03-01 07:55:40 445016 ----a-w- c:\windows.0\system32\wrap_oal.dll
2012-03-01 07:55:40 109144 ----a-w- c:\windows.0\system32\OpenAL32.dll
2012-02-29 23:58:00 881984 ----a-w- c:\windows.0\system32\nvgenco32.dll
2012-02-29 23:58:00 65536 ----a-w- c:\windows.0\system32\OpenCL.dll
2012-02-29 23:58:00 5918720 ----a-w- c:\windows.0\system32\nvcuda.dll
2012-02-29 23:58:00 4309760 ----a-w- c:\windows.0\system32\nv4_disp.dll
2012-02-29 23:58:00 2522944 ----a-w- c:\windows.0\system32\nvcuvid.dll
2012-02-29 23:58:00 2437440 ----a-w- c:\windows.0\system32\nvcuvenc.dll
2012-02-29 23:58:00 2291712 ----a-w- c:\windows.0\system32\nvapi.dll
2012-02-29 23:58:00 18624512 ----a-w- c:\windows.0\system32\nvoglnt.dll
2012-02-29 23:58:00 17534976 ----a-w- c:\windows.0\system32\nvcompiler.dll
2012-02-29 23:58:00 13417632 ----a-w- c:\windows.0\system32\drivers\nv4_mini.sys
2012-02-29 23:58:00 1000256 ----a-w- c:\windows.0\system32\nvdispco32.dll
2012-02-29 20:30:32 54272 ----a-w- c:\windows.0\system32\nvwddi.dll
2012-02-29 20:30:26 15494464 ----a-w- c:\windows.0\system32\nvcpl.dll
2012-02-29 20:30:26 143680 ----a-w- c:\windows.0\system32\nvcolor.exe
2012-02-29 20:30:24 164160 ----a-w- c:\windows.0\system32\nvsvc32.exe
2012-02-29 20:30:24 108352 ----a-w- c:\windows.0\system32\nvmctray.dll
2012-02-22 14:39:10 141312 ----a-w- c:\windows.0\system32\javacpl.cpl
2012-02-22 14:39:08 637848 ----a-w- c:\windows.0\system32\npdeployJava1.dll
2012-02-22 14:39:08 567184 ----a-w- c:\windows.0\system32\deployJava1.dll
2012-02-20 13:54:24 414368 ----a-w- c:\windows.0\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows.0\system32\win32k.sys
2012-01-31 15:12:38 4423680 ----a-w- c:\windows.0\system32\SET1A.tmp
2012-01-11 18:06:48 3072 ------w- c:\windows.0\system32\iacenc.dll
2012-01-09 16:20:26 139784 ----a-w- c:\windows.0\system32\drivers\rdpwd.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L300R0 rev.BAH41E00 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A87149F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a878740]; MOV EAX, [0x8a8788b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A93EAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000070[0x8A902F18]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A980940]
\Driver\atapi[0x8A901BB8] -> IRP_MJ_CREATE -> 0x8A87149F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8712C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:48:26.19 ===============
Edit
Hopefully this helps anyone else running into this problem. :police:Forum sticky. ;)
Note that all instructions given are customized for that member's personal computer only, the tools used may cause damage if run on a machine with different specs/infections. Please do not take fixes given to another user and apply to your own machine.
If someone posts instructions in their own topic, "this worked for me", it will be removed, possibly without notice. Just so you know. :)
http://forums.spybot.info/showthread.php?t=288