
Yeah, unfortunately, my IE and Firefox browser searches with Google and Yahoo are being redirected. Running Windows XP SP3 on a Toshiba Satellite laptop. I have scanned with Spybot, Malwarebytes, SASpyware, and the Microsoft Removal Tool. MBAM found one registry problem, and Spybot found one infected file, but they did not resolve the redirects. The others detected no issues.

I have read the numerous posts on this as well as other forums (seems like an abundance) on this topic and have attempted as many of the "fixes" as I felt comfortable doing. I was tempted to try ComboFix, but saw many warnings against using it without proper direction, so I didn't. Nothing has resolved the issue.

Also, I have discovered that at the same time the search redirect problem started, I could no longer get the computer to hibernate. It goes to the "Preparing to hibernate..." screen, but then immediately flashes back to the desktop. FWIW, these problems all started after I had been looking at some stuff on YouTube.

I have read and gone through the "Read me before posting" thread and gone through the Initial Cleaning Process.

I am the DIY type and get a lot of satisfaction from fixing things myself, but I have gotten so frustrated and have now reached the end of my rope. I hate to admit defeat, but I would appreciate any suggestions.

Rich B.

Attachments
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4234

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/24/10 2:54:01 PM
mbam-log-2010-06-24 (14-54-01).txt

Scan type: Quick scan
Objects scanned: 136545
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Visicom Media (Adware.KeenValue) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I am the DIY type and get a lot of satisfaction from fixing things myself, but I have gotten so frustrated and have now reached the end of my rope. I hate to admit defeat, but I would appreciate any suggestions.

Hi Rich,

Sorry for the delay - we just don't have many volunteers these days.

Combofix would probably be a good next step. However, given that your logs are for the most part clean, let's try a more direct approach and see what shakes out:

Please download TDSSKiller.zip and Extract TDSSKiller.exe from the ZIP to your Desktop.
-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. If you get a Hidden service detected message, DO NOT take any action. Just press ENTER and allow the tool to continue.

Once it finishes, please post the C:\LogIt.txt for me. Just copy & paste it into your reply.

Let me know if there are any problems along the way. I'll check back as time permits.

Best Luck :)
PP


Can it really be this easy?! Wow, That seems, so far, to have done the trick. No more search redirects in either FF or IE, both loading pages faster too. "Hibernate" issue resolved also.

Looks like TDSSKiller did the job. Problem appears to be infected "C:\WINDOWS\system32\DRIVERS\netbt.sys" file. Log attached.

Thank you, thank you, thank you many times over PhilliePhan!

Rich B.

Attachments
10:08:44:340 3028	TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
10:08:44:340 3028	================================================================================
10:08:44:340 3028	SystemInfo:

10:08:44:340 3028	OS Version: 5.1.2600 ServicePack: 3.0
10:08:44:340 3028	Product type: Workstation
10:08:44:340 3028	ComputerName: TOSHIBA-USER
10:08:44:340 3028	UserName: Owner
10:08:44:340 3028	Windows directory: C:\WINDOWS
10:08:44:340 3028	Processor architecture: Intel x86
10:08:44:340 3028	Number of processors: 1
10:08:44:340 3028	Page size: 0x1000
10:08:44:340 3028	Boot type: Normal boot
10:08:44:340 3028	================================================================================
10:08:44:700 3028	Initialize success
10:08:44:700 3028	
10:08:44:700 3028	Scanning	Services ...
10:08:45:201 3028	Raw services enum returned 394 services
10:08:45:201 3028	
10:08:45:201 3028	Scanning	Drivers ...
10:08:46:903 3028	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:08:46:923 3028	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
10:08:46:964 3028	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:08:47:024 3028	AegisP          (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
10:08:47:084 3028	AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
10:08:47:294 3028	AgereSoftModem  (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
10:08:47:534 3028	Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
10:08:47:645 3028	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:08:47:685 3028	atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:08:47:725 3028	Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:08:47:775 3028	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:08:47:825 3028	AvgLdx86        (9c0a7e6d3cb9a8a7ad4e4575d9a42e94) C:\WINDOWS\system32\Drivers\avgldx86.sys
10:08:47:975 3028	AvgMfx86        (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
10:08:48:015 3028	AvgTdiX         (6e11bbc8dc5af836adc9c5f682fa3186) C:\WINDOWS\system32\Drivers\avgtdix.sys
10:08:48:105 3028	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:08:48:135 3028	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:08:48:195 3028	CdaC15BA        (82c4c6a2343b592c4fd590f625a724a9) C:\WINDOWS\system32\drivers\CDAC15BA.SYS
10:08:48:205 3028	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:08:48:265 3028	Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:08:48:406 3028	Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:08:48:446 3028	CmBatt          (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
10:08:48:536 3028	Compbatt        (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
10:08:48:576 3028	Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:08:48:616 3028	DLABOIOM        (efae981c8ba3dad4103a76bcb5955b07) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
10:08:48:636 3028	DLACDBHM        (8d45ac148fd8c1a25204aeca1397fa7e) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
10:08:48:656 3028	DLADResN        (3e34a0991efdaf8cfa97441c3a51fc81) C:\WINDOWS\system32\DLA\DLADResN.SYS
10:08:48:676 3028	DLAIFS_M        (2aef49904bde7398d0f09b6a603738ef) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
10:08:48:686 3028	DLAOPIOM        (46fa268a829384256179f4ccb6eb308f) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
10:08:48:696 3028	DLAPoolM        (26e89839af248625a4e7c4cf5873375d) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
10:08:48:716 3028	DLARTL_N        (94accf8f7b87fbeaa27266927319e6ba) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
10:08:48:746 3028	DLAUDFAM        (5e914bd7f68dde3fb4bffe005162c1e6) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
10:08:48:816 3028	DLAUDF_M        (8c3cfb22a7fb3be67e0c321fa10b8b50) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
10:08:48:916 3028	dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:08:48:996 3028	dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:08:49:027 3028	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:08:49:067 3028	DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:08:49:087 3028	drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:08:49:137 3028	DRVMCDB         (ab6c5c26fff9b3c456aeaf7e0093c2fe) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
10:08:49:277 3028	DRVNDDM         (4a307ade1638d9358b6e
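The log Rich attached is the useful artefact in this thread: TDSSKiller prints a service name, an MD5 and a path for every loaded driver, so a system driver that has been patched in place (netbt.sys here) shows up as a hash that no longer matches a known-good copy. The script below is an added example, not code from the thread or from TDSSKiller. It parses lines in that log format and compares each hash with a baseline. SAMPLE_LOG and BASELINE are constructed for the demonstration: the ACPI, AvgTdiX and Beep lines are copied from the attachment, while the NetBT line and both netbt.sys hashes are placeholders, not real values.

```python
"""Added example: parse the driver section of a TDSSKiller log and flag
drivers whose MD5 differs from a trusted baseline. Illustration code for
this thread, not part of TDSSKiller; the baseline is hypothetical."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Shape of a "Scanning Drivers" line in the TDSSKiller 2.3.x log:
#   HH:MM:SS:mmm <pid><tab><service name>  (<md5>) <path to .sys>
DRIVER_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)


@dataclass
class DriverEntry:
    time: str
    name: str
    md5: str
    path: str


@dataclass
class Mismatch:
    name: str
    path: str
    expected: str
    actual: str


def parse_driver_lines(log_text: str) -> List[DriverEntry]:
    """One DriverEntry per driver line. Banner, SystemInfo and blank lines
    do not match the pattern and are skipped rather than raising."""
    entries: List[DriverEntry] = []
    for raw in log_text.splitlines():
        m = DRIVER_LINE.match(raw)
        if m:
            entries.append(DriverEntry(m["time"], m["name"], m["md5"].lower(), m["path"]))
    return entries


def find_mismatches(entries: List[DriverEntry], baseline: Dict[str, str]) -> List[Mismatch]:
    """Drivers whose logged hash differs from the baseline. Paths are compared
    case-insensitively because XP logs mix System32\\drivers and system32\\DRIVERS."""
    found: List[Mismatch] = []
    for e in entries:
        expected = baseline.get(e.path.lower())
        if expected is not None and expected.lower() != e.md5:
            found.append(Mismatch(e.name, e.path, expected.lower(), e.md5))
    return found


def unlisted_drivers(entries: List[DriverEntry], baseline: Dict[str, str]) -> List[str]:
    """Drivers the baseline does not know at all: worth a look, not proof of anything."""
    return [e.name for e in entries if e.path.lower() not in baseline]


def md5_of_file(path: str) -> str:
    """Re-hash a driver on disk to cross-check the scanner's value on a live box.
    A rootkit that filters file reads can hand this function a clean image, so
    treat agreement here as weak evidence and a scanner/baseline mismatch as strong."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log (placeholder hash for the made-up NetBT line).
LOGGED_NETBT_MD5 = "b" * 32
SAMPLE_LOG = "\n".join([
    "10:08:44:340 3028\tSystemInfo:",
    "10:08:45:201 3028\tScanning\tDrivers ...",
    "10:08:46:903 3028\tACPI            (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys",
    "10:08:48:015 3028\tAvgTdiX         (6e11bbc8dc5af836adc9c5f682fa3186) C:\\WINDOWS\\system32\\Drivers\\avgtdix.sys",
    "10:08:48:105 3028\tBeep            (da1f27d85e0d1525f6621372e7b685e9) C:\\WINDOWS\\system32\\drivers\\Beep.sys",
    f"10:08:50:000 3028\tNetBT           ({LOGGED_NETBT_MD5}) C:\\WINDOWS\\system32\\DRIVERS\\netbt.sys",
])

# Hypothetical baseline of known-good MD5s keyed by lower-cased path. In practice it
# would come from a clean XP SP3 install or a trusted hash set; the netbt.sys value is
# a placeholder chosen only to differ from the logged one.
BASELINE: Dict[str, str] = {
    "c:\\windows\\system32\\drivers\\acpi.sys": "8fd99680a539792a30e97944fdaecf17",
    "c:\\windows\\system32\\drivers\\avgtdix.sys": "6e11bbc8dc5af836adc9c5f682fa3186",
    "c:\\windows\\system32\\drivers\\netbt.sys": "a" * 32,
}


def report(log_text: str, baseline: Dict[str, str]) -> List[str]:
    """Findings as text: MISMATCH lines first, then UNLISTED driver names."""
    entries = parse_driver_lines(log_text)
    lines = [f"MISMATCH {m.name}: {m.path} expected {m.expected} got {m.actual}"
             for m in find_mismatches(entries, baseline)]
    lines += [f"UNLISTED {n}" for n in unlisted_drivers(entries, baseline)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, BASELINE):
        print(line)
```

On a real case you would feed `report()` the C:\LogIt.txt produced by the command PhilliePhan gave and a baseline built from a known-clean machine at the same service pack level. The unlisted list is deliberately separate from the mismatch list: third-party drivers such as the AVG and DLA entries above will never be in a Microsoft-only baseline, and treating them as findings would bury the one line that matters.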

Can it really be this easy?! Wow, That seems, so far, to have done the trick.....
Thank you, thank you, thank you many times over PhilliePhan!

You're welcome - Happy to help!

These days it seems I only have time for these "quick and easy" threads ;)

Anyhoo, I took a quick glance at your Attach.txt. It's good that you updated Java - you should also take a minute and update your Adobe Reader as well. And, you might want to give Limewire the boot - P2P is increasingly dangerous these days.

Other than those, I really didn't have a chance to pore over the logs. Given the MBAM log and lack of symptoms, though, I'd wager you're good to go.

Cheers :)
PP
