redirecting to other search engines

hi

Not always, but sometimes my Google home page will be redirected to some other search engines, thanks to my brothers installing some free software recently. I want my system to be clean, but I’m afraid because I feel a little fishy about my computer’s behaviour. Please help.

Start with this: run a quick scan.

Malwarebytes Anti-Malware 1.51: http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest signatures before you scan.
Click on the Remove Selected button to quarantine anything found.

Post the scan log here.

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7003

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/2/2011 5:34:58 PM
mbam-log-2011-07-02 (17-34-58).txt

Scan type: Quick scan
Objects scanned: 160407
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

But meanwhile, while I was running the Avast boot scan, I found 2 malware viruses in system32.
When I selected to delete the file or to move it to the chest, it showed that doing such a thing would affect a system file or something like that, so I discontinued the rootscan ???

You can see the screenshot attached.

Download aswMBR from here: http://public.avast.com/~gmerek/aswMBR.htm
Click the [Scan] button to start the scan.
On completion of the scan click [Save log], save it to your desktop and post it in your next reply.

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-02 18:17:57

18:17:57.687 OS Version: Windows 5.1.2600 Service Pack 3
18:17:57.687 Number of processors: 2 586 0x403
18:17:57.687 ComputerName: MAHESHWARI UserName:
18:17:58.296 Initialize success
18:17:58.750 AVAST engine defs: 11070200
18:18:36.312 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-e
18:18:36.328 Disk 0 Vendor: ST3808110AS 3.AAD Size: 76319MB BusType: 3
18:18:38.328 Disk 0 MBR read successfully
18:18:38.328 Disk 0 MBR scan
18:18:38.343 Disk 0 Windows XP default MBR code
18:18:40.343 Disk 0 scanning sectors +156280320
18:18:40.359 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
18:18:40.359 Disk 0 PE file @ sector 156280345 !
18:18:40.359 Disk 0 scanning C:\WINDOWS\system32\drivers
18:18:49.312 Service scanning
18:18:50.218 Disk 0 trace - called modules:
18:18:50.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:18:50.234 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86d76ab8]
18:18:50.234 3 CLASSPNP.SYS[f7690fd7] → nt!IofCallDriver → \Device\00000074[0x86dacec0]
18:18:50.234 5 ACPI.sys[f7507620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-e[0x86d7ad98]
18:18:50.359 AVAST engine scan C:\WINDOWS
18:30:23.812 AVAST engine scan C:\Documents and Settings\Administrator
18:33:53.390 AVAST engine scan C:\Documents and Settings\All Users
18:34:56.406 Scan finished successfully
18:37:56.531 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\MBR.dat”
18:37:56.531 The log file has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\aswMBR.txt”

Click the option “FIX”,
then
re-run aswMBR,
save the new log,
and post the new log.

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-02 19:46:26

19:46:26.187 OS Version: Windows 5.1.2600 Service Pack 3
19:46:26.187 Number of processors: 2 586 0x403
19:46:26.187 ComputerName: MAHESHWARI UserName:
19:46:26.718 Initialize success
19:46:26.796 AVAST engine defs: 11070200
19:46:50.843 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-e
19:46:50.843 Disk 0 Vendor: ST3808110AS 3.AAD Size: 76319MB BusType: 3
19:46:52.843 Disk 0 MBR read successfully
19:46:52.843 Disk 0 MBR scan
19:46:52.843 Disk 0 Windows XP default MBR code
19:46:54.859 Disk 0 scanning sectors +156280320
19:46:54.875 Disk 0 scanning C:\WINDOWS\system32\drivers
19:47:01.062 Service scanning
19:47:02.109 Disk 0 trace - called modules:
19:47:02.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:47:02.125 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86d76ab8]
19:47:02.125 3 CLASSPNP.SYS[f7690fd7] → nt!IofCallDriver → \Device\00000074[0x86dacec0]
19:47:02.125 5 ACPI.sys[f7507620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-e[0x86d7ad98]
19:47:02.234 AVAST engine scan C:\WINDOWS
19:58:50.906 AVAST engine scan C:\Documents and Settings\Administrator
20:02:35.718 AVAST engine scan C:\Documents and Settings\All Users
20:04:11.640 Scan finished successfully
20:05:29.671 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\MBR.dat”
20:05:29.671 The log file has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\2aswMBR.txt”

The log looks clear of the MBR rootkit now. Are you still getting the search engine redirects?

Now that the MBR rootkit is clear, you should run the Avast and MBAM scans again and see if anything that might otherwise have been hidden is now detectable.
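The "before FIX" and "after FIX" comparison the helper does by eye above can be automated. This is an added example, not code from the thread or from AVAST: it parses aswMBR's `... @ sector NNN !` finding lines and its `Size: NNNNNMB` disk line from constructed excerpts of the two logs posted above, reports how far from the end of the disk each finding sits (the MBRoot code here lives in the unpartitioned tail of the drive, about 10 MB before the last sector), and confirms the second log carries none of the first log's findings.

```python
import re

# Constructed excerpt of the first aswMBR log in the thread (before "FIX").
# Timestamps, disk size and sector numbers are copied from the post; other lines trimmed.
LOG_BEFORE_FIX = """\
18:18:36.328 Disk 0 Vendor: ST3808110AS 3.AAD Size: 76319MB BusType: 3
18:18:38.328 Disk 0 MBR read successfully
18:18:38.343 Disk 0 Windows XP default MBR code
18:18:40.343 Disk 0 scanning sectors +156280320
18:18:40.359 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
18:18:40.359 Disk 0 PE file @ sector 156280345 !
18:34:56.406 Scan finished successfully
"""

# Constructed excerpt of the second log (after "FIX"): the two "!" lines are gone.
LOG_AFTER_FIX = """\
19:46:50.843 Disk 0 Vendor: ST3808110AS 3.AAD Size: 76319MB BusType: 3
19:46:52.843 Disk 0 MBR read successfully
19:46:52.843 Disk 0 Windows XP default MBR code
19:46:54.859 Disk 0 scanning sectors +156280320
20:04:11.640 Scan finished successfully
"""

SECTOR_BYTES = 512
# aswMBR marks a finding with a trailing " !" after "@ sector N"
FINDING_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) Disk (\d+) (.+?) @ sector (\d+) !$")
SIZE_RE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")

def disk_sizes(log):
    """Map disk index -> total sector count, taken from the 'Vendor ... Size: NNNMB' line."""
    sizes = {}
    for line in log.splitlines():
        m = SIZE_RE.search(line)
        if m:
            sizes[int(m.group(1))] = int(m.group(2)) * 1024 * 1024 // SECTOR_BYTES
    return sizes

def findings(log):
    """Return each flagged line as a dict, with its distance from the disk's last sector in MB."""
    sizes = disk_sizes(log)
    out = []
    for line in log.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue
        disk, sector = int(m.group(2)), int(m.group(4))
        total = sizes.get(disk)
        mb_from_end = None if total is None else (total - sector) * SECTOR_BYTES / 2**20
        out.append({"disk": disk, "what": m.group(3), "sector": sector, "mb_from_end": mb_from_end})
    return out

def fix_verified(before, after):
    """True when the pre-fix log had findings and the post-fix log has none left."""
    return bool(findings(before)) and not findings(after)
```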

Well, thanks… but what about the viruses found in the boot scan? ??? :-\

Meanwhile I will do what you asked.

Well, it shows you sent one to the chest; presumably you did the same with the other?

That said, it doesn’t change the fact that you should run the Avast and MBAM scans again.

I finished the Avast boot scan & MBAM scan, but I couldn’t find the log file of the Avast boot scan… I have taken a screenshot, please find it in the attachment (if you can say where to find the Avast scan report in a file, it will be helpful next time).

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7003

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/2/2011 11:11:12 PM
mbam-log-2011-07-02 (23-11-12).txt

Scan type: Quick scan
Objects scanned: 160295
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Generally you can’t repair trojans, only true virus infections where the infected element may be removed. So in this case repair won’t work.

I’m not seeing any file types on these detections either (can’t be folders), and other than the asr_ at the start of the name, the rest of the name appears to be randomly generated. Considering their location in the system32 folder, at the very least they are highly suspicious.

Was the image from the avastUI, Scan Computer, Scan Logs, and was it for the boot-time scan?

This certainly needs further investigation by a malware removal specialist, so let’s get that ball rolling:

Note: this says attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.

The scan is getting stuck :-\

I did the above things exactly, and when I hit the RUN SCAN button, after a few seconds the scanning process gets stuck on: Scanning HKEY_USERS\S-1-5-21-141700133-436374069-1547161642-500\Internet Explorer Settings…

I tried twice, but it is taking almost half an hour scanning the same file stated above, both times.

What shall I do ???

Well, I meant the OTC scan was getting stuck in the middle, as stated in my previous post. I’m waiting for some solution. Is it common for this to happen?

I tried again, but the scan is getting stuck in the same place.

Is it sticking on Firefox elements?

If so, we will use the little brother to this.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users.
  • Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
%USERPROFILE%..|smtmp;true;true;true /FP
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs.

[quote]Download OTL to your Desktop[/quote]
I don’t know why, but even OTL is getting stuck while scanning the Firefox settings… :o , the same as OTS is getting stuck while scanning the Internet Explorer settings :cry:

Please suggest something to me :frowning:

OK, whilst I dislike using this programme, let’s go for it.

Please download DDS and save it to your desktop.

  • Disable any script blocking protection.
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file, Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on
http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png
to insert the attachment into your post.

Files attached.

When done, DDS.txt will open. [b]Click Yes at the next prompt for Optional Scan.[/b]

As you stated above, I didn’t get the option to click Yes at the next prompt for Optional Scan, but rather when the scan finished I could only see OK to finish the scan.
But yes, the 2 files opened (dds.txt & attach.txt) at the end.

OK, we will now have to use ComboFix to remove what I can see - this is why I dislike DDS.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

1 or 2 infected files found, I think :slight_smile: but what about the other infection in the system32 folder :stuck_out_tongue: