The PC I am working on is going to random URLs when search links are clicked,
e.g. search "Computers", click a link, and either a porn site will load or something similar to the link clicked, but not the destination URL shown in the search result.
I've managed to get rid of some 49 "bugs" using Malwarebytes; logs below:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3
25/08/2009 10:01:38
mbam-log-2009-08-25 (10-01-38).txt
Scan type: Quick Scan
Objects scanned: 106179
Time elapsed: 7 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 16
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACfqptkllovm.dll (Rogue.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.
Files Infected:
\\?\globalroot\systemroot\system32\UACfqptkllovm.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacbbr.dll (Rogue.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACfqptkllovm.dll (Rogue.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\UACe59d.tmp (Rogue.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\AV Care\AV Care.lnk (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\UACerrors.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACrqnduplooi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACwmnrjesdkp.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACrgixboxltl.sys (Trojan.Agent) -> Quarantined and deleted successfully.
---------
Malwarebytes' Anti-Malware 1.40
Database version: 2693
Windows 5.1.2600 Service Pack 3
25/08/2009 11:31:38
mbam-log-2009-08-25 (11-31-38).txt
Scan type: Quick Scan
Objects scanned: 108984
Time elapsed: 10 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\kbiwkmiltivklj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
-----------------------
I have also run RootRepeal, and see this:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 10:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9FB7000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A4E000 Size: 8192 File Visible: No Signed: -
Status: -
Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xF7A30000 Size: 4128 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA88AA000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\kbiwkmdxuuhrqh.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\kbiwkmiltivklj.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\kbiwkmswxfmnxu.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\kbiwkmtrdbbjkv.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\kbiwkmftepappk.sys
Status: Invisible to the Windows API!
Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmswxfmnxu.dll]
Process: Explorer.EXE (PID: 1416) Address: 0x10000000 Size: 28672
Hidden Services
-------------------
Service Name: kbiwkmyxwmnrer
Image Path: C:\WINDOWS\system32\drivers\kbiwkmftepappk.sys
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACrgixboxltl.sys
==EOF==
I am thinking the files shown as "Invisible to the Windows API" are the rootkit causing the browser hijack.
Please can you check and advise how I get rid of them.
Thanks,
Rich...
