kosmic94
  1. I did the second and third things. Can't do the last anyway as I have no boot equipment.

     GooredFix by jpshortstuff (03.07.10.1)
     Log created at 14:58 on 15/04/2012 (Flood)
     Firefox version 11.0 (en-US)

     ========== GooredScan ==========

     ========== GooredLog ==========

     C:\Program Files (x86)\Mozilla Firefox\extensions\
     {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [21:29 27/09/2011]
     {972ce4c6-7e08-4474-a285-3208198ce6fd} [17:47 31/03/2012]

     C:\Users\Flood\Application Data\Mozilla\Firefox\Profiles\360vmvb8.default\extensions\
     battlefieldheroespatcher@ea.com [21:22 30/08/2011]
     battlefieldplay4free@ea.com [01:23 24/08/2011]
     foxyproxy@eric.h.jung [02:49 17/03/2012]
     gcyvknqexv@gcyvknqexv.org [22:01 22/03/2012]
     {20a82645-c095-46ed-80e3-08825760534b} [03:56 10/05/2010]
     {455D905A-D37C-4643-A9E2-F6FEFAA0424A} [06:46 29/12/2011]
     {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} [16:20 15/05/2011]
     {9051303c-7e41-4311-a783-d6fe5ef2832d} [04:44 02/04/2012]
     {9c51bd27-6ed8-4000-a2bf-36cb95c0c947} [18:19 12/02/2010]
     {ACAA314B-EEBA-48e4-AD47-84E31C44796C} [02:27 25/06/2011]
     {b9db16a4-6edc-47ec-a1f4-b86292ed211d} [20:10 29/03/2012]
     {bb6bc1bb-f824-4702-90cd-35e2fb24f25d} [00:04 27/04/2011]
     {c45c406e-ab73-11d8-be73-000a95be3b12} [00:39 07/01/2011]
     {e968fc70-8f95-4ab9-9e79-304de2a71ee1} [00:39 07/01/2011]

     [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
     "{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:42 18/06/2009]
     "{23fcfd51-4958-4f00-80a3-ae97e717ed8b}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video" [22:41 30/12/2010]
     "{6904342A-8307-11DF-A508-4AE2DFD72085}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa" [22:41 30/12/2010]
     "wrc@avast.com"="C:\Program Files\Alwil Software\Avast5\WebRep\FF" [00:13 06/03/2011]

     -=E.O.F=-

     I'm using Google because I have to. Nothing's been compromised yet, just the redirects, and I doubt this is going to go anywhere. -kosmic94
  2. First scan removed several oddities, but the most interesting were a Javascript exploit and a Win32/backdoor. Second scan found nothing; I don't see the report; I thought it saved a text file, but I don't see it. Third scan also found nothing it didn't find before. Not worth posting the same report all over again. I am still getting redirected Google searches to GimmieAnswers and Happili and some other dumb site. It happens at random and if I go back to Google I can click the same link and it will go through. -kosmic94
  3. Done. First time I installed with the "Run" button and ran Firefox before restarting the second time, so I went back, uninstalled again, and saved the downloader to the desktop, ran as admin, restarted afterward before running Firefox. Tested a couple searches; no redirects yet, but that doesn't mean anything. Also, I didn't uninstall the personal settings and customizations, so I wouldn't lose everything, if that matters. I mostly get redirected to "GimmieAnswers," and if you search that on Google, it's apparently a well-known virus, but I was directed to some other site, like "hapili," or something, once (it started with an H but I don't think that was the exact name). My ma, who uses Internet Explorer, says it's possible she has also been redirected in this manner, but she doesn't remember for sure. As I don't use IE, I don't know. -kosmic94
  4. In fact, I just had a re-direct happen on a link, and I went back and clicked again, and it went through. I use Firefox. I have only had it happen on Google, although I don't use any other search engine really (I tried a Yahoo search once but that wouldn't be enough for a thorough test). Always I get redirected to a site with some looooong URL and there is an SQL error message that displays. Ad links? I generally never click on ads, no.

     FSS log:

     Farbar Service Scanner Version: 01-03-2012
     Ran by Flood (administrator) on 30-03-2012 at 18:55:35
     Running from "C:\Users\Flood\Desktop"
     Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
     Boot Mode: Normal
     ****************************************************************

     Internet Services:
     ============

     Connection Status:
     ==============
     Localhost is accessible.
     LAN connected.
     Google IP is accessible.
     Yahoo IP is accessible.

     Windows Firewall:
     =============

     Firewall Disabled Policy:
     ==================

     System Restore:
     ============

     System Restore Disabled Policy:
     ========================

     Security Center:
     ============

     Windows Update:
     ============

     File Check:
     ========
     C:\Windows\System32\nsisvc.dll
     [2008-01-20 22:49] - [2008-01-20 22:49] - 0024576 ____A (Microsoft Corporation) ACB62BAA1C319B17752553DF3026EEEB

     C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
     C:\Windows\System32\dhcpcsvc.dll
     [2009-06-22 01:10] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

     C:\Windows\System32\drivers\afd.sys => MD5 is legit
     C:\Windows\System32\drivers\tdx.sys => MD5 is legit
     C:\Windows\System32\Drivers\tcpip.sys
     [2011-08-21 19:32] - [2011-06-17 16:14] - 1427344 ____A (Microsoft Corporation) 4DAD14118FBCF7C609F2A4CE21FBCC5F

     C:\Windows\System32\dnsrslvr.dll
     [2011-07-14 13:34] - [2011-03-02 12:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

     C:\Windows\System32\mpssvc.dll
     [2009-06-22 01:11] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

     C:\Windows\System32\bfe.dll
     [2009-06-22 01:10] - [2009-04-11 03:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

     C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
     C:\Windows\System32\SDRSVC.dll
     [2008-01-20 22:47] - [2008-01-20 22:47] - 0128000 ____A (Microsoft Corporation) 4FF71B076A7760FE75EA5AE2D0EE0018

     C:\Windows\System32\vssvc.exe
     [2009-06-22 01:11] - [2009-04-11 03:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

     C:\Windows\System32\wscsvc.dll
     [2009-06-22 01:10] - [2009-04-11 03:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

     C:\Windows\System32\wbem\WMIsvc.dll
     [2009-06-22 01:10] - [2009-04-11 03:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

     C:\Windows\System32\wuaueng.dll
     [2009-10-02 12:40] - [2009-08-06 22:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D

     C:\Windows\System32\qmgr.dll
     [2009-06-22 01:11] - [2009-04-11 03:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

     C:\Windows\System32\es.dll
     [2009-06-22 01:11] - [2009-04-11 03:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

     C:\Windows\System32\cryptsvc.dll
     [2009-06-22 01:10] - [2009-04-11 03:11] - 0166912 ____A (Microsoft Corporation) 18918613E63F387CDE4D95CA7D49DCF7

     C:\Windows\System32\svchost.exe => MD5 is legit
     C:\Windows\System32\rpcss.dll
     [2009-06-22 01:11] - [2009-04-11 03:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF

     **** End of log ****

     -kosmic94
  5. RogueKiller Log is first, then Listparts64 log. DDS.txt and Attach.txt are attachments. By "router" do you mean a device for WiFi? If so, no. I have an ethernet cable which runs from my computer to a device which has a cable (like a TV cable) running to the wall. I presume this is a modem. However, I followed what you said - disconnected the computer from the modem, then the cable to the wall, then the power cord, then reverse order. The modem is of the brand "Scientific Atlanta," and the model number appears to be DPC2100R2.

     RKiller log:

     RogueKiller V7.3.2 [03/20/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo...13-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
     Started in : Normal mode
     User: Flood [Admin rights]
     Mode: Remove -- Date: 03/30/2012 18:00:29

     ¤¤¤ Bad processes: 0 ¤¤¤

     ¤¤¤ Registry Entries: 2 ¤¤¤
     [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
     [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD6400AAKS-22A7B2 ATA Device +++++
     --- User ---
     [MBR] 4f7d41f34f33dd16cebf6f24dcb24be0
     [bSP] 07a876173e57f344a5cfd45c3cad0390 : Acer tatooed MBR Code
     Partition table:
     0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 10001 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20484096 | Size: 600477 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[3].txt >>
     RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

     Listparts64 log:

     ListParts by Farbar Version: 12-03-2012 03
     Ran by Flood (administrator) on 30-03-2012 at 18:07:03
     Windows Vista (X64)
     Running From: C:\Users\Flood\Desktop
     Language: 0409
     ************************************************************

     ========================= Memory info ======================

     Percentage of memory in use: 37%
     Total physical RAM: 3838.27 MB
     Available physical RAM: 2417.34 MB
     Total Pagefile: 7863.03 MB
     Available Pagefile: 6177.19 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.91 MB

     ======================= Partitions =========================

     1 Drive c: (OS) (Fixed) (Total:586.4 GB) (Free:227.6 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
     2 Drive d: (EForceXP) (CDROM) (Total:0.3 GB) (Free:0 GB) CDFS

       Disk ###  Status      Size     Free     Dyn  Gpt
       --------  ----------  -------  -------  ---  ---
       Disk 0    Online       596 GB      0 B
       Disk 1    No Media       0 B      0 B
       Disk 2    No Media       0 B      0 B
       Disk 3    No Media       0 B      0 B
       Disk 4    No Media       0 B      0 B

     Partitions of Disk 0:
     ===============

       Partition ###  Type              Size     Offset
       -------------  ----------------  -------  -------
       Partition 1    OEM                 10 GB    32 KB
       Partition 2    Primary            586 GB    10 GB

     ======================================================================================================

     Disk: 0
     Partition 1
     Type  : 27
     Hidden: Yes
     Active: No

     There is no volume associated with this partition.

     ======================================================================================================

     Disk: 0
     Partition 2
     Type  : 07
     Hidden: No
     Active: Yes

       Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
       ----------  ---  -----------  -----  ----------  -------  -------  --------
     * Volume 1     C   OS           NTFS   Partition    586 GB  Healthy  System (partition with boot components)

     ======================================================================================================

     ****** End Of Log ******

     -kosmic94

     DDS(1).txt Attach(1).txt
  6. RogueKiller V7.3.2 [03/20/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
     Started in : Normal mode
     User: Flood [Admin rights]
     Mode: Scan -- Date: 03/29/2012 19:41:00

     ¤¤¤ Bad processes: 3 ¤¤¤
     [sUSP PATH] ChiFuncExt.exe -- C:\Windows\ChiFuncExt.exe -> KILLED [TermProc]
     [sUSP PATH] CNYHKey.exe -- C:\Windows\CNYHKey.exe -> KILLED [TermProc]
     [sUSP PATH] ModLEDKey.exe -- C:\Windows\ModLedKey.exe -> KILLED [TermProc]

     ¤¤¤ Registry Entries: 2 ¤¤¤
     [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver: [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD6400AAKS-22A7B2 ATA Device +++++
     --- User ---
     [MBR] 4f7d41f34f33dd16cebf6f24dcb24be0
     [bSP] 07a876173e57f344a5cfd45c3cad0390 : Acer tatooed MBR Code
     Partition table:
     0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 10001 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20484096 | Size: 600477 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[1].txt >>
     RKreport[1].txt

     -kosmic94
  7. Okay. Here's updated DDS, in case it will be helpful. -kosmic94

     Attach.txt DDS.txt
  8. The virus? Whatever's redirecting Google searches? If I knew exactly what was wrong, that would mean I was knowledgeable about computer tech, and if I was, I would simply fix the issue myself. Unfortunately, I can't do that. I guess I'll have to? I don't know, if you think no one will know what the issue is, maybe it's not worth it. My mother has used this computer for transactions before and there has been no theft of any kind, but that could just mean that the virus wasn't on here when she was using it for those things, or it could mean the virus is not a threat, or is just adware, or annoyance-ware or some such thing. If I knew, I would deal with it myself. I'm here because I don't. What I can say is that if there's nothing more that can be done, we will simply have to continue using this computer and just cross our fingers, because we certainly cannot afford a new one right now, and there is too much vitally important data on here to re-install the OS. -kosmic94
  9. Just guessing, but perhaps an NMap scan to my own IP could tell if there is a backdoor open? That way I'd know if I'm in much danger or not. Bear in mind I really know nothing about nmap or computer tech at all, I'm just guessing here from what little I do know. -kosmic94
  10. I meant I was looking for a plugin for my program, Free Download Manager, so that, when I click a download link in Firefox, it will download with FDM instead of the built-in downloader... I don't believe it's standard for Windows to try to start several times and fail each time and then have to run CHKDSK as an emergency solution to allow bootup. I have run a full scan with avast before now and nothing came up. Just this morning I did a quick scan and nothing came up, and the first thing I did when I got this infection was to run a "Comprehensive Scan" (a custom scan I input that scans every single file on the entire computer on max heuristics) and it found nothing of consequence. If you really think it's worth it I can go do it again but it sounds like a waste of time. Do you think anyone else might be able to figure out what's wrong? -kosmic94
  11. By the way, I should note that as to the hard drive scan/comp crash I mentioned, by "a while ago" I mean before I started having Google redirect problems and the avast shield alerts, so before I noticed at least these symptoms of the virus. -kosmic94
  12. The first scan that was stopped is because I realized I didn't disable the avast shields and wanted to make sure that hadn't interfered with the rootkit scan (which apparently it didn't, since Stinger didn't/couldn't do the scan anyway):

      McAfee® Labs Stinger Version 10.2.0.562 built on Mar 29 2012
      Copyright © 2011 McAfee, Inc. All Rights Reserved.
      Virus data file v9999.0000 created on Mar 29 2012.
      Ready to scan for 4228 viruses, trojans and variants.

      Scan initiated on Thu Mar 29 11:12:59 2012
      Rootkit scan result : Not Scanned
      No files scanned

      Scan initiated on Thu Mar 29 11:13:37 2012
      Rootkit scan result : Not Scanned
      Master Boot Record(s):....1
      Possibly Infected:.............0
      Boot Sector(s):.................1
      Possibly Infected: ............0
      Number of clean files: 24334

      As a matter of fact, I was just looking for the Download Manager plugin for this version of Firefox on Google and still got redirected when I clicked a link, to a site called "Gimmie Answers," and all you see there is just this SQL error statement. I can go get a screenshot if you like. Also, I don't know if this is related to the virus or not, but a while ago, my computer couldn't start for anything, and after rebooting several times, it finally ran CHKDSK on its own, which repaired a couple errors and allowed it to start. Again, not sure if that's related to this virus or not, but thought I'd mention it. -kosmic94
  13. ESET log:

      ESETSmartInstaller@High as CAB hook log:
      OnlineScanner64.ocx - registred OK
      OnlineScanner.ocx - registred OK
      # version=7
      # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
      # OnlineScanner.ocx=1.0.0.6583
      # api_version=3.0.2
      # EOSSerial=f1453587d422d6478e7fb538e15e43f4
      # end=finished
      # remove_checked=true
      # archives_checked=false
      # unwanted_checked=true
      # unsafe_checked=false
      # antistealth_checked=true
      # utc_time=2012-03-29 02:23:16
      # local_time=2012-03-28 10:23:16 (-0500, Eastern Daylight Time)
      # country="United States"
      # lang=1033
      # osver=6.0.6002 NT Service Pack 2
      # compatibility_mode=512 16777215 100 0 0 0 0 0
      # compatibility_mode=768 16777215 100 0 0 0 0 0
      # compatibility_mode=5892 16776574 100 45 131167324 169569011 0 0
      # compatibility_mode=8192 67108863 100 0 0 0 0 0
      # scanned=451762
      # found=10
      # cleaned=10
      # scan_time=17490
      C:\Downloads\index(5).html    HTML/Hoax.FastDownload.A.Gen application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Games\SoftonicDownloader_for_bus-simulator.exe    a variant of Win32/SoftonicDownloader.D application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Software\cnet_alienarena-7_51-win20110316_exe.exe    a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Software\cnet_smrecorder_installer_exe.exe    a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Software\Counter Strike(1).exe    a variant of MSIL/Solimba.A application (deleted - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Software\Counter Strike.exe    a variant of MSIL/Solimba.A application (deleted - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Software\installer_counter-strike.exe    multiple threats (deleted - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Software\RAR+Password+Cracker.exe    MSIL/Solimba.A application (deleted - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\Software\registrybooster.exe    Win32/RegistryBooster application (deleted - quarantined)    00000000000000000000000000000000    C
      C:\Downloads\wrrk\system\WarRock.exe    a variant of Win32/Packed.Themida application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C

      -kosmic94
  14. Oh, however, I installed their 32-bit Java, since it was recommended for 32-bit browsers (plus the x64 looked hard to get to anyway). -kosmic94
  15. I did as you instructed with the Java, and even rebooted my computer after installing it, but I do not see the control access in the control panel, nor do I see any way to access controls in its installed folder. So you know, I am using Vista Home Premium x64. Two other bits of pertinent information: First, my avast antivirus no longer seems to be starting automatically on startup, and, second, both times I restarted, after removing the Java, and after installing the new, the computer took an incredibly long time on the "Shutting Down" screen. I am on the part about going into the Java controls. I await your instructions before proceeding. -kosmic94