Please help

[goliatron]

I turn on my computer from sleep mode and got a blue screen. This was after I did a system recovery because of a malware issue that kept opening up seperate links when searching in google. Now it seems that the problem is worse. Google won't open at all and if it does it goes to a strange site about a goldfish or whatever...

I tried malwarebytes scan and it didn't work.

Here's the dds and I attached the other file below.

Please help me!

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31

Run by Doug at 3:20:50 on 2012-08-22

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2213 [GMT -4:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Common Files\Steam\SteamService.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: mswsock.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{0001B223-68F3-453B-97E5-FBE1815A6103} : DhcpNameServer = 75.75.75.75 75.75.76.76

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\doug\appdata\roaming\mozilla\firefox\profiles\vokrvy91.default\

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll

.

============= SERVICES / DRIVERS ===============

.

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-22 655944]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-5-16 2348352]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-2-29 382272]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-22 22344]

R3 PRESONUS_AUDIOBOX_MIDI;Presonus AudioBox WDM MIDI Device;c:\windows\system32\drivers\psabusbm.sys [2012-2-22 31864]

R3 PRESONUS_AUDIOBOX_USB;Presonus AudioBox USB driver;c:\windows\system32\drivers\psabusbu.sys [2012-2-22 401016]

R3 PRESONUS_AUDIOBOX_WDM;Presonus AudioBox USB WDM;c:\windows\system32\drivers\psabusba.sys [2012-2-22 40568]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-14 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 250568]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-5 113120]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]

S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-9-1 1343400]

.

=============== Created Last 30 ================

.

2012-08-22 07:08:41 -------- d-----w- c:\users\doug\appdata\roaming\Malwarebytes

2012-08-22 07:08:19 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-22 07:08:19 -------- d-----w- c:\programdata\Malwarebytes

2012-08-22 07:08:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-08-17 16:34:47 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3b333707-f263-468c-9a73-e849d21e1ca9}\mpengine.dll

2012-08-16 14:26:33 -------- d-----w- c:\program files\Microsoft Security Client

2012-08-16 01:49:01 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-08-10 04:18:05 109568 ----a-w- c:\programdata\microsoft\windows\drm\F7E7.tmp

2012-08-05 15:57:03 -------- d-----w- c:\program files\StarCraft II

2012-07-27 20:51:30 184248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2012-07-25 21:20:01 -------- d-----w- c:\program files\iTunes

2012-07-25 21:20:01 -------- d-----w- c:\program files\iPod

2012-07-25 21:17:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2012-07-25 21:17:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2012-07-25 21:17:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2012-07-25 21:17:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2012-07-25 21:17:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2012-07-25 21:17:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2012-07-25 21:17:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

.

==================== Find3M ====================

.

2012-08-22 07:13:32 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-22 07:13:32 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-12 02:40:48 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll

2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys

2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll

2012-05-31 16:25:14 237072 ----a-w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 3:23:07.66 ===============

Attach.txt

[aliB]

hi :weclome:

• Download RogueKiller and save it on your desktop.
  
• Quit all programs
  
• Start RogueKiller.exe.
  
• Wait until Prescan has finished ...
  
• Click on Scan
  

• Wait for the end of the scan.
  
• The report has been created on the desktop.
  
• Click on the Delete button.
  

• The report has been created on the desktop.
  

Please post: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
  
• Select All Users
  
• Under the Custom Scan box paste this in
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  services.*
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  qmgr.dll
  /md5stop
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
  CREATERESTOREPOINT
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs
    

[goliatron]

Hey aliB

Followed your instructions.

Rogue Killer blue screened once so I ran again and this report popped out.

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User: Doug [Admin rights]

Mode: Scan -- Date: 08/22/2012 12:49:31

¤¤¤ Bad processes: 1 ¤¤¤

[sUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{55b0df7f-1683-4ade-5b3d-9b45856671d5}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{55b0df7f-1683-4ade-5b3d-9b45856671d5}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{55b0df7f-1683-4ade-5b3d-9b45856671d5}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> FOUND

[ZeroAccess][sig found] services.exe : c:\windows\system32\services.exe --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1001FALS-00J7B1 ATA Device +++++

--- User ---

[MBR] bf4be8792966eb43af0c3d48bf04b9d4

[bSP] 0e9b5c5d03992784813665a5d9840ae7 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] 2010189312a45800f43bffd8bab0a3e9

[bSP] 0e9b5c5d03992784813665a5d9840ae7 : Windows 7 MBR Code

Partition table:

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

Finished : << RKreport[1].txt >>

RKreport[1].txt

The second program won't complete at all without blue screening. Said something like "ataport.sys"

[aliB]

hi

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks
  
  
  
• When finished, it shall produce a log for you.
  
• Please include the C:\ComboFix.txt in your next reply.
  

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

[goliatron]

Blue screened again.

[aliB]

hi

Download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application
  
  
• Then click on Change parameters.
  
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  
• Click the Start Scan button.
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
  
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
• Get the report by selecting Reports
  
  
• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  

Please copy and paste its contents on your next reply.

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!