
Search Engine Results Are Being Redirected



My apologies if this post shows up somewhere else too, I've tried posting but can never see the post.

Forum,

I spent all Thanksgiving trying to fix my computer. I've tried all the recommended software programs and have corrected some of my issues. The one that won't go away is what seems to be a common problem, but a problem having multiple solutions that can only be repaired by Experts like YOU looking at HijackThis log results. Every time I do a Google Search or for that matter any popular search engine search and then click on a result, I am being redirected to random websites.

Here are the HijackThis results and the ComboFix results.

ComboFix 09-11-26.02 - Administrator 11/27/2009 11:37.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1461 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 091127-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\inst.exe

c:\windows\system32\tmp.reg

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PASSWORD

((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))

.

2009-11-27 16:37 . 2006-08-23 14:54 42752 ----a-r- c:\windows\system32\drivers\jraid_2.sys

2009-11-27 15:49 . 2009-11-27 15:49 -------- d-----w- c:\program files\Trend Micro

2009-11-27 15:33 . 2009-11-27 15:33 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL

2009-11-27 15:33 . 2009-11-27 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SP

2009-11-27 15:22 . 2009-11-27 15:22 -------- d-----w- c:\windows\system32\wbem\Repository

2009-11-27 15:21 . 2009-11-27 15:21 -------- d-----w- C:\ErdUndoCache

2009-11-27 15:18 . 2007-03-09 01:43 92592 ----a-w- c:\windows\system32\MSDartCmn.dll

2009-11-27 15:18 . 2007-03-09 01:43 61872 ----a-w- c:\windows\system32\MsDartSR.exe

2009-11-27 15:16 . 2009-11-27 15:16 -------- d-----w- C:\~ErdUserProfile.$$$

2009-11-25 22:01 . 2009-11-25 22:01 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2009-11-25 22:01 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe

2009-11-25 20:48 . 2009-11-25 20:48 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-25 20:46 . 2009-11-25 20:46 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-24 21:25 . 2009-11-24 21:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-11-24 21:25 . 2009-11-24 21:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Cooliris

2009-11-24 13:07 . 2009-11-24 13:07 -------- d-----w- c:\program files\QuickTime

2009-11-23 13:53 . 2009-11-23 13:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Chromium

2009-10-30 16:14 . 2009-10-30 16:14 -------- d-----w- c:\windows\OvtCam

2009-10-30 16:13 . 2009-10-30 16:13 -------- d-----w- C:\CtDriverInstTemp

2009-10-30 16:13 . 2001-12-11 05:03 53248 ----a-w- c:\windows\system32\webc3pin.dll

2009-10-30 16:13 . 2001-11-07 09:01 25241 ----a-w- c:\windows\system32\drivers\webc3cam.sys

2009-10-30 16:13 . 2001-11-07 09:01 16453 ----a-w- c:\windows\system32\webc3usd.dll

2009-10-30 16:13 . 2001-11-07 06:00 49152 ----a-w- c:\windows\system32\webc3ext.dll

2009-10-30 16:13 . 2001-11-07 06:00 166504 ----a-w- c:\windows\system32\drivers\webc3vid.sys

2009-10-30 16:13 . 2001-05-23 05:10 49152 ----a-w- c:\windows\system32\webc3vfw.dll

2009-10-30 16:13 . 2000-08-04 06:01 15360 ----a-w- c:\windows\system32\webc3vfw.drv

2009-10-30 16:13 . 2009-10-30 16:13 -------- d-----w- C:\WebCam3Gen

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-27 16:16 . 2007-11-16 13:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-11-27 13:37 . 2006-04-25 00:52 100736 ----a-w- c:\windows\system32\drivers\nvata.sys

2009-11-25 21:05 . 2007-09-01 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-25 20:49 . 2008-10-23 21:01 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-11-25 20:42 . 2007-06-18 12:18 -------- d-----w- c:\program files\Java

2009-11-25 19:31 . 2007-06-27 19:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM

2009-11-25 19:06 . 2009-04-17 13:00 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-11-25 15:54 . 2009-09-22 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-25 15:11 . 2007-09-01 14:26 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-25 13:34 . 2008-06-18 20:28 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-11-24 23:54 . 2007-06-06 03:53 1280480 ----a-w- c:\windows\system32\aswBoot.exe

2009-11-24 23:51 . 2007-06-06 03:53 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-11-24 23:49 . 2007-06-06 03:53 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-11-24 23:48 . 2007-06-06 03:53 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-11-24 23:47 . 2007-06-06 03:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-11-24 23:47 . 2007-06-06 03:53 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-11-24 13:07 . 2009-03-17 11:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-11-21 14:02 . 2007-06-15 12:10 -------- d-----w- c:\program files\WinFax

2009-11-11 13:27 . 2007-06-06 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-11-04 13:50 . 2007-06-06 03:37 79592 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-04 08:02 . 2007-06-06 15:14 -------- d-----w- c:\program files\Microsoft Works

2009-11-04 04:02 . 2007-11-08 16:21 -------- d-----w- c:\program files\Google

2009-11-03 01:42 . 2009-10-03 07:05 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-20 16:54 . 2007-06-11 19:55 -------- d-----w- c:\program files\AlmerBackup

2009-10-17 15:53 . 2009-09-21 15:53 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2009-10-17 15:53 . 2009-06-19 13:18 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2009-10-05 15:59 . 2009-07-15 17:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso

2009-10-05 15:48 . 2009-10-05 15:48 -------- d-----w- c:\program files\Microsoft

2009-10-02 13:58 . 2008-01-18 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Creative

2009-09-23 12:55 . 2009-01-31 17:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-09-22 20:32 . 2009-09-22 20:32 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-09-15 10:56 . 2007-06-06 03:53 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-09-15 10:55 . 2008-03-31 11:59 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-09-15 10:55 . 2008-03-31 11:59 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-09-11 14:18 . 2004-10-08 12:01 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 19:54 . 2009-09-22 20:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-09-22 20:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 21:03 . 2004-10-08 12:01 58880 ----a-w- c:\windows\system32\msasn1.dll

2008-10-02 18:55 . 2008-10-02 18:55 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]

@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"

[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]

2009-11-27 15:33 57344 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-30 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-30 160592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-10-20 12:26 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Controller.LNK]

backup=c:\windows\pss\Controller.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wfxsvc"=2 (0x2)

"RichVideo"=2 (0x2)

"Nero BackItUp Scheduler 3"=2 (0x2)

"Creative Service for CDROM Access"=2 (0x2)

"CCALib8"=2 (0x2)

"BthServ"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=

"c:\\WINDOWS\\system32\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10071:TCP"= 10071:TCP:spport

"17878:TCP"= 17878:TCP:spport

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/31/2009 12:00 PM 64288]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/31/2008 6:59 AM 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 9:33 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 74480]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/31/2008 6:59 AM 20560]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1169232]

R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [10/8/2004 7:01 AM 14336]

S2 gupdate1c941b647c40b8;Google Update Service (gupdate1c941b647c40b8);c:\program files\Google\Update\GoogleUpdate.exe [11/8/2008 10:23 AM 133104]

S2 rfrpkpf;rfrpkpf;\??\c:\windows\system32\drivers\mhnozdllnlwtk.sys --> c:\windows\system32\drivers\mhnozdllnlwtk.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [10/30/2009 11:13 AM 166504]

S3 GoogleDesktopManager-090808-172447;Google Desktop Manager 5.8.809.8522;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/2/2008 1:55 PM 30192]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301A.sys [5/13/2004 5:31 PM 141990]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 6:03 AM 7808]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

netsvc REG_MULTI_SZ SPService

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Service#F]

\Shell\AutoRun\command - Z:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:06]

2009-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-08 15:23]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-08 15:23]

2007-09-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-21 21:08]

2009-11-23 c:\windows\Tasks\Registry Medic Schedule.job

- c:\program files\Registry Medic 5\RegMedic.exe [2007-06-16 02:36]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = 127.0.0.1

IE: Convert link target to Adobe PDF

IE: Convert link target to existing PDF

IE: Convert selected links to Adobe PDF

IE: Convert selected links to existing PDF

IE: Convert selection to Adobe PDF

IE: Convert selection to existing PDF

IE: Convert to Adobe PDF

IE: Convert to existing PDF

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab

DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://betaimg.sling.com/sli/sling_player_ax/WebSlingPlayer.cab?1.1.0.38

DPF: {C7C7225A-9476-47AC-B0B0-FF3B79D55E67} - hxxp://aic.lgservice.com:9001/ozserver31/Viewer/ZTransferX.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://trafficcams.cet.unomaha.edu/activex/AMC.cab

DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab

.

- - - - ORPHANS REMOVED - - - -

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE

AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI

AddRemove-PictureItSuite_v11 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=SUITE VERSION=11

AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-27 11:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA8B369]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba11cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9dc0bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9dcda21

SendHandler -> NDIS.sys @ 0xb9dab87b

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-790525478-776561741-839522115-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3082CB68-16E8-F62F-5027-5C240F4FAD65}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"eabigeghho"=hex:66,61,68,68,62,66,6c,65,61,6a,63,64,00,fc

"daeibglj"=hex:64,62,70,66,69,62,68,66,6c,61,6e,6c,6c,70,62,63,69,6b,6e,6a,64,

6a,69,61,62,70,61,6a,67,64,6b,6d,6f,69,65,6a,69,67,61,64,00,00

"iajggbdlmljpbanado"=hex:69,61,6a,6c,66,6d,66,68,69,62,68,63,67,63,61,66,61,66,

00,00

"hapfipfaoekjlmmf"=hex:69,61,6a,6c,66,6d,66,68,69,62,68,63,67,63,61,66,61,66,

00,2c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(808)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3152)

c:\windows\system32\WININET.dll

c:\documents and settings\all users\application data\sp\sp.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\IoctlSvc.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2009-11-27 11:55 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-27 16:55

Pre-Run: 259,372,810,240 bytes free

Post-Run: 259,229,511,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 73C3F3A370EC669081B0A3B26E7180E9

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:14:54, on 11/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - https://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab

O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://oaklandcam.iceweb.net/wg_webeye.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - http://betaimg.sling.com/sli/sling_player_...er.cab?1.1.0.38

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv2.view22.com/view22/app/view22rte.cab

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab

O16 - DPF: {C7C7225A-9476-47AC-B0B0-FF3B79D55E67} (ZTransferX Control) - http://aic.lgservice.com:9001/ozserver31/V.../ZTransferX.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://trafficcams.cet.unomaha.edu/activex/AMC.cab

O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1c941b647c40b8) (gupdate1c941b647c40b8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 13099 bytes


Hello mgarlitz and welcome to MalwareBytes' forums.

A strong note of caution: Combofix is not intended for use by the untrained. You must have guided expert help with that, as well as with any specialized anti-malware tool. Do NOT self-medicate. Follow my guidance and only do what I suggest.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not mgarlitz and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.

Step 1

Spybot's TeaTimer can & will prevent fixes from taking full effect. Keep it disabled while we hunt & remove malware.

Right click the Spybot Icon (blue icon with lock) in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

Next: 1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Next, Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 2

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to c:\windows\system32\drivers\mhnozdllnlwtk.sys, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Step 3

Use your browser to go here at Viruscan.org website

Click the Browse button and then navigate to c:\windows\system32\drivers\mhnozdllnlwtk.sys, then click the Submit button.

Save the results, and post back here in a reply.

Step 4

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 3256.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 5

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

Step 6

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Step 7

Reply with copy of the Virustotal results

the Virscan results

the latest MBAM scan log

the SYSCLEAN log

the RootRepeal log

Advise if the search redirects are still occurring, and if so, whether you get that in Internet Explorer or in Firefox or another browser?


Mark,

As I advise all that have systems in an office/company environment, turn over this case to your company IT tech support for their follow-up and corrective action.

I will NOT remain involved unless this is your own pc AND the company has no IT support.

Good luck.


Maurice,

I am the owner of a small business. One computer. I have no IT tech support. Your help is very much needed and very much appreciated.

Mark


Here are my findings so far.

The file mhnozdllnlwtk.sys was no longer on my drive; therefore, I was not able to complete the Virustotal and Viruscan part of your instructions. I scanned my entire drive for the mhnozdllnlwtk.sys file, just in case it was somewhere other than the c:\windows\system32\drivers\ directory. I did see the file name in the log file I sent to you. I'm not sure what happened to it.

Malwarebytes scan did not find any infections.

I just realized that my Avast! has been running resident during my Malwarebytes scan and Trend Micro System Cleaner scan. System Cleaner is still running and I don't want to stop Avast! midway through the scan. Please advise after I get my log posted if I need to start over.

RootRepeal got stuck on "initializing" No harddrive activity. The computer would not respond after clicking start on RootRepeal. I was not able to get RootRepeal to work.

My problem with the Google results redirecting is still present. I am using IE8.

I would point out that it seems all popular search engines behave the same, redirecting to weird sites. If I use a search engine like GoodSearch, it seems to work OK.

I anxiously await your further instruction.

THANKS!

Mark

Malwarebytes' Anti-Malware 1.41

Database version: 3259

Windows 5.1.2600 Service Pack 3

11/29/2009 6:00:45 PM

mbam-log-2009-11-29 (18-00-45).txt

Scan type: Quick Scan

Objects scanned: 109008

Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-11-29, 18:12:12, Auto-clean mode specified.

2009-11-29, 18:12:12, Initialized Rootkit Driver version 2.2.0.1004.

2009-11-29, 18:12:12, Running scanner "C:\DCE\TSC.BIN"...

2009-11-29, 18:12:20, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-11-29, 18:12:20, TSC Log:


Step 1

Use the MS IE Reset Fixit tool

http://go.microsoft.com/?linkid=9646978

Before using the IE Reset Fix-It Tool, please read Knowledge Base Article ID: 923737 at Microsoft.

http://support.microsoft.com/kb/923737

This tool applies to

* Windows Internet Explorer 7 for Windows XP

* Windows Internet Explorer 7 in Windows Vista

* Windows Internet Explorer 8

It is not intended for Windows 7.

Step 2

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Step 3

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Reply with copy of the Eset scan log

and the Gmer.txt log

and tell me, How is your system now ?


My problem still exists. I also noticed something else ... even with IE8 closed, I am getting an advertisement over my speakers. It was for a Target Store 2 day sale. This issue may well have been there all along, I rarely turn my speakers on. I did a Ctrl/Alt/Delete and noticed that iexplorer is running secretively in the background. If I stop the iexplorer, the advertisement stops. I stand ready for your next instruction. THANKS! Mark

Here are my logs.

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-11-30 14:03:44

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtdapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xA61D35EE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xA61D3E6E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xA61D4984]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xA61D4EF6]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xA61D4150]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xA61D2498]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xA61D4DCE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xA61D31F4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xA61D4C8A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xA61D33B0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xA61D5028]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xA61D6C6A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xA61D3B0C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xA61D4D2C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDebugActiveProcess [0xA61D665C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xA61D2A5C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xA61D2DEA]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xA61D45D8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xA61D762C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xA61D2F2C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xA61D2FD6]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xA61D43E4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xA61D66EE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xA61D2474]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xA61D2486]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwMapViewOfSection [0xA61D6D1E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xA61D3122]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xA61D4F98]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xA61D3EF0]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xA61D263E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xA61D4E66]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xA61D37F4]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xA61D6C94]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xA61D50CA]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xA61D3718]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xA61D3080]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xA61D2CA8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQuerySection [0xA61D7036]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xA61D28F8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xA61D6984]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xA61D2B70]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xA61D2312]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xA61D5454]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xA61D531A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xA61D63FC]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xA61D9E8E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xA61D750E]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xA61D22AA]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xA61D46BE]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xA61D3D2A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xA61D5CAC]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xA61D67E8]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xA61D7176]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xA61D2780]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xA61D725A]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xA61D7382]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xA61D6588]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xA61D396C]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xA61D38C2]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0xA61D6EEC]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xA61D3A4C]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP A61C8572 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP A61C894C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)

.text ntkrnlpa.exe!ZwCallbackReturn + 2C8C 80504528 16 Bytes [b0, 33, 1D, A6, 28, 50, 1D, ...] {MOV AL, 0x33; SBB EAX, 0x1d5028a6; CMPSB ; PUSH 0x6c; SBB EAX, 0x1d3b0ca6; CMPSB }

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 8 Bytes JMP D8A61D2D

.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045E4 12 Bytes [EE, 66, 1D, A6, 74, 24, 1D, ...]

.text ntkrnlpa.exe!ZwCallbackReturn + 2EC4 80504760 9 Bytes [70, 2B, 1D, A6, 12, 23, 1D, ...] {JO 0x2d; SBB EAX, 0x1d2312a6; CMPSB ; PUSH ESP}

.text ntkrnlpa.exe!ZwCallbackReturn + 2ECE 8050476A 6 Bytes [1D, A6, 1A, 53, 1D, A6] {SBB EAX, 0x1d531aa6; CMPSB }

.text ...

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7FC5360, 0x3535DF, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1356] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\nvata \Device\Harddisk0\DR0 8AA81369

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b00026@001f6be80c18 0xF8 0x28 0xAC 0x41 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\111111111111

Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272b00026 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272b00026@001f6be80c18 0xF8 0x28 0xAC 0x41 ...

Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\111111111111 (not active ControlSet)

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3082CB68-16E8-F62F-5027-5C240F4FAD65}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3082CB68-16E8-F62F-5027-5C240F4FAD65}@eabigeghho 0x66 0x61 0x68 0x68 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3082CB68-16E8-F62F-5027-5C240F4FAD65}@daeibglj 0x64 0x62 0x70 0x66 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3082CB68-16E8-F62F-5027-5C240F4FAD65}@iajggbdlmljpbanado 0x69 0x61 0x6A 0x6C ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3082CB68-16E8-F62F-5027-5C240F4FAD65}@hapfipfaoekjlmmf 0x69 0x61 0x6A 0x6C ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----

ESET

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.16915 (vista_gdr.090826-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=4149afd6db3e5940bc45526945ebbf71

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-11-30 06:00:08

# local_time=2009-11-30 01:00:08 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=768 16777215 100 0 77578332 77578332 0 0

# compatibility_mode=1280 16777191 100 0 0 0 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=82820

# found=4

# cleaned=4

# scan_time=2087

C:\Downloads\almerbackup[1].4.8.cracked-tsrh\almerbackup.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Downloads\Nero-8.2.8.0 with Serial\Nero-8.2.8.0_eng_update.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Downloads\registry fix\registryfix.exe a variant of Win32/Adware.ErrorClean application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\AlmerBackup\almerbackup.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C

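Reading a GMER log like the one in the post above by hand is tedious and easy to get wrong: the SSDT section is dozens of near-identical lines, and the two entries that matter most (a "Device ->" line on the physical disk object and a "suspicious modification" on the same driver file) are far apart. The script below is an added example, not part of the thread and not a GMER or Malwarebytes component. It parses the SSDT, Devices and Files sections, groups SSDT hooks by the module that owns them, reports hooks GMER could not attribute to a vendor, and correlates a disk device redirect with a modified driver file. The sample log embedded in it is constructed to mimic GMER 1.0.15's output format; the driver name qwertzuiop.sys, the addresses and the allow-list of expected hook vendors are assumptions for illustration.

```python
"""Triage helper for GMER-style rootkit scan logs.

Added example, not part of the original thread and not a GMER or Malwarebytes
component. It parses the SSDT, Devices and Files sections of a GMER 1.0.15
log, groups SSDT hooks by the module that owns them, and correlates a
"Device ->" entry on the physical disk device object with a "suspicious
modification" report on the same driver file.
"""
import re
from collections import defaultdict

# Assumption for the example: vendors whose kernel hooks are expected on the
# machine (here, the AV product seen in the posted scan). Hooks from anyone
# else are reported for review; this script does not declare them malicious.
KNOWN_HOOK_VENDORS = {"Kaspersky Lab", "Microsoft Corporation"}

# Constructed sample log that mimics GMER's output format. The driver name
# qwertzuiop.sys and the addresses are placeholders, not real scan data.
SAMPLE_LOG = r"""
GMER 1.0.15.15252 - http://www.gmer.net
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xA61D4150]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xA61D37F4]
SSDT \??\C:\WINDOWS\system32\drivers\qwertzuiop.sys ZwQueryDirectoryFile [0xB1A20C10]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device -> \Driver\nvata \Device\Harddisk0\DR0 8AA81369
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"          # path of the module owning the hook
    r"(?:\s+\((?P<desc>[^)]*)\))?"      # optional "(description/Vendor)"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
DEVICE_RE = re.compile(
    r"^Device\s+->\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")


def parse_gmer(log_text):
    """Return the entries of interest from each section of the log."""
    hooks = defaultdict(list)   # module path -> [(function, address), ...]
    vendors = {}                # module path -> vendor string, or None if GMER gave none
    devices, files = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks[m["module"]].append((m["func"], m["addr"]))
            desc = m["desc"]
            vendors[m["module"]] = desc.rsplit("/", 1)[-1].strip() if desc else None
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append((m["driver"], m["device"], m["addr"]))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m["path"])
    return {"hooks": dict(hooks), "vendors": vendors, "devices": devices, "files": files}


def triage(log_text):
    """Turn parsed entries into the findings a helper would ask about first."""
    p = parse_gmer(log_text)
    findings = {"unidentified_hooks": [], "unexpected_vendor_hooks": [],
                "disk_redirects": [], "modified_files": list(p["files"])}
    for module, hook_list in p["hooks"].items():
        vendor = p["vendors"][module]
        if vendor is None:
            # GMER could not attribute the hooking module to any vendor: the
            # usual look of a randomly named rootkit driver.
            findings["unidentified_hooks"].append({"module": module, "count": len(hook_list)})
        elif vendor not in KNOWN_HOOK_VENDORS:
            findings["unexpected_vendor_hooks"].append({"module": module, "vendor": vendor})
    modified_names = {path.rsplit("\\", 1)[-1].lower() for path in p["files"]}
    for driver, device, addr in p["devices"]:
        if not device.lower().startswith(r"\device\harddisk"):
            continue
        # "Device -> \Driver\X \Device\Harddisk0\DR0 <addr>" means the disk's
        # device object no longer resolves to its driver in the normal way.
        # Heuristic used here: if that driver's file is also reported as
        # modified, treat it as a strong indicator of a disk-miniport rootkit.
        driver_file = driver.rsplit("\\", 1)[-1].lower() + ".sys"
        severity = "high" if driver_file in modified_names else "medium"
        findings["disk_redirects"].append(
            {"driver": driver, "device": device, "address": addr, "severity": severity})
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run against a saved Gmer.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. The vendor allow-list is deliberately small: the point is to surface every hook that is not obviously explained by an installed security product, not to decide on its own what is malicious, which is still the analyst's call, as the helper's caution about false positives says.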

I just looked at the ESET log file. It references:

C:\Downloads\almerbackup[1].4.8.cracked-tsrh\almerbackup.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Downloads\Nero-8.2.8.0 with Serial\Nero-8.2.8.0_eng_update.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Downloads\registry fix\registryfix.exe a variant of Win32/Adware.ErrorClean application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\AlmerBackup\almerbackup.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C

All of these files have been on my computer for at least year. I could be wrong, but I do not believe these files are related to my current problem.

Mark


See this Microsoft article, and try the methods listed there (as needed) to see if issues in Internet Explorer can be cleared up.

http://windows.microsoft.com/en-US/windows...ternet-Explorer

Next, close all open browsers at this point. Disable your antivirus program for the time being

Start Internet Explorer (fresh) and go here and run an online scan with BitDefender

Click the Start Scanner now. Next a popup window will appear {make sure your browser is not blocking popups}.

Click the box to agree to the Terms and conditions, and click Start here.

You should see a message to load BitDefenders ActiveX control. Right-click the yellow bar and select Install.

Press the INSTALL button when prompted again.

When the ActiveX Control has loaded, click on "Start scan" and grab a coffee or favorite drink and take a long break.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop.

Then click on the saved file and allow it to open with your browser. Go to Edit > Select All then copy the log and paste it back here.

Now, re-enable your antivirus program.


Things have gone from bad to worse. Yesterday I wanted to see how the system would behave in safe mode. I got a blue screen of death. I then tried to do a normal boot and I got the bsd also. I tried to boot under last known good configuration - same bsd. Sadly I had my system restore disabled as part of my trying to get the computer working so when I booted with ERD Commander, the system restore did not have any restore points. I'm dead in the water right now. No data is lost, but I cannot boot up. Any ideas as to what I can do? Or am I looking at buying a new hard drive, installing the OS and then copying my data files over? Who would have thought that trying to boot in safe mode would cause things to crash?????


It is quite late now, but it is never, ever suggested to disable System Restore or delete system restore points!

At the start of all this, I had asked that you not run anything other than what I guided you on.

Just so you know also, starting an infected system in Safe mode can cause malware to make things worse (as you found out) and that is why I rarely do that, and if so, only after having done other preliminaries.

If you have the Windows XP PRO operating system CD, then you can attempt to use the Recovery Console, for limited tasks.

Let me know if you have that CD.

Advise if you had made a recent offline backup of this system.

Otherwise, you may consider getting a Hiren's boot CD, so that you can possibly save your files & documents.

It may be downloaded here http://www.hirensbootcd.net/details/10.0.html

It is a quite sizable download of nearly 190-200 MB.

Obviously you'll have to do that using another system, one with a CD burner.

Extract all of the download into a unique folder. Then double-click on "BurnToCD.cmd".

The other alternative, if you know how & have another system, is to remove this HD and place it as a secondary drive in another, so that then you could save your personal files & documents.


P.S. Re-read this thread. This system should already have the Recovery Console on it.

Very carefully, when you first reboot or Restart this system, one of the choices is for "Microsoft Windows Recovery Console".

Please restart system and see if you can select that. You usually only have a few seconds to make choice.

Let me know.

If and only if you miss the bootup choices, retry again and tap and re-tap F8 right away as the (BIOS) system is starting up.

Do not wait for Windows GUI to load.


The system did have the recovery console as a boot up option. The option to use the recovery console no longer shows up. No matter what mode I try to boot in, safe, normal, or last known good, the Windows splash screen comes on for a couple seconds, then the blue screen flashes on for a half a second, then the computer restarts - asking how I want to boot, in safe, normal ... etc. Using a program called ERD Commander, I can boot up in a Windows shell and see that I have not lost any data. Is there anything the recovery console on the Windows CD can help me with OR am I faced with saving my data and reloading the OS? Thanks for your help.


The bootup option into Recovery Console must still be there. Did you press F8 right away when the system was restarting?

Or if you have the XP CD, do you know how to start in Recovery Console?

Use Recovery Console and attempt to get back old registry saved by Combofix.

You would restart/reboot the system. Repeat the F8 procedure. From Advanced Bootup, select Recovery Console.

You must be able to log in with an administrator-rights account. Either yours or the "Administrator".

Once logged in:

Type in the following carefully:

C:
CD \
CD Windows
CD ERDNT
CD Subs
BATCH ERDNT.CON

Press the Enter key after each of the lines. Take care to type it exactly like here.

Please notice the space after CD (the Change Directory directive) on the 4 lines here!


When I press F8 upon startup the Boot Menu comes up - listing my hard drive and CD-ROMs as options for first boot. The black screen that has the recovery console and Windows XP boot option does not come up. That said, I do know how to boot from the Windows install disc and get into the recovery console from there. I will follow your instructions EXACTLY and get back with you shortly.


Do a little tweak to force the STOP code to show.

When the PC is booting up (after the BIOS has done its POST test and before Windows starts loading), tap the F8 function key to get bootup options. Tap & keep repeatedly tapping F8!

You will actually see "Disable automatic restart on system failure" as an option. Select that and give it a try.

The standard Windows duh-fault is to reboot when a critical error occurs. The above process will turn that off.

I'm afraid you will still get the blue screen, but at least now you will have the code.
