infection help 2

[GarryR]

started having trouble a few days ago.... browser hijackin/google search redirect

automatic updates not working for antivirus and spyware removal programs[did a manual update]

Sound from internal speaker stopped .. headphones work ok

epoclick--googleanalystics...ect.

went thru self analysis ....

ran anti virus.- Panda

spyware tools - spybot and Ad Aware

Still not completely right so I found this site

downloaded and ran Malwarebytes

and still struggling

seems OK for a little bit then returns

today

ran TDSS KILLER and Combo fix

THEN discovered the thread "INFECTED_WHAT DO I DO NOW " and am following those directions :::>>>

here is Malwarebytes Log ...with the rest to follow

ran defogger >>>>DDS.TXT follows"

Attach.zip included with ark.txt file

the GMER program with goes BLUE Screen and reboots and or freezes at \cdfs

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4928

Windows 6.0.6000

Internet Explorer 7.0.6000.16982

10/27/2010 2:16:02 PM

mbam-log-2010-10-27 (14-16-02).txt

Scan type: Full scan (C:\|)

Objects scanned: 261142

Time elapsed: 2 hour(s), 5 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

__________________________________________________

DDS (Ver_10-10-21.02) - NTFSx86

Run by Garry at 17:49:29.97 on Wed 10/27/2010

Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_21

Microsoft

Attach.zip

[Maurice Naggar]

Hello GarryR,

Your logs showed some peer-to-peer filesharing apps. LimeWire 5.5.14, and BitTorrent

De-install them before we proceed forward. These types of apps leave an open door for re-infections.

I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Confirm that you have removed these apps.

[GarryR]

Hello GarryR,

Your logs showed some peer-to-peer filesharing apps. LimeWire 5.5.14, and BitTorrent

De-install them before we proceed forward. These types of apps leave an open door for re-infections.

I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.

File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

P2P file sharing: Know the risks

Confirm that you have removed these apps.

apps have been removed

[Maurice Naggar]

Hello GarryR.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not GarryR and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

• Click the Start button, and then click Computer.
  
• On the Organize menu, click Folder and Search Options.
  
• Click the View tab.
  
• Locate and uncheck Hide file extensions for known file types.
  
• Locate and uncheck Hide protected operating system files (Recommended).
  
• Locate and click Show hidden files and folders.
  
• Click Apply > OK.
  

Step 3

• Please download

Rootkit Unhooker and save it to your desktop.
Double-click RKUnhookerLE.exe to run it. If running Windows 7 or Vista, do a Right-Click on RKUnhookerLE and select Run As Administrator.
Click the Report tab, then click Scan
Check Drivers, Stealth Code, Files, and Code Hooks
Uncheck the rest, then click OK
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished then go File > Save Report
Save the report somewhere you can find it. Click Close
This log may be very large so please use multiple posts if need be.

Note:You may get this warning. If so, please ignore it.

"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Copy the entire contents of the report and paste it in a reply here for review.

Step 4

First, make sure you have saved all your work before you begin, and close your open apps.

Close all open windows on the Task Bar.

Note: If using Firefox browser, right-click on any download links and choose Save As

Please download OTH to your desktop

Please download OTL to your desktop

Double click the OTH file to run it and click Kill All Processes button, your desktop will go blank. (That is normal & expected).

If running on Windows 7 or Vista, to start tools, do a RIGHT-Click and then select "Run As Administrator".

Then press Start OTL button. OTL will now run. If prompted to allow it to run, press YES.

• In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  
• Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  
• It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  
• Exit OTL by clicking the X at top right.
  

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
  
• Follow the onscreen instructions inside of the command window.
  
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
  

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

• the contents of RootkitUnhooker log
  
• the contents of OTL.txt
  
• the contents of Extras.txt
  
• the contents of checkup.txt
  

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

[GarryR]

Maurice,

Thanks for your help !!!....following directions above I downloaded all 4 programs and ran ERUNT ,no problem...went onto step 3 "run as Admin." and the first window pops up with the WARNING of parasite, How do I IGNORE ?....I have clicked RED "X" and Cancel and both times another window opens up "PROGRAM INTEGRITY DAMAGED" and then closes up without loading......

what am i doing wrong ?

Garry

[Maurice Naggar]

My supposition is that you have a serious infection that is keeping tools from running.

To close a "rogue" press and Hold ALT key & then press F4-key

Are you running OTH ? did you press Kill All Processes

[Maurice Naggar]

Sorry I mis-read where you were in the process.

Do what you can to run Rootkitunhooker.

If stuck or no joy, proceed forth to step # 4.

[GarryR]

no OTH...yet was following in order directed....I will go attempt ALT key

if that does not work ...should I run OTH first and then back up and attempt Rootkit unhooker ?

[Maurice Naggar]

If need be, run OTH Kill All Processes first

followed by OTH "Run Misc Programs" and select/guide it to execute RootkitUnhooker

then you can return, and run OTL from the OTH menu or just start OTL.scr

[GarryR]

If need be, run OTH Kill All Processes first

followed by OTH "Run Misc Programs" and select/guide it to execute RootkitUnhooker

then you can return, and run OTL from the OTH menu or just start OTL.scr

No Luck with running Rootkit Unhooker...same thing happens as mentioned above.

But I do have other program logs completed and they will follow::

OTL.TXT

OTL logfile created on: 10/30/2010 4:22:43 PM - Run 1

OTL by OldTimer - Version 3.2.17.1 Folder = C:\Users\Garry\Desktop

Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6000.16982)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 547.00 Mb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 83.41 Gb Total Space | 9.49 Gb Free Space | 11.38% Space Free | Partition Type: NTFS

Drive D: | 9.75 Gb Total Space | 5.62 Gb Free Space | 57.63% Space Free | Partition Type: NTFS

Computer Name: GARRY-PC | User Name: Garry | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/30 15:14:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Garry\Desktop\OTL.scr

PRC - [2010/10/30 15:14:23 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Users\Garry\Desktop\OTH.scr

PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2009/09/17 12:17:32 | 000,293,120 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\pavsrvx86.exe

PRC - [2009/09/07 16:40:04 | 000,198,400 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\AVENGINE.EXE

PRC - [2009/08/10 13:46:08 | 000,173,312 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\PsCtrlS.exe

PRC - [2009/08/10 13:45:52 | 000,169,216 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe

PRC - [2009/04/17 10:17:24 | 000,157,440 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\TPSrv.exe

PRC - [2009/04/08 10:56:24 | 000,226,560 | ---- | M] (Panda Security International) -- c:\Program Files\Panda Security\Panda Global Protection 2010\FIREWALL\PSHost.exe

PRC - [2008/06/27 13:23:00 | 000,091,392 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\SrvLoad.exe

PRC - [2008/06/19 12:59:50 | 000,108,288 | ---- | M] (Panda Security S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\PsImSvc.exe

PRC - [2008/02/04 17:26:48 | 000,062,768 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Common Files\Panda Security\PavShld\PavPrSrv.exe

PRC - [2006/11/07 22:13:56 | 000,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\stacsv.exe

PRC - [2006/11/02 05:44:50 | 000,088,064 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\audiodg.exe

PRC - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\agrsmsvc.exe

========== Modules (SafeList) ==========

MOD - [2010/10/30 15:14:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Garry\Desktop\OTL.scr

MOD - [2009/08/10 13:46:00 | 000,148,736 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\PavTrc.dll

MOD - [2009/08/10 13:45:54 | 000,095,488 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Global Protection 2010\PavOEpl.dll

MOD - [2009/03/30 18:22:58 | 000,518,400 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\System32\PavSHook.dll

MOD - [2009/03/30 18:22:58 | 000,087,296 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\System32\PavLspHook.dll

MOD - [2007/02/08 10:53:40 | 000,107,568 | ---- | M] (Panda Software) -- C:\WINDOWS\System32\SYSTOOLS.DLL

MOD - [2006/11/02 05:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/10/12 18:50:36 | 001,357,464 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/09/17 12:17:32 | 000,293,120 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2010\pavsrvx86.exe -- (PAVSRV)

SRV - [2009/08/25 13:28:20 | 000,028,928 | ---- | M] (Panda Security, S.L.) [Auto | Stopped] -- C:\Program Files\Panda Security\Panda Global Protection 2010\PskSvc.exe -- (PskSvcRetail)

SRV - [2009/08/10 13:46:08 | 000,173,312 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2010\PsCtrls.exe -- (Panda Software Controller)

SRV - [2009/08/10 13:45:52 | 000,169,216 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2010\PavFnSvr.exe -- (PAVFNSVR)

SRV - [2009/04/17 10:17:24 | 000,157,440 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2010\TPSrv.exe -- (TPSrv)

SRV - [2009/04/08 10:56:24 | 000,226,560 | ---- | M] (Panda Security International) [Auto | Running] -- c:\program files\panda security\panda global protection 2010\firewall\PSHOST.EXE -- (PSHost)

SRV - [2008/07/02 14:09:36 | 000,060,160 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2010\GWMsrv.dll -- (Gwmsrv)

SRV - [2008/06/19 12:59:50 | 000,108,288 | ---- | M] (Panda Security S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Global Protection 2010\PsImSvc.exe -- (PSIMSVC)

SRV - [2008/03/25 21:22:15 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2008/02/04 17:26:48 | 000,062,768 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe -- (PavPrSrv)

SRV - [2006/11/07 22:13:56 | 000,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\System32\stacsv.exe -- (STacSV)

SRV - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\System32\agrsmsvc.exe -- (AgereModemAudio)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\System32\PavTPK.sys -- (PavTPK.sys)

DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\System32\PavSRK.sys -- (PavSRK.sys)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Garry\AppData\Local\Temp\catchme.sys -- (catchme)

DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)

DRV - File not found [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\av5flt.sys -- (AvFlt)

DRV - [2010/10/12 16:58:02 | 000,815,104 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\tcpip.sys -- (Tcpip6)

DRV - [2010/10/12 16:58:02 | 000,815,104 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\tcpip.sys -- (Tcpip)

DRV - [2010/08/12 08:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2010/08/12 08:15:19 | 000,015,008 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)

DRV - [2010/06/28 18:13:09 | 000,013,880 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\COMFiltr.sys -- (ComFiltr)

DRV - [2010/03/23 02:17:06 | 001,170,464 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\RTL85n86.sys -- (RTL85n86)

DRV - [2009/09/30 23:07:44 | 000,075,016 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\APPFLT.SYS -- (APPFLT)

DRV - [2009/09/09 10:29:18 | 000,199,432 | ---- | M] (Panda Security, S.L.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\neti1639.sys -- (NETIMFLT01060039)

DRV - [2009/08/06 12:29:16 | 000,049,160 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\amm8660.sys -- (AmFSM)

DRV - [2009/06/30 17:17:12 | 000,163,336 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\PavProc.sys -- (PavProc)

DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\Windows\system32\Drivers\pavboot.sys -- (pavboot)

DRV - [2009/06/16 13:33:02 | 000,046,728 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\wnmflt.sys -- (WNMFLT)

DRV - [2009/06/16 13:33:00 | 000,159,112 | ---- | M] (Panda Security, S.L.) [TDI Layer] [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\NETFLTDI.SYS -- (NETFLTDI)

DRV - [2009/06/16 13:32:58 | 000,193,800 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\idsflt.sys -- (IDSFLT)

DRV - [2009/06/16 13:32:58 | 000,053,128 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\dsaflt.sys -- (DSAFLT)

DRV - [2009/01/31 15:26:39 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv)

DRV - [2008/03/28 11:25:06 | 000,022,072 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\fnetmon.sys -- (FNETMON)

DRV - [2008/03/04 15:59:42 | 000,041,144 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ShlDrv51.sys -- (ShldDrv)

DRV - [2007/12/06 09:51:00 | 000,298,496 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\yk60x86.sys -- (yukonwlh)

DRV - [2007/06/18 21:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\motmodem.sys -- (motmodem)

DRV - [2007/01/25 21:19:46 | 002,387,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\atikmdag.sys -- (R300)

DRV - [2006/11/28 19:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2006/11/07 22:14:08 | 000,812,032 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\stwrt.sys -- (STHDA)

DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)

DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)

DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)

DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)

DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)

DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)

DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)

DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)

DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)

DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)

DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)

DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)

DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)

DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)

DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)

DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)

DRV - [2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)

DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)

DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)

DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)

DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)

DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)

DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)

DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)

DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)

DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)

DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)

DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)

DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)

DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)

DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)

DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)

DRV - [2006/11/02 05:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)

DRV - [2006/11/02 05:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)

DRV - [2006/11/02 05:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)

DRV - [2006/11/02 05:15:23 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)

DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)

DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)

DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)

DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)

DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)

DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)

DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)

DRV - [2006/11/02 03:36:49 | 000,108,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)

DRV - [2006/11/02 03:30:56 | 002,589,184 | ---- | M] (Intel

[Maurice Naggar]

NOTE: Your Vista is out-of-date. It appears to be the original Vista and is without service pack 1 or 2

The User Account Control is not ON and needs to be ON.

Also, you will need to migrate to Internet Explorer version 8 soon.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Step 1

Check and reset some IE browser settings:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

5. Apply changes & OK

Step 2

• Please RIGHT-click OTL.scr and choose Run As Administrator to start it.
  
• Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  *****************************************************************
  :processes
  killallprocesses
  :files
  recycler /alldrives
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [EMPTYFLASH]
  [Reboot]
  *****************************************************************
  
• Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  
• Close any browser(s) windows that may be open.
  
• Using your mouse, click on the red-lettered button Run Fix.
  
• Once you see a message box "Fix complete! Click OK to open the fix log."
  Click the OK button
  
• The log will open in Notepad (your default text editor).
  
• Save the log. Post a copy of that log in your next reply.
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 3

Temporarily disable your Panda Security antivirus (turn off AV ).

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

• Accept the Terms of Use and press Start button;
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
• Enable (check) the Remove found threats option, and run the scan.
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    

  Look at contents of this file using Notepad or Wordpad.

  The Frequently Asked Questions for ESET Online Scanner can be viewed here

  http://www.eset.com/onlinescan/cac4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    
  • Do not use the system while the scan is running. Once the full scan is underway, go take a long break
    

Re-enable the antivirus program.

Reply with copy of the Eset scan log

and copy of contents of C:\Combofix.txt

[GarryR]

NOTE: Your Vista is out-of-date. It appears to be the original Vista and is without service pack 1 or 2

The User Account Control is not ON and needs to be ON.

Also, you will need to migrate to Internet Explorer version 8 soon.

???

I ran windows update as late as 10/26..so how does Vista get updated ?

How do I Turn on USER ACCOUNT CONTROL?

I normally run firefox an not IE....does an IE8 migration still needed ?

[GarryR]

NOTE: Your Vista is out-of-date. It appears to be the original Vista and is without service pack 1 or 2

The User Account Control is not ON and needs to be ON.

Also, you will need to migrate to Internet Explorer version 8 soon.

???

I ran windows update as late as 10/26..so how does Vista get updated ?

How do I Turn on USER ACCOUNT CONTROL?

I normally run firefox an not IE....does an IE8 migration still needed ?

OK..step one done....

step two ...got to RUN FIX and got message @[resethosts]...STREAM WRITE ERROR...I click OK and it freezes there......wait ...wait ....and

then finally I rebooted sysem to get back here ...it did produce a log on reboot ...saved log and here it is::

*************

Files\Folders moved on Reboot...

C:\Windows\System32\drivers\etc\Hosts moved successfully.

Registry entries deleted on Reboot...

***********

I will not proceed until further direction

sorry for all these troubles and questions

your help is much appreciated

Garry

[GarryR]

your last direction is to included a copy of contents of C:\Combofix.txt

that was run on 10/27...

should I run it again and then copy a current log or include the one from 10/27 ?

[Maurice Naggar]

On UAC, see How do I enable User Account Control in Windows Vista?

http://support.microsoft.com/kb/969417

Yes, even if you use Firefox, you still need to keep Internet Explorer up-to-date. You should get IE 8.

Do NOT rerun Combofix. I simply want to review the log from that last run.

Copy and Paste contents of C:\Combofix.txt

Have you done Step 3 from above: the ESET scan? Need to have copy of that log after you are done.

[GarryR]

On UAC, see How do I enable User Account Control in Windows Vista?

http://support.microsoft.com/kb/969417

Yes, even if you use Firefox, you still need to keep Internet Explorer up-to-date. You should get IE 8.

Do NOT rerun Combofix. I simply want to review the log from that last run.

Copy and Paste contents of C:\Combofix.txt

Have you done Step 3 from above: the ESET scan? Need to have copy of that log after you are done.

UAC is now on..thanks

in process of updateing vista SP 1 and 2

here is combofix txt

have not run ESET yet as step 2 did not run properly....Will complete updates and then attempt step 2 OTL and then step 3 ESET scan and post results

COMBOFIX.txt

ComboFix 10-10-26.03 - Garry 10/27/2010 9:35.1.2 - x86

Microsoft

[GarryR]

I think I am caught up

Vista and IE8 up to date

UAC >>ON

Step one > DON

Step Two >>OTL would not complete ,ran again after all updates were complete,got same error message as mentioned in above reply

moved on to step 3 >>>results follow

STEP 3 ESET SCAN

It did find one infected file and cleaned it

*******Eset Result log*****

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

[Maurice Naggar]

You need to tell me if the browser hijacking or google search redirect is still occuring?

You already have the DDS tool.

Run DDS for a fresh report.

The Copy and paste the contents of DDS.txt and answer my question above.

[GarryR]

You need to tell me if the browser hijacking or google search redirect is still occuring?

You already have the DDS tool.

Run DDS for a fresh report.

The Copy and paste the contents of DDS.txt and answer my question above.

the hijackin and redirect appear to have stopped,no instances today

DDS (Ver_10-10-21.02) - NTFSx86

Run by Garry at 20:48:11.48 on Mon 11/01/2010

Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22

Microsoft

[Maurice Naggar]

Insure that you have latest update of Flash Player

See http://aumha.net/viewtopic.php?f=26&t=44545

Older versions of Adobe Reader pose a potential security risk.

De-install your Adobe Reader:

Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).

{In Classic view, double click Program and features}.

Get latest Adobe Reader version

http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan or any "toolbar" (if offered )

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with latest copy of MBAM scan log, and tell me, How is the system now?

[GarryR]

thanks again for all your help.. things seem to be getting better

here is where I am

Adobe Reader won't let me uninstall ...I get message "System Admin. has set policies to prevent this installation"

I went into properties and tried to change "permissions " it would not let me another error message appeared

"access denied"

how are things currently NOW....

real slow/long time to start up or reboot ...is that due to all the programs we been adding on my desktop ?

the sound which disappeared is not back 100% just pops in and out with no regularity to it/...

all else appears ok as far as i can tell

I won't proceed with other directions until I hear from you

thanks again

Garry

[GarryR]

UPDATE::;...installed flash OK..installed Adobe Reader 9.4 and It removed all older versions

so I proceeded with the MBAM scan and here are the results...GOOD !

the only issue is the sound from internal speaker....headphones are OK...the sound from speaker works sporadically...

is there any help ther you can provide ???

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5023

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

11/2/2010 3:12:38 PM

mbam-log-2010-11-02 (15-12-38).txt

Scan type: Quick scan

Objects scanned: 144968

Time elapsed: 14 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[GarryR]

oh yeah, one more thing..on startup/reboot

I get error message :

Cannot save file C:\windows\ERDNT\autobackup\11-1\2010\SOFTWARE..... and then about 5 more of the same with the last word changing only...

[GarryR]

oh yeah, one more thing..on startup/reboot

I get error message :

Cannot save file C:\windows\ERDNT\autobackup\11-1\2010\SOFTWARE..... and then about 5 more of the same with the last word changing only...

I have shutdown and restarted 3 times this evening and it has not happened again

[Maurice Naggar]

Advise me of how system is today. We can likely wrap this up this evening.