
Google Redirect - need help, please?



Hi,

I'd like to ask for some help. I've had the Google Redirect Virus for a week or so. Had Windows XP Recovery Virus last week and was forced to have the whole computer wiped and the system reinstalled. Now the Google Redirect is back. I feel like I'm going round in circles reading all the various suggestions on how to get rid of it.

I've run Microsoft Security Essentials (which found nothing) and done two scans with Malwarebytes (which also found nothing) but I'm still getting redirected.

I realise the Google Redirect virus has been covered in other threads but they appear to have different info in them and I'm totally confused as to what to do next.

Can anyone help, please? I'd be most grateful.

Thanks


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


Thanks screen317! I really appreciate your help.

The logs are posted below. I didn't have my (Seagate) external hard drive plugged in when I ran the scans. I had to use the hard drive on Sunday (after I noticed the Google Redirect Virus was on my computer again on Saturday night), but I didn't use Internet Explorer or connect to the web while the hard drive was plugged in. I think I either got the virus from a website on Saturday night or from the USB stick on which I'd had to transfer all my data when I had the system re-installed last week (I had the USB stick checked with an anti-virus though and it said it was clean). Could you advise me on whether it's necessary to run the Malware & DDS scans with the external hard drive plugged in, please? Is it possible that the virus could have affected that too?

Thanks again!

Here are the logs:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6722

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

01/06/2011 09:37:51

mbam-log-2011-06-01 (09-37-51).txt

Scan type: Quick scan

Objects scanned: 152998

Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------------------DDS text from Notepad -------------------------------------

.

DDS (Ver_11-05-19.01) - FAT32x86

Internet Explorer: 8.0.6001.18702

Run by Jamie at 9:39:03 on 2011-06-01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1523 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

SVCHOST.EXE

C:\Acer\Empowering Technology\admServ.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Acer\Empowering Technology\admtray.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

SVCHOST.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Digidesign\Drivers\MMERefresh.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Acer\OrbiCam\CameraAssistant.exe

C:\WINDOWS\system32\ElkCtrl.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

SVCHOST.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\DOCUME~1\Jamie\LOCALS~1\Temp\RtkBtMnt.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jamie\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [LaunchApp] Alaunch

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe

mRun: [<NO NAME>]

mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe

mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe

mRun: [LogitechCameraAssistant] c:\program files\acer\orbicam\CameraAssistant.exe

mRun: [LogitechVideo[inspector]] c:\program files\acer\orbicam\InstallHelper.exe /inspect

mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: cnet.com\download

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxdev.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

============= SERVICES / DRIVERS ===============

.

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2011-5-26 16384]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKslc3ef466b;MpKslc3ef466b;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{359d6942-cbd7-4b06-8836-8644f1a96776}\MpKslc3ef466b.sys [2011-6-1 28752]

R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2011-5-26 16400]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-6-19 1097728]

S1 MpKsl9278e72c;MpKsl9278e72c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ba873dac-f767-4802-817b-45f5c0ac9df5}\mpksl9278e72c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ba873dac-f767-4802-817b-45f5c0ac9df5}\MpKsl9278e72c.sys [?]

S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2011-5-26 97808]

S3 MBX2DFU;MBX2DFU;c:\windows\system32\drivers\mbx2dfu.sys [2011-5-26 21648]

S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2011-5-26 21904]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-5-26 32512]

.

=============== Created Last 30 ================

.

2011-06-01 08:29:41 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{359d6942-cbd7-4b06-8836-8644f1a96776}\MpKslc3ef466b.sys

2011-05-30 14:07:47 -------- d-----w- c:\documents and settings\jamie\application data\Malwarebytes

2011-05-30 14:07:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-30 14:07:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-30 14:07:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-30 14:07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-30 08:17:43 6962000 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{359d6942-cbd7-4b06-8836-8644f1a96776}\mpengine.dll

2011-05-30 08:10:01 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-05-30 08:10:01 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-28 15:22:08 -------- d-----w- c:\documents and settings\jamie\local settings\application data\Google

2011-05-27 14:41:18 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-05-27 14:41:18 215920 ----a-w- c:\windows\system32\muweb.dll

2011-05-27 14:41:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-05-26 19:24:47 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-05-26 19:21:48 -------- d-----w- c:\documents and settings\jamie\application data\Digidesign

2011-05-26 19:21:22 -------- d-----w- C:\Digidesign Databases

2011-05-26 19:21:13 -------- d-----w- c:\program files\common files\PACE Anti-Piracy

2011-05-26 19:21:13 -------- d-----w- c:\documents and settings\jamie\local settings\application data\PACE Anti-Piracy

2011-05-26 19:21:13 -------- d-----w- c:\documents and settings\jamie\application data\PACE Anti-Piracy

2011-05-26 19:21:13 -------- d-----w- c:\documents and settings\all users\application data\PACE Anti-Piracy

2011-05-26 19:16:27 -------- d-----w- c:\program files\InterLok

2011-05-26 19:16:25 -------- d-----w- c:\windows\Downloaded Installations

2011-05-26 19:16:20 16384 ----a-w- c:\windows\system32\drivers\DigiFilt.sys

2011-05-26 19:15:44 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-05-26 19:15:44 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-05-26 19:13:29 196608 ----a-w- c:\windows\system32\Digi32.dll

2011-05-26 19:08:40 -------- d-----w- c:\documents and settings\jamie\local settings\application data\Temp

2011-05-26 18:53:24 -------- d-----w- c:\documents and settings\jamie\local settings\application data\Adobe

2011-05-26 14:23:28 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-26 14:21:40 -------- d-----w- c:\program files\Microsoft Security Client

2011-05-26 13:30:52 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2011-05-26 13:13:32 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll

2011-05-26 13:13:32 32656 ----a-w- c:\windows\system32\msonpmon.dll

2011-05-26 13:11:58 -------- d-----w- c:\program files\common files\ODBC

2011-05-26 13:09:57 -------- d-----w- c:\windows\SHELLNEW

2011-05-26 13:09:44 -------- d-----w- c:\documents and settings\jamie\local settings\application data\Microsoft Help

2011-05-26 13:05:59 -------- d-sh--w- c:\documents and settings\jamie\IECompatCache

2011-05-26 13:05:48 -------- d-sh--w- c:\documents and settings\jamie\PrivacIE

2011-05-26 13:05:46 -------- d-sh--w- C:\Recycled

2011-05-26 13:04:45 -------- d-sh--w- c:\documents and settings\jamie\IETldCache

2011-05-26 12:56:26 -------- d-----w- c:\program files\MSXML 4.0

2011-05-26 12:54:50 7680 ------w- c:\windows\system32\dllcache\iecompat.dll

2011-05-26 12:54:37 -------- d-----w- c:\windows\ie8updates

2011-05-26 12:54:33 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2011-05-26 12:54:33 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll

2011-05-26 12:54:33 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-05-26 12:54:33 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2011-05-26 12:54:33 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll

2011-05-26 12:54:33 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2011-05-26 12:54:32 11080704 ------w- c:\windows\system32\dllcache\ieframe.dll

2011-05-26 12:53:25 -------- d--h--w- c:\windows\ie8

2011-05-26 12:47:51 455936 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2011-05-26 12:46:49 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2011-05-26 12:46:41 45568 ------w- c:\windows\system32\dllcache\wab.exe

2011-05-26 12:46:02 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll

2011-05-26 12:45:55 978944 ------w- c:\windows\system32\dllcache\mfc42.dll

2011-05-26 12:45:55 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2011-05-26 12:45:22 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2011-05-26 12:44:51 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2011-05-26 12:43:43 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2011-05-26 12:43:40 81920 ------w- c:\windows\system32\dllcache\fontsub.dll

2011-05-26 12:43:40 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

2011-05-26 12:43:34 293376 ------w- c:\windows\system32\browserchoice.exe

2011-05-26 12:43:16 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2011-05-26 12:42:34 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2011-05-26 12:40:58 203136 ------w- c:\windows\system32\dllcache\rmcast.sys

2011-05-26 12:40:47 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2011-05-26 12:40:33 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

2011-05-26 12:39:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-05-26 12:39:48 218112 ------w- c:\windows\system32\dllcache\wordpad.exe

2011-05-26 11:49:48 -------- d-----w- c:\windows\ServicePackFiles

2011-05-26 11:47:04 19569 ----a-w- c:\windows\003065_.tmp

2011-05-26 11:32:45 -------- d-----w- c:\windows\system32\PreInstall

2011-05-26 11:31:19 -------- d-sh--w- c:\documents and settings\jamie\UserData

2011-05-26 11:16:57 -------- d-----w- c:\windows\system32\appmgmt

2011-05-26 11:10:11 -------- d-----w- c:\windows\Acer

2011-05-26 11:08:15 245824 ----a-r- c:\windows\Instexec.exe

2011-05-26 11:07:59 167936 ----a-w- c:\windows\system32\VxLib.dll

2011-05-26 11:07:59 1645320 ----a-w- c:\windows\system32\gdiplus.dll

2011-05-26 11:07:59 151552 ----a-w- c:\windows\system32\VLib.dll

2011-05-26 11:07:57 39424 ----a-w- c:\windows\system32\VxLibRes.dll

2011-05-26 11:07:57 -------- d-----w- c:\program files\Acer

2011-05-26 11:06:25 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe

2011-05-26 11:05:08 81920 ----a-w- c:\windows\system32\packet.dll

2011-05-26 11:05:08 61440 ----a-w- c:\windows\system32\WanPacket.dll

2011-05-26 11:05:08 233472 ----a-w- c:\windows\system32\wpcap.dll

2011-05-26 11:05:07 78208 ----a-w- c:\windows\system32\drivers\epm-shd.sys

2011-05-26 11:05:07 53299 ----a-w- c:\windows\system32\pthreadVC.dll

2011-05-26 11:05:07 4096 ----a-w- c:\windows\system32\drivers\epm-psd.sys

2011-05-26 11:05:07 32512 ----a-w- c:\windows\system32\drivers\npf.sys

2011-05-26 11:05:07 -------- d-----w- c:\program files\WinPCap

2011-05-26 11:04:46 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys

2011-05-26 11:03:07 61440 ----a-w- c:\windows\system32\acerGina.dll

2011-05-26 11:02:38 -------- d-----w- c:\program files\Launch Manager

2011-05-26 11:02:36 5120 ----a-w- c:\windows\system32\FILTRCOI.DLL

2011-05-26 11:02:36 16896 ----a-w- c:\windows\system32\drivers\DKbFltr.SYS

2011-05-26 11:01:38 53248 ----a-w- c:\windows\system32\acpimof.dll

2011-05-26 11:01:38 225350 ----a-w- c:\windows\system32\Epm-Po.dll

2011-05-26 11:00:36 208896 ----a-w- c:\windows\system32\NVUNINST.EXE

2011-05-26 11:00:34 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll

2011-05-26 11:00:34 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll

2011-05-26 11:00:34 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe

2011-05-26 11:00:34 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll

2011-05-26 11:00:34 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll

2011-05-26 11:00:34 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll

2011-05-26 11:00:33 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll

2011-05-26 10:57:00 -------- d-----w- c:\windows\system32\SoftwareDistribution

2011-05-26 10:55:11 5504 ----a-w- c:\windows\system32\drivers\mstee.sys

2011-05-26 10:55:09 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2011-05-26 10:55:08 16384 ----a-w- c:\windows\system32\ipsink.ax

2011-05-26 10:55:08 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2011-05-26 10:55:07 11136 ----a-w- c:\windows\system32\drivers\slip.sys

2011-05-26 10:55:05 19200 ----a-w- c:\windows\system32\drivers\wstcodec.sys

2011-05-26 10:55:04 85248 ----a-w- c:\windows\system32\drivers\nabtsfec.sys

2011-05-26 10:55:02 17024 ----a-w- c:\windows\system32\drivers\ccdecode.sys

2011-05-26 10:54:55 91136 ----a-w- c:\windows\system32\kswdmcap.ax

2011-05-26 10:54:55 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-05-26 10:54:55 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-05-26 10:54:55 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-05-26 10:54:55 28672 ----a-w- c:\windows\system32\vidcap.ax

2011-05-26 10:54:55 20992 ----a-w- c:\windows\system32\dshowext.ax

2011-05-26 10:54:30 208896 ----a-w- c:\windows\system32\nvudisp.exe

2011-05-26 10:54:30 -------- d-----w- c:\windows\nview

2011-05-26 10:53:11 180224 ----a-w- c:\windows\ADDITEM.EXE

2011-05-26 10:53:11 159821 ----a-w- c:\windows\EMEAPAGE.EXE

.

==================== Find3M ====================

.

2011-05-26 10:53:12 179 ----a-w- c:\windows\HotFix.bat

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:12 1857920 ----a-w- c:\windows\system32\win32k.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST9120821A rev.3.06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x840D04D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x840d67f0]; MOV EAX, [0x840d686c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x84102AB8]

3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000087[0x84144140]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x84151940]

\Driver\atapi[0x841D7F38] -> IRP_MJ_CREATE -> 0x840D04D0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x840D031B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 9:39:36.75 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-05-19.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 26/05/2011 11:58:52

System Uptime: 01/06/2011 09:29:12 (0 hours ago)

.

Motherboard: Acer | | Grapevine

Processor: Intel® Core2 CPU T5600 @ 1.83GHz | U1 | 1828/166mhz

.

==== Disk Partitions =========================

.

C: is FIXED (FAT32) - 53 GiB total, 31.761 GiB free.

D: is FIXED (FAT32) - 54 GiB total, 53.556 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 26/05/2011 11:58:58 - System Checkpoint

RP2: 26/05/2011 12:01:38 - Installed Acer ePower Management

RP3: 26/05/2011 12:03:06 - Installed Acer eNet Management

RP4: 26/05/2011 12:06:24 - Installed eRecovery

RP5: 26/05/2011 12:07:17 - Installed Windows XP KB909667.

RP6: 26/05/2011 12:07:56 - Installed Acer OrbiCam

RP7: 26/05/2011 12:09:11 - Installed eDataSecurity

RP8: 26/05/2011 12:16:20 - Removed Adobe Reader 7.0

RP9: 26/05/2011 12:32:25 - Software Distribution Service 3.0

RP10: 26/05/2011 12:47:07 - Installed Windows XP Service Pack 3.

RP11: 26/05/2011 13:48:33 - Software Distribution Service 3.0

RP12: 26/05/2011 14:09:24 - Installed Microsoft Office Enterprise 2007

RP13: 26/05/2011 14:13:31 - Printer Driver Send To Microsoft OneNote Driver Installed

RP14: 26/05/2011 15:23:27 - Software Distribution Service 3.0

RP15: 26/05/2011 20:05:28 - Installed Adobe Reader X (10.0.1).

RP16: 26/05/2011 20:11:54 - Installed Pro Tools LE

RP17: 26/05/2011 20:12:50 - Installed Digidesign Shared Plug-Ins

RP18: 26/05/2011 20:13:04 - Installed Free Bomb Factory Plug-Ins

RP19: 26/05/2011 20:24:04 - Software Distribution Service 3.0

RP20: 27/05/2011 15:47:48 - Unsigned driver install

RP21: 27/05/2011 15:48:46 - Software Distribution Service 3.0

RP22: 27/05/2011 16:20:40 - Unsigned driver install

RP23: 28/05/2011 16:47:38 - Software Distribution Service 3.0

RP24: 28/05/2011 22:03:47 - Software Distribution Service 3.0

RP25: 30/05/2011 08:50:52 - Software Distribution Service 3.0

RP26: 30/05/2011 09:08:34 - Restore Operation

RP27: 30/05/2011 09:17:34 - Software Distribution Service 3.0

RP28: 30/05/2011 16:11:11 - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Acer eDataSecurity Management

Acer eDataSecurity Management 1.00.26

Acer eLock Management

Acer Empowering Technology framework

Acer eNet Management

Acer ePerformance Management

Acer ePower Management

Acer ePresentation Management

Acer eSettings Management

Acer GridVista

Acer OrbiCam Driver

Acer OrbiCam Software

Acer Screensaver

Adobe Reader X (10.0.1)

Digidesign Free Bomb Factory Plug-Ins 7.4

Digidesign Pro Tools LE 7.4

Digidesign Shared Plug-Ins 7.4

HDAUDIO Soft Data Fax Modem with SmartCP

High Definition Audio Driver Package - KB888111

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB976002-v5)

Intel® PROSet/Wireless Software

Interlok driver setup x32

Launch Manager

Learn2 Player (Uninstall Only)

LightScribe 1.4.97.1

Malwarebytes' Anti-Malware

mCore

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.0 Hotfix (KB979904)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Security Client

Microsoft Security Essentials

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

mMHouse

mPfMgr

mProSafe

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

mWlsSafe

mXML

NTI Backup NOW! 4.5

NTI CD & DVD-Maker

NVIDIA Drivers

Otto

PowerDVD

PowerProducer

QuickTime

RealPlayer Basic

Realtek High Definition Audio Driver

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2466156)

Security Update for 2007 Microsoft Office System (KB2509488)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft Office Access 2007 (KB979440)

Security Update for Microsoft Office Excel 2007 (KB2464583)

Security Update for Microsoft Office Groove 2007 (KB2494047)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office Publisher 2007 (KB2284697)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2497640)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

Sonic Encoders

Synaptics Pointing Device Driver

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office Outlook 2007 (KB2509470)

Update for Outlook 2007 Junk Email Filter (KB2536413)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update Rollup 2 for Windows XP Media Center Edition 2005

Viewpoint Media Player

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Media Format Runtime

Windows XP Media Center Edition 2005 KB2502898

Windows XP Media Center Edition 2005 KB912067

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

30/05/2011 09:10:49, error: Microsoft Antimalware [2004] - Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x80070002 Error description: The system cannot find the file specified. Signature version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0

29/05/2011 17:02:18, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

29/05/2011 17:02:18, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.

27/05/2011 21:58:02, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.593.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

27/05/2011 18:30:33, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

27/05/2011 15:24:24, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0018DE6BABE8 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

26/05/2011 19:10:46, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0016D4585CFB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

26/05/2011 19:07:20, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0018DE6BABE8. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

26/05/2011 18:19:19, error: Dhcp [1002] - The IP address lease 172.27.192.61 for the Network Card with network address 0016D4585CFB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

26/05/2011 17:58:00, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

26/05/2011 14:39:59, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}

.

==== End Of File ===========================


  • Staff

Hi,

Best to leave it plugged in just to be sure.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
