Search engine results redirect [Solved] - Geeks to Go Forums

Search engine results redirect [Solved]

#1 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 18 March 2009 - 06:34 AM

Seem to be having the same search engine results redirect issue that others have posted on this board. I also cannot open the command prompt window. Some of the issues I'm having are quite similar to the March 2nd post "Trojan.dnschanger-codec Google Redirect [Solved], Google hijacked, No Command window". Results that get redirected seem to get pointed to 209.85.171.9.

I've run a bunch of different malware/spyware removal programs, some of which have detected issues, others which came up clean. I can post a HijackThis log if someone can help me out with this problem. Any help would be greatly appreciated!

#2 IndiGenus

  • Group: Member
  • Posts: 1,617
  • Joined: 23-December 06

Posted 18 March 2009 - 10:25 AM

Hi Ben23 and welcome to the forums here at G2G!

We're not using HijackThis any more as our primary tool. Please follow the instructions at the following link. If your problem persists then post both the Rooter and OTListIt2 logs back to this link. Do not start a new topic.

http://www.geekstogo.com/forum/Must-Read-B...-Log-t2852.html

#3 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 18 March 2009 - 01:54 PM

I went through the Malware and Spyware Cleaning Guide. I don't believe the system restore worked, but everything else seems to have worked. Also, my OTListIt2 scan seemed to stop and I received the following notice: "access violation at address 7C9249AB in module 'ntdll.dll' read of address 0000000C"

However, an OTListIt txt file was still generated. Here are the Rooter and OTListIt logs:

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:73171 Mo/Free:812 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Wed 03/18/2009|15:31

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
---------- C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
---------- C:\WINDOWS\system32\tcpsvcs.exe
---------- C:\WINDOWS\system32\wdfmgr.exe
---------- C:\Program Files\Analog Devices\Core\smax4pnp.exe
---------- C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
---------- C:\WINDOWS\system32\dla\tfswctrl.exe
---------- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
---------- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
---------- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
---------- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
---------- C:\Program Files\QuickTime\qttask.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\explorer.exe
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
---------- C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!
1 - "C:\Rooter$\Rooter_1.txt" - Wed 03/18/2009|15:32

----------------------\\ Scan completed at 15:32
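
The Rooter report above lists running processes in NT-native form (`\SystemRoot\...`, `\??\C:\...`) mixed with ordinary Win32 paths and 8.3 short names. The following is an added example, not part of this thread or of the Rooter tool, showing one way to normalise such a list and flag entries worth a closer look: images running outside the Windows and Program Files trees, and short (8.3) paths that cannot be judged until they are resolved on the host. The sample input is a trimmed copy of the log posted above; the trusted-root list and the `system_root` default are this example's assumptions.

```python
"""Normalise a Rooter-style process list and flag entries for manual review.

Added example, not from the forum thread or the Rooter tool. The sample
lines are trimmed from the Rooter log posted in the thread; the trusted
directory roots are an assumption made for this example."""
import ntpath  # pure-Python Windows path handling, usable on any OS
import re

# Constructed sample: a subset of the process section from the posted log.
SAMPLE_ROOTER = r"""----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..
"""

# A process line is exactly ten dashes (or the --Locked-- marker), a space, then the image.
PROCESS_LINE = re.compile(r"^(?P<flag>-{10}|--Locked--) (?P<image>.+)$", re.M)
# A path component containing "~<digit>" is an 8.3 short name (e.g. PROGRA~1).
SHORT_NAME = re.compile(r"~\d")


def normalize_nt_path(image, system_root=r"C:\WINDOWS"):
    """Turn NT-native prefixes into Win32 paths; pseudo-processes return None."""
    if image in ("[System Process]", "System"):
        return None
    if image.startswith("\\??\\"):                      # \??\C:\... -> C:\...
        return image[4:]
    if image.lower().startswith("\\systemroot\\"):       # \SystemRoot\... -> C:\WINDOWS\...
        return system_root + image[len("\\SystemRoot"):]
    return image


def triage_processes(report, system_root=r"C:\WINDOWS", trusted_roots=None):
    """Return (image_path, reason) pairs for processes that deserve a manual look."""
    roots = [r.lower() for r in (trusted_roots or (system_root, r"C:\Program Files"))]
    findings = []
    for match in PROCESS_LINE.finditer(report):
        image = normalize_nt_path(match.group("image"), system_root)
        if image is None:
            continue
        if SHORT_NAME.search(image):
            findings.append((image, "8.3 short name; resolve the long path on the host before judging"))
            continue
        directory = ntpath.dirname(image).lower()
        if not any(directory == root or directory.startswith(root + "\\") for root in roots):
            findings.append((image, "runs outside the Windows and Program Files trees"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_processes(SAMPLE_ROOTER):
        print(f"{path}: {reason}")
```

Two flags come out of the sample: the 8.3 path of `McShield.exe` (which resolves to the McAfee Managed VirusScan directory once expanded on the host) and `C:\Rooter$\RK.exe`, which is the scanner itself. Both are expected here, which is the point: the normaliser reduces a long list to a handful of lines an analyst actually has to decide about.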

#4 IndiGenus

  • Group: Member
  • Posts: 1,617
  • Joined: 23-December 06

Posted 18 March 2009 - 02:14 PM

Can you please post the log from MalwareBytes'? It should be located within the logs folder of the program folder.

#5 IndiGenus

  • Group: Member
  • Posts: 1,617
  • Joined: 23-December 06

Posted 18 March 2009 - 02:18 PM

Also, was there an Extras.Txt log file created? It would be in the OTListIt folder. May not have been with the crash. If so please post that too.

#6 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 18 March 2009 - 02:23 PM

Here is the MalwareBytes log. Don't believe there is an Extras.txt log file, but I will look around a little more.

Malwarebytes' Anti-Malware 1.34
Database version: 1864
Windows 5.1.2600 Service Pack 3

3/18/2009 3:21:52 PM
mbam-log-2009-03-18 (15-21-52).txt

Scan type: Quick Scan
Objects scanned: 78439
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 18 March 2009 - 02:26 PM

I had run MalwareBytes a few weeks ago and did pick up some detections then. Here are two logs that detected infections:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

2/27/2009 2:37:26 PM
mbam-log-2009-02-27 (14-37-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 71082
Time elapsed: 40 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/2/2009 2:09:01 PM
mbam-log-2009-03-02 (14-09-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170714
Time elapsed: 1 hour(s), 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070972.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070978.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070979.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070980.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070982.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070983.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070987.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070989.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
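
The Malwarebytes logs in this thread share a fixed layout: a summary block of `<category> Infected: <count>` lines, then one section per category listing either `(No malicious items detected)` or one detection per line in the form `<object> (<threat>) -> <action>.` The following is an added example, not part of the thread or of Malwarebytes, that parses that layout into structured records, tallies threats by family, and cross-checks each section against the count the scanner reported. The sample log is trimmed from the 2 March 2009 scan posted above; its Files section is deliberately cut to two entries so the count check has something to report. The record field names are this example's own.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs into structured findings.

Added example, not from the forum thread or from Malwarebytes. The sample
log is trimmed from the 2 March 2009 scan posted in the thread; the Files
section is deliberately cut from 8 entries to 2 so that the consistency
check below reports something."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (trimmed from the posted log, see note above).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 170714

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070972.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP767\A0070978.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# "<object> (<threat family>) -> <action>."  The threat name never contains parentheses.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str   # e.g. "Registry Keys Infected"
    obj: str        # registry path, folder or file
    threat: str     # family name as reported, e.g. "Adware.Hotbar"
    action: str     # what the scanner did with it


def parse_mbam_log(text):
    """Return (summary_counts, detections, inconsistencies).

    inconsistencies lists (category, reported_count, listed_count) for every
    section whose itemised lines do not match the count in the summary block,
    which is the first thing to check when a log has been hand-trimmed or cut
    off by a crash."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            counts[m.group("category")] = int(m.group("count"))
        elif (m := SECTION_RE.match(line)):
            section = m.group("category")
        elif section and not line.startswith("(No malicious items"):
            if (m := DETECTION_RE.match(line)):
                detections.append(Detection(section, m.group("obj"), m.group("threat"), m.group("action")))
    inconsistencies = []
    for category, reported in counts.items():
        listed = sum(1 for d in detections if d.category == category)
        if listed != reported:
            inconsistencies.append((category, reported, listed))
    return counts, detections, inconsistencies


def threats_by_family(detections):
    """Count detections per threat family, e.g. {'Adware.Hotbar': 5, ...}."""
    return dict(Counter(d.threat for d in detections))


if __name__ == "__main__":
    counts, dets, bad = parse_mbam_log(SAMPLE_LOG)
    print(threats_by_family(dets))
    for category, reported, listed in bad:
        print(f"{category}: summary says {reported}, log lists {listed}")
```

On the untrimmed logs in this thread every section matches its summary count, and the family tally shows what the text already suggests: the detections are adware (Hotbar, MyWebSearch) plus copies of the same files inside System Restore points, which is why the helper's reply calls them not too serious.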

#8 IndiGenus

  • Group: Member
  • Posts: 1,617
  • Joined: 23-December 06

Posted 18 March 2009 - 02:39 PM

Nothing too serious there.

Let's try a little deeper scan.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
    • In the Rootkit Search section select the Yes radio button.
    • Under Additional Scans check the boxes beside Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - NetSvcs, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - SafeBoot Minimal, Reg - SafeBoot Network, Reg - Session Manager Settings, Reg - Uninstall List, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs ( Last 10 Errors).

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

#9 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 18 March 2009 - 02:59 PM

I got that same access violation error, I think it was during the File-Signature Check, or Evnt - EventViewer Logs part of the scan... Notepad did not open up as a result. Any ideas?

#10 IndiGenus

  • Group: Member
  • Posts: 1,617
  • Joined: 23-December 06

Posted 18 March 2009 - 04:37 PM

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/...rweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


#11 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 19 March 2009 - 06:23 AM

I ran the scan; it found two viruses that seem to be related to my McAfee virus scan. If I click on Cure, it opens a menu that gives three options:

delete incurable
rename incurable
move incurable

How should I proceed?

#12 IndiGenus

  • Group: Member
  • Posts: 1,617
  • Joined: 23-December 06

Posted 19 March 2009 - 06:27 AM

Move

#13 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 19 March 2009 - 07:06 AM

Finished the scan. Moved the two suspicious items it found and saved the csv file. What's next?

#14 IndiGenus

  • Group: Member
  • Posts: 1,617
  • Joined: 23-December 06

Posted 19 March 2009 - 07:23 AM

Please post that log.

#15 Ben23

  • Group: Member
  • Posts: 18
  • Joined: 18-March 09

Posted 19 March 2009 - 07:25 AM

myagtsvc.exe;c:\program files\mcafee\managed virusscan\agent;Probably BACKDOOR.Trojan;Incurable.Moved.;
myasutil4.7.0.631.dll;c:\program files\mcafee\managed virusscan\agent;Probably DLOADER.Trojan;Incurable.Moved.;
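
The two lines above are records from the DrWeb.csv report: semicolon-separated fields of file name, directory, verdict and status, with a trailing empty field. The following is an added example, not part of the thread or of Dr.Web, that parses that format into records and separates heuristic verdicts from signature ones. It assumes, as the example's own reading of Dr.Web naming, that a verdict beginning with "Probably" came from the heuristic analyser rather than a signature match; both sample records fall in that class and point at the same McAfee agent directory, which is useful context when deciding whether the moved files need a second-opinion scan or the product needs reinstalling. The sample input is the two lines posted above.

```python
"""Parse a Dr.Web CureIt report (DrWeb.csv) into structured records.

Added example, not from the forum thread or from Dr.Web. The sample records
are the two lines posted in the thread. Treating a verdict that starts with
"Probably" as heuristic is this example's assumption about Dr.Web naming."""
import csv
import io
import ntpath
from dataclasses import dataclass

# Constructed sample: the two report lines posted in the thread.
SAMPLE_DRWEB_CSV = (
    "myagtsvc.exe;c:\\program files\\mcafee\\managed virusscan\\agent;"
    "Probably BACKDOOR.Trojan;Incurable.Moved.;\n"
    "myasutil4.7.0.631.dll;c:\\program files\\mcafee\\managed virusscan\\agent;"
    "Probably DLOADER.Trojan;Incurable.Moved.;\n"
)


@dataclass
class DrWebRecord:
    path: str        # directory joined with file name
    verdict: str     # as reported, e.g. "Probably BACKDOOR.Trojan"
    heuristic: bool  # True when the verdict is prefixed "Probably" (assumption, see above)
    action: str      # status with the trailing period removed, e.g. "Incurable.Moved"


def parse_drweb_csv(text):
    """Parse the semicolon-separated report; rows with fewer than four fields are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue
        name, directory, verdict, status = (field.strip() for field in row[:4])
        records.append(DrWebRecord(
            path=ntpath.join(directory, name),
            verdict=verdict,
            heuristic=verdict.lower().startswith("probably "),
            action=status.strip("."),
        ))
    return records


def group_by_directory(records):
    """Map each lower-cased directory to the records found in it."""
    groups = {}
    for record in records:
        groups.setdefault(ntpath.dirname(record.path).lower(), []).append(record)
    return groups


def heuristic_only_directories(records):
    """Directories where every verdict is heuristic: candidates for a second-opinion scan."""
    return sorted(d for d, recs in group_by_directory(records).items()
                  if all(r.heuristic for r in recs))


if __name__ == "__main__":
    recs = parse_drweb_csv(SAMPLE_DRWEB_CSV)
    for r in recs:
        print(f"{'heuristic' if r.heuristic else 'signature':9} {r.verdict:28} {r.action:16} {r.path}")
    print("heuristic-only directories:", heuristic_only_directories(recs))
```

Grouping by directory is the practical step: a whole security product's agent folder showing nothing but heuristic verdicts reads differently from a single signature hit in a temp folder, and the grouping makes that visible before anyone decides what to do with the moved files.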
