Redirect Virus [Solved]


  • This topic is locked

#1
JaredX (New Member, 5 posts)
Recently I have been getting redirected by links from google and other search engines. I went through the "How to fix Google Redirects" but am still having the problem.

Here is my hijackthis log file if it helps:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:15 PM, on 2/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Reboot.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll/206 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Thanks in advance.
#2
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out.

The first thing I need you to do is go to this page and follow the instructions there: Malware Cleaning Guide - Please Read Before Starting a New Topic. These are the steps that we need you to perform before attempting a removal of malware from your computer.

If you're still experiencing problems after following all the steps in that thread, then please post the following logs here for me to take a look at:
  • Malwarebytes' Anti-Malware log (accessible from the Logs tab in the program)
  • OTL.txt and Extras.txt, both located in the same place as the OTL program.
  • GMER log located wherever you saved it after the scan.
Once you've posted those logs for me I'll take a look and we can go from there :).

Cheers,
Dave

Edited by Transience, 23 February 2010 - 08:38 PM.


#3
JaredX (Topic Starter, New Member, 5 posts)
Sorry for the late response, but I have tried to get the GMER log a couple times and each time the program would not respond when I went to save the log. I figured I would go ahead and post the other logs first then try the GMER scan again.

Malwarebytes' Log:
Malwarebytes' Anti-Malware 1.44
Database version: 3782
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/23/2010 9:54:21 PM
mbam-log-2010-02-23 (21-54-21).txt

Scan type: Quick Scan
Objects scanned: 110352
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#4
Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello -

Sorry for the delay in getting back to you, I've been feeling under the weather the last couple days. For future reference, please just post your logs as plain text in your replies - it actually makes the logs easier to examine and the topic easier to follow that way, no need to attach them :).

Next please go ahead with this for me:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to Combo-Fix. This name is important and must be exactly as I have given it to you here. Once you have changed the name, save the renamed file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it it can found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#5
JaredX (Topic Starter, New Member, 5 posts)
It is no problem, and here is the ComboFix log:

ComboFix 10-02-27.04 - Administrator 02/27/2010 15:22:17.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1685 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-23 23:30 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-23 23:30 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-23 23:30 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-23 23:30 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-23 23:30 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-23 23:30 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-23 23:30 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-23 23:30 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-23 23:30 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-23 23:30 . 2010-02-23 23:30 -------- d-----w- c:\program files\Alwil Software
2010-02-23 23:30 . 2010-02-23 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-23 23:12 . 2010-02-23 23:12 -------- d-----w- C:\!KillBox
2010-02-23 23:08 . 2010-02-23 23:08 -------- d-----w- c:\program files\TrendMicro
2010-02-23 21:23 . 2010-02-26 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-23 21:23 . 2010-02-23 21:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-23 21:07 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-02-23 04:52 . 2010-02-23 04:52 -------- d-----w- c:\windows\system32\xircom
2010-02-23 04:52 . 2010-02-23 04:52 -------- d-----w- c:\windows\system32\wbem\snmp
2010-02-23 04:52 . 2010-02-23 04:52 -------- d-----w- c:\program files\microsoft frontpage
2010-02-23 04:34 . 2010-02-23 04:34 -------- d-----w- c:\windows\system32\scripting
2010-02-23 04:34 . 2010-02-23 04:34 -------- d-----w- c:\windows\system32\en
2010-02-23 04:34 . 2010-02-23 04:34 -------- d-----w- c:\windows\system32\bits
2010-02-23 04:34 . 2010-02-23 04:34 -------- d-----w- c:\windows\l2schemas
2010-02-23 04:32 . 2010-02-23 04:32 -------- d-----w- c:\windows\ServicePackFiles
2010-02-23 04:09 . 2010-02-23 04:09 -------- d-----w- c:\windows\system32\XPSViewer
2010-02-23 04:09 . 2010-02-23 04:09 -------- d-----w- c:\program files\MSBuild
2010-02-23 04:09 . 2010-02-23 04:09 -------- d-----w- c:\program files\Reference Assemblies
2010-02-23 04:08 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-02-23 04:07 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-02-23 04:07 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-02-23 04:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-02-23 04:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-02-23 04:07 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-02-23 04:07 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-02-23 04:07 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-02-23 04:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-02-23 04:07 . 2010-02-23 04:08 -------- d-----w- C:\00f75dd1c68282ddef
2010-02-23 04:02 . 2010-02-23 04:02 -------- d-----w- c:\program files\MSXML 6.0
2010-02-22 03:30 . 2010-02-22 03:30 -------- d-----w- c:\program files\NCsoft
2010-02-22 03:21 . 2005-05-26 23:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-02-22 03:21 . 2010-02-22 03:21 -------- d-----w- c:\windows\Logs
2010-02-21 06:21 . 2009-05-18 22:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-21 06:21 . 2008-04-17 21:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-02-21 05:55 . 2010-02-25 07:05 -------- d-----w- C:\Downloads
2010-02-21 05:55 . 2010-02-25 07:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitComet
2010-02-21 05:54 . 2010-02-21 05:54 1036288 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9w5m5dpe.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2010-02-21 05:54 . 2010-02-21 05:55 -------- d-----w- c:\program files\BitComet
2010-02-21 05:38 . 2010-02-21 05:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-02-19 21:34 . 2010-02-19 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-19 21:34 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 21:34 . 2010-02-19 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 21:34 . 2010-02-19 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 21:34 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 21:30 . 2010-02-19 21:30 -------- d-----w- c:\program files\CCleaner
2010-02-19 21:15 . 2010-02-19 21:15 -------- d-----w- c:\program files\MSXML 4.0
2010-02-19 07:13 . 2007-08-11 04:46 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-19 06:21 . 2010-02-19 06:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-19 05:54 . 2010-02-19 05:54 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-02-19 05:43 . 2010-02-19 05:43 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-19 04:11 . 2008-04-14 00:11 377984 ------w- c:\windows\system32\ati2dvaa.dll
2010-02-19 04:05 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-19 04:05 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-02-19 04:05 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-19 04:05 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-02-19 04:05 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-19 04:05 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-02-19 04:03 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-19 04:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-02-19 04:03 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-02-19 04:03 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-02-19 04:02 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-02-19 04:02 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-02-19 04:02 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-02-18 21:14 . 2010-02-19 03:21 -------- d-----w- c:\windows\LastGood(2)
2010-02-18 06:52 . 2010-02-18 06:52 -------- d-----w- c:\windows\system32\LogFiles
2010-02-18 00:29 . 2010-02-18 00:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-02-17 22:35 . 2010-02-19 03:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-02-17 22:34 . 2010-02-21 06:21 -------- d-----w- c:\program files\iPod
2010-02-17 22:34 . 2010-02-21 06:21 -------- d-----w- c:\program files\iTunes
2010-02-17 22:34 . 2010-02-17 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-17 22:34 . 2010-02-17 22:34 -------- d-----w- c:\program files\Bonjour
2010-02-17 22:33 . 2010-02-17 22:34 -------- d-----w- c:\program files\QuickTime
2010-02-17 22:33 . 2010-02-17 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-17 22:33 . 2010-02-17 22:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-02-17 22:33 . 2010-02-17 22:33 -------- d-----w- c:\program files\Apple Software Update
2010-02-17 22:33 . 2010-02-21 06:21 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-17 22:32 . 2010-02-17 22:32 -------- d-----w- c:\program files\Common Files\Apple
2010-02-17 22:32 . 2010-02-17 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-17 22:32 . 2010-02-17 22:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-02-17 22:15 . 2010-02-17 22:24 -------- d---a-w- C:\Music
2010-02-17 07:14 . 2010-02-27 23:20 -------- d-----w- c:\program files\PeerBlock
2010-02-17 07:12 . 2010-02-17 07:12 0 ----a-w- c:\windows\nsreg.dat
2010-02-17 07:12 . 2010-02-17 07:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-17 07:09 . 2010-02-25 06:14 36968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 07:09 . 2010-02-17 07:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2010-02-17 07:09 . 2010-02-17 07:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ATI
2010-02-17 07:09 . 2010-02-17 07:09 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-02-17 07:09 . 2010-02-20 03:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2010-02-17 07:07 . 2007-06-29 02:16 95488 ----a-r- c:\windows\system32\drivers\Rtnicxp.sys
2010-02-17 07:07 . 2010-02-17 07:07 -------- d-----w- c:\windows\OPTIONS
2010-02-17 07:07 . 2010-02-17 07:07 -------- d-----w- c:\program files\Trendnet
2010-02-17 07:06 . 2010-02-17 07:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2010-02-17 07:05 . 2010-02-17 07:05 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-02-17 07:02 . 2010-02-17 07:02 -------- d-----w- c:\windows\system32\URTTemp
2010-02-17 07:02 . 2006-03-17 23:37 520192 ------w- c:\windows\system32\ati2sgag.exe
2010-02-17 07:02 . 2006-03-22 03:42 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2010-02-17 07:02 . 2006-02-13 20:29 121995 ----a-r- c:\windows\system32\atiicdxx.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 00:24 . 2004-08-03 22:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-24 05:44 . 2010-02-24 05:44 -------- d-----w- c:\program files\ERUNT
2010-02-24 00:40 . 2010-02-24 00:40 -------- d-----w- c:\program files\Trend Micro
2010-02-23 04:37 . 2010-02-17 06:47 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-22 03:30 . 2010-02-17 06:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-17 07:04 . 2010-02-17 06:59 -------- d-----w- c:\program files\ATI Technologies
2010-02-17 06:58 . 2010-02-17 06:56 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-17 06:56 . 2010-02-17 06:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\VCOM
2010-02-17 06:56 . 2010-02-17 06:56 -------- d-----w- c:\program files\VCOM
2010-02-17 06:56 . 2010-02-17 06:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-17 06:56 . 2010-02-17 06:56 -------- d-----w- c:\program files\CyberLink
2010-02-17 06:56 . 2010-02-17 06:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-17 06:55 . 2010-02-17 06:55 8854 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DA5E6A2D-DEAA-4152-A43A-FDBDE29AA724}\Uninstall_DAMN_NFO_V_DA5E6A2DDEAA4152A43AFDBDE29AA724.exe
2010-02-17 06:55 . 2010-02-17 06:55 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DA5E6A2D-DEAA-4152-A43A-FDBDE29AA724}\DAMN_NFO_Viewer.exe_DA5E6A2DDEAA4152A43AFDBDE29AA724.exe
2010-02-17 06:55 . 2010-02-17 06:55 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DA5E6A2D-DEAA-4152-A43A-FDBDE29AA724}\ARPPRODUCTICON.exe
2010-02-17 06:55 . 2010-02-17 06:55 -------- d-----w- c:\program files\[bleep] NFO Viewer 2.10.0031 RC3
2010-02-17 06:55 . 2010-02-17 06:55 -------- d-----w- c:\program files\FlashGet
2010-02-17 06:55 . 2010-02-17 06:55 -------- d-----w- c:\program files\Google
2010-02-17 06:54 . 2010-02-17 06:54 -------- d-----w- c:\program files\Common Files\L&H
2010-02-17 06:54 . 2010-02-17 06:54 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-02-17 06:53 . 2010-02-17 06:53 -------- d-----w- c:\program files\Microsoft Works
2010-02-17 06:53 . 2010-02-17 06:53 -------- d-----w- c:\program files\TuneUp Utilities 2006
2010-02-17 06:53 . 2010-02-17 06:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
2010-02-17 06:53 . 2010-02-17 06:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2010-02-17 06:52 . 2010-02-17 06:52 29926 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4781569D-5404-1F26-4B2B-6DF444445167}\ARPPRODUCTICON.exe
2010-02-17 06:51 . 2010-02-17 06:51 -------- d-----w- c:\program files\Common Files\Ahead
2010-02-17 06:51 . 2010-02-17 06:51 -------- d-----w- c:\program files\Nero
2010-02-17 06:44 . 2010-02-17 06:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-23 03:51 . 2010-01-23 03:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-12-31 16:50 . 2005-09-02 19:39 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2005-07-03 02:09 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2010-02-17 06:43 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 00:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2005-01-19 04:51 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2010-02-27 . 1494C60EE680E8E79A2D3E25D5FE50FF . 96512 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[7] 2010-02-21 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-02-09 1700976]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Reboot.exe [2004-9-30 334336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21945:TCP"= 21945:TCP:BitComet 21945 TCP
"21945:UDP"= 21945:UDP:BitComet 21945 UDP

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/23/2010 3:30 PM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/23/2010 3:30 PM 19024]
.
Contents of the 'Scheduled Tasks' folder

2010-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9w5m5dpe.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9w5m5dpe.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 15:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A316A9A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba7117b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba61ebd4
PacketIndicateHandler -> NDIS.sys @ 0xba60ca0d
SendHandler -> NDIS.sys @ 0xba620b40
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-27 15:31:15
ComboFix-quarantined-files.txt 2010-02-27 23:31

Pre-Run: 99,246,284,800 bytes free
Post-Run: 99,234,885,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8907967D8257BEB894CE37C54745CE5F
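The Gmer MBR detector in the ComboFix log above reports three things in the unallocated area of the disk: a copy of the MBR, "malicious code" a few sectors later, and a PE file further on. The check below is an added example, not code from the thread or from Gmer's tool: it parses the MBR partition table to find where allocated space ends, then walks the slack sectors looking for a byte-for-byte copy of the boot code and for a DOS/PE header. The disk image it runs on is constructed inline by build_sample_image(); its sector numbers are arbitrary and do not correspond to the 0x012A14C00 offsets in the log.

```python
"""Scan the sectors past the last MBR partition for a stashed copy of the MBR
and for a PE image. Added example; the disk image is constructed below."""
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # MBR bytes 0..439: boot code (440..445 disk signature/reserved)
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partitions(mbr):
    """Return (type, lba_start, sector_count) for each non-empty MBR partition entry."""
    entries = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0 and count != 0:
            entries.append((ptype, lba, count))
    return entries


def partitioned_end(mbr):
    """First LBA beyond every partition; everything from here on is unallocated slack."""
    return max((lba + count for _t, lba, count in parse_partitions(mbr)), default=1)


def looks_like_pe(image, offset):
    """True if a DOS/PE image starts at offset: 'MZ' plus an e_lfanew that lands on 'PE\\0\\0'."""
    if image[offset:offset + 2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", image, offset + 0x3C)
    pe = offset + e_lfanew
    return image[pe:pe + 4] == b"PE\x00\x00"


def scan_slack(image):
    """Walk the sectors after the last partition and flag MBR copies and PE headers."""
    mbr = bytes(image[:SECTOR])
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 is not a valid MBR")
    start = partitioned_end(mbr)
    findings = {"partition_end": start, "mbr_copies": [], "pe_headers": []}
    for lba in range(start, len(image) // SECTOR):
        off = lba * SECTOR
        sector = bytes(image[off:off + SECTOR])
        # A slack sector carrying the real MBR's boot code plus the 55AA signature is a
        # stashed copy: bootkits keep the original so they can chain-load it after their own code.
        if sector[:BOOT_CODE_LEN] == mbr[:BOOT_CODE_LEN] and sector[510:512] == MBR_SIGNATURE:
            findings["mbr_copies"].append(lba)
        if looks_like_pe(image, off):
            findings["pe_headers"].append(lba)
    return findings


def build_sample_image(n_sectors=96):
    """Constructed 96-sector image: one NTFS partition, then an MBR copy and a PE in slack."""
    img = bytearray(n_sectors * SECTOR)
    # xor ax,ax / mov ss,ax / mov sp,7C00h followed by NOP padding stands in for boot code.
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    img[0:BOOT_CODE_LEN] = boot_code
    # One active NTFS (type 0x07) partition starting at LBA 8 with 56 sectors, so it ends at LBA 64.
    img[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 56)
    img[510:512] = MBR_SIGNATURE
    # Stash a byte-for-byte copy of the MBR at LBA 72 (hypothetical location).
    img[72 * SECTOR:73 * SECTOR] = img[0:SECTOR]
    # Drop a minimal PE image at LBA 88: 'MZ', e_lfanew = 0x80, 'PE\0\0' at that offset.
    pe_off = 88 * SECTOR
    img[pe_off:pe_off + 2] = b"MZ"
    struct.pack_into("<I", img, pe_off + 0x3C, 0x80)
    img[pe_off + 0x80:pe_off + 0x84] = b"PE\x00\x00"
    return bytes(img)


if __name__ == "__main__":
    result = scan_slack(build_sample_image())
    print("partitions end at LBA %d" % result["partition_end"])
    print("MBR copies in slack: %s" % result["mbr_copies"])
    print("PE headers in slack: %s" % result["pe_headers"])
```

Against a real disk the same functions take the raw device bytes (for example the contents of \\.\PhysicalDrive0 read with administrator rights); a copy of the MBR or a PE header sitting beyond the last partition is not proof of infection on its own, but on a machine that is already redirecting search results it is exactly the evidence the log above turned up.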

#6 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello -

Please download TDSSKiller and save it to your Desktop.
  • Make sure all other windows are closed so that the program can run uninterrupted.
  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive. Please post that log in your next reply.
Cheers,
Dave

#7 JaredX (New Member, Topic Starter, 5 posts)
15:00:48:953 2140 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
15:00:48:953 2140 ================================================================================
15:00:48:953 2140 SystemInfo:

15:00:48:953 2140 OS Version: 5.1.2600 ServicePack: 3.0
15:00:48:953 2140 Product type: Workstation
15:00:48:953 2140 ComputerName: JARED
15:00:48:953 2140 UserName: Administrator
15:00:48:953 2140 Windows directory: C:\WINDOWS
15:00:48:953 2140 Processor architecture: Intel x86
15:00:48:953 2140 Number of processors: 2
15:00:48:953 2140 Page size: 0x1000
15:00:48:968 2140 Boot type: Normal boot
15:00:48:968 2140 ================================================================================
15:00:48:968 2140 UnloadDriverW: NtUnloadDriver error 2
15:00:48:968 2140 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:00:48:968 2140 Initialize success
15:00:48:968 2140
15:00:48:968 2140 Scanning Services ...
15:00:48:968 2140 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:00:48:968 2140 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:00:48:968 2140 wfopen_ex: Trying to KLMD file open
15:00:48:968 2140 wfopen_ex: File opened ok (Flags 2)
15:00:48:968 2140 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:00:48:968 2140 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:00:48:968 2140 wfopen_ex: Trying to KLMD file open
15:00:48:968 2140 wfopen_ex: File opened ok (Flags 2)
15:00:49:421 2140 GetAdvancedServicesInfo: Raw services enum returned 316 services
15:00:49:437 2140 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:00:49:437 2140 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:00:49:437 2140
15:00:49:437 2140 Scanning Kernel memory ...
15:00:49:437 2140 Devices to scan: 2
15:00:49:437 2140
15:00:49:437 2140 Driver Name: Disk
15:00:49:437 2140 IRP_MJ_CREATE : BA8EEBB0
15:00:49:437 2140 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:00:49:437 2140 IRP_MJ_CLOSE : BA8EEBB0
15:00:49:437 2140 IRP_MJ_READ : BA8E8D1F
15:00:49:437 2140 IRP_MJ_WRITE : BA8E8D1F
15:00:49:437 2140 IRP_MJ_QUERY_INFORMATION : 804F4562
15:00:49:437 2140 IRP_MJ_SET_INFORMATION : 804F4562
15:00:49:437 2140 IRP_MJ_QUERY_EA : 804F4562
15:00:49:437 2140 IRP_MJ_SET_EA : 804F4562
15:00:49:437 2140 IRP_MJ_FLUSH_BUFFERS : BA8E92E2
15:00:49:437 2140 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:00:49:437 2140 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:00:49:437 2140 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:00:49:437 2140 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:00:49:437 2140 IRP_MJ_DEVICE_CONTROL : BA8E93BB
15:00:49:437 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECF28
15:00:49:437 2140 IRP_MJ_SHUTDOWN : BA8E92E2
15:00:49:437 2140 IRP_MJ_LOCK_CONTROL : 804F4562
15:00:49:437 2140 IRP_MJ_CLEANUP : 804F4562
15:00:49:437 2140 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:00:49:437 2140 IRP_MJ_QUERY_SECURITY : 804F4562
15:00:49:437 2140 IRP_MJ_SET_SECURITY : 804F4562
15:00:49:437 2140 IRP_MJ_POWER : BA8EAC82
15:00:49:437 2140 IRP_MJ_SYSTEM_CONTROL : BA8EF99E
15:00:49:437 2140 IRP_MJ_DEVICE_CHANGE : 804F4562
15:00:49:437 2140 IRP_MJ_QUERY_QUOTA : 804F4562
15:00:49:437 2140 IRP_MJ_SET_QUOTA : 804F4562
15:00:49:468 2140 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:00:49:468 2140 sion
15:00:49:468 2140 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:00:49:468 2140
15:00:49:468 2140 Driver Name: atapi
15:00:49:468 2140 IRP_MJ_CREATE : 8A318A9A
15:00:49:468 2140 IRP_MJ_CREATE_NAMED_PIPE : 8A318A9A
15:00:49:468 2140 IRP_MJ_CLOSE : 8A318A9A
15:00:49:468 2140 IRP_MJ_READ : 8A318A9A
15:00:49:468 2140 IRP_MJ_WRITE : 8A318A9A
15:00:49:468 2140 IRP_MJ_QUERY_INFORMATION : 8A318A9A
15:00:49:468 2140 IRP_MJ_SET_INFORMATION : 8A318A9A
15:00:49:468 2140 IRP_MJ_QUERY_EA : 8A318A9A
15:00:49:468 2140 IRP_MJ_SET_EA : 8A318A9A
15:00:49:468 2140 IRP_MJ_FLUSH_BUFFERS : 8A318A9A
15:00:49:468 2140 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A318A9A
15:00:49:468 2140 IRP_MJ_SET_VOLUME_INFORMATION : 8A318A9A
15:00:49:468 2140 IRP_MJ_DIRECTORY_CONTROL : 8A318A9A
15:00:49:468 2140 IRP_MJ_FILE_SYSTEM_CONTROL : 8A318A9A
15:00:49:468 2140 IRP_MJ_DEVICE_CONTROL : 8A318A9A
15:00:49:468 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A318A9A
15:00:49:468 2140 IRP_MJ_SHUTDOWN : 8A318A9A
15:00:49:468 2140 IRP_MJ_LOCK_CONTROL : 8A318A9A
15:00:49:468 2140 IRP_MJ_CLEANUP : 8A318A9A
15:00:49:468 2140 IRP_MJ_CREATE_MAILSLOT : 8A318A9A
15:00:49:468 2140 IRP_MJ_QUERY_SECURITY : 8A318A9A
15:00:49:468 2140 IRP_MJ_SET_SECURITY : 8A318A9A
15:00:49:468 2140 IRP_MJ_POWER : 8A318A9A
15:00:49:468 2140 IRP_MJ_SYSTEM_CONTROL : 8A318A9A
15:00:49:468 2140 IRP_MJ_DEVICE_CHANGE : 8A318A9A
15:00:49:468 2140 IRP_MJ_QUERY_QUOTA : 8A318A9A
15:00:49:468 2140 IRP_MJ_SET_QUOTA : 8A318A9A
15:00:49:484 2140 ihd: 0, 0, 607, 138, 3, 120, 1
15:00:49:484 2140 Driver "atapi" Irp handler infected by TDSS rootkit ... 15:00:49:484 2140 cured
15:00:49:484 2140 Driver "atapi" StartIo handler infected by TDSS rootkit ... 15:00:49:484 2140 cured
15:00:49:484 2140 siohd: 1
15:00:49:484 2140 Driver "atapi" StartIo handler infected by TDSS rootkit ... 15:00:49:484 2140 cured
15:00:49:484 2140 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
15:00:49:484 2140 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 15:00:49:484 2140 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:00:49:484 2140 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:00:49:687 2140 vfvi6
15:00:49:843 2140 !dsvbh1
15:00:51:171 2140 dsvbh2
15:00:51:171 2140 fdfb2
15:00:51:171 2140 Backup copy found, using it..
15:00:51:296 2140 will be cured on next reboot
15:00:51:296 2140 Reboot required for cure complete..
15:00:51:312 2140 Cure on reboot scheduled successfully
15:00:51:312 2140
15:00:51:312 2140 Completed
15:00:51:312 2140
15:00:51:312 2140 Results:
15:00:51:312 2140 Memory objects infected / cured / cured on reboot: 3 / 3 / 0
15:00:51:312 2140 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:00:51:312 2140 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:00:51:312 2140
15:00:51:312 2140 UnloadDriverW: NtUnloadDriver error 1
15:00:51:312 2140 KLMD_Unload: UnloadDriverW(klmd21) error 1
15:00:51:312 2140 KLMD(ARK) unloaded successfully
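The two verdicts in the TDSSKiller log above come from the IRP dispatch tables it dumps: every Disk entry resolves into a loaded module (the 804F4562 value shared by the requests disk.sys does not implement lies in the kernel image, which is where the kernel's default handler for unsupported requests lives), while every atapi entry points to the single address 8A318A9A, which belongs to no loaded driver. That is the TDL3 pattern: the rootkit overwrites the whole dispatch table with a stub in its own pool allocation. The script below is an added example, not code from the thread and not TDSSKiller's own logic. It parses TDSSKiller-style lines, groups handlers by driver, and flags any handler outside the known module ranges. MODULES is a constructed module map with hypothetical address ranges; on a live system those ranges come from a driver list or a kernel debugger, not from the TDSSKiller log. SAMPLE_LOG is a trimmed subset of the lines posted above.

```python
"""Triage IRP dispatch tables from TDSSKiller-style log lines. Added example;
the module map and the sample log excerpt are constructed below."""
import re
from collections import OrderedDict

# Strip the 'HH:MM:SS:mmm <pid>' prefix TDSSKiller puts on every line.
TS_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")

# Constructed module map, name -> [start, end). The ranges are hypothetical, chosen so
# the kernel and CLASSPNP addresses in the sample fall inside a module and 8A318A9A does not.
MODULES = {
    "ntkrnlpa.exe": (0x804D7000, 0x806E0000),
    "CLASSPNP.SYS": (0xBA8E8000, 0xBA8F2000),
    "atapi.sys":    (0xBA70E000, 0xBA728000),
}

# Trimmed subset of the lines from the log above (six of the 28 IRP_MJ entries per driver).
SAMPLE_LOG = """15:00:49:437 2140 Scanning Kernel memory ...
15:00:49:437 2140 Driver Name: Disk
15:00:49:437 2140 IRP_MJ_CREATE : BA8EEBB0
15:00:49:437 2140 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:00:49:437 2140 IRP_MJ_READ : BA8E8D1F
15:00:49:437 2140 IRP_MJ_WRITE : BA8E8D1F
15:00:49:437 2140 IRP_MJ_DEVICE_CONTROL : BA8E93BB
15:00:49:437 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECF28
15:00:49:468 2140 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
15:00:49:468 2140 Driver Name: atapi
15:00:49:468 2140 IRP_MJ_CREATE : 8A318A9A
15:00:49:468 2140 IRP_MJ_CREATE_NAMED_PIPE : 8A318A9A
15:00:49:468 2140 IRP_MJ_READ : 8A318A9A
15:00:49:468 2140 IRP_MJ_WRITE : 8A318A9A
15:00:49:468 2140 IRP_MJ_DEVICE_CONTROL : 8A318A9A
15:00:49:468 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A318A9A
"""


def parse_dispatch_tables(lines):
    """Return {driver: {IRP_MJ_name: handler_address}} in the order the log lists them."""
    tables = OrderedDict()
    current = None
    for raw in lines:
        m = TS_PREFIX.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = d.group(1)
            tables[current] = OrderedDict()
            continue
        i = IRP_RE.match(body)
        if i and current is not None:
            tables[current][i.group(1)] = int(i.group(2), 16)
    return tables


def module_for(addr, modules):
    """Name of the module whose range contains addr, or None if it is unbacked memory."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def triage(tables, modules):
    """Per driver: distinct handler count, handlers outside any module, and a verdict."""
    report = {}
    for driver, table in tables.items():
        handlers = sorted(set(table.values()))
        unmapped = [a for a in handlers if module_for(a, modules) is None]
        if not table:
            verdict = "no dispatch entries parsed"
        elif len(handlers) == 1 and unmapped:
            # The TDL3 signature: the whole table collapsed onto one unbacked address.
            verdict = "all %d entries resolve to one address outside every loaded module: 0x%08X" % (
                len(table), handlers[0])
        elif unmapped:
            verdict = "entries outside loaded modules: " + ", ".join("0x%08X" % a for a in unmapped)
        else:
            verdict = "all entries map to loaded modules"
        report[driver] = {"distinct": len(handlers), "unmapped": unmapped,
                          "suspicious": bool(unmapped), "verdict": verdict}
    return report


if __name__ == "__main__":
    for drv, r in triage(parse_dispatch_tables(SAMPLE_LOG.splitlines()), MODULES).items():
        print("%-8s %s" % (drv, r["verdict"]))
```

The module-range check is what matters; a table whose entries all share one address is not suspicious by itself (some drivers route every major function through a single dispatch routine), but a shared address that no loaded image accounts for is. Note also that the Gmer run in the ComboFix log earlier saw the unknown callee at 0x8A316A9A while TDSSKiller saw 0x8A318A9A: the rootkit's pool allocation lands at a different address each boot, so triage has to key on "outside any module", never on a fixed address.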

#8 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello -

Looks like TDSSKiller did its job :). Still getting any redirects? Let's run a couple scans to see if there's anything else still hiding.

First we'll clean out your unnecessary temp files to speed up the scans:

1. TFC
  • Please download TFC to your desktop.
  • Save any work, then close all open windows.
  • Double-click TFC to run it, and allow the process to complete, which should not take more than a couple minutes.
  • You may or may not be prompted to reboot, if you are click "Yes" and allow the computer to reboot.
  • Close TFC when it has completed.
2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here.

Double-click (Vista users please right-click Run as Administrator) on mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java may be out of date, we need to be sure it is updated first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and ensure that the scan runs smoothly, please follow these preliminary steps:
  • Close any other open programs.
  • Temporarily turn off any antimalware programs you are using (antivirus, firewall, real-time protection antispyware etc.) Click here for steps to disable the most common of these programs if you're having difficulty.
3. Click Run at the Security prompt.

The program will then install itself and update the database, please be patient as this process can take a while.
  • Once the update is complete, click on Settings.
  • Make sure the following boxes are selected. If they are not, please select them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • This is a deep scan, and it will likely take several hours depending on the size of your hard drive. Please be patient.
  • At the end of the scan there will not be an option to clean/disinfect. All we need to see is the report.
  • Do not be alarmed by what you see in the report. Many of the files it finds have likely already been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop.
So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way :).

- Dave

#9 JaredX (New Member, Topic Starter, 5 posts)
Well at the moment it seems like the redirecting problem is gone, but here are the logs.

Malwarebytes' Anti-Malware 1.44
Database version: 3811
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/1/2010 8:24:45 PM
mbam-log-2010-03-01 (20-24-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160153
Time elapsed: 19 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, March 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, March 02, 2010 02:20:53
Records in database: 3681481
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 49040
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:17:52


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.e 1
C:\Music\Three Doors Down - When I'm gone.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\WINDOWS\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\WINDOWS\system32\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.240 1

Selected area has been scanned.

Edited by JaredX, 02 March 2010 - 12:22 AM.


#10 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello

Logs look fine, couple quick files to grab and then you're all set.

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Reboot.exe
    C:\Music\Three Doors Down - When I'm gone.mp3
    C:\WINDOWS\cmdow.exe
    C:\WINDOWS\system32\psshutdown.exe
    
    :Commands
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After that you're clean! Congratulations :) We have a couple last things to take care of and then you're good to go.

Uninstall ComboFix from your computer:
  • Click on Start > Run
  • Type Combofix /u in the run box and click Ok. Note the space between the x and the /u, it needs to be there.
Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download OTC to your desktop.
  • Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
  • After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're still clean. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

If you don't have a firewall, some great free options you can test out are: Online Armor, Outpost, and Sunbelt. I'd highly recommend that you install one of those. If you do decide to use a 3rd party firewall program, please be sure to disable the Windows firewall as per these instructions so they don't conflict:
  • Please click on Start -> Control Panel
  • Double click Windows Firewall
  • Click Change Settings
  • Choose Off to disable Windows Firewall.
Finally, for a great tutorial on how to get the best protection out of your firewall, take a look at this guide.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives: Firefox, Opera, and Google Chrome. All of these are excellent: faster, safer, more powerful and more functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: Green to go, Yellow for caution, and Red to stop. Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article.

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the windows update icon will appear in your taskbar when new updates are available, whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave

Edited by Transience, 02 March 2010 - 02:19 PM.


#11 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.