Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

One more search-engine-redirecting victim

This is a discussion on One more search-engine-redirecting victim within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hey there all, My computer has caught a search engine redirect virus, and a majority of the links I attempt


 
 
Thread Tools Search this Thread
Old 01-31-2010, 06:02 PM   #1
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



Hey there all,

My computer has caught a search engine redirect virus, and a majority of the links I attempt to click in Google are redirected. Some details:

When I first noticed the problem, I rebooted. Upon startup, I got this error message:

C:\Documents and Settings\<>\Start Menu\Programs\Startup\7249907A.lnk
THe NTVDM CPU has encountered an illegal instruction. CS:054a IP:03f1 OP:63 6f 72 Choose "Close" to terminate the application.


This .lnk file was in my Startup folder. I first ran MalwareBytes. When nothing changed, I did a system restore. After that, the file didn't show up in Startup anymore. However, Google searches still redirected.

Before coming here, I tried scanning with Ad-Aware, AVG Anti-Virus Free, and Spybot, but (surprise!) none of them fixed the problem.

I've attached the DDS logs as requested. However, I've attempted the GMER scan three times: the first two caused my system to hang, and the third caused a reboot while I wasn't looking. I am now attempting a fourth try, and I'll be happy to supply the log if it completes.

Operating system: WinXP Home SP3
Web Browser: Firefox 3.5.7

Can you help? Thank you in advance!



DDS (Ver_09-12-01.01) - NTFSx86
Run by Russell at 12:00:13.29 on Sun 01/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1055 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EPSON Projector\EMP NS Connection V2\EMP_NSWLSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Russell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [SUPBackground] c:\program files\samsung\samsung update plus\SUPBackground.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\russell\applic~1\mozilla\firefox\profiles\hmy0nf2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-26 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-15 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-15 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-15 360584]
R1 EMP_MAP;EPSON Network Presentation Driver Service;c:\windows\system32\drivers\EMP_Map.sys [2009-9-22 6400]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-10-15 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-15 285392]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-4-1 4300]
R2 EMP_NSWLSV;EMP_NSWLSV;c:\program files\epson projector\emp ns connection v2\EMP_NSWLSV.exe [2009-9-22 98304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 vdisp;vdisp;c:\windows\system32\drivers\EMP_Vd1.sys [2009-9-22 6656]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-4-1 238464]
S3 Ndisprot;EP_NSWD NDIS Protocol Driver;c:\windows\system32\drivers\EP_NSWD.sys [2009-9-22 19584]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]

=============== Created Last 30 ================

2010-01-31 11:16:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 11:16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-31 11:16:13 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 06:14:09 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-31 06:14:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-31 05:37:52 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-31 05:01:41 0 d-----w- c:\docume~1\russell\applic~1\Malwarebytes
2010-01-31 05:01:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-31 01:09:44 0 d-----w- c:\docume~1\russell\applic~1\HDRsoft
2010-01-31 00:48:50 0 d-----w- c:\program files\PhotomatixPro3
2010-01-27 00:18:33 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 00:08:21 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 00:07:39 0 d-----w- c:\program files\Lavasoft
2010-01-19 17:13:40 0 d-----w- c:\docume~1\russell\applic~1\webex
2010-01-18 00:48:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Azureus
2010-01-18 00:48:15 0 d-----w- c:\docume~1\russell\applic~1\Azureus
2010-01-18 00:31:42 0 d-----w- c:\program files\Vuze
2010-01-16 20:57:44 0 d-----r- c:\docume~1\russell\applic~1\Brother
2010-01-14 23:16:20 463 ----a-w- c:\windows\BRWMARK.INI
2010-01-14 23:16:20 30 ----a-w- c:\windows\system32\brss01a.ini
2010-01-14 23:16:20 27 ----a-w- c:\windows\BRPP2KA.INI
2010-01-14 23:16:20 184 ----a-w- c:\windows\system32\brsvc01a.bsi
2010-01-09 08:53:17 0 d-----w- c:\program files\Epson Software
2010-01-09 08:47:05 0 d-----w- c:\program files\EPSON
2010-01-09 08:46:40 98304 ----a-w- c:\windows\system32\E_SAGSET.DLL
2010-01-09 08:46:33 79622 ----a-w- c:\windows\system32\EBPMON24.DLL
2010-01-09 08:46:33 64000 ----a-w- c:\windows\system32\ECBTEG.DLL
2010-01-09 08:46:32 69632 ----a-w- c:\windows\system32\EAL.EXE
2010-01-09 08:46:32 44544 ----a-w- c:\windows\system32\EAL32.DLL
2010-01-09 08:46:32 34304 ----a-w- c:\windows\system32\EBPCHP.DLL
2010-01-01 20:15:13 8704 ----a-w- c:\windows\system32\CNMVS7D.DLL
2010-01-01 20:15:13 140288 ----a-w- c:\windows\system32\CNMLM7D.DLL

==================== Find3M ====================

2009-11-17 17:46:15 60744 ----a-w- c:\documents and settings\russell\g2mdlhlpx.exe
2009-11-09 20:19:02 256 ----a-w- c:\documents and settings\russell\pool.bin

============= FINISH: 12:02:21.18 ===============
Attached Files
File Type: txt DDS.txt (12.6 KB, 4 views)
File Type: zip Attach.zip (4.0 KB, 3 views)

__________________
riskelpiper is offline  
Old 02-04-2010, 08:36 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-04-2010, 03:45 PM   #3
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



Hi CatByte,

Thank you for taking the time to help me.

Some full disclosure: A day after posting my original request on this forum, I began working with a self-guided cleaning procedure on forums.majorgeeks.com (hxxp://forums.majorgeeks.com/showthread.php?t=35407), planning to eventually post there. This means I've attempted another solution in the meantime. Their procedure included running ComboFix as well. I finished their instructions, and the problem remains, but you've caught me before I posted there. I'd so much rather stop that process so that you can guide me thru this.

I ran ComboFix per your instructions. I'm attaching your log file as req'd, and if you want any other log, let me know.
Attached Files
File Type: txt ComboFix Log 2010-02-04.txt (16.1 KB, 5 views)
__________________
riskelpiper is offline  
Old 02-04-2010, 06:36 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Hi,

thanks for telling me - what tools did you run for them and what logs do you have? Please post all the logs you have:

I would really like to get a GMER scan if we can.

Uncheck the files box as well: ty this version - run it in safe mode. Make sure all other programs are closed:

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-04-2010, 06:53 PM   #5
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



CatBytes,

I have the following logs (and created in this order):

-- Super AntiSpyware
-- Mbam
-- ComboFix
-- Root Repeal
-- MGTools

I'll post these for you now (two at a time, it seems), then I'll try GMER.
Attached Files
File Type: txt SUPERAntiSpyware Scan Log - 02-01-2010.txt (583 Bytes, 3 views)
File Type: txt mbam-log-2010-02-01 (18-50-20).txt (867 Bytes, 2 views)
__________________
riskelpiper is offline  
Old 02-04-2010, 06:54 PM   #6
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



Here are two more logs.
Attached Files
File Type: txt ComboFix Log 2010-02-01 19-31-34.txt (17.0 KB, 5 views)
File Type: txt RootRepeal Log 2010-02-01.txt (690 Bytes, 3 views)
__________________
riskelpiper is offline  
Old 02-04-2010, 06:55 PM   #7
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



... and the MGTools log.
Attached Files
File Type: zip MGlogs.zip (116.2 KB, 2 views)
__________________
riskelpiper is offline  
Old 02-04-2010, 07:10 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Thank-you for posting the logs.

Please try the GMER scan in safe mode.

What symptoms are you experiencing, do you still have outstanding issues?
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-04-2010, 07:30 PM   #9
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



As far as symptoms, I'm still having redirecting issues with Google searches. They stopped cold after the first round of logs/self-fixes were made, then they returned yesterday evening. After about 4 or 5 redirects, I stopped using that machine as much as possible.

I attempted the safe-mode GMER scan, and it now appears frozen, and the touchpad won't function. GMER's screen does show five items on the list, including three involving atapi.sys.
__________________
riskelpiper is offline  
Old 02-04-2010, 07:37 PM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Hi,

Please run the following program:

Extract the file and run it.

Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)

please post the content of that log TDSSKiller
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-04-2010, 07:40 PM   #11
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



I touched the trackpad and it was working again! There was no signal to tell me the scan was complete, but I was able to save a log, attached.

With this info, still run TDSSKiller?
Attached Files
File Type: txt Gmer.txt (892 Bytes, 4 views)
__________________
riskelpiper is offline  
Old 02-04-2010, 07:41 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Yes please
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-04-2010, 07:49 PM   #13
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



Here's the TDSSKiller log.
Attached Files
File Type: txt TDSSKiller.2.2.2_04.02.2010_18.43.29_log.txt (34.9 KB, 3 views)
__________________
riskelpiper is offline  
Old 02-04-2010, 08:26 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Good,

Please do the following:

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-05-2010, 01:07 AM   #15
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



CatByte,

Here's the Kaspersky log...
Attached Files
File Type: txt Kaspersky Log 2010-02-04.txt (986 Bytes, 2 views)
__________________
riskelpiper is offline  
Old 02-05-2010, 02:01 AM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Hi,

Please do the following:


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


NEXT


Visit ADOBEand download the latest version of Acrobat Reader (version 9.3)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Please advise how your computer is running now and if there are any outstanding issues.
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-05-2010, 12:44 PM   #17
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



Hey,

I've completed the Java and Reader update. Google searches seem to working great now, and I'm not seeing any outstanding issues!
__________________
riskelpiper is offline  
Old 02-06-2010, 01:07 AM   #18
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



CatByte,

Are there any more steps I should take? The machine is running great ... just wanna be sure.

Either way, thank you very much -- you rock!
__________________
riskelpiper is offline  
Old 02-06-2010, 08:12 AM   #19
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,880
OS: XP, Vista, Win7



Yes,

We need to clean up our tools:

Please do the following:

You can delete the DDS and GMER folders from your desktop.



NEXT


Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.





Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


If there are any logs/tools remaining > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • For realtime spyware protection try SpywareTerminator

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 02-07-2010, 12:48 PM   #20
Registered Member
 
Join Date: Jan 2010
Posts: 23
OS: Windows XP Home 5.1.2600 SP3



CatByte,

I've cleaned up the tools, and everything seems to be running smooth as butter.

Once again, you rock! I'm very grateful for your help, you do fine work. Thank you, and best of luck.

Enjoy!

__________________
riskelpiper is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 03:52 AM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts