TechSpot

Google Redirect / Stack Overflow

By jlee0725
Jan 13, 2012
  1. Hello! I would like to preemptively thank anyone who is willing to spend the time to help me fix my computer.

    Okay, I have a two-part virus (or one that explains both). About 95% of the time, I click on a link from a google search and am redirected to some spam or advertisement website. The only way to get to the site I am trying to get to is pressing the back button 5-6 times until it stays on the page I want.

    The second part is a pop-up I am getting. It is NOT a pop-up from my web browser, as I get it when Mozilla is not running at all. It says something along the lines of "Stack Overflow at Line: ####" or "Out of memory at line: ####". I also get various pop-ups that are unrelated to the stack overflow but they are much less frequent.

    I am currently running an MSE scan. Afterwards, I will run MBAM, GMER, and DDS and post the logs in this thread. I wanted to have the thread created beforehand so I can get some initial thoughts first. Once again, thank you to anyone who is willing to help. I will post the logs very shortly.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================================================

    No logs no thoughts :)
     
  3. jlee0725

    jlee0725 Topic Starter

    Hey Broni! Thanks for your assistance. I also remembered one more issue with my computer! Every time I open up Mozilla, it asks me if I want to make it my default browser, even though I already said yes before. Anyhow, here are the logs.

    {

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.13.05

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    James :: JAMESLEE [administrator]

    Protection: Disabled

    1/13/2012 10:10:41 PM
    mbam-log-2012-01-13 (22-10-41).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 182868
    Time elapsed: 5 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    }

    {

    GMER PRODUCED NO LOGS; IT SAID IT COULD NOT FIND ANY MODIFICATIONS.

    }

    {

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_30
    Run by James at 22:47:29 on 2012-01-13
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4091.2244 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Broadcom\BPowMon\BPowMon.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    C:\Users\James\Documents\Games\CS\GammaSutra.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\notepad.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://acer.msn.com
    mStart Page = hxxp://acer.msn.com
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun: [GammaSutra] C:\Users\James\Documents\Games\CS\GammaSutra.exe
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    uPolicies-explorer: HideSCAPower = 0 (0x0)
    uPolicies-explorer: HideSCAVolume = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: Interfaces\{0A09A708-EC86-4A58-93A9-F1CFCC183B78} : NameServer = 167.206.245.130,167.206.245.129
    TCP: Interfaces\{C7900BA9-421E-43D3-8BE3-CD8AE2A7341F} : DhcpNameServer = 10.130.33.129 64.134.255.2 64.134.255.10
    TCP: Interfaces\{C7900BA9-421E-43D3-8BE3-CD8AE2A7341F}\952354C433 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{C7900BA9-421E-43D3-8BE3-CD8AE2A7341F}\95A5E44533 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{C7900BA9-421E-43D3-8BE3-CD8AE2A7341F}\C696E6B6379737 : DhcpNameServer = 167.206.245.129 167.206.245.130
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun-x64: [GammaSutra] C:\Users\James\Documents\Games\CS\GammaSutra.exe
    mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\iw6hjkbb.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Users\James\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-16 86224]
    R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-10-16 110032]
    R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
    R2 BPowMon;Broadcom Power monitoring service;C:\Program Files\Broadcom\BPowMon\BPowMon.exe [2010-3-24 117608]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    R3 danewFltr;NewDeathAdder Mouse;C:\Windows\system32\drivers\danew.sys --> C:\Windows\system32\drivers\danew.sys [?]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
    S2 0149861300979518mcinstcleanup;McAfee Application Installer Cleanup (0149861300979518);C:\Windows\TEMP\014986~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> C:\Windows\TEMP\014986~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 DAdderFltr;DeathAdder Mouse;C:\Windows\system32\drivers\dadder.sys --> C:\Windows\system32\drivers\dadder.sys [?]
    S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-14 03:47:23 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D93BCBCD-9F69-41F4-88BF-B5ED78B23D62}\offreg.dll
    2012-01-14 03:47:20 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D93BCBCD-9F69-41F4-88BF-B5ED78B23D62}\mpengine.dll
    2012-01-14 03:09:52 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-01-14 02:57:06 917840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B4F9AB50-6F82-4254-BFDE-07122CD91647}\gapaengine.dll
    2012-01-14 02:55:33 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2012-01-14 02:55:26 -------- d-----w- C:\Program Files\Microsoft Security Client
    2012-01-13 23:52:35 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DFE2C661-B1B3-4651-9856-6EB6FFCB3CDD}\mpengine.dll
    2012-01-11 03:58:32 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
    2012-01-11 03:58:32 1572864 ----a-w- C:\Windows\System32\quartz.dll
    2012-01-11 03:58:32 1328128 ----a-w- C:\Windows\SysWow64\quartz.dll
    2012-01-11 03:58:31 366592 ----a-w- C:\Windows\System32\qdvd.dll
    2012-01-11 03:58:27 1731920 ----a-w- C:\Windows\System32\ntdll.dll
    2012-01-11 03:58:27 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
    2012-01-11 03:58:26 77312 ----a-w- C:\Windows\System32\packager.dll
    2012-01-11 03:58:26 67072 ----a-w- C:\Windows\SysWow64\packager.dll
    2012-01-09 04:33:40 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
    2012-01-09 04:33:40 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
    2012-01-09 04:33:40 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
    2012-01-09 04:33:40 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
    2011-12-30 06:10:48 -------- d-----w- C:\Program Files (x86)\Ventrilo
    2011-12-30 06:08:40 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
    2011-12-18 04:56:46 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-12-18 02:21:59 -------- d-----w- C:\Users\James\AppData\Roaming\Malwarebytes
    2011-12-18 02:21:50 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-18 02:21:46 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
    2011-11-15 22:19:56 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-10 10:54:13 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
    2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-10-24 19:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 19:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2011-10-22 11:05:10 71680 ----a-w- C:\Windows\System32\frapsv64.dll
    2011-10-22 11:05:08 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
    .
    ============= FINISH: 22:55:48.86 ===============

    }

    {

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/24/2011 11:11:37 AM
    System Uptime: 1/13/2012 6:46:22 PM (4 hours ago)
    .
    Motherboard: Acer | | JE51_DN
    Processor: AMD Phenom(tm) II N970 Quad-Core Processor | Socket S1G4 | 2200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 452 GiB total, 290.241 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP196: 12/20/2011 11:15:50 PM - Windows Update
    RP197: 12/27/2011 2:06:13 PM - Windows Update
    RP198: 12/30/2011 1:09:01 AM - Installed Ventrilo Client for Windows x64
    RP199: 12/30/2011 1:10:01 AM - Installed Ventrilo Client
    RP200: 12/30/2011 6:08:48 PM - Windows Update
    RP201: 1/3/2012 5:08:24 PM - Windows Update
    RP202: 1/10/2012 10:58:05 PM - Windows Update
    RP203: 1/11/2012 1:40:54 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    µTorrent
    3D Pinball
    Acer Registration
    Adobe AIR
    Adobe Reader X (10.1.0)
    AIM 7
    Apple Application Support
    Apple Software Update
    Atheros Client Installation Program
    Audacity 1.3.13 (Unicode)
    AutoHotkey 1.0.48.05
    Avira Free Antivirus
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Counter-Strike
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dota 2
    Download Updater (AOL LLC)
    Facebook Video Calling 1.0.0.8953
    FastStone Image Viewer 3.5
    Fraps (remove only)
    Identity Card
    ImgBurn
    Java(TM) 6 Update 30
    K-Lite Codec Pack 7.1.0 (Full)
    LAME v3.98.3 for Audacity
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 9.0.1 (x86 en-US)
    ooVoo
    Pando Media Booster
    PowerISO
    QuickTime
    Rainmeter
    Razer DeathAdder(TM) Mouse
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Skype™ 5.3
    Spotify
    Steam
    Ubisoft Game Launcher
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553092)
    Ventrilo Client
    VLC media player 1.1.10
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/13/2012 6:49:23 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X64 service to connect.
    1/13/2012 6:49:23 PM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    1/13/2012 6:49:23 PM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================

    }
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You're running two AV programs, Avira and MSE.
    One of them has to go.
    Your choice.

    When done....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. jlee0725

    jlee0725 Topic Starter

    I turned off Avira realtime protection. I downloaded the aswMBR and double-clicked it but nothing happened. I tried three times.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Go ahead with next step.
     
  7. jlee0725

    jlee0725 Topic Starter

    wrong log............
     
  8. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    No. I meant Bootkit Remover.
    Please pay attention :)
     
  9. jlee0725

    jlee0725 Topic Starter

    Oops, I forgot I have to press Enter as opposed to control+C in CMD!

    {

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`86500000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...

    }
     
  10. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  11. jlee0725

    jlee0725 Topic Starter

    {

    ListParts by Farbar
    Ran by James on 13-01-2012 at 23:29:07
    Windows 7 (X64)
    Running From: C:\Users\James\Desktop
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 47%
    Total physical RAM: 4090.9 MB
    Available physical RAM: 2160.66 MB
    Total Pagefile: 8179.99 MB
    Available Pagefile: 5771.2 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: (James) (Fixed) (Total:451.66 GB) (Free:290.22 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Recovery 14 GB 1024 KB
    Partition 2 Primary 100 MB 14 GB
    Partition 3 Primary 451 GB 14 GB
    Partition 4 Primary 1040 KB 465 GB

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 PQSERVICE NTFS Partition 14 GB Healthy Hidden

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 SYSTEM RESE NTFS Partition 100 MB Healthy System (partition with boot components)

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C James NTFS Partition 451 GB Healthy Boot

    Disk: 0
    Partition 4
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.



    ****** End Of Log ******

    }
     
  12. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    We're dealing here with the newest TDL rootkit.

    WARNING!
    Proceed with extreme caution!
    Deleting the wrong partition will result in your computer being unusable.
    If you have any doubts, ask.


    ===========================================================================================

    Download gparted-live-0.10.0-3.iso (115.1 MB)

    Burn it to a CD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    Boot off of the newly created Gparted CD.

    You should be here:
    [IMG]
    Press Enter.

    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:
    [IMG]

    Choose your language and press ENTER. English is default [33]:
    [IMG]

    Once again, at this prompt, press ENTER:
    [IMG]

    You will now be taken to the main GUI screen below:
    [IMG]
    According to your logs, the partition that you want to delete is the small partition of 1040 KB.
    Click on it to highlight it.
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:
    [IMG]

    Now you should be here:
    [IMG]

    Is "boot" next to your OS drive?
    [IMG]

    If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

    In the menu that pops up, place a checkmark in boot like the picture below:
    [IMG]

    Now double-click the [IMG] button.

    You should receive a small pop up like this:
    [IMG]

    Choose reboot and then press OK.

    Post new Bootkit Remover log.
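Broni spots the rootkit from the log's fourth partition: tiny, hidden, yet marked active, with a type that does not belong on a normal Windows disk. As an added example that is not part of the thread or of any tool it mentions, the Python below parses a partition listing in the layout quoted above (sample constructed from the posted values) and flags partitions that fit that pattern; the 16 MB size threshold and the "known-good type" list are assumptions.

```python
import re

# Constructed sample in the layout of the listing posted above (not the full log).
SAMPLE_LOG = """\
Partition ### Type Size Offset
Partition 1 Recovery 14 GB 1024 KB
Partition 2 Primary 100 MB 14 GB
Partition 3 Primary 451 GB 14 GB
Partition 4 Primary 1040 KB 465 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
"""

UNIT = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^Partition (\d+) \S+ (\d+) (KB|MB|GB) ", re.M)
DETAIL_RE = re.compile(
    r"^Partition (\d+)\nType : ([0-9A-Fa-f]{2})[^\n]*\nHidden: (Yes|No)\nActive: (Yes|No)", re.M)

def parse_partitions(log):
    """Merge the size table and the per-partition detail blocks into one dict per partition."""
    parts = {int(n): {"size": int(s) * UNIT[u]} for n, s, u in SIZE_RE.findall(log)}
    for n, ptype, hidden, active in DETAIL_RE.findall(log):
        parts.setdefault(int(n), {}).update(
            type=int(ptype, 16), hidden=hidden == "Yes", active=active == "Yes")
    return parts

def suspicious_partitions(parts, max_bytes=16 * 1024 ** 2):
    """Flag partitions that look like a bootkit's: active (bootable) yet hidden, tiny,
    and not one of the usual Windows types (0x07 NTFS, 0x27 recovery). Thresholds are assumed."""
    flagged = []
    for n, p in sorted(parts.items()):
        if p.get("active") and p.get("hidden") and p.get("size", 0) <= max_bytes \
                and p.get("type") not in (0x07, 0x27):
            flagged.append(n)
    return flagged

if __name__ == "__main__":
    print(suspicious_partitions(parse_partitions(SAMPLE_LOG)))  # -> [4]
```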
     
  13. jlee0725

    jlee0725 Topic Starter

  14. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download gparted-live-0.11.0-7.iso (119.8 MB)
     
  15. jlee0725

    jlee0725 Topic Starter

    I have downloaded and burned the .iso. I will try running it and post results/updates/questions from my iPhone, if any. Otherwise, I will post the log upon completion (let's hope for it). Thanks again.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Take your time. No rush. Be careful there.
     
  17. jlee0725

    jlee0725 Topic Starter

    Hey, Broni. I deleted the partition through gParted. It was 1.2 MB and had the hazard sign as in your picture. There was no "Boot" under flags so I did as you said. When I rebooted, it said something along the lines of "could not locate BOOTMGR press control+alt+delt to restart" and it was an endless loop. When I manually restarted my computer and went into gParted again and turned off "Boot" under flags, I got a different error message when booting. It was something along the lines of "could not locate bootdevice, exiting" or something. I don't remember exactly but I can try it again and provide the exact details if you need. Please help me resolve this issue. Thank you!

    EDIT: Posting from another computer. Cannot boot my own computer and cannot post from iPhone.

    If it helps, I HAD 4 partitions before I deleted one. My own computer (James) is the THIRD one. The first one has "diag" under flags. The second one has no flag.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please Boot to the System Recovery Options
    If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
    It's possible also that your computer has a pre-installed recovery partition instead - in such a case use a method one (by pressing F8 before Windows starts loading)...
    NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Choose Command Prompt
    You should see X:\SOURCES>...

    Execute the following commands in bold.
    Press Enter after every one of them.

    bootrec /fixmbr (<--- there is a "space" after "bootrec")

    bootrec /fixboot (<--- there is a "space" after "bootrec")

    exit

    Restart computer.
     
  19. jlee0725

    jlee0725 Topic Starter

    I tried the F8 method, repeatedly. However, I keep coming to this error BEFORE Windows starts and BEFORE the advanced boot options screen:

    {

    Broadcom UNDI PXE-2.1 v14.0.8
    Copyright (c) 2000-2009 Broadcom Corporation
    Copyright (c) 1997-2000 Intel Corporation
    All rights reserved.

    CLIENT MAC ADDR: 1C 75 08 B3 0C 03 GUID: 71C5AB54 17E0 11E0 8786 1C7508B30C03
    PXE-E53: No boot filename received.

    PXE-M0F: Exiting Broadcom PXE Rom.
    No bootable device -- insert boot disk and press any key.

    }

    Pressing a key simply repeats this process infinitely. The gParted CD is NOT in my drive. I get this when my first-boot is set to CD and when it is set to harddrive (OS).

    edit: I do not have a repair CD or Windows 7 CD.
     
  20. jlee0725

    jlee0725 Topic Starter

    Oh wow I'm an *****. I didn't see that you can make a system repair CD. I will get on that, sorry.
     
  21. jlee0725

    jlee0725 Topic Starter

    I did so and got to the command prompt. Upon doing "bootrec /fixmbr", CMD says that the operation was completed successfully. However, when I did "bootrec /fixboot", CMD says "Element not found." What do I do?
     
  22. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Good :)..........
     
  23. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Actually forget those commands.
    I can see where the issue is.
    Create that CD, boot from it and follow my previous instructions how to get to command prompt.
    Stop there and let me know when ready.
     
  24. jlee0725

    jlee0725 Topic Starter

    I'm in command prompt. I already typed the commands though and entered them.
     
  25. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    That won't bother anything.
    Hold on....
     
