TechSpot

Google Search Redirecting

By SHPIA
Jan 5, 2011
  1. Hi and thanks in advance for your help.
    Over a month ago, my computer contracted a virus. I do not recall the name, but it was win registry or something to that effect. A random icon, which I thought was MSFT, popped up, I clicked it, and it indicated that I had a ton of viruses and kept redirecting me to a site to buy virus removal software. While I realized that was a scam, my computer ceased working - I couldn't retrieve my hard drive files and the virus would not allow me to access any pages of sites that could assist me in remedying the problem. I fixed the issue, but since then, I've still been getting redirected from my internet searches.

    My logs are as follows:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5461

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    1/4/2011 4:29:26 PM
    mbam-log-2011-01-04 (16-29-26).txt

    Scan type: Quick scan
    Objects scanned: 129466
    Time elapsed: 3 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-04 17:45:58
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\adpu160m1 IBM-ESXS rev.B244
    Running: GMER.exe; Driver: C:\DOCUME~1\Teacher\LOCALS~1\Temp\fwnyrfod.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\adpu160m -> DriverStartIo \Device\Scsi\adpu160m1 89B11AEA
    Device \Driver\adpu160m -> DriverStartIo \Device\Scsi\adpu160m2 89B11AEA

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

    Device \Device\Scsi\adpu160m1Port2Path0Target1Lun0 -> \??\SCSI#Disk&Ven_IBM-ESXS&Prod_ST336605LW____!#&Rev_B244#6&35e1ef69&0&010#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Teacher at 10:42:58.73 on Wed 01/05/2011
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1249 [GMT -8:00]

    AV: SpyFighter *Disabled/Outdated* {0B683EC7-F86C-4DB2-BEDE-775B3EBEB00C}
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: SpyFighter *Disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
    C:\Program Files\DRoster\Firebird\bin\fbguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\DRoster\Firebird\bin\fbserver.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\VMware\VMware Player\hqtray.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe
    C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Syncplicity\Syncplicity.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Documents and Settings\Teacher\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
    mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: D-Link Toolbar Loader: {f01858c7-2a68-4d93-9e22-502eae3917c2} - c:\program files\d-link toolbar\dlinktb.dll
    TB: D-Link Toolbar: {61874dfa-9adf-44e5-8e61-f3913707e7d7} - c:\program files\d-link toolbar\dlinktb.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Syncplicity] c:\program files\syncplicity\Syncplicity.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14" -"http://www.classzone.com/books/earth_science/terc/content/investigations/es1101/es1101page01.cfm?chapter_no=investigation"
    mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
    mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [D-Link D-Link DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe
    mRun: [WZCSLDR2] c:\program files\d-link\dwa-125 reva\WZCSLDR2.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\teacher\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\teacher\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\program files\vmware\vmware player\vsocklib.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213733960156
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    LSA: Authentication Packages = msv1_0 nwprovau
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\teacher\applic~1\mozilla\firefox\profiles\bn4eyent.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-dlink-chromesbox-en-us
    FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-dlink-ab-en-us&query=
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: D-Link Toolbar: {926a10d2-4ce7-4331-b96f-ca4e22590fac} - %profile%\extensions\{926a10d2-4ce7-4331-b96f-ca4e22590fac}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-1 11608]
    R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [2010-6-22 29411]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-1 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-1 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-1 61960]
    R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2010-7-6 40960]
    R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\droster\firebird\bin\fbguard.exe -s --> c:\program files\droster\firebird\bin\fbguard.exe -s [?]
    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-9-18 54960]
    R3 el985nd5;3Com Gigabit Ethernet Server NIC (SX/TX);c:\windows\system32\drivers\el985n51.sys [2008-6-17 455199]
    R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\droster\firebird\bin\fbserver.exe -s --> c:\program files\droster\firebird\bin\fbserver.exe -s [?]
    S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2010-7-6 126976]
    S3 ODWGU(Ativa);Ativa Wireless G USB Network Adapter(Ativa);c:\windows\system32\drivers\ODWGU.sys [2008-6-17 408064]
    S3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2010-6-22 779136]

    =============== Created Last 30 ================

    2010-12-15 09:21:13 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 08:41:40 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34:11 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: IBM-ESXS rev.B244 -> Harddisk0\DR0 -> \Device\Scsi\adpu160m1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B2BEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88e4a872; SUB DWORD [EBP-0x4], 0x88e4a12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x89BAE030]
    3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x89A95770]
    [0x89BA81D8] -> IRP_MJ_CREATE -> 0x89B2BEC5
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Scsi\adpu160m1Port2Path0Target1Lun0 -> \??\SCSI#Disk&Ven_IBM-ESXS&Prod_ST336605LW____!#&Rev_B244#6&35e1ef69&0&010#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 10:47:00.01 ===============

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/17/2008 11:23:07 AM
    System Uptime: 1/5/2011 3:17:26 AM (7 hours ago)

    Motherboard: IBM | | MS-6508
    Processor: Intel(R) Xeon(TM) CPU 2.00GHz | CPU1 | 1982/100mhz
    Processor: Intel(R) Xeon(TM) CPU 2.00GHz | CPU2 | 1982/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 29 GiB total, 13.715 GiB free.
    D: is CDROM (CDFS)
    F: is CDROM (CDFS)
    G: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP482: 10/20/2010 8:25:38 AM - System Checkpoint
    RP483: 10/21/2010 1:05:55 PM - System Checkpoint
    RP484: 10/22/2010 1:26:46 PM - System Checkpoint
    RP485: 10/25/2010 8:50:45 AM - System Checkpoint
    RP486: 10/26/2010 9:59:36 AM - System Checkpoint
    RP487: 10/27/2010 10:38:39 AM - System Checkpoint
    RP488: 10/28/2010 12:59:19 PM - System Checkpoint
    RP489: 10/29/2010 1:38:39 PM - System Checkpoint
    RP490: 10/30/2010 2:38:39 PM - System Checkpoint
    RP491: 10/31/2010 3:38:39 PM - System Checkpoint
    RP492: 11/1/2010 3:38:55 PM - System Checkpoint
    RP493: 11/2/2010 3:39:09 PM - System Checkpoint
    RP494: 11/3/2010 5:08:04 PM - System Checkpoint
    RP495: 11/4/2010 5:47:38 PM - System Checkpoint
    RP496: 11/5/2010 6:38:56 PM - System Checkpoint
    RP497: 11/6/2010 6:38:56 PM - System Checkpoint
    RP498: 11/7/2010 7:38:56 PM - System Checkpoint
    RP499: 11/8/2010 7:39:08 PM - System Checkpoint
    RP500: 11/9/2010 8:39:09 PM - System Checkpoint
    RP501: 11/10/2010 3:00:18 AM - Software Distribution Service 3.0
    RP502: 11/11/2010 3:39:09 AM - System Checkpoint
    RP503: 11/12/2010 3:52:50 AM - System Checkpoint
    RP504: 11/15/2010 12:43:16 PM - Software Distribution Service 3.0
    RP505: 11/16/2010 2:29:30 PM - System Checkpoint
    RP506: 11/17/2010 3:48:51 PM - System Checkpoint
    RP507: 11/18/2010 5:13:30 PM - System Checkpoint
    RP508: 11/29/2010 9:06:39 AM - System Checkpoint
    RP509: 12/1/2010 8:56:40 AM - System Checkpoint
    RP510: 12/2/2010 3:16:23 PM - System Checkpoint
    RP511: 12/3/2010 10:07:03 AM - Restore Operation
    RP512: 12/7/2010 10:53:11 AM - System Checkpoint
    RP513: 12/8/2010 12:14:19 PM - System Checkpoint
    RP514: 12/9/2010 1:59:13 PM - System Checkpoint
    RP515: 12/13/2010 9:19:27 AM - System Checkpoint
    RP516: 12/14/2010 11:41:39 AM - System Checkpoint
    RP517: 12/15/2010 3:00:23 AM - Software Distribution Service 3.0
    RP518: 12/16/2010 12:21:31 PM - System Checkpoint
    RP519: 12/17/2010 12:52:28 PM - System Checkpoint
    RP520: 1/4/2011 1:11:25 PM - System Checkpoint
    RP521: 1/5/2011 3:00:25 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.1
    Adobe Shockwave Player
    Avira AntiVir Personal - Free Antivirus
    Brother HL-2140
    D-Link DWA-125
    D-Link Toolbar
    Download Updater (AOL LLC)
    DRoster
    getPlus(R) for Adobe
    GNU Octave 3.0.3
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Java(TM) 6 Update 13
    Java(TM) 6 Update 7
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.5.16)
    MSXML 6.0 Parser (KB925673)
    OpenOffice.org 3.0
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Spybot - Search & Destroy
    Syncplicity
    TBS WMP Plug-in
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VMware Player
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Presentation Foundation
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    1/5/2011 9:35:15 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
    1/5/2011 9:35:15 AM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/5/2011 3:20:42 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    1/4/2011 8:09:23 AM, error: adpu160m [9] - The device, \Device\Scsi\adpu160m1, did not respond within the timeout period.
    1/4/2011 3:15:24 PM, error: Service Control Manager [7034] - The VMware Authorization Service service terminated unexpectedly. It has done this 1 time(s).
    1/4/2011 3:15:24 PM, error: Service Control Manager [7034] - The Firebird Server - DefaultInstance service terminated unexpectedly. It has done this 1 time(s).
    1/4/2011 3:15:23 PM, error: Service Control Manager [7034] - The VMware NAT Service service terminated unexpectedly. It has done this 1 time(s).
    1/4/2011 3:15:23 PM, error: Service Control Manager [7034] - The VMware DHCP Service service terminated unexpectedly. It has done this 1 time(s).
    1/4/2011 3:15:23 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    1/4/2011 3:15:23 PM, error: Service Control Manager [7034] - The Firebird Guardian - DefaultInstance service terminated unexpectedly. It has done this 1 time(s).
    1/4/2011 3:15:23 PM, error: Service Control Manager [7034] - The D_Link_DWA-125_WPS Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================


    Again, thanks in advance for your help,
    Shpia
     
  2. Bobbye

    Welcome to TechSpot! I'll help you work on the rootkit infection and any other malware found. We start with the Rootkit:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please paste log into next reply.
    • A reboot is required after disinfection.
    ===========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. Bobbye

    Additionally: I notice you have a program called SpyFighter. It is showing as outdated. Please uninstall this rogue program. I will help you find more suitable security programs.

    You should also uninstall these outdated Java programs in Add/Remove Programs in the Control Panel:
    Java(TM) 6 Update 13
    Java(TM) 6 Update 7

    They are a vulnerability on the system.
    Please update to the current version v6u23 here Java Updates

    Please note: before pasting a log in Notepad, click on Format and uncheck Word Wrap. This allows entries to read fully across instead of breaking up in pieces such as you see in the Event Viewer.
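    The checks the helper applied to the DDS log by eye (a disabled or outdated product in the AV:/FW: header, old Java(TM) entries under Installed Programs, a security site pinned to loopback in Hosts:, and the GMER rootkit warnings) can be scripted so the same log format is triaged consistently. This is an added example, not code from the thread or from the DDS/GMER tools; it assumes v6u23 as the current Java release, as stated above, and feeds itself a handful of lines taken from the log posted in this thread.

```python
"""Triage helper for DDS-style diagnostic logs (added example, not DDS's own code)."""
import re
from typing import Dict, List, Tuple

# Newest Java release named in the thread (v6u23); anything older is treated as outdated.
CURRENT_JAVA = (6, 23)

PRODUCT_RE = re.compile(r"^(AV|FW|AS):\s+(.+?)\s+\*([^*]+)\*")      # AV: Name *State* {GUID}
JAVA_RE = re.compile(r"^Java\(TM\)\s+(\d+)\s+Update\s+(\d+)$")       # Installed Programs entry
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")                    # Hosts: ip hostname
ROOTKIT_RE = re.compile(r"Warning:.*rootkit|>>UNKNOWN\s+\[0x[0-9A-Fa-f]+\]<<")


def security_product_issues(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, product, state) for AV/FW/AS entries that are disabled or outdated."""
    issues = []
    for line in lines:
        m = PRODUCT_RE.match(line)
        if m and ("Disabled" in m.group(3) or "Outdated" in m.group(3)):
            issues.append((m.group(1), m.group(2), m.group(3)))
    return issues


def outdated_java(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (major, update) for Java(TM) entries older than CURRENT_JAVA, oldest first."""
    found = []
    for line in lines:
        m = JAVA_RE.match(line)
        if m:
            version = (int(m.group(1)), int(m.group(2)))
            if version < CURRENT_JAVA:
                found.append(version)
    return sorted(found)


def suspicious_hosts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, host) for Hosts: entries that pin a real hostname to loopback.

    Malware commonly adds such entries to block security vendors' and help sites."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and m.group(1).startswith("127.") and m.group(2) != "localhost":
            hits.append((m.group(1), m.group(2)))
    return hits


def rootkit_indicators(lines: List[str]) -> List[str]:
    """Return the GMER/MBR-check lines that point at a possible rootkit."""
    return [line for line in lines if ROOTKIT_RE.search(line)]


def triage(log_text: str) -> Dict[str, list]:
    """Run every check over a DDS log and return only the non-empty findings."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    findings = {
        "security_products": security_product_issues(lines),
        "outdated_java": outdated_java(lines),
        "hosts": suspicious_hosts(lines),
        "rootkit": rootkit_indicators(lines),
    }
    return {key: value for key, value in findings.items() if value}


# Lines taken from the DDS/GMER output posted in this thread, trimmed to the parts
# the checks above look at (the full log runs to several hundred lines).
SAMPLE_LOG = """\
AV: SpyFighter *Disabled/Outdated* {0B683EC7-F86C-4DB2-BEDE-775B3EBEB00C}
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: SpyFighter *Disabled*
Hosts: 127.0.0.1 www.spywareinfo.com
Java(TM) 6 Update 13
Java(TM) 6 Update 7
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B2BEC5]<<
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

A clean log produces an empty dict, so the script can double as a quick "is there anything left to look at" check after a cleanup run.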
     
  4. SHPIA

    Thanks for your help, Bobbye,

    I'm having problems saving and running combofix. The first link that you provided doesn't work (for me). It goes to a "404 error -page not found." I was able to open the second link, but when I tried to save and run it, my computer said that some of the files are corrupted and that I needed to run combofix from another site.

    Please advise.

    Oh, also, I cannot locate the Spyfighter program that you mentioned being an outdated rogue program on my computer. I looked under add/remove programs, desktop files, and under the start menu and I don't see anything. Do you have any suggestions on where I might find the program?

    Thank you!
     
  5. Bobbye

    Sorry about the Combofix link- I did check and it is no longer good. This should work for you:
    http://www.bleepingcomputer.com/download/anti-virus/combofix

    I will update my instructions. Let me know if you still get the 'corrupt' message and I'll give you a program to run before Combofix. I think Forospy gives a Spanish version and that might be causing that problem.

    As for SpyFighter, it is possible that it was removed and only shows in the log header. If that proves to be the case, I can remove it with the script I'll write after you run Combofix.
     