Solved Infected with Bamital-w or something similar (Google redirect again... I guess)

Status
Not open for further replies.

KJI

Essentially, with both my main browser (Opera) and Firefox, no google links work and I'm occasionally redirected to random sites.

I should also note that I rarely get viruses/adware and am usually one of the people to call to get rid of them, but it doesn't seem to work with this. I constantly have SD Resident running as well as avast, but I guess this one slipped through.

I've run quite a few other programs to try to fix the problem, but none of them find much. Here's what each found:

avast: found nothing
ad-aware: found nothing but suggested my mirc as low level spyware
spybot: suggested megaupload and coupons toolbar as possible adware
Malwarebytes' Anti-Malware: found and deleted HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) and C:\Users\KJI\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) the first time, then HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) and C:\Program Files\Last.fm\killer.exe (Worm.Koobface) the second time
SUPERAntiSpyware: found nothing
combofix: only found/fixed c:\windows\System32\wininit.exe
hijackthis: didn't see anything particularly suspicious, removed some unneeded entries

I should also mention that I've gotten a few Java update notices recently and usually just press yes, but after reading that it could be due to a Java exploit, I checked and found my version was still pretty old... I just uninstalled it and installed the new version recently to make sure.

Also, currently hlp.dat is located in my c:\windows\system32 and is supposedly in use by winnit.exe

Thanks for any help,
KJI
 

Attachments

  • mbam-log-2010-08-11 (04-23-18).txt (944 bytes)
  • Attach.txt (15.6 KB)
  • gmer.log (10.7 KB)
  • DDS.txt (18 KB)
Welcome aboard

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Here's the ComboFix file. Oddly enough it told me Ad-Watch Live! was running when I ran it, even though it's uninstalled...
 

Attachments

  • ComboFix.txt (21.1 KB)
That's fine :)

I can see you ran Combofix already on 2010-08-10.
You shouldn't run it without supervision.

Combofix log looks good :)

Any current issues?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I can see you ran Combofix already on 2010-08-10.
You shouldn't run it without supervision.

Sorry about that. But in the first post I did mention that I'm used to fixing virus/malware problems by myself, and that I ran it before. I've also run OTL before, but only the scan.


Any current issues?

Yep, google still isn't working right and I still occasionally get redirects on that browser.

For some reason, there was no extras.txt, no matter how I ran OTL.txt this time. The OTL log (with a few personal files removed) is attached.
 

Attachments

  • OTL.Txt (122.4 KB)
Which browser is affected?

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Opera is affected (and probably firefox still)

MBRcheck content:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Studio 1537
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 208):
0x82A52000 \SystemRoot\system32\ntkrnlpa.exe
0x82A1B000 \SystemRoot\system32\halmacpi.dll
0x80BBA000 \SystemRoot\system32\kdcom.dll
0x8AC37000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8ACAF000 \SystemRoot\system32\PSHED.dll
0x8ACC0000 \SystemRoot\system32\BOOTVID.dll
0x8ACC8000 \SystemRoot\system32\CLFS.SYS
0x8AD0A000 \SystemRoot\system32\CI.dll
0x8AE19000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8AE8A000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8AE98000 \SystemRoot\System32\Drivers\spgt.sys
0x8AF8B000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x8AF94000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x8ADB5000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x8AFBA000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x8AFC2000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x8AFCD000 \SystemRoot\system32\DRIVERS\pci.sys
0x8AE00000 \SystemRoot\System32\drivers\partmgr.sys
0x8AE11000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8AC00000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8AC0B000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x8B02C000 \SystemRoot\System32\drivers\volmgrx.sys
0x8B077000 \SystemRoot\System32\drivers\mountmgr.sys
0x8B08D000 \SystemRoot\system32\DRIVERS\atapi.sys
0x8B096000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x8B0B9000 \SystemRoot\system32\DRIVERS\msahci.sys
0x8B0C3000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8B0D1000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x8B0DA000 \SystemRoot\system32\drivers\fltmgr.sys
0x8B10E000 \SystemRoot\system32\drivers\fileinfo.sys
0x8B11F000 \SystemRoot\System32\Drivers\TPkd.sys
0x8B203000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B332000 \SystemRoot\System32\Drivers\msrpc.sys
0x8B35D000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8B370000 \SystemRoot\System32\Drivers\cng.sys
0x8B3CD000 \SystemRoot\System32\drivers\pcw.sys
0x8B3DB000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8B13D000 \SystemRoot\system32\drivers\ndis.sys
0x8B433000 \SystemRoot\system32\drivers\NETIO.SYS
0x8B471000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8B496000 \SystemRoot\System32\drivers\tcpip.sys
0x8B400000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8B5DF000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x8B607000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x8B646000 \SystemRoot\System32\Drivers\spldr.sys
0x8B64E000 \SystemRoot\System32\drivers\rdyboost.sys
0x8B67B000 \SystemRoot\System32\Drivers\mup.sys
0x8B68B000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8B693000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8B6C5000 \SystemRoot\system32\DRIVERS\disk.sys
0x8B6D6000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8B72E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8B74D000 \SystemRoot\System32\Drivers\Null.SYS
0x8B754000 \SystemRoot\System32\Drivers\Beep.SYS
0x8B75B000 \??\C:\Windows\system32\drivers\SBREdrv.sys
0x8B771000 \SystemRoot\System32\drivers\vga.sys
0x8B77D000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8B79E000 \SystemRoot\System32\drivers\watchdog.sys
0x8B7AB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8B7B3000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8B7BB000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8B7C3000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8B7CE000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8B7DC000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8B7F3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8B5E8000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8F42B000 \SystemRoot\system32\drivers\afd.sys
0x8F485000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8F48A000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8F4BC000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8F4C3000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F4E2000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8F4F3000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F501000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F514000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8F524000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x8F546000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x8F54C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8F58D000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F597000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8F5A1000 \SystemRoot\System32\drivers\discache.sys
0x9083D000 \SystemRoot\system32\drivers\csc.sys
0x908A1000 \SystemRoot\System32\Drivers\dfsc.sys
0x908B9000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x908C7000 \SystemRoot\System32\Drivers\aswSP.SYS
0x908EE000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x96022000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x96537000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x9090F000 \SystemRoot\System32\drivers\dxgmms1.sys
0x96000000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x965EE000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x90948000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x90993000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x96A3E000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x96CA5000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x96CAF000 \SystemRoot\system32\DRIVERS\k57nd60x.sys
0x96CEB000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x96D17000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x96D30000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x96D81000 \SystemRoot\system32\DRIVERS\itecir.sys
0x96DDA000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x96DF2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x96A00000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x96A3A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x909A2000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x909AF000 \SystemRoot\System32\Drivers\ajuqzavs.SYS
0x909E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x90800000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x965F9000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x90809000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x90816000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8F5AD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x90828000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F5C5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8F5E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8F400000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8B3E4000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x90833000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x96A3C000 \SystemRoot\system32\DRIVERS\swenum.sys
0x97223000 \SystemRoot\system32\DRIVERS\ks.sys
0x97257000 \SystemRoot\system32\DRIVERS\circlass.sys
0x97265000 \SystemRoot\system32\DRIVERS\umbus.sys
0x97273000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x972B7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x972C8000 \SystemRoot\system32\drivers\HdAudio.sys
0x97318000 \SystemRoot\system32\drivers\portcls.sys
0x97347000 \SystemRoot\system32\drivers\drmk.sys
0x97360000 \SystemRoot\system32\DRIVERS\hidir.sys
0x9736F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x97382000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x97389000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x97395000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x82213000 \SystemRoot\System32\Drivers\ATSwpWDF.sys
0x822B3000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x822CA000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x98190000 \SystemRoot\System32\win32k.sys
0x822D5000 \SystemRoot\System32\drivers\Dxapi.sys
0x822DF000 \SystemRoot\system32\DRIVERS\OA001Vid.sys
0x82323000 \SystemRoot\system32\DRIVERS\OA001Ufd.sys
0x82347000 \SystemRoot\System32\Drivers\crashdmp.sys
0x82354000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8235F000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x82369000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x983F0000 \SystemRoot\System32\TSDDD.dll
0x98020000 \SystemRoot\System32\cdd.dll
0x82385000 \SystemRoot\system32\drivers\luafv.sys
0x823A0000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x823B7000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x823BA000 \SystemRoot\system32\drivers\WudfPf.sys
0x823D4000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x973A0000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x823E4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x82200000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9CC01000 \SystemRoot\system32\drivers\HTTP.sys
0x9CC86000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9CC9F000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9CCB1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9CCD4000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9CD0F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9CD42000 \SystemRoot\system32\drivers\peauth.sys
0x9CD2A000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9CDD9000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9CD34000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9D639000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9D688000 \SystemRoot\System32\DRIVERS\srv.sys
0x9D6D9000 \SystemRoot\System32\Drivers\fastfat.SYS
0x9D76D000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x9D776000 \SystemRoot\system32\DRIVERS\monitor.sys
0x77160000 \Windows\System32\ntdll.dll
0x48040000 \Windows\System32\smss.exe
0x773A0000 \Windows\System32\apisetschema.dll
0x00BB0000 \Windows\System32\autochk.exe
0x77380000 \Windows\System32\nsi.dll
0x772F0000 \Windows\System32\oleaut32.dll
0x772E0000 \Windows\System32\psapi.dll
0x77090000 \Windows\System32\user32.dll
0x76FF0000 \Windows\System32\usp10.dll
0x76EB0000 \Windows\System32\urlmon.dll
0x76260000 \Windows\System32\shell32.dll
0x761D0000 \Windows\System32\clbcatq.dll
0x76070000 \Windows\System32\ole32.dll
0x75E70000 \Windows\System32\iertutil.dll
0x772C0000 \Windows\System32\imm32.dll
0x75D70000 \Windows\System32\wininet.dll
0x75D10000 \Windows\System32\difxapi.dll
0x772B0000 \Windows\System32\normaliz.dll
0x75CC0000 \Windows\System32\gdi32.dll
0x75C60000 \Windows\System32\shlwapi.dll
0x75C20000 \Windows\System32\ws2_32.dll
0x75B80000 \Windows\System32\advapi32.dll
0x75B30000 \Windows\System32\Wldap32.dll
0x75B00000 \Windows\System32\imagehlp.dll
0x772A0000 \Windows\System32\lpk.dll
0x75A30000 \Windows\System32\msctf.dll
0x75980000 \Windows\System32\rpcrt4.dll
0x758A0000 \Windows\System32\kernel32.dll
0x757F0000 \Windows\System32\msvcrt.dll
0x757D0000 \Windows\System32\sechost.dll
0x75630000 \Windows\System32\setupapi.dll
0x755B0000 \Windows\System32\comdlg32.dll
0x75520000 \Windows\System32\comctl32.dll
0x75400000 \Windows\System32\crypt32.dll
0x753E0000 \Windows\System32\devobj.dll
0x75390000 \Windows\System32\KernelBase.dll
0x75360000 \Windows\System32\wintrust.dll
0x75330000 \Windows\System32\cfgmgr32.dll
0x75320000 \Windows\System32\msasn1.dll
0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

Processes (total 55):
0 System Idle Process
4 System
284 C:\Windows\System32\smss.exe
380 csrss.exe
452 C:\Windows\System32\wininit.exe
464 csrss.exe
512 C:\Windows\System32\services.exe
528 C:\Windows\System32\lsass.exe
536 C:\Windows\System32\lsm.exe
644 C:\Windows\System32\svchost.exe
720 C:\Windows\System32\winlogon.exe
752 C:\Program Files\Fingerprint Sensor\AtService.exe
784 C:\Windows\System32\svchost.exe
848 C:\Windows\System32\atiesrxx.exe
944 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
1056 C:\Windows\System32\svchost.exe
1204 C:\Windows\System32\svchost.exe
1328 C:\Windows\System32\atieclxx.exe
1480 C:\Windows\System32\svchost.exe
1560 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1812 C:\Windows\System32\spoolsv.exe
1844 C:\Program Files\DigitalPersona\Bin\DpHostW.exe
1908 C:\Windows\System32\svchost.exe
2024 C:\Program Files\Bonjour\mDNSResponder.exe
320 C:\Windows\System32\svchost.exe
468 C:\Windows\System32\svchost.exe
1360 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
2564 C:\Windows\System32\svchost.exe
3120 C:\Windows\System32\taskhost.exe
3216 C:\Windows\System32\dwm.exe
3240 C:\Windows\explorer.exe
3472 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
3500 C:\Program Files\Winamp\winampa.exe
3520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3528 C:\Program Files\DigitalPersona\Bin\DpAgent.exe
3600 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3648 C:\Users\KJI\AppData\Roaming\Google\Google Talk\googletalk.exe
3708 C:\Users\KJI\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
3724 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
4016 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
1736 C:\Windows\System32\SearchIndexer.exe
2176 C:\Program Files\Windows Media Player\wmpnetwk.exe
3720 C:\Windows\System32\svchost.exe
3096 C:\Windows\System32\audiodg.exe
2352 C:\Program Files\Winamp\winamp.exe
2228 C:\Program Files\Last.fm\LastFM.exe
2560 C:\Users\KJI\AppData\Local\Google\Chrome\Application\chrome.exe
1228 C:\Users\KJI\AppData\Local\Google\Chrome\Application\chrome.exe
3036 C:\Users\KJI\AppData\Local\Google\Chrome\Application\chrome.exe
2524 C:\Windows\System32\SearchProtocolHost.exe
360 C:\Windows\System32\SearchFilterHost.exe
376 C:\Users\KJI\Desktop\MBRCheck.exe
4076 C:\Windows\System32\conhost.exe
3888 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`86e00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`06e00000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
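What MBRCheck did for the report above comes down to a few checks on one 512-byte sector: is the 0x55AA boot signature present, which partitions does the table describe (the C: and D: offsets it printed come straight from the LBA fields), and does a hash of the boot code match known-good Windows code. The following is an added example written for this thread, not MBRCheck's own code. It assumes the hash covers the 440-byte boot-code area ahead of the disk signature (an assumption about MBRCheck's method); the only allowlist entry is the SHA1 the log printed, and the sample MBR is constructed so that its partition offsets mirror the C: and D: offsets in the log while its boot code bytes, disk signature and partition sizes are made up.

```python
"""Added example (written for this thread, not MBRCheck's own code): parse one 512-byte MBR,
hash its boot code and compare the hash against an allowlist of known-good boot code."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOTCODE_LEN = 440  # assumption: the hash covers bytes 0..439, ahead of the 4-byte disk signature

# Allowlist of boot-code SHA1s. The one real entry is the value MBRCheck printed for this
# machine in the thread above; a production list would hold hashes taken from clean installs.
KNOWN_GOOD_BOOTCODE_SHA1 = {
    "4379A3D43019B46FA357F7DD6A53B45A3CA8FB79": "Windows 7 MBR code (as reported by MBRCheck above)",
}
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0xEE: "GPT protective"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (status, CHS, type, CHS, LBA start, sector count)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "active": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "lba_start": lba_start,
        "sectors": sectors,
        "byte_offset": lba_start * SECTOR_SIZE,  # the per-volume offset MBRCheck prints
        "empty": ptype == 0 and sectors == 0,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Split the sector into boot code, disk signature, partition table and boot signature."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    sha1 = hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()
    entries = [parse_partition_entry(mbr[446 + 16 * i:462 + 16 * i]) for i in range(4)]
    return {
        "signature_ok": mbr[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "bootcode_sha1": sha1,
        "bootcode_label": KNOWN_GOOD_BOOTCODE_SHA1.get(sha1),  # None when not allowlisted
        "partitions": [p for p in entries if not p["empty"]],
    }


def findings(info: dict) -> list:
    """Plain-language results; an empty list means nothing worth a second look."""
    out = []
    if not info["signature_ok"]:
        out.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["bootcode_label"] is None:
        out.append("boot code SHA1 %s is not allowlisted: compare against a clean image" % info["bootcode_sha1"])
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:  # standard BIOS boot code expects exactly one active partition
        out.append("expected one active partition, found %d" % len(active))
    return out


def _entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    chs = b"\xFE\xFF\xFF"  # CHS fields are ignored on LBA disks; filler value
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, chs, ptype, chs, lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: partition offsets mirror the D: and C: offsets in the MBRCheck log above;
    the boot code bytes, disk signature and partition sizes are made up."""
    bootcode = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(BOOTCODE_LEN, b"\x00")
    table = (
        _entry(True, 0x07, 0x06E00000 // SECTOR_SIZE, 20971520)      # D: (offset from the log)
        + _entry(False, 0x07, 0x286E00000 // SECTOR_SIZE, 467200000)  # C: (offset from the log)
        + bytes(32)                                                    # two unused entries
    )
    return bootcode + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + table + b"\x55\xAA"


if __name__ == "__main__":
    # With a path argument, read the first sector of that image or device (a dd copy, or on
    # Windows r"\\.\PhysicalDrive0" when run elevated); otherwise inspect the constructed sample.
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    for p in info["partitions"]:
        state = "active" if p["active"] else "inactive"
        print("%s at offset 0x%010X, %d sectors, %s" % (p["type_name"], p["byte_offset"], p["sectors"], state))
    print("boot code SHA1:", info["bootcode_sha1"], "->", info["bootcode_label"] or "unknown")
    for f in findings(info):
        print("finding:", f)
```

Run it with no arguments to see the constructed sample reported as "not allowlisted" (its boot code is made up), and with a sector image to check a real disk. The allowlist approach is the point: a hash that matches clean Windows boot code is good evidence, while an unmatched hash only says "compare against a known-clean image", not "infected".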
 
MBRCheck log looks fine :)

Can you double-check if Firefox and IE are also affected?


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
    O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
    O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - Reg Error: Value error. File not found
    O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - Reg Error: Value error. File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Logs are attached from the fix and scan.

MBRCheck log looks fine :)

Can you double-check if Firefox and IE are also affected?

In Internet Explorer the two google links I clicked on directed me to pages.us.com and buyerstv.com. In Firefox, just none of the links from google would load.

Two things I'm wondering about:

1. MBRcheck lists ajuqzavs.SYS as a kernel driver, but google has no info on it.
2. hlp.dat is still located at c:\windows\system32 ...google only seems to suggest that it's virus payload related, but none of the scans have mentioned it.
 

Attachments

  • 08132010_201737.log (6.4 KB)
  • OTL.Txt (109.8 KB)
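The question above about ajuqzavs.SYS is the right instinct: a driver name with no search results is unusual for anything that ships with Windows or with a named product. The dependable way to surface such a driver, though, is to compare the "Kernel Drivers" section of the MBRCheck log against the same section from a known-clean reference machine rather than against a web search. The following is an added example for this thread, not part of MBRCheck or any of the tools used here. It parses that section, diffs it against a baseline, and separately lists drivers MBRCheck shows with a \??\ full path, which is how it prints images loaded from outside \SystemRoot (the SUPERAntiSpyware drivers in the log are that case). The "current" sample lines are copied from the MBRCheck output posted in this thread; the baseline is a constructed subset standing in for a clean reference and is not a real baseline. A hit in the diff means "examine this first", not "this is malware".

```python
"""Added example (not MBRCheck's code): diff the 'Kernel Drivers' section of two MBRCheck logs
so an unfamiliar driver stands out by comparison with a clean reference machine."""
import re
from typing import Dict, List, Tuple

# One MBRCheck driver line: an 8-digit hex load address, then the image path.
DRIVER_LINE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(\S.*?)\s*$")

# Constructed baseline: a subset of Windows and security-product drivers standing in for the
# list a clean machine of the same build would show. Load addresses are irrelevant to the diff.
BASELINE_LOG = r"""MBRCheck, version 1.2.3
Kernel Drivers (total 10):
0x82A52000 \SystemRoot\system32\ntkrnlpa.exe
0x82A1B000 \SystemRoot\system32\halmacpi.dll
0x8AE19000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8B203000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B13D000 \SystemRoot\system32\drivers\ndis.sys
0x8B496000 \SystemRoot\System32\drivers\tcpip.sys
0x8B75B000 \??\C:\Windows\system32\drivers\SBREdrv.sys
0x96DF2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x909A2000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x908C7000 \SystemRoot\System32\Drivers\aswSP.SYS

Processes (total 0):
"""

# "Current" sample: the baseline lines plus two lines taken from the MBRCheck log in this thread.
CURRENT_LOG = r"""MBRCheck, version 1.2.3
Kernel Drivers (total 12):
0x82A52000 \SystemRoot\system32\ntkrnlpa.exe
0x82A1B000 \SystemRoot\system32\halmacpi.dll
0x8AE19000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8B203000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B13D000 \SystemRoot\system32\drivers\ndis.sys
0x8B496000 \SystemRoot\System32\drivers\tcpip.sys
0x8B75B000 \??\C:\Windows\system32\drivers\SBREdrv.sys
0x8F524000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x96DF2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x909A2000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x909AF000 \SystemRoot\System32\Drivers\ajuqzavs.SYS
0x908C7000 \SystemRoot\System32\Drivers\aswSP.SYS

Processes (total 0):
"""


def parse_kernel_drivers(log_text: str) -> Dict[str, str]:
    """Map lower-cased image basename -> path, for the 'Kernel Drivers' section only."""
    drivers: Dict[str, str] = {}
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if line.startswith("Processes"):  # next section of the report
            break
        m = DRIVER_LINE.match(line)
        if in_section and m:
            path = m.group(1)
            drivers[path.rsplit("\\", 1)[-1].lower()] = path
    return drivers


def compare_driver_lists(current: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Three buckets: drivers absent from the baseline, drivers loaded via a \\??\\ full path,
    and new drivers that sit in the Windows drivers folder with no product folder to explain them."""
    new = [(n, p) for n, p in sorted(current.items()) if n not in baseline]
    outside = [(n, p) for n, p in sorted(current.items()) if p.startswith("\\??\\")]
    # New AND in \SystemRoot\System32\Drivers: pull this one first for hash and signature checks.
    examine_first = [(n, p) for n, p in new if "\\drivers\\" in p.lower() and not p.startswith("\\??\\")]
    return {"new": new, "outside_systemroot": outside, "examine_first": examine_first}


if __name__ == "__main__":
    report = compare_driver_lists(parse_kernel_drivers(CURRENT_LOG), parse_kernel_drivers(BASELINE_LOG))
    for bucket, items in report.items():
        print(bucket + ":")
        for name, path in items:
            print("  %-16s %s" % (name, path))
```

With the sample inputs, ajuqzavs.sys is the only entry in "examine_first": it is new relative to the baseline and lives in the Windows drivers directory, whereas SASKUTIL.SYS is also new but sits under a product folder that accounts for it. Against real logs, feed two full MBRCheck reports to parse_kernel_drivers and the same comparison applies.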
What do you mean, it's gone?
Did you delete it?

I assume you're still getting redirected?

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
What do you mean, it's gone?
Did you delete it?
No, when I tried to upload it from the path it was supposed to be at, it just wasn't there anymore.

I assume you're still getting redirected?
Yes, I am still being redirected.

checkup logs: Although it says I have the newest version of Java, I only made sure to uninstall the old version and install new version after I started having these problems. Before that, I was getting new update notifications, but I guess it hadn't actually been updating for a while.

checkup log:


Results of screen317's Security Check version 0.99.5
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Adobe Flash Player 10.1.82.76
Adobe Reader 9.3.3
Japanese Fonts Support For Adobe Reader 9
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````


Kaspersky report:

KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, August 14, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, August 14, 2010 03:16:25
Records in database: 4132424
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 135035
Threats found: 5
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 04:24:06


File name / Threat / Threats count
winampa.exe\winampa.exe/winampa.exe\winampa.exe Infected: Worm.Win32.Qvod.anx 1
C:\sysreset\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\sysreset\extra\old-mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\sysreset\mirc.exe.BAK Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\sysreset\mirc.exe.newer Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\sysreset\mirc.exe.old Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1

Selected area has been scanned.
 
I can't see from Kaspersky's log where this file is located:
File name / Threat / Threats count
winampa.exe\winampa.exe/winampa.exe\winampa.exe Infected: Worm.Win32.Qvod.anx 1

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    winampa.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:42 on 14/08/2010 by KJI (Administrator - Elevation successful)

========== filefind ==========

Searching for "winampa.exe"
C:\Program Files\Winamp\winampa.exe --a--- 74752 bytes [16:32 12/07/2010] [16:32 12/07/2010] 895A62970833575772FA21B0C54C158D

-=End Of File=-
 
Your router may be infected.
We need to hard reset it.
Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pushing in the hole, using a pencil or a paperclip, until all lights briefly go off and on.
Restart computer and check for redirections
 
Interesting....

1. Clear your Java Cache

  • Go Start>Control Panel (Classic View)>Java
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - leave BOTH checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window.
    • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

2. Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


3. Turn computer off. Reset router one more time.
Restart.
Let me know.
 
Unfortunately, my browsers seem to still be having the problem. IE is redirecting while the other two are just not loading google links.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\EagleNT.sys -- (EagleNT)
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
I should probably mention I installed/ran Sophos to see if it found anything (it didn't), but only remembered today that you might've said not to install/run anything else... sorry about that.

From fix:

All processes killed
========== OTL ==========
Service EagleNT stopped successfully!
Service EagleNT deleted successfully!
File C:\Windows\System32\drivers\EagleNT.sys not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: KJI
->Temp folder emptied: 15800482 bytes
->Temporary Internet Files folder emptied: 2479857 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 17954541 bytes
->Google Chrome cache emptied: 144575452 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 2974663 bytes
->Flash cache emptied: 3134 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4797168 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 258099447 bytes

Total Files Cleaned = 426.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: KJI
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08162010_170628

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Scan log attached due to size.
 

Attachments

  • OTL.Txt (105.1 KB)
You can't run two AV programs.
Either Sophos or Avast has to be uninstalled.

Still redirecting?
 
Yeah, I meant to only scan with it then uninstall. I'll uninstall now. I should also mention that it detected hlp.dat as a malicious file, but could not remove it.

Yes, it seems to be still redirecting. Trying on Internet explorer, I was redirected to nortonoutlet and yahoo finance while clicking on links to other sites.
 