TechSpot

Infected with Bamital-w or something similar (Google redirect again... I guess)

Solved
By KJI
Aug 12, 2010
Topic Status:
Not open for further replies.
  1. Essentially, with both my main browser (Opera) and Firefox, no google links work and I'm occasionally redirected to random sites.

    I should also note that I rarely get viruses/adware and am usually one of the people to call to get rid of them, but it doesn't seem to work with this. I constantly have SD Resident running as well as avast, but I guess this one slipped through.

    I've ran quite a few other programs to try to fix the problem, but none of them find much. Here's what each found:

    avast: found nothing
    ad-aware: found nothing but suggested my mirc as low level spyware
    spybot: suggested megaupload and coupons toolbar as possible adware
    Malwarebytes' Anti-Malware: found and deleted HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) and C:\Users\KJI\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) the first time, then HKEY_CURRENT_USER\Software\WinServers (Malware.Trace)and C:\Program Files\Last.fm\killer.exe (Worm.Koobface) the second time
    SUPERAntiSpyware: found nothing
    combofix: only found/fixed c:\windows\System32\wininit.exe
    hijackthis: didn't see anything particularly suspicious, removed some unneeded entries

    I should also mention that I've got a few java update notices recently and usually just press yes, but after reading that it could be due to a java exploit checked and found my version was still pretty old... just uninstalled and installed the new version recently to make sure.

    Also, currently hlp.dat is located in my c:\windows\system32 and is supposedly in use by winnit.exe

    Thanks for any help,
    KJI
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Welcome aboard [​IMG]

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. KJI

    KJI TS Rookie Topic Starter Posts: 25

    Here's the ComboFix file. Oddly enough it told me Ad-Watch Live! was running when I ran it, even though it's uninstalled...
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    That's fine :)

    I can see, you ran Combofix already on 2010-08-10
    You shouldn't run it without a supervision.

    Combofix log looks good :)

    Any current issues?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  5. KJI

    KJI TS Rookie Topic Starter Posts: 25

    Sorry about that. But in the first post I did mention that I'm used to fixing virus/malware problems by myself, and that I ran it before. I've also ran OTL before, but only the scan.


    Yep, google still isn't working right and I still occasionally get redirects on that browser.

    For some reason, there was no extras.txt, no matter how I ran OTL.txt this time. The OTL log (with a few personal files removed) is attached.
     

    Attached Files:

    • OTL.Txt
      File size:
      122.4 KB
      Views:
      5
  6. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Which browser is affected?

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  7. KJI

    KJI TS Rookie Topic Starter Posts: 25

    Opera is affected (and probably firefox still)

    MBRcheck content:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Professional
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Studio 1537
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 208):
    0x82A52000 \SystemRoot\system32\ntkrnlpa.exe
    0x82A1B000 \SystemRoot\system32\halmacpi.dll
    0x80BBA000 \SystemRoot\system32\kdcom.dll
    0x8AC37000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8ACAF000 \SystemRoot\system32\PSHED.dll
    0x8ACC0000 \SystemRoot\system32\BOOTVID.dll
    0x8ACC8000 \SystemRoot\system32\CLFS.SYS
    0x8AD0A000 \SystemRoot\system32\CI.dll
    0x8AE19000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8AE8A000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8AE98000 \SystemRoot\System32\Drivers\spgt.sys
    0x8AF8B000 \SystemRoot\System32\Drivers\WMILIB.SYS
    0x8AF94000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
    0x8ADB5000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x8AFBA000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x8AFC2000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x8AFCD000 \SystemRoot\system32\DRIVERS\pci.sys
    0x8AE00000 \SystemRoot\System32\drivers\partmgr.sys
    0x8AE11000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8AC00000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8AC0B000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x8B02C000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8B077000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8B08D000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x8B096000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x8B0B9000 \SystemRoot\system32\DRIVERS\msahci.sys
    0x8B0C3000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x8B0D1000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x8B0DA000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8B10E000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8B11F000 \SystemRoot\System32\Drivers\TPkd.sys
    0x8B203000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8B332000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8B35D000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8B370000 \SystemRoot\System32\Drivers\cng.sys
    0x8B3CD000 \SystemRoot\System32\drivers\pcw.sys
    0x8B3DB000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8B13D000 \SystemRoot\system32\drivers\ndis.sys
    0x8B433000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8B471000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8B496000 \SystemRoot\System32\drivers\tcpip.sys
    0x8B400000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8B5DF000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
    0x8B607000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8B646000 \SystemRoot\System32\Drivers\spldr.sys
    0x8B64E000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8B67B000 \SystemRoot\System32\Drivers\mup.sys
    0x8B68B000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8B693000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8B6C5000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8B6D6000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x8B72E000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8B74D000 \SystemRoot\System32\Drivers\Null.SYS
    0x8B754000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8B75B000 \??\C:\Windows\system32\drivers\SBREdrv.sys
    0x8B771000 \SystemRoot\System32\drivers\vga.sys
    0x8B77D000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8B79E000 \SystemRoot\System32\drivers\watchdog.sys
    0x8B7AB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8B7B3000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8B7BB000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8B7C3000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8B7CE000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8B7DC000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8B7F3000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8B5E8000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0x8F42B000 \SystemRoot\system32\drivers\afd.sys
    0x8F485000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x8F48A000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8F4BC000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x8F4C3000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8F4E2000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x8F4F3000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8F501000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8F514000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8F524000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0x8F546000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0x8F54C000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8F58D000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8F597000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8F5A1000 \SystemRoot\System32\drivers\discache.sys
    0x9083D000 \SystemRoot\system32\drivers\csc.sys
    0x908A1000 \SystemRoot\System32\Drivers\dfsc.sys
    0x908B9000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x908C7000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x908EE000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x96022000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x96537000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x9090F000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x96000000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x965EE000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x90948000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x90993000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x96A3E000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
    0x96CA5000 \SystemRoot\system32\DRIVERS\vwifibus.sys
    0x96CAF000 \SystemRoot\system32\DRIVERS\k57nd60x.sys
    0x96CEB000 \SystemRoot\system32\DRIVERS\1394ohci.sys
    0x96D17000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0x96D30000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
    0x96D81000 \SystemRoot\system32\DRIVERS\itecir.sys
    0x96DDA000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x96DF2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x96A00000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x96A3A000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x909A2000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x909AF000 \SystemRoot\System32\Drivers\ajuqzavs.SYS
    0x909E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x90800000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x965F9000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x90809000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x90816000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x8F5AD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x90828000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8F5C5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8F5E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8F400000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8B3E4000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x90833000 \SystemRoot\system32\DRIVERS\rdpbus.sys
    0x96A3C000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x97223000 \SystemRoot\system32\DRIVERS\ks.sys
    0x97257000 \SystemRoot\system32\DRIVERS\circlass.sys
    0x97265000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x97273000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x972B7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x972C8000 \SystemRoot\system32\drivers\HdAudio.sys
    0x97318000 \SystemRoot\system32\drivers\portcls.sys
    0x97347000 \SystemRoot\system32\drivers\drmk.sys
    0x97360000 \SystemRoot\system32\DRIVERS\hidir.sys
    0x9736F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x97382000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x97389000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x97395000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x82213000 \SystemRoot\System32\Drivers\ATSwpWDF.sys
    0x822B3000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x822CA000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x98190000 \SystemRoot\System32\win32k.sys
    0x822D5000 \SystemRoot\System32\drivers\Dxapi.sys
    0x822DF000 \SystemRoot\system32\DRIVERS\OA001Vid.sys
    0x82323000 \SystemRoot\system32\DRIVERS\OA001Ufd.sys
    0x82347000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x82354000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8235F000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x82369000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x983F0000 \SystemRoot\System32\TSDDD.dll
    0x98020000 \SystemRoot\System32\cdd.dll
    0x82385000 \SystemRoot\system32\drivers\luafv.sys
    0x823A0000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
    0x823B7000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0x823BA000 \SystemRoot\system32\drivers\WudfPf.sys
    0x823D4000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x973A0000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x823E4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x82200000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x9CC01000 \SystemRoot\system32\drivers\HTTP.sys
    0x9CC86000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9CC9F000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9CCB1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9CCD4000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9CD0F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9CD42000 \SystemRoot\system32\drivers\peauth.sys
    0x9CD2A000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x9CDD9000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x9CD34000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x9D639000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9D688000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9D6D9000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x9D76D000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0x9D776000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x77160000 \Windows\System32\ntdll.dll
    0x48040000 \Windows\System32\smss.exe
    0x773A0000 \Windows\System32\apisetschema.dll
    0x00BB0000 \Windows\System32\autochk.exe
    0x77380000 \Windows\System32\nsi.dll
    0x772F0000 \Windows\System32\oleaut32.dll
    0x772E0000 \Windows\System32\psapi.dll
    0x77090000 \Windows\System32\user32.dll
    0x76FF0000 \Windows\System32\usp10.dll
    0x76EB0000 \Windows\System32\urlmon.dll
    0x76260000 \Windows\System32\shell32.dll
    0x761D0000 \Windows\System32\clbcatq.dll
    0x76070000 \Windows\System32\ole32.dll
    0x75E70000 \Windows\System32\iertutil.dll
    0x772C0000 \Windows\System32\imm32.dll
    0x75D70000 \Windows\System32\wininet.dll
    0x75D10000 \Windows\System32\difxapi.dll
    0x772B0000 \Windows\System32\normaliz.dll
    0x75CC0000 \Windows\System32\gdi32.dll
    0x75C60000 \Windows\System32\shlwapi.dll
    0x75C20000 \Windows\System32\ws2_32.dll
    0x75B80000 \Windows\System32\advapi32.dll
    0x75B30000 \Windows\System32\Wldap32.dll
    0x75B00000 \Windows\System32\imagehlp.dll
    0x772A0000 \Windows\System32\lpk.dll
    0x75A30000 \Windows\System32\msctf.dll
    0x75980000 \Windows\System32\rpcrt4.dll
    0x758A0000 \Windows\System32\kernel32.dll
    0x757F0000 \Windows\System32\msvcrt.dll
    0x757D0000 \Windows\System32\sechost.dll
    0x75630000 \Windows\System32\setupapi.dll
    0x755B0000 \Windows\System32\comdlg32.dll
    0x75520000 \Windows\System32\comctl32.dll
    0x75400000 \Windows\System32\crypt32.dll
    0x753E0000 \Windows\System32\devobj.dll
    0x75390000 \Windows\System32\KernelBase.dll
    0x75360000 \Windows\System32\wintrust.dll
    0x75330000 \Windows\System32\cfgmgr32.dll
    0x75320000 \Windows\System32\msasn1.dll
    0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

    Processes (total 55):
    0 System Idle Process
    4 System
    284 C:\Windows\System32\smss.exe
    380 csrss.exe
    452 C:\Windows\System32\wininit.exe
    464 csrss.exe
    512 C:\Windows\System32\services.exe
    528 C:\Windows\System32\lsass.exe
    536 C:\Windows\System32\lsm.exe
    644 C:\Windows\System32\svchost.exe
    720 C:\Windows\System32\winlogon.exe
    752 C:\Program Files\Fingerprint Sensor\AtService.exe
    784 C:\Windows\System32\svchost.exe
    848 C:\Windows\System32\atiesrxx.exe
    944 C:\Windows\System32\svchost.exe
    996 C:\Windows\System32\svchost.exe
    1056 C:\Windows\System32\svchost.exe
    1204 C:\Windows\System32\svchost.exe
    1328 C:\Windows\System32\atieclxx.exe
    1480 C:\Windows\System32\svchost.exe
    1560 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1812 C:\Windows\System32\spoolsv.exe
    1844 C:\Program Files\DigitalPersona\Bin\DpHostW.exe
    1908 C:\Windows\System32\svchost.exe
    2024 C:\Program Files\Bonjour\mDNSResponder.exe
    320 C:\Windows\System32\svchost.exe
    468 C:\Windows\System32\svchost.exe
    1360 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    2564 C:\Windows\System32\svchost.exe
    3120 C:\Windows\System32\taskhost.exe
    3216 C:\Windows\System32\dwm.exe
    3240 C:\Windows\explorer.exe
    3472 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    3500 C:\Program Files\Winamp\winampa.exe
    3520 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3528 C:\Program Files\DigitalPersona\Bin\DpAgent.exe
    3600 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3648 C:\Users\KJI\AppData\Roaming\Google\Google Talk\googletalk.exe
    3708 C:\Users\KJI\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    3724 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    4016 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    1736 C:\Windows\System32\SearchIndexer.exe
    2176 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3720 C:\Windows\System32\svchost.exe
    3096 C:\Windows\System32\audiodg.exe
    2352 C:\Program Files\Winamp\winamp.exe
    2228 C:\Program Files\Last.fm\LastFM.exe
    2560 C:\Users\KJI\AppData\Local\Google\Chrome\Application\chrome.exe
    1228 C:\Users\KJI\AppData\Local\Google\Chrome\Application\chrome.exe
    3036 C:\Users\KJI\AppData\Local\Google\Chrome\Application\chrome.exe
    2524 C:\Windows\System32\SearchProtocolHost.exe
    360 C:\Windows\System32\SearchFilterHost.exe
    376 C:\Users\KJI\Desktop\MBRCheck.exe
    4076 C:\Windows\System32\conhost.exe
    3888 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`86e00000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`06e00000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!
     
  8. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    MBRCheck log looks fine :)

    Can you double check, if Firefox and IE are also affected?


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
      O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
      O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - Reg Error: Value error. File not found
      O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - Reg Error: Value error. File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  9. KJI

    KJI TS Rookie Topic Starter Posts: 25

    Logs are attached from the fix and scan.

    In Internet Explorer the two google links I clicked on directed me to pages.us.com and buyerstv.com. In Firefox, just none of the links from google would load.

    Two things I'm wondering about:

    1. MBRcheck lists ajuqzavs.SYS as a kernel driver, but google has no info on it.
    2. hlp.dat is still located at c:\windows\system32 ...google only seems to suggest that it's virus payload related, but none of the scans have mentioned it.
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Good eye, however ajuqzavs.SYS doesn't seem to be active (not shown in any other logs)

    Upload the file to http://www.virustotal.com/ for security check.
     
  11. KJI

    KJI TS Rookie Topic Starter Posts: 25

     
  12. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    What do you mean, it's gone?
    Did you delete it?

    I assume, you're still getting redirected?

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  13. KJI

    KJI TS Rookie Topic Starter Posts: 25

    No, when I tried to upload it from the path it was supposed to be at, it just wasn't there anymore.

    Yes, I am still being redirected.

    checkup logs: Although it says I have the newest version of Java, I only made sure to uninstall the old version and install new version after I started having these problems. Before that, I was getting new update notifications, but I guess it hadn't actually been updating for a while.

    checkup log:


    Results of screen317's Security Check version 0.99.5
    Windows 7 (UAC is enabled)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ESET Online Scanner v3
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 21
    Adobe Flash Player 10.1.82.76
    Adobe Reader 9.3.3
    Japanese Fonts Support For Adobe Reader 9
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 AvastUI.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

    ``````````End of Log````````````


    Kaspersky report:

    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, August 14, 2010
    Operating system: Microsoft Professional (build 7600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, August 14, 2010 03:16:25
    Records in database: 4132424
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Objects scanned: 135035
    Threats found: 5
    Infected objects found: 6
    Suspicious objects found: 0
    Scan duration: 04:24:06


    File name / Threat / Threats count
    winampa.exe\winampa.exe/winampa.exe\winampa.exe Infected: Worm.Win32.Qvod.anx 1
    C:\sysreset\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
    C:\sysreset\extra\old-mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
    C:\sysreset\mirc.exe.BAK Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
    C:\sysreset\mirc.exe.newer Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
    C:\sysreset\mirc.exe.old Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1

    Selected area has been scanned.
     
  14. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    I can't see from Kaspersky's log, where this file is located:
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users:: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      winampa.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  15. KJI

    KJI TS Rookie Topic Starter Posts: 25

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 12:42 on 14/08/2010 by KJI (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "winampa.exe"
    C:\Program Files\Winamp\winampa.exe --a--- 74752 bytes [16:32 12/07/2010] [16:32 12/07/2010] 895A62970833575772FA21B0C54C158D

    -=End Of File=-
     
  16. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Please, upload winampa.exe to http://www.virustotal.com/ for security check.
    Post scan results.
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
     
  17. KJI

    KJI TS Rookie Topic Starter Posts: 25

  18. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Your router may be infected.
    We need to hard reset it.
    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    Restart computer and check for redirections
     
  19. KJI

    KJI TS Rookie Topic Starter Posts: 25

    Just finished resetting router. Unfortunately, google is still redirecting.
     
  20. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Interesting....

    1. Clear your Java Cache

    • Go Start>Control Panel (Classic View)>Java
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - leave BOTH checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

    2. Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    3. Turn computer off. Reset router one more time.
    Restart.
    Let me know.
     
  21. KJI

    KJI TS Rookie Topic Starter Posts: 25

    Unfortunately, my browsers seem to still be having the problem. IE is redirecting while the other two are just not loading google links.
     
  22. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\EagleNT.sys -- (EagleNT)
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  23. KJI

    KJI TS Rookie Topic Starter Posts: 25

    I should probably mention I installed/ran Sophos to see if it found anything (it didn't), but only remembered today that you might've said not to install/run anything else... sorry about that.

    From fix:

    All processes killed
    ========== OTL ==========
    Service EagleNT stopped successfully!
    Service EagleNT deleted successfully!
    File C:\Windows\System32\drivers\EagleNT.sys not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: KJI
    ->Temp folder emptied: 15800482 bytes
    ->Temporary Internet Files folder emptied: 2479857 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 17954541 bytes
    ->Google Chrome cache emptied: 144575452 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Opera cache emptied: 2974663 bytes
    ->Flash cache emptied: 3134 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4797168 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 258099447 bytes

    Total Files Cleaned = 426.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: KJI
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08162010_170628

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    Scan log attached due to size.
     

    Attached Files:

    • OTL.Txt
      File size:
      105.1 KB
      Views:
      2
  24. Broni

    Broni Malware Annihilator Posts: 46,868   +254

    You can't run two AV programs.
    Either Sophos, or Avast has to be uninstalled.

    Still redirecting?
     
  25. KJI

    KJI TS Rookie Topic Starter Posts: 25

    Yeah, I meant to only scan with it then uninstall. I'll uninstall now. I should also mention that it detected hlp.dat as a malicious file, but could not remove it.

    Yes, it seems to be still redirecting. Trying on Internet explorer, I was redirected to nortonoutlet and yahoo finance while clicking on links to other sites.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.