Solved Search engine redirect virus/malware


asyyz
Hello,
I've recently encountered the search redirect virus. I've tried removing it with Spybot, Malwarebytes, CCleaner etc., but it's still infected. I've read several posts on this forum and have since disconnected my PC from the internet. I would really appreciate some help removing it. Thank you in advance.
 
If you would like us to help with malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you are finished, include the logs in your next reply for review.

Please don't run any other cleaning programs or scans while I'm helping you unless I direct you to. Don't run a Registry cleaner or make any changes in the Registry.
 
I made it to Step #3 and updated Java and Adobe, but I cannot update from the Microsoft download site. I'm getting a connection error. From what I've read at the Microsoft support site, this is due to the fact that my computer is infected. I will wait for instructions. Thanks
 
Here are the log files (1 of 2)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4211

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/17/2010 5:58:13 PM
mbam-log-2010-06-17 (17-58-13).txt

Scan type: Quick scan
Objects scanned: 129169
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-17 18:28:36
Windows 5.1.2600 Service Pack 3
Running: t096uf41.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pxtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9D45B6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9D45B574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9D45BA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9D45B14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9D45B64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9D45B08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9D45B0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9D45B76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9D45B72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9D45B8AE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\amdide.sys entry point in ".rsrc" section [0xBA671994]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5384000, 0x236D77, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\SearchIndexer.exe[2332] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89B4DD01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\amdide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
Log files (2 of 3)

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 18:30:40.21 on Thu 06/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1288 [GMT -6:00]

AV: avast! antivirus 4.8.1368 [VPS 100615-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www-cdn.freerealms.com/gamedata/plugins/1.0.3.100/FreeRealmsInstaller.cab?v=1048
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271033883250
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\yfgjfjff.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VI3TDF&PC=VI3TDF&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VI3TDF&PC=VI3TDF&q=
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\sony online entertainment\npsoe.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-27 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-12-27 13696]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-27 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-27 138680]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-27 1684736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-27 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-27 352920]
S3 gUSBSTOi;gUSBSTOi; [x]

=============== Created Last 30 ================

2010-06-17 23:51:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 23:51:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 06:55:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-17 06:53:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-14 18:01:54 0 d-----w- c:\windows\system32\appmgmt
2010-06-14 03:57:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 01:52:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-13 23:16:10 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-06-13 22:52:49 0 d-----w- c:\docume~1\user\applic~1\RegistryTool
2010-06-13 22:52:35 0 d-----w- c:\program files\RegistryTool
2010-06-13 20:36:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-13 20:36:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-08 22:17:50 0 ----a-w- c:\windows\system32\ISHARE
2010-06-06 16:05:05 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-28 16:20:22 0 d-----w- c:\docume~1\user\applic~1\LimeWire
2010-05-28 14:55:16 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-28 14:55:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-25 08:17:16 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-05-25 08:17:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 14:05:15 0 d-----w- c:\program files\iPod
2010-05-21 14:05:09 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-21 13:57:16 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-03 21:46:26 104661 ----a-w- c:\windows\hpoins04.dat
2010-03-28 15:17:58 18236 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 18:31:42.25 ===============
 
Log files 3 of 3

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/27/2009 8:35:53 PM
System Uptime: 6/17/2010 6:01:22 PM (0 hours ago)

Motherboard: BIOSTAR Group | | A785GE
Processor: AMD Sempron(tm) 140 Processor | CPU 1 | 2700/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 440.413 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2600
2600_Help
2600Trb
3DVIA player 5.0
AiO_Scan
AiOSoftware
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
avast! Antivirus
Avatar - Legends of The Arena
Big Green Help
Bonjour
BufferChm
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Copy
CPUID CPU-Z 1.53
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
EA Download Manager
EA Download Manager UI
Eusing Free Registry Cleaner
Fax
Free Realms
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
HPSystemDiagnostics
InstantShare
iTunes
Java Auto Updater
Java(TM) 6 Update 20
LimeWire 5.5.8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Overland
PhotoGallery
PrintScreen
ProductContext
QFolder
QuickProjects
QuickTime
Readme
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Roll
RollerCoaster Tycoon 2
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB923789)
Skins
SkinsHP1
System Requirements Lab
The Sims™ 3
The Sims™ 3 Ambitions
The Wonder Pets Save the Puppy!
TrayApp
Unity Web Player
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows System Scanner
Wizard101

==== Event Viewer Messages From Past Week ========

6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
6/17/2010 12:30:46 AM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
6/17/2010 12:30:46 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/14/2010 2:22:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
6/14/2010 2:22:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/14/2010 12:07:34 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{B5387788-105F-4E98-B713-66C594C58171} because another computer on the network has the same name. The server could not start.
6/14/2010 11:58:06 AM, error: Dhcp [1002] - The IP address lease 172.168.0.102 for the Network Card with network address 0030672F34F1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
6/14/2010 1:42:48 AM, error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 3 time(s).
6/14/2010 1:41:57 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
6/14/2010 1:35:59 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
6/14/2010 1:05:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
6/13/2010 8:31:29 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
6/13/2010 8:31:29 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
6/13/2010 8:30:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/13/2010 8:18:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AmdPPM aswSP BIOS Fips
6/13/2010 7:05:39 PM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).
6/12/2010 1:15:03 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
6/12/2010 1:12:32 AM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
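The GMER section of the logs above is the part that matters for the rootkit question, and the lines worth reading are not the avast! SSDT hooks (a self-protection driver hooking registry and process calls is expected) but the unattributed handler on \Device\Harddisk0\DR0, the two drivers flagged "suspicious modification", the amdide.sys entry point sitting in its resource section, and the inline JMPs in svchost.exe, Explorer.EXE and wuauclt.exe that land in memory no module owns. The Python script below is an added example, not part of this thread or of GMER itself: it parses those line shapes and ranks them. The severity labels are my own triage convention, and the sample input is an excerpt of the log posted above.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info": my own ranking, not GMER's
    kind: str
    detail: str


# Line shapes as GMER 1.0.15 prints them in the log above.
RE_SSDT = re.compile(r'^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)')
RE_ENTRY_RSRC = re.compile(r'^\.rsrc\s+(?P<path>\S+)\s+entry point in "\.rsrc" section')
RE_WRITEABLE = re.compile(r'^\.text\s+(?P<path>\S+)\s+section is writeable')
RE_USER_HOOK = re.compile(
    r'^\.text\s+(?P<proc>\S+\[\d+\])\s+(?P<func>\S+!\w+)\s+[0-9A-F]+\s+\d+\s+Bytes?\s+JMP\s+'
    r'(?P<target>[0-9A-F]+)(?:\s+(?P<module>\S.*))?$')
RE_IAT = re.compile(r'^IAT\s+(?P<proc>\S+\[\d+\])\s+@.*\[(?P<func>[^\]]+)\]\s+(?P<target>[0-9A-F]+)')
RE_DEVICE = re.compile(r'^Device\s+->\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-F]+)')
RE_FILE = re.compile(r'^File\s+(?P<path>.+?)\s+suspicious modification$')


def triage_gmer(log_text):
    """Classify each GMER log line; lines matching none of the patterns are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_FILE.match(line):
            # On-disk driver no longer matches what GMER expects: the classic
            # sign of a patched boot-start driver. Compare against the SP cache copy.
            findings.append(Finding("high", "driver-file-modified",
                f"{m['path']}: compare its hash with the ServicePackFiles/dllcache copy"))
        elif m := RE_DEVICE.match(line):
            # A disk device object whose handler GMER cannot attribute to any module.
            findings.append(Finding("high", "device-object-hooked",
                f"{m['device']} of {m['driver']} handled at {m['addr']} with no module attribution"))
        elif m := RE_ENTRY_RSRC.match(line):
            findings.append(Finding("high", "entry-point-in-rsrc",
                f"{m['path']}: executable entry point lies in the resource section"))
        elif m := RE_WRITEABLE.match(line):
            findings.append(Finding("info", "writeable-code-section",
                f"{m['path']}: .text is writeable (seen on some vendor drivers; verify the file hash)"))
        elif m := RE_IAT.match(line):
            findings.append(Finding("medium", "iat-hook",
                f"{m['proc']} {m['func']} -> {m['target']} (import redirected outside any module)"))
        elif m := RE_USER_HOOK.match(line):
            if m['module']:
                # GMER resolved the JMP target to a named module: usually a legitimate shim.
                findings.append(Finding("info", "inline-hook-attributed",
                    f"{m['proc']} {m['func']} -> {m['module']}"))
            else:
                # JMP into a low heap-like address that belongs to no loaded module.
                findings.append(Finding("medium", "inline-hook-unbacked",
                    f"{m['proc']} {m['func']} -> {m['target']} (target not inside any loaded module)"))
        elif m := RE_SSDT.match(line):
            sev = "info" if m['desc'] else "medium"
            findings.append(Finding(sev, "ssdt-hook",
                f"{m['func']} by {m['module']} ({m['desc'] or 'unattributed'})"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 5, 'info': 4}."""
    return dict(Counter(f.severity for f in findings))


# Excerpt of the GMER log posted above, used here as the sample input.
SAMPLE = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9D45B6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9D45B08C]
.rsrc C:\WINDOWS\system32\drivers\amdide.sys entry point in ".rsrc" section [0xBA671994]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5384000, 0x236D77, 0xE8000020]
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\system32\SearchIndexer.exe[2332] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000
Device -> \Driver\atapi \Device\Harddisk0\DR0 89B4DD01
File C:\WINDOWS\system32\drivers\amdide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    results = triage_gmer(SAMPLE)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:24} {f.detail}")
    print(summarize(results))
```

Run against a full GMER log by reading the file into `triage_gmer`; anything it does not recognise (the AttachedDevice lines, the EOF marker) is skipped, so the output is only the lines that need a decision. The "unbacked" inline hooks are the reason the helper's next step is a tool that can see past user-mode hooking: three unrelated system processes carrying identical JMPs into non-module memory is injection, not a vendor shim.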
 
Okay, good job! Looks like a Rootkit and I will have you run a program for that. But there are some issues to deal with first:

1. Please uninstall HitmanPro. It is a bundle of programs that are all free on the internet, most being used without the authors' permission. Some are only trial versions, and Hitman makes you pay to remove anything.

2. You are using LimeWire. That is a file sharing program. As long as you're using it, you will get malware. I encourage you to uninstall it. If you decide not to do that, please do not use the program while I am helping clean the system.

3. You have 2 Registry cleaners installed: RegistryTool and Eusing Free Registry Cleaner. I recommend that you remove both of them. Most of us do not recommend using Registry cleaners. The average user doesn't have the knowledge to decide if something the cleaner finds should be removed, and valid, necessary processes may be deleted. If you choose not to uninstall these programs, do not use them, or make any other registry changes, while I'm helping you.

4. Questions:
Why are there No restore points in the system?
Why do you have Open Office, Microsoft Office and HP Digital Imaging on Startup? Did you know that anything that starts on boot runs in the background, using resources? Do you know that you can start any of these as needed through All Programs or a shortcut on the desktop?
========================================
Please download ComboFix from Here and save to your Desktop.

[1]. Do NOT rename ComboFix unless instructed.
[2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Close any open browsers.
[4]. Double-click combofix.exe and follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If ComboFix asks you to install the Recovery Console, please allow it.
[6]. If ComboFix asks you to update the program, always allow it.
     Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
[7]. A report will be generated after the scan. Please post C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave both logs in your next reply.
 
I've followed your instructions.

Hitman Pro has been uninstalled and all file/folders removed.
Limewire has been uninstalled and all file/folders removed.
Eusing Free Registry Cleaner has been uninstalled.

RegistryTool could not be found in Add/Remove Programs or in Start > Programs. I did find the folder in the Program Files folder and it was deleted.

I was unaware this machine had no restore points. I will create one when it is clean.
Open Office has been uninstalled and is not needed.

Microsoft Office and HP Imaging have been turned off at start up by way of Systems Config Utility. Is there a better way to shut them off?

I ran Combofix and ESET scanner. Log files are attached.
Thanks again.
 

Attachments
  • combolog.txt (16.7 KB)
  • ESET log.txt (861 bytes)
Outstanding! I find some who don't realize unnecessary programs are starting on boot and running in the background. Also, many don't realize the dangers within file sharing. Registry cleaners have caused many to lose vital files or folders. You were smart to remove the Catalyst Controller. I have read of many systems having a problem with the Catalyst/AMD combination. The update has to be exact to fix the bug, and then only from the manufacturer's site.
===================================
Custom CFScript


[1]. Close any open browsers.
[2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\user\Application Data\U3\temp\cleanup.exe
c:\documents and settings\user\Application Data\U3\temp\Launchpad Removal.exe

Folder::
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\documents and settings\user\Application Data\RegistryTool
c:\documents and settings\user\Application Data\QuuSoft
c:\documents and settings\Alex\Application Data\LimeWire

DDS::
TB: {00000000-0000-0000-0000-000000000000} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\user\Start Menu\Programs\Startup\PowerReg Scheduler.exe"

Driver::
gUSBSTOi

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================

Do you know what this entry is for?
2010-05-25 08:37- c:\documents and settings\Alex\Local Settings\Application Data\nfwacebyo

Empty Java cache: Control Panel> Java> Temporary internet files> Settings> Delete> Apply> OK.
I don't allow any space for these cached files.
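The FCopy:: step above replaces the live atapi.sys with the Service Pack backup. Before letting a script overwrite a driver it helps to know whether the two copies actually differ. This added example (not the helper's or ComboFix's code) pulls the source/destination pair out of the FCopy:: section of a CFScript and compares the two files by SHA-256; the sample script text and paths are constructed for illustration.

```python
"""Added example: read the FCopy:: pairs from a CFScript and compare the
backup copy with the live driver by hash, so a "differs" result can be
investigated before the overwrite. Not part of ComboFix or the thread."""
from __future__ import annotations

import hashlib
from pathlib import Path

# Constructed sample modelled on the CFScript posted in the thread.
SAMPLE_CFSCRIPT = """KillAll::
Driver::
gUSBSTOi

FCopy::
C:\\WINDOWS\\ServicePackFiles\\i386\\atapi.sys | C:\\Windows\\System32\\drivers\\atapi.sys
"""


def parse_fcopy(script: str) -> list[tuple[str, str]]:
    """Return (backup, live) path pairs listed under the FCopy:: header."""
    pairs: list[tuple[str, str]] = []
    in_section = False
    for raw in script.splitlines():
        line = raw.strip()
        if line.endswith("::"):            # any section header switches context
            in_section = line == "FCopy::"
            continue
        if in_section and "|" in line:
            src, dst = (part.strip() for part in line.split("|", 1))
            pairs.append((src, dst))
    return pairs


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(backup: Path, live: Path) -> dict[str, str]:
    """Report 'match', 'differs', or which copy is missing.
    A 'match' only says the two files are identical; it does not prove the
    backup itself is clean, so compare against a known-good hash when you can."""
    if not backup.exists():
        return {"status": "backup-missing", "backup": str(backup), "live": str(live)}
    if not live.exists():
        return {"status": "live-missing", "backup": str(backup), "live": str(live)}
    b, l = sha256_of(backup), sha256_of(live)
    return {"status": "match" if b == l else "differs", "backup_sha256": b, "live_sha256": l}
```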
 
New code was run in Combo Fix. I have attached log file.

I have no idea what this is: 2010-05-25 08:37- c:\documents and settings\Alex\Local Settings\Application Data\nfwacebyo

Java cache has been emptied and saved files set to zero.

ONE BIG PROBLEM.

Windows is updating properly and restarted my p.c.
It is now saying my copy of Windows could be counterfeit.

I believe this is an error.
I've had it validated on the Windows Update site recently with no problems whatsoever.

Any suggestions?
 

Attachments

  • Combolog2.txt
    73.3 KB · Views: 1
One other thing:

I did not remove the ATI Catalyst Controller Center. Should I uninstall this program?
 
Windows is updating properly and restarted my p.c.
It is now saying my copy of Windows could be counterfeit.

I believe this is an error.
I've had it validated on the Windows Update site recently with no problems whatsoever.

What is "it" that is saying the OS is not valid? When is "it" saying this and how?

Were you previously using a pirated copy? Why did you have to get it validated recently?
 
After running Combo Fix my PC updated (14 updates) automatically from Microsoft Update. I am now getting a pop-up balloon in the bottom right-hand corner of my PC stating that my copy of Windows may be counterfeit. (See attached file)

This PC was purchased new with Windows XP preloaded. From what I've read on other blogs, this is a common problem. Windows update false positives.

In the past, when updating from the Microsoft Update site, a "Now Validating Windows" message would appear before updating, so it has been validated before.

I can deal with this after my PC is clean.
 

Attachments

  • wgaballoon.jpg
    9.2 KB · Views: 4
  • wgavalidation.jpg
    8.7 KB · Views: 3
There are numerous entries that have been moved which indicate Registry Tool quarantined items. I am not aware that a registry cleaner quarantines anything! I suspect that one or both of the registry cleaners you were using, and possibly in addition the use of Hitman Pro, have changed the system enough that the Windows Genuine Validation Tool no longer recognizes the system as valid.

Let's finish the cleaning and see if it makes a difference. If it does become necessary you can go through the validation again. There is also the possibility that the message itself has been put out by malware and not Microsoft.

Please scan with Combofix again and leave the new log. I'll see what, if anything, is left of what I set up for removal. Sorry for the delay - had illness in the family, trying to catch up.
 
There's not much left!

Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
c:\program files\Google\Update\GoogleUpdate.exe

Folder::
Registry::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
Driver::
gupdate
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
=====================================
Choose v 2.0.4 for download below:
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I note an entry: 2010-06-23 07:26: c:\documents and settings\All Users\Application Data\Office Genuine Advantage
Is it possible that you haven't validated Office and that this update was for Office?
 
Here are the two log files.

(I note an entry: 2010-06-23 07:26: c:\documents and settings\All Users\Application Data\Office Genuine Advantage
Is it possible that you haven't validated Office and that this update was for Office?)

No, this is a separate validation. I get two requests for validation. The Windows XP request is the one that's the nag. I can't get any updates from Microsoft as well.

It is an old version of Office 2000 that I will be removing. I'll wait for your reply before I remove it.
 

Attachments

  • ComboFix log.txt
    17.9 KB · Views: 1
  • hijackthis.log
    5.7 KB · Views: 1
Are you still having the redirects? There is nothing in these logs to indicate a reason for the update message. Check the date of the last update in the Control Panel.
 
No redirects. PC seems to be working fine.

How do I check the date of the last update in the control panel?
 
Control Panel> Add/Remove Programs> Check 'show updates'. Dates are on the right side for each update.
 
Please see attached file. This is my update status.
 

Attachments

  • update data.doc
    107.5 KB · Views: 2
Sorry - I didn't mean for you to post it. And I don't open the .doc file extension on this board. I wanted you to see if the system is updating and find when the last update was done.
 
No problem.

Windows XP - Software Updates:
Windows Genuine Advantage Notifications installed on 12/28/09.
The last Windows update was made on 6/19/2010.

I don't see any updates between 12/28/09 and 6/19/2010.

Hope this helps.
 