Search engine redirect virus/malware

Solved
By asyyz
Jun 16, 2010
Topic Status:
Not open for further replies.
  1. Hello,
    I've recently encountered the search redirect virus. I've tried removing it with Spybot, Malware Bytes, CCleaner etc. but it's still infected. I've read several posts on this forum and have since disconnected my PC from the internet. I would really appreciate some help removing it. Thank you in advance.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you would like us to help with malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you are finished, include the logs in your next reply for review.

    Please don't run any other cleaning programs or scans while I'm helping you unless I direct you to. Don't run a Registry cleaner or make any changes in the Registry.
  3. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    I made it to Step #3 and updated Java and Adobe, but I cannot update from the Microsoft download site. I'm getting a connection error. From what I've read at the Microsoft support site, this is due to the fact my computer is infected. I will wait for instructions. Thanks
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please go on with the rest of the programs.
  5. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    Here are the log files (1 of 2)

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4211

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/17/2010 5:58:13 PM
    mbam-log-2010-06-17 (17-58-13).txt

    Scan type: Quick scan
    Objects scanned: 129169
    Time elapsed: 5 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-17 18:28:36
    Windows 5.1.2600 Service Pack 3
    Running: t096uf41.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pxtdrpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9D45B6B8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9D45B574]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9D45BA52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9D45B14C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9D45B64E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9D45B08C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9D45B0F0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9D45B76E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9D45B72E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9D45B8AE]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\amdide.sys entry point in ".rsrc" section [0xBA671994]
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5384000, 0x236D77, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
    .text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
    .text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
    .text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\WINDOWS\system32\SearchIndexer.exe[2332] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
    IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 89B4DD01

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\amdide.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
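Triage logic for the GMER log in the post above, as an added example that is not part of this thread or of GMER itself: it parses the hook and file lines quoted there and flags JMP/IAT targets that GMER could not attribute to any module, plus files marked "suspicious modification". The unattributed-target rule, the cross-process correlation and the severity labels are assumptions of this example, not GMER's own verdicts, and the sample log is constructed from lines copied from the post.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: lines copied from the GMER 1.0.15 log posted above.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9D45B6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9D45B08C]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\SearchIndexer.exe[2332] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[2700] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\amdide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

Finding = namedtuple("Finding", "severity kind process function target")

# Line shapes of the GMER sections quoted above (assumed from the log, not a GMER spec).
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[^!\s]+)!(?P<func>\S+)"
    r"\s+[0-9A-F]+\s+\d+\s+Bytes?\s+JMP\s+(?P<target>[0-9A-F]+)(?P<owner>\s+\S.*)?$", re.I)
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+\S+\s+\[(?P<mod>[^!\]]+)!(?P<func>[^\]]+)\]"
    r"\s+(?P<target>[0-9A-F]+)(?P<owner>\s+\S.*)?$", re.I)
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<driver>\S+)\s*(?P<desc>\(.*?\))?\s*(?P<func>Zw\w+)\s+\[0x[0-9A-F]+\]$", re.I)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$", re.I)


def _short(proc, pid):
    """'C:\\WINDOWS\\System32\\svchost.exe', '1072' -> 'svchost.exe[1072]'."""
    return proc.rsplit("\\", 1)[-1] + "[" + pid + "]"


def triage(log_text):
    """Turn GMER log lines into Findings. Heuristics (assumptions of this
    example): a hook whose JMP target GMER attributes to a module (a
    "path (description/vendor)" after the address) is informational, while
    one it could not attribute points into anonymous memory and is treated
    as suspicious; an SSDT hook is informational when a named driver owns
    it; a file marked 'suspicious modification' is always reported.
    Section headers and entries in other shapes are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INLINE_RE.match(line) or IAT_RE.match(line)
        if m:
            owner = (m.group("owner") or "").strip()
            findings.append(Finding(
                "info" if owner else "suspicious",
                "inline-hook" if line.lower().startswith(".text") else "iat-hook",
                _short(m.group("proc"), m.group("pid")),
                m.group("mod") + "!" + m.group("func"),
                owner or m.group("target")))
            continue
        m = SSDT_RE.match(line)
        if m:
            findings.append(Finding("info" if m.group("desc") else "suspicious",
                                    "ssdt-hook", "kernel", m.group("func"), m.group("driver")))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append(Finding("suspicious", "file-modified", "-", "-", m.group("path")))
    return findings


def injected_functions(findings, min_processes=2):
    """Unattributed inline hooks on the same function in several distinct
    processes: the pattern of one payload injected into each of them,
    rather than a single process patching itself."""
    procs = defaultdict(set)
    for f in findings:
        if f.severity == "suspicious" and f.kind == "inline-hook":
            procs[f.function].add(f.process)
    return {fn: sorted(p) for fn, p in procs.items() if len(p) >= min_processes}


def summary(findings):
    """Count findings per severity label."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    found = triage(SAMPLE_GMER_LOG)
    for f in sorted(found, key=lambda f: (f.severity != "suspicious", f.kind)):
        print(f"{f.severity:10} {f.kind:13} {f.process:20} {f.function:36} {f.target}")
    print("summary:", summary(found))
    print("same hooks across processes:", injected_functions(found))
```

The three ntdll hooks recurring in svchost, Explorer and wuauclt, the unattributed IAT hooks on process creation in services.exe, and the modified disk drivers are what a triager would read from this log before choosing a rootkit tool.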
  6. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    Log files (2 of 3)

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by user at 18:30:40.21 on Thu 06/17/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1288 [GMT -6:00]

    AV: avast! antivirus 4.8.1368 [VPS 100615-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\user\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = <local>
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {00000000-0000-0000-0000-000000000000} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\documents and settings\user\start menu\programs\startup\PowerReg Scheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\windowsupdate
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www-cdn.freerealms.com/gamedata/plugins/1.0.3.100/FreeRealmsInstaller.cab?v=1048
    DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271033883250
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\yfgjfjff.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VI3TDF&PC=VI3TDF&q=
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VI3TDF&PC=VI3TDF&q=
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\sony online entertainment\npsoe.dll
    FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-27 114768]
    R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-12-27 13696]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-27 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-27 138680]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-27 1684736]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-27 254040]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-27 352920]
    S3 gUSBSTOi;gUSBSTOi; [x]

    =============== Created Last 30 ================

    2010-06-17 23:51:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-17 23:51:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-17 06:55:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-06-17 06:53:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-14 18:01:54 0 d-----w- c:\windows\system32\appmgmt
    2010-06-14 03:57:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-14 01:52:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-06-13 23:16:10 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
    2010-06-13 22:52:49 0 d-----w- c:\docume~1\user\applic~1\RegistryTool
    2010-06-13 22:52:35 0 d-----w- c:\program files\RegistryTool
    2010-06-13 20:36:35 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-06-13 20:36:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-06-08 22:17:50 0 ----a-w- c:\windows\system32\ISHARE
    2010-06-06 16:05:05 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2010-05-28 16:20:22 0 d-----w- c:\docume~1\user\applic~1\LimeWire
    2010-05-28 14:55:16 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-05-28 14:55:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-05-25 08:17:16 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2010-05-25 08:17:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-05-21 14:05:15 0 d-----w- c:\program files\iPod
    2010-05-21 14:05:09 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-05-21 13:57:16 0 d-----w- c:\program files\Bonjour

    ==================== Find3M ====================

    2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-04-03 21:46:26 104661 ----a-w- c:\windows\hpoins04.dat
    2010-03-28 15:17:58 18236 ---ha-w- c:\windows\system32\mlfcache.dat

    ============= FINISH: 18:31:42.25 ===============
  7. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    Log files 3 of 3

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/27/2009 8:35:53 PM
    System Uptime: 6/17/2010 6:01:22 PM (0 hours ago)

    Motherboard: BIOSTAR Group | | A785GE
    Processor: AMD Sempron(tm) 140 Processor | CPU 1 | 2700/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 440.413 GiB free.
    D: is CDROM ()
    E: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    2600
    2600_Help
    2600Trb
    3DVIA player 5.0
    AiO_Scan
    AiOSoftware
    AMD Processor Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    avast! Antivirus
    Avatar - Legends of The Arena
    Big Green Help
    Bonjour
    BufferChm
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Localization All
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    Copy
    CPUID CPU-Z 1.53
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    Destinations
    Director
    DocProc
    DocumentViewer
    EA Download Manager
    EA Download Manager UI
    Eusing Free Registry Cleaner
    Fax
    Free Realms
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    HP Diagnostic Assistant
    HP Image Zone 4.2
    HP PSC & OfficeJet 4.2
    HP Software Update
    HP Unload DLL Patch
    HPSystemDiagnostics
    InstantShare
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    LimeWire 5.5.8
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2000 Premium
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft WSE 3.0 Runtime
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Overland
    PhotoGallery
    PrintScreen
    ProductContext
    QFolder
    QuickProjects
    QuickTime
    Readme
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Roll
    RollerCoaster Tycoon 2
    Scan
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows XP (KB923789)
    Skins
    SkinsHP1
    System Requirements Lab
    The Sims™ 3
    The Sims™ 3 Ambitions
    The Wonder Pets Save the Puppy!
    TrayApp
    Unity Web Player
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows System Scanner
    Wizard101

    ==== Event Viewer Messages From Past Week ========

    6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    6/17/2010 12:30:46 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    6/17/2010 12:30:46 AM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    6/17/2010 12:30:46 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/14/2010 2:22:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    6/14/2010 2:22:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    6/14/2010 12:07:34 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{B5387788-105F-4E98-B713-66C594C58171} because another computer on the network has the same name. The server could not start.
    6/14/2010 11:58:06 AM, error: Dhcp [1002] - The IP address lease 172.168.0.102 for the Network Card with network address 0030672F34F1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    6/14/2010 1:42:48 AM, error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 3 time(s).
    6/14/2010 1:41:57 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    6/14/2010 1:35:59 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    6/14/2010 1:05:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    6/13/2010 8:31:29 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    6/13/2010 8:31:29 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    6/13/2010 8:30:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    6/13/2010 8:18:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AmdPPM aswSP BIOS Fips
    6/13/2010 7:05:39 PM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).
    6/12/2010 1:15:03 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    6/12/2010 1:12:32 AM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, good job! Looks like a Rootkit and I will have you run a program for that. But there are some issues to deal with first:

    1. Please uninstall HitmanPro. It is a bundle of programs that are all free on the internet, most being used without the author's permission. Some are only trial versions and Hitman makes you pay to remove anything.

    2. You are using LimeWire. That is a file sharing program. As long as you're using it, you will get malware. I encourage you to uninstall it. IF you decide not to do that, please do not use the programs while I am helping clean the system.

    3. You have 2 Registry cleaners installed: RegistryTool and Eusing Free Registry Cleaner. I recommend that you remove both of them. Most of us do not recommend using Registry cleaners. The average user doesn't have the knowledge to decide if something the cleaner finds should be removed, and valid, necessary processes may be deleted. If you choose not to uninstall these programs, do not use them, or make any other registry changes, while I'm helping you.

    4. Questions:
    Why are there No restore points in the system?
    Why do you have Open Office, Microsoft Office and HP Digital Imaging on Startup? Did you know that anything that starts on boot runs in the background, using resources? Do you know that you can start any of these as needed through All Programs or a shortcut on the desktop?
    ========================================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave both logs in your next reply.
  9. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    I've followed your instructions.

    Hitman Pro has been uninstalled and all file/folders removed.
    Limewire has been uninstalled and all file/folders removed.
    Eusing Free Registry Cleaner has been uninstalled.

    RegistryTool could not be found in add/remove programs or the Start, Programs. I did find the folder in the program folder and it was deleted.

    I was unaware this machine had no restore points. I will create one when it is clean.
    Open Office has been uninstalled and is not needed.

    Microsoft Office and HP Imaging have been turned off at start up by way of Systems Config Utility. Is there a better way to shut them off?

    I ran Combofix and ESET scanner. Log files are attached.
    Thanks again.

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Outstanding! I find some who don't realize unnecessary programs are starting on boot and running in the background. Also, many don't realize the dangers within the file sharing. Registry cleaners have caused many to lose vital files or folders. You were smart to remove the Catalyst Controller. I have read of many systems having a problem with the Catalyst/AMD combination. The update has to be exact to fix the bug, and then only from the manufacturer's site.
    ===================================
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    c:\documents and settings\user\Application Data\U3\temp\cleanup.exe
    c:\documents and settings\user\Application Data\U3\temp\Launchpad Removal.exe
    
    Folder::
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\documents and settings\user\Application Data\RegistryTool
    c:\documents and settings\user\Application Data\QuuSoft
    c:\documents and settings\Alex\Application Data\LimeWire
    
    DDS::
    TB: {00000000-0000-0000-0000-000000000000} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    
    Registry::
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\user\Start Menu\Programs\Startup\PowerReg Scheduler.exe"
    
    Driver::
    gUSBSTOi
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================

    Do you know what this entry is for?
    2010-05-25 08:37- c:\documents and settings\Alex\Local Settings\Application Data\nfwacebyo

    Empty Java cache: Control Panel> Java> Temporary internet files> Settings> Delete> Apply> OK.
    I don't allow any space for these cached files.
  11. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    New code was run in Combo Fix. I have attached log file.

    I have no idea what this is: 2010-05-25 08:37- c:\documents and settings\Alex\Local Settings\Application Data\nfwacebyo

    Java cache has been emptied and saved files set to zero.

    ONE BIG PROBLEM.

    Windows is updating properly and restarted my p.c.
    It is now saying my copy of Windows could be counterfeit.

    I believe this is an error.
    I've had it validated on Windows update site recently with no problems what so ever.

    Any suggestions?

    Attached Files:

  12. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    One other thing:

    I did not remove the ATI Catalyst Controller Center. Should I uninstall this program?
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    What is "it" that is saying the OS is not valid? When is "it" saying this and how?

    Were you previously using a pirated copy? Why did you have to get it validated recently?
  14. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    After running Combo Fix my PC updated (14 updates) automatically from Microsoft update. I am now getting a pop-up balloon in the bottom right-hand corner of my PC stating that my copy of Windows may be counterfeit. (See attached file)

    This PC was purchased new with Windows XP preloaded. From what I've read on other blogs, this is a common problem. Windows update false positives.

    In the past, when updating from the Microsoft update site, a "Now Validating Windows" message would appear before updating, so it has been validated before.

    I can deal with this after my PC is clean.

    Attached Files:

  15. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    Did you happen to look at my last log file? Can you tell me if my PC is clean?
    Thanks
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There are numerous entries that have been moved which indicate Registry Tool quarantined items. I am not aware that a registry cleaner quarantines anything! I suspect that one or both of the registry cleaners you were using, and possibly in addition the use of Hitman Pro, have changed the system enough that the Windows Genuine Validation Tool no longer recognized the system as valid.

    Let's finish the cleaning and see if it makes a difference. If it does become necessary you can go through the validation again. There is also the possibility that the message itself has been put out by malware and not Microsoft.

    Please scan with Combofix again and leave the new log. I'll see what, if anything, is left of what I set up for removal. Sorry for the delay; there was illness in the family and I'm trying to catch up.
  17. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    O.K. here is the new Combo Fix log. Thanks again.

    Attached Files:

  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There's not much left!

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    c:\program files\Google\Update\GoogleUpdate.exe
    
    Folder::
    Registry::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    Driver::
    gupdate
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    =====================================
    Choose v 2.0.4 for download below:
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    I note an entry: 2010-06-23 07:26: c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    Is it possible that you haven't validated Office and that this update was for Office?
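    Both CFScripts posted in this thread use the same section layout (a `Name::` header followed by one entry per line). The parser below is an added example, not ComboFix's own code or the helper's; it reads that layout so the script can be reviewed before it is handed to ComboFix, and flags any FCopy entry that overwrites a file under system32\drivers, since a replaced driver should be compared against a known-good copy first. The sample script is a constructed fragment modelled on the ones above.

```python
"""Read a ComboFix CFScript and summarize what it would touch.

Added example, not ComboFix's code. Section names (KillAll::, File::,
Folder::, Driver::, FCopy::, Registry::, RegLock::, DDS::) follow the
scripts posted in the thread; SAMPLE is a constructed fragment.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text):
    """Return {section: [entries]} in file order.

    A line `Name::` opens a section; every non-blank line until the next
    header belongs to it. A header with no entries (KillAll::) maps to [].
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def summarize(sections):
    """Count entries per section; flag FCopy targets under system32\\drivers."""
    counts = {name: len(entries) for name, entries in sections.items()}
    flagged = []
    for entry in sections.get("FCopy", []):
        src, _, dst = entry.partition("|")  # CFScript FCopy form: source | destination
        if "system32\\drivers" in dst.strip().lower():
            flagged.append((src.strip(), dst.strip()))
    return counts, flagged


SAMPLE = """KillAll::
File::
c:\\documents and settings\\user\\Application Data\\U3\\temp\\cleanup.exe

Folder::
c:\\documents and settings\\All Users\\Application Data\\Hitman Pro

Driver::
gUSBSTOi

FCopy::
C:\\WINDOWS\\ServicePackFiles\\i386\\atapi.sys | C:\\Windows\\System32\\drivers\\atapi.sys
"""

if __name__ == "__main__":
    print(summarize(parse_cfscript(SAMPLE)))
```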
  19. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    Here are the two log files.

    (I note an entry: 2010-06-23 07:26: c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    Is it possible that you haven't validated Office and that this update was for Office?)

    No, this is a separate validation. I get two requests for validation. The Windows XP request is the one that's the nag. I can't get any updates from Microsoft as well.

    It is an old version of Office 2000 that I will be removing. I'll wait for your reply before I remove it.

    Attached Files:

  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Are you still having the redirects? There is nothing in these logs to indicate a reason for the update message. Check the date of the last update in the Control Panel.
  21. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    No redirects. PC seems to be working fine.

    How do I check the date of the last update in the control panel?
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Control Panel> Add/Remove Programs> Check 'show updates'. Dates are on the right side for each update.
  23. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    Please see attached file. This is my update status.

    Attached Files:

  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry, I didn't mean for you to post it. And I don't open the .doc file extension on this board. I wanted you to see if the system is updating and find when the last update was done.
  25. asyyz

    asyyz Newcomer, in training Topic Starter Posts: 16

    No problem.

    Windows XP - Software Updates:
    Windows Genuine Advantage Notifications installed on 12/28/09.
    The last Windows update was made on 6/19/2010.

    I don't see any updates between 12/28/09 to 6/19/2010.

    Hope this helps.