TechSpot

Tidserv virus - redirecting webpages

Solved
By lizmcreations
Apr 8, 2010
  1. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Very good :)
    No redirections?

    Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
    • Click on the CleanUp! button and follow the prompts.
    • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
    • After the reboot all the tools we used should be gone.
    • The tool will delete itself once it finishes.


    Give me fresh HJT log, please.
     
  2. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    nope, unfortunately, still having redirect issues ... :(
     
  3. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  4. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    OK, log attached ... still redirecting :(

    Liz
     


  5. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Which browser is getting redirected?

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  6. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Firefox and Internet Explorer are both redirecting ...

    Contents of OTL.txt too large for the post .... I'm attaching it and extras.txt here.

    Liz
     


  7. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {078fed71-52f2-4a49-a0ab-6453e2ca72ba} - No CLSID value found.
      O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
      O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No CLSID value found.
      O2 - BHO: (no name) - {D63F58E9-B8BB-4DBA-B2A0-44F72C2A61BD} - No CLSID value found.
      O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}  (Reg Error: Value error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      
      
      :Services
      
      :Reg
      
      :Files
      C:\Windows\System32\drivers\atapi.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys /replace
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  8. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Done ... still getting redirects from search engine results :(

    logs from scans attached. otl-10pm.txt is the "run fix" scan.

    otl-quick scan.txt -- is the quick scan log.
     


  9. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Did you restart computer?
     
  10. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Yes, I restarted ... and I'm still having the same issue. This is a very pesky/stubborn virus.

    What's my next step?

    Thanks,

    Liz
     
  11. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you ( it will be saved in the same place as Kenco.exe).
     
     
  12. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Well, you were right, it did not take very long at all to run ... it did not reboot my system.

    Here is the log:

    Kenco by jpshortstuff (31.12.09.1)
    Log created at 12:50 on 11/04/2010 (Liz)

    ========== Task Unlocker ==========

    ========== KencoScan ==========

    ========== C:\Windows\Tasks ==========
    GoogleUpdateTaskMachineCore.job -> [20:25 30/01/2010] 882 bytes
    GoogleUpdateTaskMachineUA.job -> [20:25 30/01/2010] 886 bytes

    -=E.O.F=-

    I'm assuming that since it didn't reboot it didn't find it. Next step? (I just want to say that I really appreciate your time and assistance on this).

    Thanks,

    Liz
     
  13. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ========================================================================

    Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
    Reconnect everything.
    Restart computer.

    ========================================================================

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     
  14. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Ok, rootrepeal was run (after deleting combofix, turning off the computer, unplugging the router and modem and ethernet cable from modem to router - my laptop is the one infected and is on wireless).

    Attached is the log -- too long to paste into the post.

    Not sure if the rootrepeal was supposed to clean anything or if it was just to give you more information on the system and where the problem is ... but I'm still having problems so I'm assuming it was more for information (or at least hoping it was)...

    Let me know what to do next ...

    Thank you!

    Liz
     


  15. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Did you?
     
  16. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Yes. for more than one minute in fact ...
     
  17. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Using OTM....


    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\drivers\atapi.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys /replace
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  18. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Ok, run ... here is the log:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    Unable to replace file: C:\Windows\System32\drivers\atapi.sys with C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys without a reboot.
    ========== COMMANDS ==========
    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Liz
    ->Temp folder emptied: 11821579 bytes
    ->Temporary Internet Files folder emptied: 3226403 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 37280095 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 1624 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 626 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 4539429 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 307672 bytes

    Total Files Cleaned = 55.00 mb


    OTM by OldTimer - Version 3.1.10.1 log created on 04112010_164509

    Files moved on Reboot...
    File move failed. C:\Windows\temp\WebEx\Log\411\atashost.log scheduled to be moved on reboot.
    C:\Windows\temp\00000ZKP0004.CDX moved successfully.
    C:\Windows\temp\00000ZKP0005.CDX moved successfully.
    C:\Windows\temp\00000ZKP0006.CDX moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RN82W1PV\B4144082[1].htm moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RN82W1PV\GateFile[1].htm moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQZ23MDC\GateFile[1].htm moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQZ23MDC\konaLayer[1].swf moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NQZ23MDC\lightbox.a60211ee00b5c5042a88c521a42a415b[1].html moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IL8QT5D2\B4144082[1].htm moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IL8QT5D2\mevio_com[4].txt moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IL8QT5D2\OutdoorMain-315[1].swf moved successfully.
    File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IL8QT5D2\yellow_com[1].txt not found!
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7A53FK73\article205902[1].html moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7A53FK73\B4144082[1].htm moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7A53FK73\csshover[1].htc moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7A53FK73\getSegment[1].php moved successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7A53FK73\webhp[2].txt moved successfully.

    Registry entries deleted on Reboot...


    Still having redirect problems :(
     
  19. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Delete your Combofix file, download fresh one and give me new log, please.
     
  20. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Ok, done ... new log attached ... still having redirect issues...

    Liz
     


  21. Broni

    Broni Malware Annihilator Posts: 47,704   +268

  22. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    ok, I can't get gmer to run all the way through. It runs as soon as I start the program and this is the output:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-04-11 20:26:02
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\Liz\AppData\Local\Temp\pwloakow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 85709AC8

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    Then I click on the rootkit tab and I saved the log a few times as it was running (did this the 3rd time I tried to run it since it didn't finish the first two times, and I've also had the blue screen of death twice this evening ... the only other time I had that was Tuesday when I first realized I had a virus). This is the most of the log that I got before the program crashed for the third time.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-11 20:27:46
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\Liz\AppData\Local\Temp\pwloakow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x908C4320]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 621 81EEED84 4 Bytes [20, 43, 8C, 90] {AND [EBX-0x74], AL; NOP }
    .rsrc C:\Windows\system32\drivers\msahci.sys entry point in ".rsrc" section [0x807CB014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 77444D34 5 Bytes JMP 002B000A
    .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 77445674 5 Bytes JMP 002C000A
    .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 77445DC8 5 Bytes JMP 002A000A
    .text C:\Windows\Explorer.EXE[3916] ntdll.dll!NtProtectVirtualMemory 77444D34 5 Bytes JMP 0024000A
    .text C:\Windows\Explorer.EXE[3916] ntdll.dll!NtWriteVirtualMemory 77445674 5 Bytes JMP 0029000A
    .text C:\Windows\Explorer.EXE[3916] ntdll.dll!KiUserExceptionDispatcher 77445DC8 5 Bytes JMP 0023000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73937817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7398A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7393BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7392F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7392E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73968395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7393DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7392FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7392FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [739BCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7395C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7392D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73926853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7392687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73932AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
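The hard part of a GMER log is telling which of its entries are the rootkit and which are security software doing its job. Added example, not GMER's code and not from anyone in the thread: it parses the entry types in the log posted above and ranks them. The SAMPLE_LOG lines are copied from that post; the severity labels are this example's own heuristics. The one step worth automating is decoding the patched bytes at KeSetEvent + 621 as a little-endian pointer and matching it against the SSDT hook addresses, which explains that kernel modification as SUPERAntiSpyware's hook rather than the rootkit's.

```python
"""Triage a GMER rootkit-scan log: flag disk-driver device hooks, drivers whose
on-disk image was altered, and code hooks that jump to memory GMER cannot
attribute to a module, while explaining kernel byte patches that are merely
the pointer of an SSDT hook listed elsewhere in the same log.

Added example, not part of the TechSpot thread or of GMER. SAMPLE_LOG is
constructed from lines of the log posted above; the severity rules are this
example's own heuristics, not GMER's verdicts."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 85709AC8
File C:\Windows\system32\drivers\atapi.sys suspicious modification
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x908C4320]
.text ntkrnlpa.exe!KeSetEvent + 621 81EEED84 4 Bytes [20, 43, 8C, 90] {AND [EBX-0x74], AL; NOP }
.text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 77444D34 5 Bytes JMP 002B000A
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73926853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
"""


@dataclass
class Finding:
    kind: str
    severity: str  # "high" | "medium" | "info"
    detail: str


DEVICE_RE = re.compile(r"^Device -> \\Driver\\(\S+) (\\Device\\\S+) [0-9A-F]+$")
FILE_RE = re.compile(r"^File (.+?) suspicious modification$")
SSDT_RE = re.compile(r"^SSDT (.+?) ((?:Zw|Nt)\w+) \[0x([0-9A-F]+)\]$")
KPATCH_RE = re.compile(r"^\.text (\S+!\w+ \+ \d+) [0-9A-F]+ \d+ Bytes \[([0-9A-F, ]+)\]")
UHOOK_RE = re.compile(r"^\.text (.+?)\[\d+\] (\S+!\w+) [0-9A-F]+ \d+ Bytes JMP ([0-9A-F]+)$")
IAT_RE = re.compile(r"^IAT (.+?)\[\d+\] @ .+? \[([^\]]+)\] \[[0-9A-F]+\] (.+?) \((.+)\)$")
ATTACH_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.+)\)$")


def le_pointer(byte_list: str) -> int:
    """'20, 43, 8C, 90' -> 0x908C4320: x86 stores pointers little-endian."""
    raw = bytes(int(b, 16) for b in byte_list.split(","))
    return int.from_bytes(raw, "little")


def triage_gmer(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: where each SSDT hook points, keyed to the driver that owns it.
    ssdt_owner = {int(m.group(3), 16): m.group(1) for m in map(SSDT_RE.match, lines) if m}
    findings: list[Finding] = []
    for line in lines:
        if m := DEVICE_RE.match(line):
            drv, dev = m.groups()
            sev = "high" if "Harddisk" in dev else "medium"
            findings.append(Finding("device-hook", sev,
                f"{dev} under \\Driver\\{drv} is served through a hooked device object; "
                "a rootkit filtering raw disk I/O (the TDL3/Tidserv pattern) looks exactly like this"))
        elif m := FILE_RE.match(line):
            findings.append(Finding("modified-file", "high",
                f"{m.group(1)} no longer matches the image GMER expects; hash it against a known-good copy"))
        elif m := SSDT_RE.match(line):
            owner, func, addr = m.groups()
            findings.append(Finding("ssdt-hook", "info",
                f"{func} redirected to 0x{addr} in {owner}; fine only if that driver is installed security software"))
        elif m := KPATCH_RE.match(line):
            where, byte_list = m.groups()
            ptr = le_pointer(byte_list)
            if ptr in ssdt_owner:
                findings.append(Finding("kernel-patch", "info",
                    f"{where}: the patched bytes are the pointer 0x{ptr:08X}, the SSDT hook owned by {ssdt_owner[ptr]}"))
            else:
                findings.append(Finding("kernel-patch", "high",
                    f"{where}: patched bytes [{byte_list}] are not explained by any listed SSDT hook"))
        elif m := UHOOK_RE.match(line):
            proc, func, target = m.groups()
            findings.append(Finding("user-hook", "medium",
                f"{proc}: {func} JMPs to 0x{target}, which GMER attributes to no module; treat as injected code until identified"))
        elif m := IAT_RE.match(line):
            proc, entry, module, desc = m.groups()
            sev = "info" if "Microsoft Corporation" in desc and "\\Windows\\" in module else "medium"
            findings.append(Finding("iat-redirect", sev, f"{proc}: {entry} -> {module} ({desc})"))
        elif m := ATTACH_RE.match(line):
            fs, dev, drv, desc = m.groups()
            sev = "info" if "Microsoft Corporation" in desc else "medium"
            findings.append(Finding("filter-driver", sev, f"{drv} attached to {fs} {dev} ({desc})"))
    return findings


def severity_counts(findings: list[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
    print(severity_counts(results))
```

Run against the posted log this leaves exactly two high findings, the hooked \Device\Harddisk0\DR0 under \Driver\atapi and the modified atapi.sys, which are the two entries Broni acts on; the KeSetEvent patch resolves to SASKUTIL.SYS's own hook address, and the Explorer IAT entries resolve to a Microsoft-signed gdiplus.dll under WinSxS. The svchost and Explorer JMPs into 0x002xxxxA-style addresses stay at medium: GMER names the target module when it can, and here it could not.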
     
  23. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    OK, we have to change strategy....

    Let's see, if we can look at your computer booting from an external source.

    You will need USB flash drive to move information from bad computer to a working computer.

    You need to download two programs.

    First

    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

    Second

    • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded double click and this will then open ISOBurner to burn the file to CD
    • Reboot your system (Non working computer) using the boot CD you just created.
      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Registry to All
      • Under Custom Scan box paste this in:

        netsvcs
        %SYSTEMDRIVE%\*.exe
        /md5start
        eventlog.dll
        scecli.dll
        netlogon.dll
        cngaudit.dll
        sceclt.dll
        ntelogon.dll
        logevent.dll
        iaStor.sys
        nvstor.sys
        atapi.sys
        IdeChnDr.sys
        viasraid.sys
        AGP440.sys
        vaxscsi.sys
        nvatabus.sys
        viamraid.sys
        nvata.sys
        nvgts.sys
        iastorv.sys
        ViPrt.sys
        eNetHook.dll
        ahcix86.sys
        KR10N.sys
        nvstor32.sys
        ahcix86s.sys
        nvrd32.sys
        symmpi.sys
        adp3132.sys
        mv61xx.sys
        userinit.exe
        explorer.exe
        /md5stop
        %systemroot%\*. /mp /s
        %systemroot%\system32\*.dll /lockedfiles
        %systemroot%\Tasks\*.job /lockedfiles
        %systemroot%\system32\drivers\*.sys /lockedfiles
        %systemroot%\System32\config\*.sav
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
     
  24. lizmcreations

    lizmcreations TS Rookie Topic Starter Posts: 60

    Ok, done. Log attached.
     

    Attached Files: OTL.Txt (118.7 KB)
  25. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Now, be very careful with what you're doing. It's a very delicate operation.
    Attached is zipped atapi.sys file from my computer.
    Start your computer normally and save attached file to your desktop.
    Unzip it.
    Copy the file to your root C:\ directory.

    Now, reboot your computer to OTLPE CD.
    Open Windows Explorer.
    Navigate to C:\Windows\System32\drivers folder.
    Rename your atapi.sys file to atapi.old
    Do the same to atapi.sys located in C:\Windows\ERDNT\cache folder.
    Now, copy my atapi.sys file from C:\ folder and paste it into both folders:
    C:\Windows\System32\drivers
    C:\Windows\ERDNT\cache


    Restart computer normally and check for redirection.
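What the /md5start block in the OTL scans and the atapi.sys swap in this post amount to is one check and one repair: hash the live driver, compare it with the copy Windows staged in the DriverStore, and if they differ put a trusted copy in place from outside the running system. The added example below is my code, not OTL's, OTM's or anything from the thread; it does that with SHA-256 on a constructed directory tree that mirrors the paths quoted above, and the folder name mshdc.inf_cc18792d and the file contents are made up for the demo. Two caveats a practitioner should keep in mind: a rootkit that filters disk I/O, which is what the DR0 device hook in the GMER log indicates, can hand clean bytes to a hash taken from inside the infected Windows, so run the check from the OTLPE boot CD; and the DriverStore copy is only as trustworthy as the machine it sits on, which is why Broni ends up supplying atapi.sys from his own computer (restore_driver takes any reference path for that reason).

```python
"""Check a Windows driver against the copy kept in the DriverStore, and
restore it the way the post above does (rename to .old, copy a trusted file
over it, verify by hash).

Added example, not OTL's, OTM's or anything from the thread. The directory
tree, the folder name mshdc.inf_cc18792d and the file contents are
constructed for the demo; the hashing and restore logic are the author's."""
import hashlib
import shutil
import tempfile
from pathlib import Path

DRIVER = "atapi.sys"


def sha256(path) -> str:
    """Streamed SHA-256 of a file (OTL's /md5start uses MD5; SHA-256 is preferable)."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def reference_copies(windows: Path, name: str) -> list[Path]:
    """Every <name> Windows staged under System32\\DriverStore\\FileRepository."""
    repo = windows / "System32" / "DriverStore" / "FileRepository"
    return sorted(repo.rglob(name))


def check_driver(windows, name: str = DRIVER) -> dict:
    """Hash the live driver and compare it with each DriverStore copy."""
    windows = Path(windows)
    live = windows / "System32" / "drivers" / name
    live_hash = sha256(live)
    refs = {str(p): sha256(p) for p in reference_copies(windows, name)}
    return {
        "live": str(live),
        "size": live.stat().st_size,
        "live_sha256": live_hash,
        "references": refs,
        "matches_reference": any(h == live_hash for h in refs.values()),
    }


def restore_driver(windows, reference, name: str = DRIVER) -> Path:
    """Rename the suspect driver to .old, copy `reference` in, verify by hash.

    Run this from an offline boot (the OTLPE CD in the thread): a loaded
    driver cannot be replaced in place, which is what OTM's "without a
    reboot" message meant. Returns the path of the .old backup."""
    windows, reference = Path(windows), Path(reference)
    live = windows / "System32" / "drivers" / name
    backup = live.with_suffix(".old")
    if backup.exists():
        backup.unlink()
    live.rename(backup)
    shutil.copy2(reference, live)
    if sha256(live) != sha256(reference):
        raise RuntimeError(f"{live} does not match {reference} after copy")
    return backup


def build_constructed_tree() -> Path:
    """Temp tree mirroring the paths in the thread, with a tampered live driver."""
    win = Path(tempfile.mkdtemp()) / "Windows"
    drivers = win / "System32" / "drivers"
    store = win / "System32" / "DriverStore" / "FileRepository" / "mshdc.inf_cc18792d"
    for d in (drivers, store):
        d.mkdir(parents=True, exist_ok=True)
    clean = b"MZ constructed clean atapi.sys image"          # constructed, not a real driver
    (store / DRIVER).write_bytes(clean)
    (drivers / DRIVER).write_bytes(clean + b" <constructed patch>")
    return win


def demo() -> tuple:
    """(matches before restore, matches after restore) on the constructed tree."""
    win = build_constructed_tree()
    before = check_driver(win)
    reference = next(iter(before["references"]))
    restore_driver(win, reference)
    after = check_driver(win)
    shutil.rmtree(win.parent)
    return before["matches_reference"], after["matches_reference"]


if __name__ == "__main__":
    print(demo())
```

On a real box point check_driver at the mounted Windows folder of the offline system (from the OTLPE desktop that is still C:\Windows) and compare its report with the md5 lines OTL printed; a live driver that matches no DriverStore copy, with no Windows Update to explain it, is the same signal OTL's list is designed to surface.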
     


Topic Status:
Not open for further replies.

