also @ TechSpot: Apple claims Samsung violates Siri patents with Google Now

Websites redirected, can't run Windows Update, can't install Malwarebytes

Discussion in 'Virus and Malware Removal' started by weety, Oct 3, 2012.

Post New Reply
Page 1 of 5

  1. weety Newcomer, in training Posts: 60

    I cannot access E-mail via websites (such as hotmail.com, gmail.com, work E-mail). A number of other websites also seem to be blocked (e.g. store.malwarebytes.org). I get the message "This webpage is not available" [Google Chrome].

    I managed to download the malwarebytes installer from cnet.com, but the installation fails with some not very useful error message. (I can't check it now because I tried to open Internet Explorer and now the system is hanging). Without Malwarebytes, I can't proceed with the recommended 5 steps for malware removal.

    When I try to run Windows Update [Windows XP], I first get a message that the default search provider has been tinkered with. Then, when I try to "allow" the update in Internet Explorer, an error pops up and the update cannot proceed.

    Please help!
    weety, Oct 3, 2012
    #1

  2. weety Newcomer, in training Posts: 60

    Symantec Endpoint (and no other antivirus) is installed, but doesn't seem to respond to any type of clicking.
    weety, Oct 3, 2012
    #2

  3. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    ComboFix

    Please download ComboFix[IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
    Jay Pfoutz, Oct 3, 2012
    #3

  4. weety Newcomer, in training Posts: 60

    Thanks for taking time to help me.

    I am unable to disable Symantec Endpoint Protection, but will proceed anyway.

    I know I'm not supposed to mess around with these things, but I tried running ComboFix previously (renamed as svchost.exe) and it took a little over 10 hours to complete. However, I know I'm supposed to do precisely what I'm told, so I'll run it again now and post the new log tomorrow.
    weety, Oct 3, 2012
    #4

  5. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Go ahead. I look forward to it. :)
    Jay Pfoutz, Oct 3, 2012
    #5

  6. weety Newcomer, in training Posts: 60

    ComboFix 12-10-03.03 - hmc05 03/10/2012 19:02:50.7.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3017.2408 [GMT 1:00]
    Running from: c:\documents and settings\hmc05\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-04 to 2012-10-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-25 19:50 . 2012-09-25 19:50--------d-----w-c:\program files\pdfforge Toolbar
    2012-09-25 19:50 . 2012-09-25 19:50--------d-----w-c:\program files\Common Files\Spigot
    2012-09-25 19:50 . 2012-09-25 19:50--------d-----w-c:\program files\Application Updater
    2012-09-25 08:06 . 2012-09-25 08:06--------d-----w-c:\documents and settings\All Users\Application Data\MFAData
    2012-09-25 08:06 . 2012-09-25 08:06--------d-----w-c:\documents and settings\hmc05\Local Settings\Application Data\MFAData
    2012-09-25 08:06 . 2012-09-25 08:06--------d-----w-c:\documents and settings\hmc05\Local Settings\Application Data\Avg2013
    2012-09-25 08:06 . 2012-09-25 08:06--------d-----w-c:\documents and settings\All Users\Application Data\Common Files
    2012-09-24 11:12 . 2012-09-24 11:12--------d-----w-c:\winnt\ms
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-24 11:18 . 2012-04-27 14:50696520----a-w-c:\winnt\system32\FlashPlayerApp.exe
    2012-09-24 11:18 . 2011-06-09 07:3073416----a-w-c:\winnt\system32\FlashPlayerCPLApp.cpl
    2012-08-28 15:14 . 1980-01-01 00:00916992----a-w-c:\winnt\system32\wininet.dll
    2012-08-28 15:14 . 1980-01-01 00:0043520----a-w-c:\winnt\system32\licmgr10.dll
    2012-08-28 15:14 . 1980-01-01 00:001469440------w-c:\winnt\system32\inetcpl.cpl
    2012-08-28 12:07 . 1980-01-01 00:00385024----a-w-c:\winnt\system32\html.iec
    2012-07-06 13:58 . 1980-01-01 00:0078336----a-w-c:\winnt\system32\browser.dll
    2005-10-12 15:04 . 2005-10-12 15:04131072----a-w-c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
    2012-04-21 01:18 . 2012-05-16 17:0997208----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-10-16 150040]
    "HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-10-16 178712]
    "Persistence"="c:\winnt\system32\igfxpers.exe" [2008-10-16 150040]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-08 1044480]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-17 180224]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-11-18 115560]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-10-02 0]
    .
    c:\documents and settings\hmc05\Start Menu\Programs\Startup\
    Dropbox.lnk - \\icfs16.cc.ic.ac.uk\hmc05\IExplorer\AppData\Dropbox\bin\Dropbox.exe [N/A]
    ICTprintservice.lnk - \\ICADS11\netlogon\clusters\common\ICTprintservice.cmd [2007-12-19 6839]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Auto-sleep.lnk - c:\winnt\Installer\{F1F8CE7F-1D24-416F-BFA1-F7DD39D8A000}\mainicon.ico [2011-11-9 15086]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "ForceRunOnStartMenu"= 1 (0x1)
    "RestrictWelcomeCenter"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-243037206-41955558-561332275-166766\Scripts\Logoff\0\0]
    "Script"=userlog_logoff_3.04.bat
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-243037206-41955558-561332275-166766\Scripts\Logon\0\0]
    "Script"=%logonserver%\netlogon\user4-GPO.bat
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AllAlertsDisabled"=dword:00000001
    "TermService"=dword:00000001
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    .
    R0 SFAUDIO;Sonic Focus DSP Driver;c:\winnt\system32\drivers\sfaudio.sys [01/01/1980 01:00 24064]
    R0 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [18/12/2009 00:14 691696]
    R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [19/09/2012 16:21 795072]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\winnt\system32\drivers\e1k5132.sys [01/01/1980 01:00 144480]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [25/09/2012 09:28 106656]
    R3 IFXTPM;IFXTPM;c:\winnt\system32\drivers\ifxtpm.sys [01/01/1980 01:00 36352]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\winnt\system32\Macromed\Flash\FlashPlayerUpdateService.exe [27/04/2012 15:50 250568]
    S3 COH_Mon;COH_Mon;c:\winnt\system32\drivers\COH_Mon.sys [03/07/2009 11:52 23888]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-03 c:\winnt\Tasks\Adobe Flash Player Updater.job
    - c:\winnt\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 11:18]
    .
    2012-10-03 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-243037206-41955558-561332275-166766Core.job
    - c:\documents and settings\hmc05\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-10-02 10:43]
    .
    2012-10-03 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-243037206-41955558-561332275-166766UA.job
    - c:\documents and settings\hmc05\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-10-02 10:43]
    .
    2012-10-03 c:\winnt\Tasks\MATLAB R2012a Startup Accelerator.job
    - c:\program files\MATLAB\R2012a\bin\win32\MATLABStartupAccelerator.exe [2012-03-22 03:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: ic.ac.uk
    Trusted Zone: icfs16.cc.ic.ac.uk
    TCP: DhcpNameServer = 155.198.142.7 155.198.142.8
    DPF: {64A6114F-2976-4634-BE36-134BF84D369C} - hxxps://www3.imperial.ac.uk/eWebEditPro/ewebeditpro4.cab
    DPF: {A40B0AD4-B50E-4E58-8A1D-8544233807AD} - ftp://ftp.ni.com/pub/devzone/tut/cnx_lv8_runtime.exe
    DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF}
    FF - ProfilePath -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-04 06:08
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-243037206-41955558-561332275-166766\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2012-10-04 06:10:11
    ComboFix-quarantined-files.txt 2012-10-04 05:10
    ComboFix2.txt 2012-10-03 03:36
    ComboFix3.txt 2012-10-01 20:31
    ComboFix4.txt 2012-09-25 19:43
    ComboFix5.txt 2012-10-03 17:47
    .
    Pre-Run: 201,029,742,592 bytes free
    Post-Run: 201,042,485,248 bytes free
    .
    - - End Of File - - C3C90714FC9999060524D403F0CC1A8E
    weety, Oct 4, 2012
    #6
     

  7. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    [IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [IMG]

    ------------------------

    Click the Start Scan button.

    [IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    avast! aswMBR

    Please download aswMBR from here
    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below
    [IMG]
    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
    • Once the scan finishes click Save log to save the log to your Desktop
      [IMG]
    • Copy and paste the contents of aswMBR.txt back here for review
    • Please also find MBR.dat on your Desktop, and rename it to MBR.txt. Upload that as well. Do not copy and paste MBR.dat/txt, it needs to be uploaded.
    Jay Pfoutz, Oct 4, 2012
    #7

  8. weety Newcomer, in training Posts: 60

    TDSSKiller found 254 "suspicious objects". All skipped.

    Log is far too long to post. (Please find attached).

    Attached Files:

    weety, Oct 4, 2012
    #8

  9. Jay Pfoutz Malware Helper Posts: 4,286   +49

    No biggie for those. Will wait for aswMBR log.
    Jay Pfoutz, Oct 4, 2012
    #9

  10. weety Newcomer, in training Posts: 60

    The instructions don't specify if I should do a "QuickScan" or select a specific disk drive. I went for C:\, as it sounded more thorough. Please let me know if a QuickScan is sufficient.
    weety, Oct 4, 2012
    #10

  11. Jay Pfoutz Malware Helper Posts: 4,286   +49

    It should be, try that.
    Jay Pfoutz, Oct 4, 2012
    #11

  12. weety Newcomer, in training Posts: 60

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-05 12:51:02
    -----------------------------
    12:51:02.472 OS Version: Windows 5.1.2600 Service Pack 3
    12:51:02.472 Number of processors: 2 586 0x170A
    12:51:02.472 ComputerName: EE-HMC05 UserName: hmc05
    12:51:03.577 Initialize success
    12:51:53.369 AVAST engine defs: 12100501
    12:53:05.397 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16
    12:53:05.413 Disk 0 Vendor: WDC_WD2500AAJS-60M0A0 02.03E02 Size: 238475MB BusType: 3
    12:53:05.444 Disk 0 MBR read successfully
    12:53:05.444 Disk 0 MBR scan
    12:53:05.569 Disk 0 Windows XP default MBR code
    12:53:05.584 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
    12:53:05.600 Disk 0 scanning sectors +488376000
    12:53:05.662 Disk 0 scanning C:\WINNT\system32\drivers
    12:53:15.290 Service scanning
    12:53:30.924 Service sptd C:\WINNT\System32\Drivers\sptd.sys **LOCKED** 32
    12:53:35.215 Modules scanning
    12:53:37.384 Module: C:\WINNT\System32\Drivers\atapi.sys **SUSPICIOUS**
    12:53:37.727 Module: C:\WINNT\System32\Drivers\iaStor.sys **SUSPICIOUS**
    12:53:40.910 Module: C:\WINNT\system32\ntdll.dll **SUSPICIOUS**
    12:53:40.910 Disk 0 trace - called modules:
    12:53:40.926 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spua.sys >>UNKNOWN [0x8a49f938]<<
    12:53:40.926 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a441ab8]
    12:53:40.942 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000075[0x8a4f5250]
    12:53:40.942 5 ACPI.sys[b9e74620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-16[0x8a402d98]
    12:53:41.566 AVAST engine scan C:\WINNT
    12:54:00.368 AVAST engine scan C:\WINNT\system32
    12:58:09.750 AVAST engine scan C:\WINNT\system32\drivers
    12:58:31.770 AVAST engine scan C:\Documents and Settings\hmc05
    13:02:53.640 AVAST engine scan C:\Documents and Settings\All Users
    13:07:37.690 Scan finished successfully
    13:27:14.251 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\hmc05\Desktop\MBR.dat"
    13:27:14.251 The log file has been saved successfully to "C:\Documents and Settings\hmc05\Desktop\aswMBRnew.txt"

    Attached Files:

    • MBR.txt
      File size:
      512 bytes
      Views:
      1
    weety, Oct 5, 2012
    #12

  13. weety Newcomer, in training Posts: 60

    (That is the log from a QuickScan... the full scan ran overnight and when I came back, I had dozens of error messages popping up about delayed write fails. I tried to save the log, but everything just crashed and I had to reboot).
    weety, Oct 5, 2012
    #13

  14. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Excellent work!

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
    Jay Pfoutz, Oct 5, 2012
    #14

  15. weety Newcomer, in training Posts: 60

    Thanks for your ongoing help. Looks like the scan will take a while... but I've got a good feeling about this one! 14 threats found so far ("a variant of Win32/Toolbar.Widgi application").

    Log file to follow (probably tomorrow) ..........
    weety, Oct 5, 2012
    #15

  16. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Will wait for it.
    Jay Pfoutz, Oct 6, 2012
    #16

  17. weety Newcomer, in training Posts: 60

    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dlla variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.10a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.11a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.12a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.13a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.14a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.15a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.16a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.17a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.7a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.8a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.9a variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Program Files\pdfforge Toolbar\IE\6.3\pdFForgetoolbarie.dll.vira variant of Win32/Toolbar.Widgi applicationcleaned by deleting - quarantined
    weety, Oct 7, 2012
    #17

  18. weety Newcomer, in training Posts: 60

    (Same symptoms seem to remain with computer after the removal of these threats).
    weety, Oct 7, 2012
    #18

  19. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Copy the code below in the quotebox, and then under the Custom Scans/Fixes box paste it in:

    • Click the Run Scan button. The scan will not take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.

    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
    Jay Pfoutz, Oct 7, 2012
    #19

  20. weety Newcomer, in training Posts: 60

    # AdwCleaner v2.004 - Logfile created 10/07/2012 at 20:43:43
    # Updated 06/10/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : hmc05 - EE-HMC05
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\hmc05\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****

    Stopped & Deleted : Application Updater

    ***** [Files / Folders] *****

    Folder Deleted : C:\Program Files\Application Updater
    Folder Deleted : C:\Program Files\Common Files\spigot
    Folder Deleted : C:\Program Files\pdfforge Toolbar

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\pdfforge
    Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Key Deleted : HKCU\Software\pdfforge
    Key Deleted : HKCU\Software\Search Settings
    Key Deleted : HKLM\Software\Application Updater
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{A0B139A7-E8D5-49E8-A7BF-12421E652208}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C2F6A415-2A69-48F1-8F91-B9381B33FF1A}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C2F6A415-2A69-48F1-8F91-B9381B33FF1A}
    Key Deleted : HKLM\Software\pdfforge
    Key Deleted : HKLM\Software\Search Settings
    Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchSettings]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [OK] Registry is clean.

    -\\ Mozilla Firefox v12.0 (en-GB)

    -\\ Google Chrome v22.0.1229.79

    File : C:\Documents and Settings\hmc05\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [1948 octets] - [07/10/2012 20:43:43]

    ########## EOF - H:\AdwCleaner[S1].txt - [2008 octets] ##########
    weety, Oct 7, 2012
    #20
Page 1 of 5

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.