Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Redirecting problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Redirecting problem

Unread postby Eso » April 27th, 2010, 3:46 pm

Before I do that, I rebooted and found that Combofix has messed up my computer (desktop is messed up, icons aren't working). Can I system restore to before I run it?
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am
Advertisement
Register to Remove

Re: Redirecting problem

Unread postby deltalima » April 27th, 2010, 4:26 pm

Hi Eso,

Disable AVG then download ComboFix from here to your Desktop and replace the version that you downloaded earlier.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Ensure that AVG is disabled then double click combofix.exe and follow the prompts.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirecting problem

Unread postby Eso » April 27th, 2010, 5:17 pm

I haven't gotten around to doing the second Combofix yet and I'm not sure that I should since it messed up my computer... But I did run TDSSKiller and here's the log:

17:04:45:121 0012 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:04:45:121 0012 ================================================================================
17:04:45:121 0012 SystemInfo:

17:04:45:121 0012 OS Version: 6.0.6000 ServicePack: 0.0
17:04:45:121 0012 Product type: Workstation
17:04:45:121 0012 ComputerName: ARASHI
17:04:45:121 0012 UserName: Eso
17:04:45:121 0012 Windows directory: C:\Windows
17:04:45:121 0012 Processor architecture: Intel x86
17:04:45:121 0012 Number of processors: 2
17:04:45:121 0012 Page size: 0x1000
17:04:45:137 0012 Boot type: Normal boot
17:04:45:137 0012 ================================================================================
17:04:45:137 0012 UnloadDriverW: NtUnloadDriver error 2
17:04:45:137 0012 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:05:04:559 0012 wfopen_ex: Trying to open file C:\Windows\system32\config\system
17:05:04:590 0012 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:05:04:590 0012 wfopen_ex: Trying to KLMD file open
17:05:04:590 0012 wfopen_ex: File opened ok (Flags 2)
17:05:04:590 0012 wfopen_ex: Trying to open file C:\Windows\system32\config\software
17:05:04:590 0012 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:05:04:590 0012 wfopen_ex: Trying to KLMD file open
17:05:04:590 0012 wfopen_ex: File opened ok (Flags 2)
17:05:04:590 0012 Initialize success
17:05:04:590 0012
17:05:04:590 0012 Scanning Services ...
17:05:05:604 0012 Raw services enum returned 439 services
17:05:05:620 0012
17:05:05:620 0012 Scanning Kernel memory ...
17:05:05:620 0012 Devices to scan: 4
17:05:05:620 0012
17:05:05:620 0012 Driver Name: USBSTOR
17:05:05:620 0012 IRP_MJ_CREATE : A3A92B40
17:05:05:620 0012 IRP_MJ_CREATE_NAMED_PIPE : 8201D1D9
17:05:05:620 0012 IRP_MJ_CLOSE : A3A92BB8
17:05:05:620 0012 IRP_MJ_READ : A3A92C30
17:05:05:620 0012 IRP_MJ_WRITE : A3A92C30
17:05:05:620 0012 IRP_MJ_QUERY_INFORMATION : 8201D1D9
17:05:05:620 0012 IRP_MJ_SET_INFORMATION : 8201D1D9
17:05:05:620 0012 IRP_MJ_QUERY_EA : 8201D1D9
17:05:05:620 0012 IRP_MJ_SET_EA : 8201D1D9
17:05:05:620 0012 IRP_MJ_FLUSH_BUFFERS : 8201D1D9
17:05:05:620 0012 IRP_MJ_QUERY_VOLUME_INFORMATION : 8201D1D9
17:05:05:620 0012 IRP_MJ_SET_VOLUME_INFORMATION : 8201D1D9
17:05:05:620 0012 IRP_MJ_DIRECTORY_CONTROL : 8201D1D9
17:05:05:620 0012 IRP_MJ_FILE_SYSTEM_CONTROL : 8201D1D9
17:05:05:620 0012 IRP_MJ_DEVICE_CONTROL : A3A92828
17:05:05:620 0012 IRP_MJ_INTERNAL_DEVICE_CONTROL : A3A874AA
17:05:05:620 0012 IRP_MJ_SHUTDOWN : 8201D1D9
17:05:05:620 0012 IRP_MJ_LOCK_CONTROL : 8201D1D9
17:05:05:620 0012 IRP_MJ_CLEANUP : 8201D1D9
17:05:05:620 0012 IRP_MJ_CREATE_MAILSLOT : 8201D1D9
17:05:05:620 0012 IRP_MJ_QUERY_SECURITY : 8201D1D9
17:05:05:620 0012 IRP_MJ_SET_SECURITY : 8201D1D9
17:05:05:620 0012 IRP_MJ_POWER : A3A90F9A
17:05:05:620 0012 IRP_MJ_SYSTEM_CONTROL : A3A8E7A2
17:05:05:620 0012 IRP_MJ_DEVICE_CHANGE : 8201D1D9
17:05:05:620 0012 IRP_MJ_QUERY_QUOTA : 8201D1D9
17:05:05:620 0012 IRP_MJ_SET_QUOTA : 8201D1D9
17:05:05:635 0012 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
17:05:05:635 0012
17:05:05:635 0012 Driver Name: ti21sony
17:05:05:635 0012 IRP_MJ_CREATE : 894B80DC
17:05:05:635 0012 IRP_MJ_CREATE_NAMED_PIPE : 89489528
17:05:05:635 0012 IRP_MJ_CLOSE : 894B8120
17:05:05:635 0012 IRP_MJ_READ : 894B8248
17:05:05:635 0012 IRP_MJ_WRITE : 894B834A
17:05:05:635 0012 IRP_MJ_QUERY_INFORMATION : 89489528
17:05:05:635 0012 IRP_MJ_SET_INFORMATION : 89489528
17:05:05:635 0012 IRP_MJ_QUERY_EA : 89489528
17:05:05:635 0012 IRP_MJ_SET_EA : 89489528
17:05:05:635 0012 IRP_MJ_FLUSH_BUFFERS : 894B81B8
17:05:05:635 0012 IRP_MJ_QUERY_VOLUME_INFORMATION : 89489528
17:05:05:635 0012 IRP_MJ_SET_VOLUME_INFORMATION : 89489528
17:05:05:635 0012 IRP_MJ_DIRECTORY_CONTROL : 89489528
17:05:05:635 0012 IRP_MJ_FILE_SYSTEM_CONTROL : 89489528
17:05:05:635 0012 IRP_MJ_DEVICE_CONTROL : 894B8164
17:05:05:635 0012 IRP_MJ_INTERNAL_DEVICE_CONTROL : 894B818E
17:05:05:635 0012 IRP_MJ_SHUTDOWN : 894B8294
17:05:05:635 0012 IRP_MJ_LOCK_CONTROL : 89489528
17:05:05:635 0012 IRP_MJ_CLEANUP : 894B806C
17:05:05:635 0012 IRP_MJ_CREATE_MAILSLOT : 89489528
17:05:05:635 0012 IRP_MJ_QUERY_SECURITY : 89489528
17:05:05:635 0012 IRP_MJ_SET_SECURITY : 89489528
17:05:05:635 0012 IRP_MJ_POWER : 894B821E
17:05:05:635 0012 IRP_MJ_SYSTEM_CONTROL : 894B82E0
17:05:05:635 0012 IRP_MJ_DEVICE_CHANGE : 89489528
17:05:05:635 0012 IRP_MJ_QUERY_QUOTA : 89489528
17:05:05:635 0012 IRP_MJ_SET_QUOTA : 89489528
17:05:05:666 0012 C:\Windows\system32\drivers\ti21sony.sys - Verdict: 1
17:05:05:666 0012
17:05:05:666 0012 Driver Name: ti21sony
17:05:05:666 0012 IRP_MJ_CREATE : 894B80DC
17:05:05:666 0012 IRP_MJ_CREATE_NAMED_PIPE : 89489528
17:05:05:666 0012 IRP_MJ_CLOSE : 894B8120
17:05:05:666 0012 IRP_MJ_READ : 894B8248
17:05:05:666 0012 IRP_MJ_WRITE : 894B834A
17:05:05:666 0012 IRP_MJ_QUERY_INFORMATION : 89489528
17:05:05:666 0012 IRP_MJ_SET_INFORMATION : 89489528
17:05:05:666 0012 IRP_MJ_QUERY_EA : 89489528
17:05:05:666 0012 IRP_MJ_SET_EA : 89489528
17:05:05:666 0012 IRP_MJ_FLUSH_BUFFERS : 894B81B8
17:05:05:666 0012 IRP_MJ_QUERY_VOLUME_INFORMATION : 89489528
17:05:05:666 0012 IRP_MJ_SET_VOLUME_INFORMATION : 89489528
17:05:05:666 0012 IRP_MJ_DIRECTORY_CONTROL : 89489528
17:05:05:666 0012 IRP_MJ_FILE_SYSTEM_CONTROL : 89489528
17:05:05:666 0012 IRP_MJ_DEVICE_CONTROL : 894B8164
17:05:05:666 0012 IRP_MJ_INTERNAL_DEVICE_CONTROL : 894B818E
17:05:05:666 0012 IRP_MJ_SHUTDOWN : 894B8294
17:05:05:666 0012 IRP_MJ_LOCK_CONTROL : 89489528
17:05:05:666 0012 IRP_MJ_CLEANUP : 894B806C
17:05:05:666 0012 IRP_MJ_CREATE_MAILSLOT : 89489528
17:05:05:666 0012 IRP_MJ_QUERY_SECURITY : 89489528
17:05:05:666 0012 IRP_MJ_SET_SECURITY : 89489528
17:05:05:666 0012 IRP_MJ_POWER : 894B821E
17:05:05:666 0012 IRP_MJ_SYSTEM_CONTROL : 894B82E0
17:05:05:666 0012 IRP_MJ_DEVICE_CHANGE : 89489528
17:05:05:666 0012 IRP_MJ_QUERY_QUOTA : 89489528
17:05:05:666 0012 IRP_MJ_SET_QUOTA : 89489528
17:05:05:666 0012 C:\Windows\system32\drivers\ti21sony.sys - Verdict: 1
17:05:05:666 0012
17:05:05:666 0012 Driver Name: atapi
17:05:05:666 0012 IRP_MJ_CREATE : 8077899C
17:05:05:666 0012 IRP_MJ_CREATE_NAMED_PIPE : 8077899C
17:05:05:666 0012 IRP_MJ_CLOSE : 8077899C
17:05:05:682 0012 IRP_MJ_READ : 8077899C
17:05:05:682 0012 IRP_MJ_WRITE : 8077899C
17:05:05:682 0012 IRP_MJ_QUERY_INFORMATION : 8077899C
17:05:05:682 0012 IRP_MJ_SET_INFORMATION : 8077899C
17:05:05:682 0012 IRP_MJ_QUERY_EA : 8077899C
17:05:05:682 0012 IRP_MJ_SET_EA : 8077899C
17:05:05:682 0012 IRP_MJ_FLUSH_BUFFERS : 8077899C
17:05:05:682 0012 IRP_MJ_QUERY_VOLUME_INFORMATION : 8077899C
17:05:05:682 0012 IRP_MJ_SET_VOLUME_INFORMATION : 8077899C
17:05:05:682 0012 IRP_MJ_DIRECTORY_CONTROL : 8077899C
17:05:05:682 0012 IRP_MJ_FILE_SYSTEM_CONTROL : 8077899C
17:05:05:682 0012 IRP_MJ_DEVICE_CONTROL : 8077899C
17:05:05:682 0012 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8077899C
17:05:05:682 0012 IRP_MJ_SHUTDOWN : 8077899C
17:05:05:682 0012 IRP_MJ_LOCK_CONTROL : 8077899C
17:05:05:682 0012 IRP_MJ_CLEANUP : 8077899C
17:05:05:682 0012 IRP_MJ_CREATE_MAILSLOT : 8077899C
17:05:05:682 0012 IRP_MJ_QUERY_SECURITY : 8077899C
17:05:05:682 0012 IRP_MJ_SET_SECURITY : 8077899C
17:05:05:682 0012 IRP_MJ_POWER : 8077899C
17:05:05:682 0012 IRP_MJ_SYSTEM_CONTROL : 8077899C
17:05:05:682 0012 IRP_MJ_DEVICE_CHANGE : 8077899C
17:05:05:682 0012 IRP_MJ_QUERY_QUOTA : 8077899C
17:05:05:682 0012 IRP_MJ_SET_QUOTA : 8077899C
17:05:05:682 0012 Driver "atapi" infected by TDSS rootkit!
17:05:05:682 0012 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
17:05:05:682 0012 File "C:\Windows\system32\drivers\atapi.sys" infected by TDSS rootkit ... 17:05:05:682 0012 Processing driver file: C:\Windows\system32\drivers\atapi.sys
17:05:07:351 0012 vfvi6
17:05:07:460 0012 dsvbh1
17:05:09:488 0012 fdfb1
17:05:09:488 0012 Backup copy found, using it..
17:05:09:488 0012 will be cured on next reboot
17:05:09:488 0012 Reboot required for cure complete..
17:05:09:504 0012 Cure on reboot scheduled successfully
17:05:09:504 0012
17:05:09:504 0012 Completed
17:05:09:504 0012
17:05:09:504 0012 Results:
17:05:09:504 0012 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:05:09:504 0012 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:05:09:504 0012 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:05:09:504 0012
17:05:09:504 0012 fclose_ex: Trying to close file C:\Windows\system32\config\system
17:05:09:504 0012 fclose_ex: Trying to close file C:\Windows\system32\config\software
17:05:09:504 0012 UnloadDriverW: NtUnloadDriver error 1
17:05:09:504 0012 KLMD(ARK) unloaded successfully

It looks like it removed it, what should I do now?
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am

Re: Redirecting problem

Unread postby deltalima » April 27th, 2010, 5:22 pm

Hi Eso,

It looks like it removed it, what should I do now?


Please reboot and then run TDSSKiller again and post the log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirecting problem

Unread postby Eso » April 27th, 2010, 5:30 pm

17:26:46:460 5980 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:26:46:460 5980 ================================================================================
17:26:46:460 5980 SystemInfo:

17:26:46:460 5980 OS Version: 6.0.6000 ServicePack: 0.0
17:26:46:460 5980 Product type: Workstation
17:26:46:460 5980 ComputerName: ARASHI
17:26:46:460 5980 UserName: Eso
17:26:46:460 5980 Windows directory: C:\Windows
17:26:46:460 5980 Processor architecture: Intel x86
17:26:46:460 5980 Number of processors: 2
17:26:46:460 5980 Page size: 0x1000
17:26:46:460 5980 Boot type: Normal boot
17:26:46:460 5980 ================================================================================
17:26:46:460 5980 UnloadDriverW: NtUnloadDriver error 2
17:26:46:460 5980 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:26:58:207 5980 wfopen_ex: Trying to open file C:\Windows\system32\config\system
17:26:58:222 5980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:26:58:222 5980 wfopen_ex: Trying to KLMD file open
17:26:58:222 5980 wfopen_ex: File opened ok (Flags 2)
17:26:58:222 5980 wfopen_ex: Trying to open file C:\Windows\system32\config\software
17:26:58:222 5980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:26:58:222 5980 wfopen_ex: Trying to KLMD file open
17:26:58:222 5980 wfopen_ex: File opened ok (Flags 2)
17:26:58:222 5980 Initialize success
17:26:58:222 5980
17:26:58:222 5980 Scanning Services ...
17:26:59:408 5980 Raw services enum returned 439 services
17:26:59:423 5980
17:26:59:423 5980 Scanning Kernel memory ...
17:26:59:423 5980 Devices to scan: 3
17:26:59:423 5980
17:26:59:423 5980 Driver Name: ti21sony
17:26:59:423 5980 IRP_MJ_CREATE : 8967B0DC
17:26:59:423 5980 IRP_MJ_CREATE_NAMED_PIPE : 8964C528
17:26:59:423 5980 IRP_MJ_CLOSE : 8967B120
17:26:59:423 5980 IRP_MJ_READ : 8967B248
17:26:59:423 5980 IRP_MJ_WRITE : 8967B34A
17:26:59:423 5980 IRP_MJ_QUERY_INFORMATION : 8964C528
17:26:59:423 5980 IRP_MJ_SET_INFORMATION : 8964C528
17:26:59:423 5980 IRP_MJ_QUERY_EA : 8964C528
17:26:59:423 5980 IRP_MJ_SET_EA : 8964C528
17:26:59:423 5980 IRP_MJ_FLUSH_BUFFERS : 8967B1B8
17:26:59:423 5980 IRP_MJ_QUERY_VOLUME_INFORMATION : 8964C528
17:26:59:423 5980 IRP_MJ_SET_VOLUME_INFORMATION : 8964C528
17:26:59:423 5980 IRP_MJ_DIRECTORY_CONTROL : 8964C528
17:26:59:423 5980 IRP_MJ_FILE_SYSTEM_CONTROL : 8964C528
17:26:59:423 5980 IRP_MJ_DEVICE_CONTROL : 8967B164
17:26:59:423 5980 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8967B18E
17:26:59:423 5980 IRP_MJ_SHUTDOWN : 8967B294
17:26:59:423 5980 IRP_MJ_LOCK_CONTROL : 8964C528
17:26:59:423 5980 IRP_MJ_CLEANUP : 8967B06C
17:26:59:423 5980 IRP_MJ_CREATE_MAILSLOT : 8964C528
17:26:59:423 5980 IRP_MJ_QUERY_SECURITY : 8964C528
17:26:59:423 5980 IRP_MJ_SET_SECURITY : 8964C528
17:26:59:423 5980 IRP_MJ_POWER : 8967B21E
17:26:59:423 5980 IRP_MJ_SYSTEM_CONTROL : 8967B2E0
17:26:59:423 5980 IRP_MJ_DEVICE_CHANGE : 8964C528
17:26:59:423 5980 IRP_MJ_QUERY_QUOTA : 8964C528
17:26:59:423 5980 IRP_MJ_SET_QUOTA : 8964C528
17:26:59:455 5980 C:\Windows\system32\drivers\ti21sony.sys - Verdict: 1
17:26:59:455 5980
17:26:59:455 5980 Driver Name: ti21sony
17:26:59:455 5980 IRP_MJ_CREATE : 8967B0DC
17:26:59:455 5980 IRP_MJ_CREATE_NAMED_PIPE : 8964C528
17:26:59:455 5980 IRP_MJ_CLOSE : 8967B120
17:26:59:455 5980 IRP_MJ_READ : 8967B248
17:26:59:455 5980 IRP_MJ_WRITE : 8967B34A
17:26:59:455 5980 IRP_MJ_QUERY_INFORMATION : 8964C528
17:26:59:455 5980 IRP_MJ_SET_INFORMATION : 8964C528
17:26:59:455 5980 IRP_MJ_QUERY_EA : 8964C528
17:26:59:455 5980 IRP_MJ_SET_EA : 8964C528
17:26:59:455 5980 IRP_MJ_FLUSH_BUFFERS : 8967B1B8
17:26:59:455 5980 IRP_MJ_QUERY_VOLUME_INFORMATION : 8964C528
17:26:59:455 5980 IRP_MJ_SET_VOLUME_INFORMATION : 8964C528
17:26:59:455 5980 IRP_MJ_DIRECTORY_CONTROL : 8964C528
17:26:59:455 5980 IRP_MJ_FILE_SYSTEM_CONTROL : 8964C528
17:26:59:455 5980 IRP_MJ_DEVICE_CONTROL : 8967B164
17:26:59:455 5980 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8967B18E
17:26:59:455 5980 IRP_MJ_SHUTDOWN : 8967B294
17:26:59:455 5980 IRP_MJ_LOCK_CONTROL : 8964C528
17:26:59:455 5980 IRP_MJ_CLEANUP : 8967B06C
17:26:59:455 5980 IRP_MJ_CREATE_MAILSLOT : 8964C528
17:26:59:455 5980 IRP_MJ_QUERY_SECURITY : 8964C528
17:26:59:455 5980 IRP_MJ_SET_SECURITY : 8964C528
17:26:59:455 5980 IRP_MJ_POWER : 8967B21E
17:26:59:455 5980 IRP_MJ_SYSTEM_CONTROL : 8967B2E0
17:26:59:455 5980 IRP_MJ_DEVICE_CHANGE : 8964C528
17:26:59:455 5980 IRP_MJ_QUERY_QUOTA : 8964C528
17:26:59:455 5980 IRP_MJ_SET_QUOTA : 8964C528
17:26:59:470 5980 C:\Windows\system32\drivers\ti21sony.sys - Verdict: 1
17:26:59:470 5980
17:26:59:470 5980 Driver Name: atapi
17:26:59:470 5980 IRP_MJ_CREATE : 807670C2
17:26:59:470 5980 IRP_MJ_CREATE_NAMED_PIPE : 8201D1D9
17:26:59:470 5980 IRP_MJ_CLOSE : 807670C2
17:26:59:470 5980 IRP_MJ_READ : 8201D1D9
17:26:59:470 5980 IRP_MJ_WRITE : 8201D1D9
17:26:59:470 5980 IRP_MJ_QUERY_INFORMATION : 8201D1D9
17:26:59:470 5980 IRP_MJ_SET_INFORMATION : 8201D1D9
17:26:59:470 5980 IRP_MJ_QUERY_EA : 8201D1D9
17:26:59:470 5980 IRP_MJ_SET_EA : 8201D1D9
17:26:59:470 5980 IRP_MJ_FLUSH_BUFFERS : 8201D1D9
17:26:59:470 5980 IRP_MJ_QUERY_VOLUME_INFORMATION : 8201D1D9
17:26:59:470 5980 IRP_MJ_SET_VOLUME_INFORMATION : 8201D1D9
17:26:59:470 5980 IRP_MJ_DIRECTORY_CONTROL : 8201D1D9
17:26:59:470 5980 IRP_MJ_FILE_SYSTEM_CONTROL : 8201D1D9
17:26:59:470 5980 IRP_MJ_DEVICE_CONTROL : 807559F4
17:26:59:470 5980 IRP_MJ_INTERNAL_DEVICE_CONTROL : 807559C6
17:26:59:470 5980 IRP_MJ_SHUTDOWN : 8201D1D9
17:26:59:470 5980 IRP_MJ_LOCK_CONTROL : 8201D1D9
17:26:59:470 5980 IRP_MJ_CLEANUP : 8201D1D9
17:26:59:470 5980 IRP_MJ_CREATE_MAILSLOT : 8201D1D9
17:26:59:470 5980 IRP_MJ_QUERY_SECURITY : 8201D1D9
17:26:59:470 5980 IRP_MJ_SET_SECURITY : 8201D1D9
17:26:59:470 5980 IRP_MJ_POWER : 80755A22
17:26:59:470 5980 IRP_MJ_SYSTEM_CONTROL : 80762B36
17:26:59:470 5980 IRP_MJ_DEVICE_CHANGE : 8201D1D9
17:26:59:470 5980 IRP_MJ_QUERY_QUOTA : 8201D1D9
17:26:59:470 5980 IRP_MJ_SET_QUOTA : 8201D1D9
17:26:59:470 5980 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
17:26:59:470 5980
17:26:59:470 5980 Completed
17:26:59:470 5980
17:26:59:470 5980 Results:
17:26:59:470 5980 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
17:26:59:486 5980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:26:59:486 5980 File objects infected / cured / cured on reboot: 0 / 0 / 0
17:26:59:486 5980
17:26:59:486 5980 fclose_ex: Trying to close file C:\Windows\system32\config\system
17:26:59:486 5980 fclose_ex: Trying to close file C:\Windows\system32\config\software
17:26:59:486 5980 KLMD(ARK) unloaded successfully
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am

Re: Redirecting problem

Unread postby deltalima » April 27th, 2010, 5:47 pm

Hi Eso,

Please open Notepad and copy/paste the contents in the quote box below, into Notepad.

@echo off
@mbr -t
@start mbr.log


Save this as look.bat Choose to "Save type as - All Files"

Right click on look.bat & run as administrator. Please post the log it produces.

Please also let me know if the desktop is back to normal now.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirecting problem

Unread postby Eso » April 27th, 2010, 6:04 pm

I'm getting this: 'mbr.log'. Make sure you typed the name correctly, and then try again. And in the command window: 'mbr' is not recognized as an internal or external command, operable program or batch file.

My desktop is normal now.
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am

Re: Redirecting problem

Unread postby deltalima » April 28th, 2010, 3:57 am

Hi Eso,

GMER Rootkit Scanner
  • Right click ltu3dohf.exe and selecti Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan..


DDS
Please download DDS ... by sUBs.
Save it to your desktop. Alternate download link:here.
  1. Right click the tool and select Run as Administrator.
  2. A black Screen will open... read the contents but do nothing.
  3. When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
    Ignore the comments about zipping / attaching any of the report files. The 2 report files are not saved anywhere,
    if you close Notepad, before copying /pasting them... you will need to run DDS again.
  4. Copy/paste both DDS.txt and Attach.txt reports in your next reply along with the log from GMER
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirecting problem

Unread postby Eso » April 28th, 2010, 12:05 pm

GMER keeps running across an error and closing. I tried running it in both normal and safe mode, but it will not work for either.

Just to let you know, I jumped the gun and tried a search in google and it wasn't redirected :>


DDS (Ver_10-03-17.01) - NTFSx86
Run by Eso at 11:48:47.45 on Wed 04/28/2010
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_15
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmred ... ho_central
uDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AIM (R)] c:\program files\aim95\aim.exe -cnetwait.odl
uRun: [Google Update] "c:\users\eso\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [VAIOSecurity] "c:\program files\sony\vaio security center\VSC.exe" 1
mRun: [QuickBooks Simple Start] c:\program files\intuit\simplestartentice\entice.exe
mRun: [VAIOSurvey] c:\program files\sony\vaio survey\Vista VAIO Survey.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\eso\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\eso\appdata\roaming\mozilla\firefox\profiles\iddaliei.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.japantimes.co.jp/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\eso\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\eso\appdata\roaming\mozilla\firefox\profiles\iddaliei.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-04-28 15:30:01 118397889 ----a-w- c:\windows\MEMORY.DMP
2010-04-28 14:06:44 524288 --sha-w- c:\users\eso\ntuser.dat{c4764310-527a-11df-a41f-001a80447d34}.TMContainer00000000000000000002.regtrans-ms
2010-04-28 14:06:43 65536 --sha-w- c:\users\eso\ntuser.dat{c4764310-527a-11df-a41f-001a80447d34}.TM.blf
2010-04-28 14:06:43 524288 --sha-w- c:\users\eso\ntuser.dat{c4764310-527a-11df-a41f-001a80447d34}.TMContainer00000000000000000001.regtrans-ms
2010-04-27 20:36:22 65536 --sha-w- c:\users\eso\ntuser.dat{e4cedf1c-5233-11df-9853-001a80447d34}.TM.blf
2010-04-27 20:36:22 524288 --sha-w- c:\users\eso\ntuser.dat{e4cedf1c-5233-11df-9853-001a80447d34}.TMContainer00000000000000000002.regtrans-ms
2010-04-27 20:36:22 524288 --sha-w- c:\users\eso\ntuser.dat{e4cedf1c-5233-11df-9853-001a80447d34}.TMContainer00000000000000000001.regtrans-ms
2010-04-26 21:30:50 0 d-----w- C:\MGADiagToolOutput
2010-04-21 15:01:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 15:01:37 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 15:01:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 05:20:38 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-20 05:44:14 0 d-----w- c:\programdata\Sun
2010-04-20 05:44:00 0 d-----w- c:\program files\Sun
2010-04-20 05:04:52 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-20 05:04:35 0 d-----w- c:\users\eso\appdata\roaming\SUPERAntiSpyware.com
2010-04-20 05:04:35 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-20 05:01:19 0 d-----w- c:\program files\TrendMicro
2010-04-19 22:17:10 0 d-----w- c:\users\eso\appdata\roaming\Autodesk
2010-04-19 22:17:07 0 d-----w- c:\programdata\Alias
2010-04-15 07:09:12 0 d-----w- C:\96388d1247a9dc11741021a0ac0644
2010-04-15 04:27:48 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 04:27:47 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 04:27:45 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 04:25:27 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 04:25:26 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 04:24:51 434176 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 04:23:32 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-15 04:23:32 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-15 04:23:20 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 04:23:19 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 04:23:19 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 04:23:08 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-04-15 04:23:07 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-04-15 04:23:06 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2010-04-14 01:58:59 97792 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 01:58:44 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-03-30 19:12:03 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 19:12:00 389120 ----a-w- c:\windows\system32\html.iec
2010-03-29 21:03:43 0 d-----w- c:\users\eso\appdata\roaming\RenPy

==================== Find3M ====================

2010-04-27 21:07:57 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-21 05:37:05 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 12:08:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-14 12:07:19 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 16:50:34 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-03-09 16:50:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 16:48:34 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-09 14:17:48 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-09 12:43:52 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:54:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51:43 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-19 15:00:32 201444 ----a-w- c:\windows\fonts\Saint-Andrews Queen.ttf
2010-02-03 17:16:58 103720 ----a-w- c:\users\eso\GoToAssistDownloadHelper.exe
2009-10-19 23:52:08 86016 ----a-w- c:\windows\inf\infpub.dat
2009-10-19 23:52:08 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-11 20:38:26 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-10 08:18:28 174 --sha-w- c:\program files\desktop.ini
2008-06-10 23:16:26 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-08-17 22:01:33 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-08-17 22:01:33 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-08-17 22:01:33 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 11:51:41.76 ===============

Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


545 Studios Skinstaller (remove only)
AC3Filter (remove only)
ACDSee 4.0 PowerPack Suite
Activation Assistant for the 2007 Microsoft Office suites
Adobe After Effects 7.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe ExtendScript Toolkit 1.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Help Center 2.0
Adobe Reader 8.2.2
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
AIMutation (remove only)
Alps Pointing-device for VAIO
AOL(R) Instant Messenger(TM)
Apple Software Update
Audacity 1.3.5 (Unicode)
AVG Free 9.0
Click to DVD 2.0.05 Menu Data
Click to DVD 2.6.00
Combined Community Codec Pack 2007-07-22
Corel Painter IX
DC-Bass Source 1.1.1
Direct Show Ogg Vorbis Filter (remove only)
DirectShow .SHN FIlter
DNA
foobar2000 v1.0.1
Fraps (remove only)
GearDrvs
Google Chrome
Grouper Screen Saver 1.0
GTK+ Runtime 2.10.13 rev a (remove only)
HDAUDIO SoftV92 Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImTOO MOV Converter
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (VAIO_VEDB)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
OGA Notifier 2.0.0048.0
OpenMG Limited Patch 4.7-07-13-24-01
OpenMG Secure Module 4.7.00
PaintTool SAI Ver.1
PD Artist
Pen Tablet
Pidgin
Prism Video Converter
QuickBooks Product Listing Service
QuickTime
RadLight APE DirectShow filter (remove only)
RadLight MPC DirectShow Filter (remove only)
RadLight Ogg Media DirectShow filter (remove only)
RadLight OptimFROG DirectShow Filter (remove only)
RadLight PVA DirectShow filter (remove only)
RadLight TTA DirectShow filter (remove only)
RealPlayer
Realtek High Definition Audio Driver
Roxio Easy Media Creator Home
Security Update for CAPICOM (KB931906)
Setting Utility Series
Simple Start Entice
Skype™ 3.6
SnagIt 5
SonicStage 4.3
Sony Utilities DLL
Sony Video Shared Library
SoundTap Streaming Audio Recorder
StepMania 4 alpha 4 (remove only)
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
Switch Sound File Converter
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VAIO Azure Float Wallpaper
VAIO Central
VAIO Entertainment Platform
VAIO Event Service
VAIO Floral Dusk Wallpaper
VAIO Help And Support
VAIO Media
VAIO Media 6.0
VAIO Media AC3 Decoder 1.0
VAIO Media Content Collection 6.0
VAIO Media Integrated Server 6.0
VAIO Media Redistribution 6.0
VAIO Media Registration Tool
VAIO Media Registration Tool 6.0
VAIO OOBE
VAIO Photo 2007
VAIO Power Management
VAIO Security Center
VAIO Service Utility
VAIO Survey
VAIO Teal Whisper Wallpaper
VAIO Update 3
VAIO Video & Photo Utilities
Veoh Web Player
Viewpoint Media Player (Remove Only)
VLC media player 1.0.0
Winamp
Winamp Detector Plug-in
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinDVD for VAIO
WinRAR archiver
Wireless Switch Setting Utility
YOU DON'T KNOW JACK!

==== End Of File ===========================
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am

Re: Redirecting problem

Unread postby deltalima » April 28th, 2010, 2:34 pm

Hi Eso,

Just to let you know, I jumped the gun and tried a search in google and it wasn't redirected


That sounds good, we just need to make sure the infection has been totally removed.

MBR

Download the file MBR.exe and save it as c:\mbr.exe in the root of the C: drive.


Please open Notepad and copy/paste the contents in the quote box below, into Notepad.

C:\mbr.exe -t
start c:\mbr.log


Save this as look.bat Choose to "Save type as - All Files"

Right click on look.bat & run as administrator. Please post the log it produces.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirecting problem

Unread postby Eso » April 28th, 2010, 10:31 pm

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am

Re: Redirecting problem

Unread postby deltalima » April 29th, 2010, 3:45 am

Hi Eso,

user & kernel MBR OK


That's good.

Important
Please enable System Restore before proceeding.

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)


Now close all other open windows and then click on Fix Checked. Close HijackThis.

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.3 are vulnerable.
  • Go HERE, UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the Installation, close the Download Manager.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 20.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version

Now please run a quick scan with Malwarebytes and post the log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirecting problem

Unread postby Eso » April 29th, 2010, 10:36 am

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4016

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

4/29/2010 10:29:23 AM
mbam-log-2010-04-29 (10-29-23).txt

Scan type: Quick scan
Objects scanned: 108332
Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am

Re: Redirecting problem

Unread postby deltalima » April 29th, 2010, 3:32 pm

Hi Eso,

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure

Remove GMER

Delete the GMER icon from your desktop, it will be named ltu3dohf.exe

Delete the TDSSKiller icon, folder and zip file from your desktop.

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Clean up with OTL

  • Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.


Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Important you urgently need to update Windows Vista to Service Pack 2 and Internet Explorer to version 8

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.[/list]Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Redirecting problem

Unread postby Eso » April 29th, 2010, 11:45 pm

Thank you so much for helping me deltalima! Here's to the hope of never having to deal with this again :cheers:
Eso
Regular Member
 
Posts: 16
Joined: April 20th, 2010, 11:24 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware