Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HELP Gomeo type sites redirecting ISSUES

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 2nd, 2011, 11:39 am

Ok here is my log :
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-02 16:38:27
-----------------------------
16:38:27.510 OS Version: Windows 6.0.6002 Service Pack 2
16:38:27.510 Number of processors: 2 586 0xF06
16:38:27.511 ComputerName: THOMAS-PC UserName: Thomas
16:38:40.162 Initialize success
16:38:42.926 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
16:38:42.928 Disk 0 Vendor: SAMSUNG_ 1AJ1 Size: 476940MB BusType: 3
16:38:42.929 Device \Device\0000005d -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD502HJ#4&358dcf36&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:38:42.931 Disk 0 MBR read error
16:38:42.933 Disk 0 MBR scan
16:38:42.935 MBR BIOS signature not found 0
16:38:42.938 Disk 0 scanning sectors +976771072
16:38:42.940 Disk 0 scanning C:\Windows\system32\drivers
16:38:47.597 Service scanning
16:38:48.850 Disk 0 trace - called modules:
16:38:48.865 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x852d7ecc]<<
16:38:48.868 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c44120]
16:38:48.871 3 CLASSPNP.SYS[82faa8b3] -> nt!IofCallDriver -> [0x848713a8]
16:38:48.874 5 acpi.sys[8069e6bc] -> nt!IofCallDriver -> [0x85237650]
16:38:48.878 [0x86c01b28] -> IRP_MJ_CREATE -> 0x852d7ecc
16:38:48.882 Scan finished successfully
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am
Advertisement
Register to Remove

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby Dakeyras » April 2nd, 2011, 2:49 pm

Hi. :)

Something does not appear to be quite right with the MBR(master boot record) on you machine. I may ask yourself to attach a copy of it for myself to analyse further if the need. In the meantime I would like another look at it via a different application as follows...

Scan with MBRCheck:

Please download MBRCheck.exe and save to your desktop.

Alternative Download is here.

  • Right-click on MBRCheck.exe and select Run as Administrator.
  • A window similar to this should open on your desktop:-

Image

  • If you are prompted with options, enter N at the prompt and press Enter .
  • Press Enter again.
  • A log will open on your Desktop ...... MBRCheck_mm.dd.yy_hh.mm.ss.txt (where mm.dd.yy_hh.mm.ss are the date and time the scan was run).
  • Please post the contents of the log in your next reply.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 3rd, 2011, 7:03 am

Here you go :

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-03 12:01:38
-----------------------------
12:01:38.519 OS Version: Windows 6.0.6002 Service Pack 2
12:01:38.519 Number of processors: 2 586 0xF06
12:01:38.520 ComputerName: THOMAS-PC UserName: Thomas
12:01:40.237 Initialize success
12:01:50.227 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
12:01:50.229 Disk 0 Vendor: SAMSUNG_ 1AJ1 Size: 476940MB BusType: 3
12:01:50.230 Device \Device\0000005d -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD502HJ#4&358dcf36&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
12:01:50.232 Disk 0 MBR read error
12:01:50.234 Disk 0 MBR scan
12:01:50.236 MBR BIOS signature not found 0
12:01:50.238 Disk 0 scanning sectors +976771072
12:01:50.241 Disk 0 scanning C:\Windows\system32\drivers
12:01:54.444 Service scanning
12:01:55.420 Disk 0 trace - called modules:
12:01:55.431 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x852d7ecc]<<
12:01:55.434 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c417d8]
12:01:55.437 3 CLASSPNP.SYS[82fa98b3] -> nt!IofCallDriver -> [0x8522d4f0]
12:01:55.440 5 acpi.sys[806946bc] -> nt!IofCallDriver -> [0x8522d030]
12:01:55.444 [0x851dba88] -> IRP_MJ_CREATE -> 0x852d7ecc
12:01:55.448 Scan finished successfully
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby Dakeyras » April 3rd, 2011, 7:17 am

Hi. :)

You scanned again with aswMBR, please follow my instructions in this prior post, thank you.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 3rd, 2011, 1:43 pm

Sorry :( I was looking on the previous page not this one but here is the one you asked for :

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ASUSTeK Computer INC.
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: System manufacturer
System Product Name: System Product Name
Logical Drives Mask: 0x000001fd

Kernel Drivers (total 158):
0x82036000 \SystemRoot\system32\ntkrnlpa.exe
0x82003000 \SystemRoot\system32\hal.dll
0x80407000 \SystemRoot\system32\kdcom.dll
0x8040E000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047E000 \SystemRoot\system32\PSHED.dll
0x8048F000 \SystemRoot\system32\BOOTVID.dll
0x80497000 \SystemRoot\system32\CLFS.SYS
0x804D8000 \SystemRoot\system32\CI.dll
0x80608000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80684000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80691000 \SystemRoot\system32\drivers\acpi.sys
0x806D7000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806E0000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E8000 \SystemRoot\system32\drivers\pci.sys
0x8070F000 \SystemRoot\System32\drivers\partmgr.sys
0x8071E000 \SystemRoot\system32\drivers\volmgr.sys
0x8072D000 \SystemRoot\System32\drivers\volmgrx.sys
0x80777000 \SystemRoot\system32\drivers\pciide.sys
0x8077E000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8078C000 \SystemRoot\System32\drivers\mountmgr.sys
0x8079C000 \SystemRoot\system32\drivers\atapi.sys
0x807A4000 \SystemRoot\system32\drivers\ataport.SYS
0x807C2000 \SystemRoot\system32\drivers\nvstor.sys
0x805B8000 \SystemRoot\system32\drivers\storport.sys
0x82602000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x82639000 \SystemRoot\system32\drivers\fltmgr.sys
0x8266B000 \SystemRoot\system32\drivers\fileinfo.sys
0x8267B000 \SystemRoot\System32\Drivers\ksecdd.sys
0x826EC000 \SystemRoot\system32\drivers\ndis.sys
0x807CF000 \SystemRoot\system32\drivers\msrpc.sys
0x82C09000 \SystemRoot\system32\drivers\NETIO.SYS
0x82C44000 \SystemRoot\System32\drivers\tcpip.sys
0x82D31000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x82E02000 \SystemRoot\System32\Drivers\Ntfs.sys
0x82F12000 \SystemRoot\system32\drivers\volsnap.sys
0x82F4B000 \SystemRoot\System32\Drivers\spldr.sys
0x82F53000 \SystemRoot\System32\Drivers\mup.sys
0x82F62000 \SystemRoot\System32\drivers\ecache.sys
0x82F89000 \SystemRoot\system32\drivers\disk.sys
0x82F9A000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x82FBB000 \SystemRoot\system32\drivers\crcdisk.sys
0x82FDB000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x82FE6000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x82FEF000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8C200000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8CBFA000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x8CC07000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8CCA7000 \SystemRoot\System32\drivers\watchdog.sys
0x8CCB3000 \SystemRoot\system32\DRIVERS\fdc.sys
0x8CCBE000 \SystemRoot\system32\DRIVERS\serial.sys
0x8CCD8000 \SystemRoot\system32\DRIVERS\serenum.sys
0x8CCE2000 \SystemRoot\system32\DRIVERS\parport.sys
0x8CCFA000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8CD04000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8CD42000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8CD51000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8CD69000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8CE0F000 \SystemRoot\system32\DRIVERS\3xHybrid.sys
0x8CEB4000 \SystemRoot\system32\DRIVERS\ks.sys
0x8CEDE000 \SystemRoot\system32\DRIVERS\BdaSup.SYS
0x8CEE1000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8CEF1000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8CEFF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8CF8C000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8CFD0000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0x8CD6F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8CFD2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8CFDD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8CFF4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8CD9E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8CE00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8CDC1000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8CDD5000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8CDEA000 \SystemRoot\system32\DRIVERS\termdd.sys
0x82D83000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x82D8E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8CDFA000 \SystemRoot\system32\DRIVERS\swenum.sys
0x82D99000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x82DA3000 \SystemRoot\system32\DRIVERS\umbus.sys
0x82DB0000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0x82DBA000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x82DEF000 \SystemRoot\system32\drivers\libusb0.sys
0x8CDFC000 \SystemRoot\system32\drivers\usbd.sys
0x8D401000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D601000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8D92A000 \SystemRoot\system32\drivers\portcls.sys
0x8D957000 \SystemRoot\system32\drivers\drmk.sys
0x8D97C000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8D9A3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D9AC000 \SystemRoot\System32\Drivers\Null.SYS
0x8D9B3000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D9C3000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8D9CA000 \SystemRoot\System32\drivers\vga.sys
0x8D9D6000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D9F7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8D9BA000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D412000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D41D000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D42B000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8D434000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D44A000 \SystemRoot\system32\DRIVERS\smb.sys
0x8D45E000 \SystemRoot\system32\drivers\afd.sys
0x8D4A6000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D4D8000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8D4EE000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8D4FC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D50F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8D54B000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D555000 \SystemRoot\System32\Drivers\dfsc.sys
0x8D56C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8D581000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8D598000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x8D5A5000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x8E801000 \SystemRoot\system32\DRIVERS\LV302V32.SYS
0x8EA90000 \SystemRoot\system32\drivers\usbaudio.sys
0x8EAA2000 \SystemRoot\system32\DRIVERS\netr28u.sys
0x8EB6B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8EB74000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8EB84000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8EB8D000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8EB95000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x8EBAB000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8EBB8000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8EBC2000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x812F0000 \SystemRoot\System32\win32k.sys
0x8D5AF000 \SystemRoot\System32\drivers\Dxapi.sys
0x8D5B9000 \SystemRoot\system32\DRIVERS\monitor.sys
0x81510000 \SystemRoot\System32\TSDDD.dll
0x81530000 \SystemRoot\System32\cdd.dll
0x8D5C8000 \SystemRoot\system32\drivers\luafv.sys
0x9BE00000 \SystemRoot\system32\drivers\spsys.sys
0x9BEB0000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9BEC0000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9BEEA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9BEF4000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9BF07000 \SystemRoot\system32\drivers\HTTP.sys
0x9BF74000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9BF91000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x9BF9A000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9BFB3000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9BFC8000 \SystemRoot\system32\drivers\mrxdav.sys
0x82D4C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9D400000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9D439000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9D451000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9D479000 \SystemRoot\System32\DRIVERS\srv.sys
0x9D4C7000 \SystemRoot\system32\DRIVERS\parvdm.sys
0x9D4CE000 \SystemRoot\system32\drivers\peauth.sys
0x9D5AC000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9D5B6000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9D5C2000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x9D5D7000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0x9D5E9000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
0x9D5EE000 \SystemRoot\system32\DRIVERS\MpNWMon.sys
0x9BFE9000 \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
0x9D5F8000 \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{012B212A-16AA-4F4F-8BBE-23CE02C00920}\MpKsl753704e8.sys
0xABA07000 \SystemRoot\System32\Drivers\fastfat.SYS
0x77D00000 \Windows\System32\ntdll.dll

Processes (total 67):
0 System Idle Process
4 System
440 C:\Windows\System32\smss.exe
520 csrss.exe
572 C:\Windows\System32\wininit.exe
580 csrss.exe
616 C:\Windows\System32\services.exe
632 C:\Windows\System32\lsass.exe
640 C:\Windows\System32\lsm.exe
688 C:\Windows\System32\winlogon.exe
852 C:\Windows\System32\svchost.exe
896 C:\Windows\System32\nvvsvc.exe
924 C:\Windows\System32\svchost.exe
964 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1088 C:\Windows\System32\svchost.exe
1152 C:\Windows\System32\svchost.exe
1196 C:\Windows\System32\svchost.exe
1296 C:\Windows\System32\audiodg.exe
1320 C:\Windows\System32\svchost.exe
1356 C:\Windows\System32\SLsvc.exe
1424 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1444 C:\Windows\System32\nvvsvc.exe
1468 C:\Windows\System32\svchost.exe
1676 C:\Windows\System32\svchost.exe
1820 C:\Windows\System32\wlanext.exe
1880 C:\Windows\System32\spoolsv.exe
1924 C:\Windows\System32\svchost.exe
1452 C:\Windows\System32\svchost.exe
1640 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1956 C:\Program Files\Bonjour\mDNSResponder.exe
2008 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
2116 C:\Windows\System32\libusbd-nt.exe
2144 C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
2176 C:\Windows\System32\svchost.exe
2200 C:\Program Files\Ralink\Common\RaRegistry.exe
2244 C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
2272 C:\Windows\System32\svchost.exe
2336 C:\Windows\System32\svchost.exe
2384 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2440 C:\Windows\System32\SearchIndexer.exe
2524 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
2676 WUDFHost.exe
2804 WmiPrvSE.exe
2972 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3108 C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
3176 C:\Windows\System32\taskeng.exe
3540 C:\Windows\System32\dwm.exe
3632 C:\Windows\explorer.exe
3644 C:\Windows\System32\taskeng.exe
3872 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
3900 C:\Program Files\iTunes\iTunesHelper.exe
3980 C:\Program Files\Windows Media Player\wmpnscfg.exe
2168 C:\Users\Thomas\AppData\Roaming\cacaoweb\cacaoweb.exe
1036 C:\Program Files\Windows Media Player\wmpnetwk.exe
3528 C:\Program Files\iPod\bin\iPodService.exe
3040 C:\Nexon\NEXON_EU_Downloader\NEXON_EU_Downloader_Engine.exe
2608 C:\Program Files\Mozilla Firefox\firefox.exe
3240 C:\Windows\System32\svchost.exe
1260 C:\Program Files\Steam\Steam.exe
2236 C:\Program Files\Common Files\Steam\SteamService.exe
1496 C:\Windows\System32\SearchProtocolHost.exe
3976 C:\Windows\System32\SearchFilterHost.exe
3096 WmiPrvSE.exe
3708 C:\Windows\servicing\TrustedInstaller.exe
2672 MpCmdRun.exe
4160 C:\Users\Thomas\Desktop\MBRCheck.exe
4228 C:\Windows\System32\wbem\WMIADAP.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000008`ca100000 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD502HJ, Rev: 1AJ1
PhysicalDrive1 Model Number: SAMSUNGHD103SI, Rev:

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 RE: Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
931 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby Dakeyras » April 3rd, 2011, 7:28 pm

Hi. :)

Sorry :( I was looking on the previous page not this one but here is the one you asked for :
No problem.

It appears the main drive on your machine has a Windows 2008 MBR rather than a Vista one, this in itself is not a bad thing and is fine to leave as. Now the MBR on the other drive is unknown, it may be a extra internal drive and or a external one but as long as it only used as a storage medium and not to load a actual Operating System on it is fine to leave as also. Anyway lets proceed as follows shall we...

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activitity and asks to reboot the system, please allow this to be done.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper


When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 4th, 2011, 1:55 pm

Here you go :


ComboFix 11-04-03.03 - Thomas 04/04/2011 17:01:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1070 [GMT 1:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Thomas gander.User-PC\Sword_2_20100806.exe.downloading
c:\users\Thomas\AppData\Roaming\Adobe\plugs
c:\users\Thomas\AppData\Roaming\Adobe\shed
c:\users\Thomas\AppData\Roaming\cacaoweb
c:\users\Thomas\AppData\Roaming\cacaoweb\adstorage.db
c:\users\Thomas\AppData\Roaming\cacaoweb\cacaoweb.exe
c:\users\Thomas\AppData\Roaming\cacaoweb\storage.db
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
.
.
2011-04-04 16:08 . 2011-04-04 16:08 -------- d-----w- c:\users\Thomas\AppData\Local\temp
2011-04-04 16:08 . 2011-04-04 16:08 -------- d-----w- c:\users\THOMAS~1~USE\AppData\Local\temp
2011-04-04 16:08 . 2011-04-04 16:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-04 16:08 . 2011-04-04 16:08 -------- d-----w- c:\users\Daddy\AppData\Local\temp
2011-04-04 15:53 . 2011-04-04 15:53 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE4B3D03-76DC-4804-9191-D5F2BA536917}\MpKslad3fa2cd.sys
2011-04-04 15:53 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE4B3D03-76DC-4804-9191-D5F2BA536917}\mpengine.dll
2011-04-01 20:22 . 2011-04-01 20:22 -------- d-----w- C:\_OTL
2011-04-01 20:11 . 2011-04-01 20:11 -------- d-----w- c:\program files\ERUNT
2011-03-31 19:04 . 2011-03-31 19:13 -------- d-----w- c:\users\Thomas\AppData\Roaming\Ventrilo
2011-03-31 19:03 . 2011-03-31 19:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-03-30 17:42 . 2011-03-30 17:42 -------- d-----w- c:\program files\Common Files\Adobe
2011-03-29 17:40 . 2011-03-29 17:45 -------- d-----w- c:\program files\Game_Maker8
2011-03-27 10:41 . 2011-03-27 10:41 388096 ----a-r- c:\users\Thomas\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-27 10:41 . 2011-03-27 10:41 -------- d-----w- c:\program files\Trend Micro
2011-03-26 15:51 . 2011-03-26 15:51 -------- d-----w- c:\users\Thomas\AppData\Roaming\MotioninJoy
2011-03-26 15:51 . 2010-08-19 19:24 255496 ----a-w- c:\windows\system32\MijFrc.dll
2011-03-26 15:51 . 2011-03-26 15:51 -------- d-----w- c:\program files\MotioninJoy
2011-03-26 15:37 . 2011-03-26 15:37 -------- d-----w- c:\program files\LibUSB-Win32-0.1.10.1
2011-03-26 15:37 . 2005-03-09 20:50 19456 ----a-w- c:\windows\system32\libusbd-9x.exe
2011-03-26 15:37 . 2005-03-09 20:50 18944 ----a-w- c:\windows\system32\libusbd-nt.exe
2011-03-26 15:37 . 2005-03-09 20:50 33792 ----a-w- c:\windows\system32\drivers\libusb0.sys
2011-03-26 15:37 . 2005-03-09 20:50 46592 ----a-w- c:\windows\system32\libusb0.dll
2011-03-26 13:49 . 2011-03-26 13:49 0 ----a-w- c:\users\Thomas\AppData\Local\Qlalofum.bin
2011-03-25 16:41 . 2011-03-04 20:13 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-25 16:41 . 2011-03-04 20:13 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3B366A5-B8DA-4E7D-9280-2599C4B44F6D}\gapaengine.dll
2011-03-24 19:21 . 2011-03-24 19:21 -------- d-----w- c:\users\Thomas\AppData\Roaming\FlashGet
2011-03-24 19:21 . 2011-03-25 19:02 -------- d-----w- c:\program files\FlashGet
2011-03-22 19:00 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-22 19:00 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 19:00 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-16 22:09 . 2011-03-16 22:09 -------- d-----w- C:\Bri'2000
2011-03-13 13:06 . 2011-03-13 13:06 -------- d-----w- c:\users\Daddy\AppData\Local\Apple
2011-03-09 19:38 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 19:38 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 19:38 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 19:38 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 19:38 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 19:38 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 19:32 . 2011-03-08 19:32 -------- d-----w- c:\users\Thomas\AppData\Roaming\OpenCandy
2011-03-08 19:32 . 2010-07-27 16:13 27136 ----a-w- c:\temp\npijjiautoinstallpluginff.dll
2011-03-08 19:32 . 2010-03-24 16:57 713312 ----a-w- c:\windows\system32\ijjiSetup.exe
2011-03-08 19:32 . 2010-03-24 16:56 62048 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2011-03-08 16:57 . 2011-03-08 16:57 -------- d-----w- C:\ijji
2011-03-06 13:31 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-03-06 13:31 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-03-06 13:31 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-03-06 13:31 . 2009-09-25 01:33 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-03-06 13:31 . 2009-09-25 02:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-03-06 13:31 . 2009-09-25 02:07 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-03-06 13:31 . 2009-09-25 02:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-03-06 13:31 . 2009-09-25 01:33 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-03-06 13:31 . 2009-09-25 01:32 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-03-06 13:31 . 2009-09-25 01:31 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-03-06 13:29 . 2011-01-20 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-03-06 13:28 . 2011-01-20 16:07 586240 ----a-w- c:\windows\system32\stobject.dll
2011-03-06 13:28 . 2011-01-20 16:07 258048 ----a-w- c:\windows\system32\winspool.drv
2011-03-06 13:28 . 2011-01-20 16:06 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-03-06 13:28 . 2011-01-20 16:04 98816 ----a-w- c:\windows\system32\mfps.dll
2011-03-06 13:28 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-04 20:14 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-17 21:31 . 2011-02-17 21:31 459616 ----a-w- c:\windows\system32\drivers\EagleXNt.sys
2011-02-14 21:07 . 2011-02-05 21:04 235 ----a-w- c:\windows\system32\nxEuUninstall.bat
2011-02-14 21:07 . 2011-02-05 21:04 446464 ----a-w- c:\windows\NEXON_EU_DownloaderUpdater.exe
2011-02-02 13:31 . 2011-02-02 13:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-02 13:31 . 2011-02-02 13:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-29 19:29 . 2011-01-29 17:48 214592 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-01-19 18:00 . 2011-01-19 18:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-08 08:47 . 2011-02-09 16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 16:37 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-01-08 03:27 . 2011-01-19 23:47 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27 . 2011-01-19 23:47 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27 . 2011-01-19 23:47 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27 . 2011-01-19 23:47 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-01-08 03:27 . 2011-01-19 23:47 4941928 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27 . 2011-01-19 23:47 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27 . 2011-01-19 23:47 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27 . 2011-01-19 23:47 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-01-08 03:27 . 2011-01-19 23:47 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-01-08 03:27 . 2011-01-19 23:47 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-08 03:27 . 2011-01-19 23:47 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-01-08 03:27 . 2010-07-10 05:37 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27 . 2010-07-10 05:37 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-01-07 21:06 . 2011-01-07 21:06 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 21:06 . 2011-01-07 21:06 3597416 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 21:06 . 2011-01-07 21:06 2620520 ----a-w- c:\windows\system32\nvsvc.dll
2011-01-07 21:06 . 2011-01-07 21:06 608872 ----a-w- c:\windows\system32\nvvsvc.exe
2011-01-07 21:06 . 2011-01-07 21:06 2558568 ----a-w- c:\windows\system32\nvsvcr.dll
2011-01-07 21:06 . 2011-01-07 21:06 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-03-18 17:57 . 2011-03-25 18:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"KPeerNexonEU"="c:\nexon\NEXON_EU_Downloader\nxEULauncher.exe" [2011-02-14 438272]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-11-30 9914984]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 13:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 15:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 13:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 18:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2010-11-30 13:20 997408 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetFxUpdate_v1.1.4322]
2004-08-10 16:20 106496 ----a-w- c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2010-11-30 15:13 9914984 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
R1 MpKsl91392050;MpKsl91392050;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05255DED-F74C-43F4-B9AA-88521F0FAD71}\MpKsl91392050.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 136176]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [2011-02-17 459616]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-26 4060752]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2006-11-02 1083520]
R3 vtany;vtany;c:\windows\vtany.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [x]
R3 XDva359;XDva359;c:\windows\system32\XDva359.sys [x]
R3 XDva375;XDva375;c:\windows\system32\XDva375.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva383;XDva383;c:\windows\system32\XDva383.sys [x]
R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]
S1 MpKslad3fa2cd;MpKslad3fa2cd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE4B3D03-76DC-4804-9191-D5F2BA536917}\MpKslad3fa2cd.sys [2011-04-04 28752]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-09 18944]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
S3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-04-20 674048]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-09 33792]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-09-15 798208]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLAD3FA2CD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 15:00]
.
2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 15:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.skip-search.com/?cfg=2-82-0- ... country=GB
uInternet Settings,ProxyOverride = *.local
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
FF - ProfilePath - c:\users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\l8iw4m3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-cacaoweb - c:\users\Thomas\AppData\Roaming\cacaoweb\cacaoweb.exe
MSConfigStartUp-lxdxmon - (no file)
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 17:08
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cacaoweb = "c:\users\Thomas\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer?abled:cacaoweb?ng???P????u??????????P???P???????????P???????P?tz?u`??u????????????r???????Service Pack 2??????????????????????????????????????????????????????????????????????????????????Q??????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: SAMSUNG_ rev.1AJ1 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x852D7ECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xab82f879; SUB DWORD [EBP-0x4], 0xab82f135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 ntkrnlpa!IofCallDriver[0x82057912] -> \Device\Harddisk0\DR0[0x861A0398]
3 CLASSPNP[0x883A48B3] -> ntkrnlpa!IofCallDriver[0x82057912] -> [0x8488B2A0]
5 acpi[0x806956BC] -> ntkrnlpa!IofCallDriver[0x82057912] -> [0x8447A630]
[0x86BEC4A8] -> IRP_MJ_CREATE -> 0x852D7ECC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000005d -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD502HJ#4&358dcf36&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-04-04 17:09:56
ComboFix-quarantined-files.txt 2011-04-04 16:09
.
Pre-Run: 293,336,244,224 bytes free
Post-Run: 295,565,160,448 bytes free
.
- - End Of File - - 5F4AA218A63B73106519AAF31FC8B526
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby Dakeyras » April 4th, 2011, 8:36 pm

Hi. :)

Custom ComboFix-Script:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code: Select all
Driver::
vtany
XDva346
XDva359
XDva375
XDva380
XDva383
xhunter1

File::
c:\windows\system32\PnkBstrB.xtr

Registry::
[-HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetFxUpdate_v1.1.4322]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cacaoweb"=-

Reboot::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Malwarebytes Anti-Malware:

Note: Remember to right click MBAM and select Run As Administrator.

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 5th, 2011, 1:32 pm

Hey, the virus seemed like it has settled abit (it didnt redirect as much) here is ComboFix log :

ComboFix 11-04-04.04 - Thomas 05/04/2011 17:32:06.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1126 [GMT 1:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
Command switches used :: c:\users\Thomas\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\PnkBstrB.xtr"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\PnkBstrB.xtr
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_VTANY
-------\Legacy_XDVA346
-------\Legacy_XDVA359
-------\Legacy_XDVA375
-------\Legacy_XDVA380
-------\Legacy_XDVA383
-------\Legacy_XHUNTER1
-------\Service_vtany
-------\Service_XDva346
-------\Service_XDva359
-------\Service_XDva375
-------\Service_XDva380
-------\Service_XDva383
-------\Service_xhunter1
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-05 16:51 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9C8FA70B-0B90-4BB2-B8D0-4B88BA25676F}\mpengine.dll
2011-04-05 16:38 . 2011-04-05 16:38 -------- d-----w- c:\users\THOMAS~1~USE\AppData\Local\temp
2011-04-05 16:38 . 2011-04-05 16:38 -------- d-----w- c:\users\Thomas gander.User-PC\AppData\Local\temp
2011-04-05 16:38 . 2011-04-05 16:38 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-04-05 16:38 . 2011-04-05 16:38 -------- d-----w- c:\users\TEMP.THOMAS\AppData\Local\temp
2011-04-05 16:38 . 2011-04-05 16:38 -------- d-----w- c:\users\TEMP.THOMAS.000\AppData\Local\temp
2011-04-05 16:38 . 2011-04-05 16:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-05 16:38 . 2011-04-05 16:38 -------- d-----w- c:\users\Daddy\AppData\Local\temp
2011-04-04 16:09 . 2011-04-05 17:26 -------- d-----w- c:\users\Thomas\AppData\Local\temp
2011-04-01 20:22 . 2011-04-01 20:22 -------- d-----w- C:\_OTL
2011-04-01 20:11 . 2011-04-01 20:11 -------- d-----w- c:\program files\ERUNT
2011-03-31 19:04 . 2011-03-31 19:13 -------- d-----w- c:\users\Thomas\AppData\Roaming\Ventrilo
2011-03-31 19:03 . 2011-03-31 19:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-03-30 17:42 . 2011-03-30 17:42 -------- d-----w- c:\program files\Common Files\Adobe
2011-03-29 17:40 . 2011-03-29 17:45 -------- d-----w- c:\program files\Game_Maker8
2011-03-27 10:41 . 2011-03-27 10:41 388096 ----a-r- c:\users\Thomas\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-27 10:41 . 2011-03-27 10:41 -------- d-----w- c:\program files\Trend Micro
2011-03-26 15:51 . 2011-03-26 15:51 -------- d-----w- c:\users\Thomas\AppData\Roaming\MotioninJoy
2011-03-26 15:51 . 2010-08-19 19:24 255496 ----a-w- c:\windows\system32\MijFrc.dll
2011-03-26 15:51 . 2011-03-26 15:51 -------- d-----w- c:\program files\MotioninJoy
2011-03-26 15:37 . 2011-03-26 15:37 -------- d-----w- c:\program files\LibUSB-Win32-0.1.10.1
2011-03-26 15:37 . 2005-03-09 20:50 19456 ----a-w- c:\windows\system32\libusbd-9x.exe
2011-03-26 15:37 . 2005-03-09 20:50 18944 ----a-w- c:\windows\system32\libusbd-nt.exe
2011-03-26 15:37 . 2005-03-09 20:50 33792 ----a-w- c:\windows\system32\drivers\libusb0.sys
2011-03-26 15:37 . 2005-03-09 20:50 46592 ----a-w- c:\windows\system32\libusb0.dll
2011-03-26 13:49 . 2011-03-26 13:49 0 ----a-w- c:\users\Thomas\AppData\Local\Qlalofum.bin
2011-03-25 16:41 . 2011-03-04 20:13 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-25 16:41 . 2011-03-04 20:13 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3B366A5-B8DA-4E7D-9280-2599C4B44F6D}\gapaengine.dll
2011-03-24 19:21 . 2011-03-24 19:21 -------- d-----w- c:\users\Thomas\AppData\Roaming\FlashGet
2011-03-24 19:21 . 2011-03-25 19:02 -------- d-----w- c:\program files\FlashGet
2011-03-22 19:00 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-22 19:00 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 19:00 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-16 22:09 . 2011-03-16 22:09 -------- d-----w- C:\Bri'2000
2011-03-13 13:06 . 2011-03-13 13:06 -------- d-----w- c:\users\Daddy\AppData\Local\Apple
2011-03-09 19:38 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 19:38 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 19:38 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 19:38 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 19:38 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 19:38 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 19:32 . 2011-03-08 19:32 -------- d-----w- c:\users\Thomas\AppData\Roaming\OpenCandy
2011-03-08 19:32 . 2010-07-27 16:13 27136 ----a-w- c:\temp\npijjiautoinstallpluginff.dll
2011-03-08 19:32 . 2010-03-24 16:57 713312 ----a-w- c:\windows\system32\ijjiSetup.exe
2011-03-08 19:32 . 2010-03-24 16:56 62048 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2011-03-08 16:57 . 2011-03-08 16:57 -------- d-----w- C:\ijji
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-04 20:14 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-17 21:31 . 2011-02-17 21:31 459616 ----a-w- c:\windows\system32\drivers\EagleXNt.sys
2011-02-14 21:07 . 2011-02-05 21:04 235 ----a-w- c:\windows\system32\nxEuUninstall.bat
2011-02-14 21:07 . 2011-02-05 21:04 446464 ----a-w- c:\windows\NEXON_EU_DownloaderUpdater.exe
2011-02-02 13:31 . 2011-02-02 13:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-02 13:31 . 2011-02-02 13:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-20 16:37 . 2011-03-06 13:29 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-03-06 13:29 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-03-06 13:29 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-03-06 13:29 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-03-06 13:29 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-03-06 13:29 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-03-06 13:29 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-03-06 13:28 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-03-06 13:28 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-03-06 13:29 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-03-06 13:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-03-06 13:29 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-03-06 13:28 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-03-06 13:29 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-03-06 13:29 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-03-06 13:29 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-03-06 13:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-03-06 13:29 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-03-06 13:29 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-03-06 13:29 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-03-06 13:29 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-03-06 13:29 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-03-06 13:29 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-03-06 13:29 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-03-06 13:29 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-19 18:00 . 2011-01-19 18:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-08 08:47 . 2011-02-09 16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 16:37 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-01-08 03:27 . 2011-01-19 23:47 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27 . 2011-01-19 23:47 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27 . 2011-01-19 23:47 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27 . 2011-01-19 23:47 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-01-08 03:27 . 2011-01-19 23:47 4941928 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27 . 2011-01-19 23:47 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27 . 2011-01-19 23:47 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27 . 2011-01-19 23:47 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-01-08 03:27 . 2011-01-19 23:47 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-01-08 03:27 . 2011-01-19 23:47 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-08 03:27 . 2011-01-19 23:47 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-01-08 03:27 . 2010-07-10 05:37 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27 . 2010-07-10 05:37 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-01-07 21:06 . 2011-01-07 21:06 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 21:06 . 2011-01-07 21:06 3597416 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 21:06 . 2011-01-07 21:06 2620520 ----a-w- c:\windows\system32\nvsvc.dll
2011-01-07 21:06 . 2011-01-07 21:06 608872 ----a-w- c:\windows\system32\nvvsvc.exe
2011-01-07 21:06 . 2011-01-07 21:06 2558568 ----a-w- c:\windows\system32\nvsvcr.dll
2011-01-07 21:06 . 2011-01-07 21:06 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-03-18 17:57 . 2011-03-25 18:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"KPeerNexonEU"="c:\nexon\NEXON_EU_Downloader\nxEULauncher.exe" [2011-02-14 438272]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-11-30 9914984]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
R1 MpKsl91392050;MpKsl91392050;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05255DED-F74C-43F4-B9AA-88521F0FAD71}\MpKsl91392050.sys [x]
R1 MpKslf873e4f5;MpKslf873e4f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1B2C252-9778-4D49-90E8-B5AE0DFB1614}\MpKslf873e4f5.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 136176]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [2011-02-17 459616]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-10-26 4060752]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2006-11-02 1083520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-09 18944]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
S3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-04-20 674048]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-09 33792]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-09-15 798208]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 15:00]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-02 15:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.skip-search.com/?cfg=2-82-0- ... country=GB
uInternet Settings,ProxyOverride = *.local
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
FF - ProfilePath - c:\users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\l8iw4m3r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 18:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: SAMSUNG_ rev.1AJ1 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x852D1ECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xab82f879; SUB DWORD [EBP-0x4], 0xab82f135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 ntkrnlpa!IofCallDriver[0x82096912] -> \Device\Harddisk0\DR0[0x85C44730]
3 CLASSPNP[0x82FAC8B3] -> ntkrnlpa!IofCallDriver[0x82096912] -> [0x84895870]
5 acpi[0x806986BC] -> ntkrnlpa!IofCallDriver[0x82096912] -> [0x84895AA0]
[0x86877ED0] -> IRP_MJ_CREATE -> 0x852D1ECC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000005f -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD502HJ#4&358dcf36&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Ralink\Common\RaRegistry.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\vssvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-05 18:29:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-05 17:29
ComboFix2.txt 2011-04-04 16:09
.
Pre-Run: 294,265,729,024 bytes free
Post-Run: 294,165,778,432 bytes free
.
- - End Of File - - 05916549D5ECD09C208EC15C0877877D
Last edited by gander on April 5th, 2011, 1:46 pm, edited 1 time in total.
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 5th, 2011, 1:37 pm

And here is Malwarebytes log :
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5562

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18999

21/01/2011 00:17:56
mbam-log-2011-01-21 (00-17-56).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 307890
Time elapsed: 55 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\mywebsearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\thomas gander.user-pc\favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\2.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\2.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\2.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\2.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby Dakeyras » April 5th, 2011, 4:28 pm

Hi. :)

Hey, the virus seemed like it has settled abit (it didnt redirect as much) here is ComboFix log :
So you are still experiencing browser misdirection then?

Also you have posted a old Malwarebytes Anti-Malware log, not a updated quick scan log as I requested:
Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Database version: 5562

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18999

21/01/2011 00:17:56
mbam-log-2011-01-21 (00-17-56).txt
Also when did you exactly update your machine to Vista Service Pack 2 if I may enquire?
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 5th, 2011, 5:55 pm

Around Feb I think, but a few secs ago when I was starting up my comp got the blue screen of death 0.0, but here is the log :

Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Database version: 6241

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

05/04/2011 18:37:20
mbam-log-2011-04-05 (18-37-20).txt

Scan type: Quick scan
Objects scanned: 195611
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 5th, 2011, 5:58 pm

And I am still being re-directed as i just tryed to go on amazon and this came up : hxxp://uk.gomeo.co.uk/index.php?a=1&key ... e+minerals
Last edited by Carolyn on April 6th, 2011, 7:13 am, edited 1 time in total.
Reason: disabled malicious URL
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby Dakeyras » April 6th, 2011, 7:05 am

Hi. :)

I would like to analyse the MBR.dat file created by aswMBR, the aforementioned file should still be on your Desktop. Please attach it in your next reply, how to attach a file as follows...

Post Reply >> Next to Filename click on Browse... >> Add the file

Next:

Do you recognise the below empty folders? If not please delete them, then empty the Recycle Bin...

C:\Bri'2000
C:\ijji

Reset IE8:

  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished and or keep it if any problems in the future with IE8.
  • Next time IE8 is launched you will be prompted to reapply settings again, this is normal.

Note: Any add-ons will require to be reapplied after the above reset.

Router Advice:

If you are using a Router, reset it then change the Admin(login) password. Ensure the NAT(Network Address Translation) Firewall is active. If a actual Wireless Router check it is secure....Further information about this can be read here. Finally check for any firmware updates.

If the default password is retained, a remote attacker can install his own server address in between you and your Internet Service Provider. (The default passwords are published). If you go into the router installation routine, you can take a quick look at the IP addresses in the router setup to make sure no extras have been added.

Scan with TDSSKiller:

Please download TDSSKiller.zip and extract (unzip) it to your Desktop.

  • Right-click on TDSSKiller.exe and select Run as Administrator to launch it.
  • Click on Start Scan, the scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • To find the log go to Start > Computer > C:
  • Post the contents of that log in your next reply please.

Note: Do not have TDSSKiller remove anything if found at this point in time!
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: HELP Gomeo type sites redirecting ISSUES

Unread postby gander » April 6th, 2011, 1:57 pm

MBR.dat
You do not have the required permissions to view the files attached to this post.
gander
Regular Member
 
Posts: 39
Joined: March 27th, 2011, 8:44 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware