Malware Removal Help Please (Web Browser Search Redirect)

Unread post by holybananas » January 22nd, 2012, 10:25 pm

Hi,

I have been experiencing search redirects with my web browsers (IE, Google, Firefox). I recently did a full recovery on my laptop (Windows 7 Home Premium x64) but the problems still persist despite running scans with Trend Micro Internet Security, Malwarebytes Anti-Malware and Combofix. Below are my DDS and Attach logs. Please let me know how to proceed. Thanks in advance.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by victor at 10:03:43 on 2012-01-23
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.65.1033.18.4095.2104 [GMT 8:00]
.
AV: Trend Micro Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Windows\SysWOW64\ACEngSvr.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe
C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\AsScrPro.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\Explorer.exe
C:\Users\victor\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [Microsoft Pinyin IME Migration] C:\PROGRA~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\victor\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\victor\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FANCYS~1.LNK - C:\Windows\Installer\{F0DF4513-3C4C-4EB8-8012-2C5F70AF3988}\_A1DDD39913A1970387B7B3.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SRSPRE~1.LNK - C:\Windows\Installer\{D42F84B6-3709-4A50-8502-6719D16AE6C8}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
TCP: DhcpNameServer = 218.186.2.16 218.186.1.58 218.186.2.6
TCP: Interfaces\{26F0D42A-DA51-4369-BD8F-0A12259D7068} : DhcpNameServer = 218.186.2.16 218.186.1.58 218.186.2.6
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [Microsoft Pinyin IME Migration] C:\PROGRA~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
mRun-x64: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
mRun-x64: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\victor\AppData\Roaming\Mozilla\Firefox\Profiles\n3ddfqyl.default\
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\2.0.31005.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 ASMMAP64;ASMMAP64;C:\Program Files\ATKGFNEX\ASMMAP64.sys [2009-11-20 14904]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-1-22 1153368]
R2 tmpreflt;tmpreflt;C:\Windows\system32\DRIVERS\tmpreflt.sys --> C:\Windows\system32\DRIVERS\tmpreflt.sys [?]
R3 acpials;ALS Sensor Filter;C:\Windows\system32\DRIVERS\acpials.sys --> C:\Windows\system32\DRIVERS\acpials.sys [?]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 NETw1v64;Intel(R) Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw1v64.sys --> C:\Windows\system32\DRIVERS\NETw1v64.sys [?]
R3 TmProxy;Trend Micro Proxy Service;C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2009-11-20 917768]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-1-22 652872]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2008-12-8 533344]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2012-01-23 02:03:01 -------- d-----r- C:\Users\victor\Dropbox
2012-01-23 01:59:57 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-23 01:57:37 -------- d-----w- C:\Users\victor\AppData\Roaming\Dropbox
2012-01-23 00:20:56 98816 ----a-w- C:\Windows\sed.exe
2012-01-23 00:20:56 518144 ----a-w- C:\Windows\SWREG.exe
2012-01-23 00:20:56 256000 ----a-w- C:\Windows\PEV.exe
2012-01-23 00:20:56 208896 ----a-w- C:\Windows\MBR.exe
2012-01-23 00:19:43 -------- d-----w- C:\ComboFix
2012-01-23 00:13:18 -------- d-----w- C:\PHD 2012
2012-01-23 00:11:17 -------- d-----w- C:\Users\victor\AppData\Local\Adobe
2012-01-22 14:24:34 -------- d-----w- C:\Users\victor\AppData\Local\Apple Computer
2012-01-22 14:24:16 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-01-22 14:24:16 126312 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-01-22 14:24:16 107368 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-01-22 14:23:54 -------- d-----w- C:\Program Files\iPod
2012-01-22 14:23:53 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-22 14:23:53 -------- d-----w- C:\Program Files\iTunes
2012-01-22 14:23:53 -------- d-----w- C:\Program Files (x86)\iTunes
2012-01-22 14:22:38 -------- d-----w- C:\Users\victor\AppData\Local\Apple
2012-01-22 14:21:42 -------- d-----w- C:\Program Files\Bonjour
2012-01-22 14:21:42 -------- d-----w- C:\Program Files (x86)\Bonjour
2012-01-22 14:20:16 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-01-22 12:32:22 -------- d-----w- C:\Users\victor\AppData\Roaming\Malwarebytes
2012-01-22 12:31:25 -------- d-----w- C:\ProgramData\Malwarebytes
2012-01-22 12:31:22 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-22 12:09:02 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6EA502E6-E909-4F6C-A913-ECE1C0C5A216}\mpengine.dll
2012-01-22 12:09:02 270720 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-22 11:32:13 42768 ----a-w- C:\Windows\System32\drivers\tmpreflt.sys
2012-01-22 11:32:13 342288 ----a-w- C:\Windows\System32\drivers\tmxpflt.sys
2012-01-22 11:32:13 2077456 ----a-w- C:\Windows\System32\drivers\vsapint.sys
2012-01-22 11:31:24 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-01-22 11:31:24 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-01-22 11:31:24 139264 ----a-w- C:\Windows\System32\cabview.dll
2012-01-22 11:31:24 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2012-01-22 11:27:55 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-01-22 11:27:55 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-01-22 09:13:32 -------- d-----w- C:\Users\victor\AppData\Local\ATI
2012-01-22 09:12:36 -------- d-----w- C:\Users\victor\AppData\Local\SRS Labs
2012-01-22 09:12:35 -------- d-----w- C:\Users\victor\AppData\Roaming\Asus WebStorage
2012-01-22 09:10:55 61792 ----a-w- C:\Windows\System32\drivers\fssfltr.sys
2012-01-22 09:09:58 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2012-01-22 09:09:58 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2012-01-22 09:09:53 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-01-22 09:09:09 -------- d-----w- C:\Program Files (x86)\Microsoft
2012-01-22 09:08:51 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2012-01-22 09:08:27 -------- d-----w- C:\Users\victor\AppData\Local\Power2Go
2012-01-22 09:08:24 -------- d-----w- C:\Users\victor\AppData\Local\VirtualStore
2012-01-22 09:08:14 4865408 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\5f175fbf1ccd8e5\Silverlight.2.0.exe
2012-01-22 09:08:02 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\583384141ccd8e5\DSETUP.dll
2012-01-22 09:08:02 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\583384141ccd8e5\DXSETUP.exe
2012-01-22 09:08:02 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\583384141ccd8e5\dsetup32.dll
.
==================== Find3M ====================
.
.
============= FINISH: 10:12:25.08 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 22/1/2012 5:06:58 PM
System Uptime: 23/1/2012 9:15:10 AM (1 hours ago)
.
Motherboard: ASUSTeK Computer Inc. | | U80V
Processor: Intel(R) Core(TM)2 Duo CPU T9600 @ 2.80GHz | Socket 478 | 2801/267mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 116 GiB total, 81.917 GiB free.
D: is FIXED (NTFS) - 335 GiB total, 323.593 GiB free.
E: is CDROM (CDFS)
F: is FIXED (NTFS) - 466 GiB total, 81.993 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1 MUI
Alcor Micro USB Card Reader
Apple Application Support
Apple Software Update
ASUS FancyStart
ASUS LifeFrame3
ASUS Live Update
ASUS MultiFrame
ASUS SmartLogon
ASUS Splendid Video Enhancement Technology
ASUS Virtual Camera
ASUS_U_Series_Screensaver
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Choice Guard
ControlDeck
CyberLink LabelPrint
CyberLink Power2Go
Dropbox
Express Gate
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft Office Excel MUI (Arabic) 2007
Microsoft Office Excel MUI (Chinese (Simplified)) 2007
Microsoft Office Excel MUI (Chinese (Traditional)) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office Excel MUI (Portuguese (Brazil)) 2007
Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Excel MUI (Thai) 2007
Microsoft Office Excel MUI (Turkish) 2007
Microsoft Office Home and Student 2007
Microsoft Office IME (Chinese (Simplified)) 2007
Microsoft Office IME (Chinese (Traditional)) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (Arabic) 2007
Microsoft Office OneNote MUI (Chinese (Simplified)) 2007
Microsoft Office OneNote MUI (Chinese (Traditional)) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (French) 2007
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007
Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
Microsoft Office OneNote MUI (Spanish) 2007
Microsoft Office OneNote MUI (Thai) 2007
Microsoft Office OneNote MUI (Turkish) 2007
Microsoft Office PowerPoint MUI (Arabic) 2007
Microsoft Office PowerPoint MUI (Chinese (Simplified)) 2007
Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007
Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (Thai) 2007
Microsoft Office PowerPoint MUI (Turkish) 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (Chinese (Simplified)) 2007
Microsoft Office Proof (Chinese (Traditional)) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Portuguese (Portugal)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Thai) 2007
Microsoft Office Proof (Turkish) 2007
Microsoft Office Proofing (Arabic) 2007
Microsoft Office Proofing (Chinese (Simplified)) 2007
Microsoft Office Proofing (Chinese (Traditional)) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing (Portuguese (Brazil)) 2007
Microsoft Office Proofing (Portuguese (Portugal)) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Proofing (Thai) 2007
Microsoft Office Proofing (Turkish) 2007
Microsoft Office Shared MUI (Arabic) 2007
Microsoft Office Shared MUI (Chinese (Simplified)) 2007
Microsoft Office Shared MUI (Chinese (Traditional)) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Shared MUI (Portuguese (Brazil)) 2007
Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Shared MUI (Thai) 2007
Microsoft Office Shared MUI (Turkish) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (Arabic) 2007
Microsoft Office Word MUI (Chinese (Simplified)) 2007
Microsoft Office Word MUI (Chinese (Traditional)) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Office Word MUI (Portuguese (Brazil)) 2007
Microsoft Office Word MUI (Portuguese (Portugal)) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Office Word MUI (Thai) 2007
Microsoft Office Word MUI (Turkish) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Mozilla Firefox 9.0.1 (x86 en-GB)
MSVCRT
Realtek High Definition Audio Driver
Spybot - Search & Destroy
VLC media player 1.1.11
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinFlash
Wireless Console 3
.
==== Event Viewer Messages From Past Week ========
.
23/1/2012 9:53:26 AM, Error: atikmdag [43029] - Display is not active
23/1/2012 9:01:37 AM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
23/1/2012 9:01:37 AM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
23/1/2012 8:59:16 AM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
23/1/2012 8:57:57 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
23/1/2012 8:54:50 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
22/1/2012 4:56:25 PM, Error: Service Control Manager [7022] - The Windows Search service hung on starting.
.
==== End Of File ===========================
holybananas
Active Member
 
Posts: 5
Joined: January 22nd, 2012, 10:00 pm

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread post by Dakeyras » January 23rd, 2012, 6:52 am

Hi. :)

I recently did a full recovery on my laptop (Windows 7 Home Premium x64)
Do you mean an actual reformat and reinstallation of the Windows operating system (and/or invoking a recovery partition to perform a factory reset), and if so, did you reapply any backups afterwards?
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread post by holybananas » January 23rd, 2012, 10:44 am

Hi,
I invoked a recovery partition to perform a factory reset and did a backup of the files into an external drive before I did the factory reset.
holybananas
Active Member
 
Posts: 5
Joined: January 22nd, 2012, 10:00 pm

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread post by Dakeyras » January 23rd, 2012, 6:42 pm

Hi. :)

I invoked a recovery partition to perform a factory reset and did a backup of the files into an external drive before I did the factory reset
Thank you for the clarification. If you have used these backups since, it may be that they are infected and thus your machine became infected again. As a precaution, please disconnect the external hard drive which contains the aforementioned backups for now and do not connect it again until I advise otherwise, thank you.

Regarding ComboFix, some friendly advice: this particular application is very powerful and should only be used under the guidance of a trained helper, as otherwise unpredictable results can occur. If anything was removed by ComboFix, please post the log. It can be located at:

C:\ComboFix.txt

Please read the below before continuing:-

  • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Disable Teatimer:

This is so it will not hinder the actual Malware Removal process, plus it will be causing a security/system conflict with the Malwarebytes' Anti-Malware Protection Module...

We may need to temp disable the aforementioned Protection Module also at some point but leave it be for now.

  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol ) and choose Exit Spybot S&D Resident
  • Run Spybot S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools >> Resident
  • Uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
  • Use the default install settings but say No to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Right-click the aswMBR.exe and select Run as Administrator to run it.
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start the scan.
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply.

Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, as it is an actual backup of the MBR (master boot record).

Scan with RogueKiller:

Please download RogueKiller to your desktop

Alternate download is here.

  • Quit all running programs
  • Right-click on RogueKiller.exe and select Run as Administrator to start the application.
  • When prompted, type 1 then depress the Enter/Return key.
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
  • Please post the contents of the RKreport.txt in your next Reply.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • ComboFix Log(only if anything was removed).
  • aswMBR Log.
  • RogueKiller.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
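The two scans requested above produce plain-text reports, and what the helper looks for in them is narrow: the ">>UNKNOWN [addr]<<" token aswMBR prints when code belonging to no loaded module sits in the disk driver call chain, the dispatch line showing which driver's IRP handler now points at that address, and RogueKiller's Infection verdict, hijacked registry entries and hosts-file mappings. The following Python triage script is an added example, not a MalwareRemoval.com script and not part of aswMBR or RogueKiller; the function names are mine, the line formats are assumed from the samples (neither tool documents them here), and the embedded sample lines are copied from the logs posted in the next reply of this thread. The hosts-file check beyond the localhost line and the combined verdict are my additions.

```python
"""Triage helper for aswMBR and RogueKiller text reports.

Added example, not a MalwareRemoval.com script and not part of either tool:
it pulls out what a helper reads first when a search-redirect case may be an
MBR bootkit (an unnamed module spliced into the disk driver call chain in the
aswMBR trace) and RogueKiller's verdict, hijack and hosts-file lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the two logs posted in the next reply.
ASWMBR_SAMPLE = r"""
13:06:44.082 Disk 0 Windows XP default MBR code
13:06:50.107 Disk 0 trace - called modules:
13:06:50.130 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004850254]<<iaStor.sys
13:06:50.242 \Driver\iaStor[0xfffffa800465a900] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004850254
13:06:50.247 Scan finished successfully
"""
ROGUEKILLER_SAMPLE = r"""
¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : Root.MBR ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
"""

# Line shapes are assumed from the samples above; neither tool documents them here.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
DISPATCH_RE = re.compile(r"(\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> (IRP_\w+) -> (0x[0-9a-fA-F]+)")
RK_INFECTION_RE = re.compile(r"^¤¤¤ Infection : (\S+) ¤¤¤")
RK_ENTRY_RE = re.compile(r"^\[(\w+)\] (\S+) : (.+) -> FOUND$")


@dataclass(frozen=True)
class Finding:
    source: str  # which tool's log the line came from
    kind: str    # indicator category
    detail: str  # one-line summary for the reply


def parse_aswmbr(text: str) -> list[Finding]:
    """The 'trace - called modules' chain lists every driver the disk I/O path
    passes through. '>>UNKNOWN [addr]<<' marks code that belongs to no loaded
    module; a later dispatch line shows whose IRP handler now points there."""
    findings, unknown = [], set()
    for line in text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            addr = m.group(1).lower()
            unknown.add(addr)
            before, after = line.split(m.group(0), 1)
            findings.append(Finding("aswMBR", "disk-stack-hook",
                f"unnamed code at {addr} between {before.split()[-1]} and {after.strip()}"))
            continue
        d = DISPATCH_RE.search(line)
        if d and d.group(3).lower() in unknown:
            findings.append(Finding("aswMBR", "irp-redirect",
                f"{d.group(1)} {d.group(2)} dispatches to unnamed code at {d.group(3).lower()}"))
    return findings


def parse_roguekiller(text: str) -> list[Finding]:
    """Verdict line, hijacked registry entries, and hosts mappings other than
    localhost (a hosts-file entry is a common way to redirect a search site)."""
    findings, section = [], ""
    for line in text.splitlines():
        if line.startswith("¤¤¤"):
            section = line
            m = RK_INFECTION_RE.match(line)
            if m:
                findings.append(Finding("RogueKiller", "infection", m.group(1)))
            continue
        m = RK_ENTRY_RE.match(line)
        if m:
            findings.append(Finding("RogueKiller", "hijack", f"{m.group(2)} = {m.group(3)}"))
        elif section.startswith("¤¤¤ HOSTS File") and not line.startswith("#"):
            parts = line.split()
            if len(parts) >= 2 and parts[1].lower() != "localhost":
                findings.append(Finding("RogueKiller", "hosts-redirect", f"{parts[1]} -> {parts[0]}"))
    return findings


def triage(aswmbr_text: str, roguekiller_text: str) -> dict:
    """Combine both reports into a verdict the helper can act on."""
    findings = parse_aswmbr(aswmbr_text) + parse_roguekiller(roguekiller_text)
    kinds = {f.kind for f in findings}
    root_mbr = any(f.kind == "infection" and f.detail.startswith("Root.MBR") for f in findings)
    if "disk-stack-hook" in kinds and root_mbr:
        verdict = "mbr-bootkit-suspected"
    else:
        verdict = "review" if findings else "clean"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(ASWMBR_SAMPLE, ROGUEKILLER_SAMPLE)
    print("verdict:", result["verdict"])
    for f in result["findings"]:
        print(f"  [{f.source}] {f.kind}: {f.detail}")
```

Run it directly to see the verdict for the embedded samples; in practice you would pass the contents of aswMBR.txt and RKreport.txt. A "mbr-bootkit-suspected" verdict is the reason the post asks to keep the MBR.dat file aswMBR saves: that file is the backup of the sector any later fix would need, and it explains why a factory reset that rewrote only the Windows partition, not the MBR, left the redirects in place.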

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread post by holybananas » January 24th, 2012, 1:12 am

Hi,
I have disconnected all backups from the laptop. The search redirect problem still persists in Firefox and IE. The following are the aswMBR and RogueKiller logs. Thank you.

aswMBR Log:

aswMBR version 0.9.9.1509 Copyright(c) 2011 AVAST Software
Run date: 2012-01-24 13:06:31
-----------------------------
13:06:31.868 OS Version: Windows x64 6.1.7600
13:06:31.868 Number of processors: 2 586 0x170A
13:06:31.869 ComputerName: VICTOR-PC UserName: victor
13:06:34.430 Initialize success
13:06:44.059 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:06:44.061 Disk 0 Vendor: ST950032 0002 Size: 476940MB BusType: 3
13:06:44.077 Disk 0 MBR read successfully
13:06:44.080 Disk 0 MBR scan
13:06:44.082 Disk 0 Windows XP default MBR code
13:06:44.089 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 14997 MB offset 2048
13:06:44.105 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 119235 MB offset 30717952
13:06:44.108 Disk 0 Partition - 00 0F Extended LBA 342705 MB offset 274911232
13:06:44.141 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 342704 MB offset 274913280
13:06:44.145 Service scanning
13:06:50.103 Modules scanning
13:06:50.107 Disk 0 trace - called modules:
13:06:50.130 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004850254]<<iaStor.sys
13:06:50.134 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004835730]
13:06:50.232 3 CLASSPNP.SYS[fffff880013b343f] -> nt!IofCallDriver -> [0xfffffa800465d940]
13:06:50.237 5 ACPI.sys[fffff88000f99781] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80046a2050]
13:06:50.242 \Driver\iaStor[0xfffffa800465a900] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004850254
13:06:50.247 Scan finished successfully
13:07:23.669 Disk 0 MBR has been saved successfully to "C:\Users\victor\Desktop\MalwareRemoval\20120124\MBR.dat"
13:07:23.677 The log file has been saved successfully to "C:\Users\victor\Desktop\MalwareRemoval\20120124\aswMBR.txt"

RogueKiller Log:

RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: victor [Admin rights]
Mode: Scan -- Date : 01/24/2012 13:07:57

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 548f15a7aadc556e8be51350d920aae5
[BSP] b85488da922acb0ca8a173b6d0c01820 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 2048 | Size: 15725 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 30717952 | Size: 125026 Mo
2 - [XXXXXX] UNKNW [VISIBLE] Offset (sectors): 274911232 | Size: 359352 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 2f7293d45d8ec04372536349b078c568
[BSP] 272e060d2702a21d685fd35acad4bea5 : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 2048 | Size: 15725 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 30717952 | Size: 125026 Mo
2 - [XXXXXX] UNKNW [VISIBLE] Offset (sectors): 274911232 | Size: 359352 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 2f7293d45d8ec04372536349b078c568
[BSP] 272e060d2702a21d685fd35acad4bea5 : MaxSS MBR Code!
Partition table:
0 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 2048 | Size: 15725 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 30717952 | Size: 125026 Mo
2 - [XXXXXX] UNKNW [VISIBLE] Offset (sectors): 274911232 | Size: 359352 Mo

Finished : << RKreport[1].txt >>
holybananas
Active Member
 
Posts: 5
Joined: January 22nd, 2012, 10:00 pm

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread postby Dakeyras » January 24th, 2012, 6:59 am

Hi,

I have bad news I'm afraid. Your machine is infected with a particularly nasty Rootkit of the TDL4 strain, namely MaxSS...

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Next:

Basically this is a hidden partition on the main Hard-Drive that the infection creates, and when your machine boots up this is accessed/used first rather than the actual MBR (Master Boot Record). The MBR on your machine does appear to be an XP one, and this is probably due either to the infection and/or to the fact that your machine appears to be an ASUS model.

Unfortunately, if I attempt to remove this particular infection it will in all likelihood render the actual Recovery Partition inactive and you would never be able to perform a Factory Reset again, which is far from ideal. Plus it appears that if I did attempt a removal of the infection/hidden partition I would be unable to rebuild the actual OEM/Recovery Partition afterwards to re-enable this feature, as your machine's manufacturer appears not to provide such a tool to do so, as far as I am aware.

Next:

My best advice would be to perform another Factory Reset but before doing so we will need to check/clean your backups/external Hard-Drives to ensure that afterwards when used your machine is not re-infected again.

So would you like me to attempt to disinfect your backups or not?
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
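The RogueKiller "MBR Check" in the log above reads sector 0 of PhysicalDrive0 three ways (User, LL1, LL2), hashes each read, classifies the bootstrap code, and prints the partition table; the verdict "User != LL1 ... KO!" means the copy handed to a normal user-mode read differs from what the lower-level reads return, which is exactly what Dakeyras describes: something below the file-system stack is serving a clean-looking MBR while the real one boots elsewhere. The following is an added example, not part of the thread and not RogueKiller's or aswMBR's code. It parses a 512-byte MBR sector (for instance the MBR.dat that aswMBR saved, if that file is the raw sector), lists the partition table with hidden-type flags in the style of the log, and performs the same two-view comparison. The partition layout is copied from the logs above; the bootstrap bytes and the disk signature are constructed placeholders, not real MBR or rootkit code, so the hashes will not match the ones in the log. Hashing the whole sector and, separately, the 440-byte bootstrap region is this example's approximation of the tool's two hash lines, assumed here rather than taken from the tool.

```python
"""Parse a 512-byte MBR and compare two reads of it, MBR-rootkit style.

Added example for this thread; not RogueKiller's or aswMBR's code. The
partition layout is taken from the logs above; the bootstrap code and the
disk signature are constructed placeholders (not real MBR or rootkit code).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bootstrap code occupies bytes 0..439
DISK_SIG_OFFSET = 440        # 4-byte Windows disk signature, then 2 reserved bytes
PTABLE_OFFSET = 446          # four 16-byte partition entries
SIGNATURE_OFFSET = 510       # 0x55AA boot signature

# Partition type bytes, labelled roughly the way the tools in the thread label them.
PART_TYPES = {
    0x07: "HPFS/NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 LBA",
    0x0F: "Extended LBA",
    0x17: "Hidden HPFS/NTFS",
    0x1B: "Hidden FAT32",
    0x1C: "Hidden FAT32 LBA",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(mbr: bytes) -> dict:
    """Return hashes and the decoded partition table of one 512-byte MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PTABLE_OFFSET + 16 * i : PTABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, lba_count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and lba_count == 0:
            continue                                  # empty slot
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "label": PART_TYPES.get(ptype, "UNKNW"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "lba_count": lba_count,
            "size_mib": lba_count * SECTOR // (1024 * 1024),
        })
    return {
        "mbr_md5": hashlib.md5(mbr).hexdigest(),                   # whole sector
        "code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),  # bootstrap code only
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "partitions": parts,
    }


def compare_views(user_view: bytes, low_level_view: bytes) -> dict:
    """The check the log reports as 'User != LL1': the same sector read through
    the normal I/O path and through a lower layer must hash identically.
    Different bootstrap code over an identical partition table is the footprint
    of an MBR rootkit handing user-mode readers a clean-looking copy."""
    u, l = parse_mbr(user_view), parse_mbr(low_level_view)
    table = slice(PTABLE_OFFSET, SIGNATURE_OFFSET)
    result = {
        "full_match": u["mbr_md5"] == l["mbr_md5"],
        "code_match": u["code_md5"] == l["code_md5"],
        "table_match": user_view[table] == low_level_view[table],
    }
    result["verdict"] = "OK" if result["full_match"] else "KO"
    return result


def describe(parsed: dict) -> list:
    """One line per partition, in the style of the RogueKiller log above."""
    lines = []
    for p in parsed["partitions"]:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        vis = "HIDDEN!" if p["hidden"] else "VISIBLE"
        lines.append(f"{p['index']} - [{flag}] {p['label']} [{vis}] "
                     f"Offset (sectors): {p['lba_start']} | Size: {p['size_mib']} MiB")
    return lines


# --- constructed sample data: layout from the thread's logs, code is a placeholder ---
def _entry(status, ptype, lba_start, lba_count):
    return struct.pack("<B3xB3xII", status, ptype, lba_start, lba_count)


def build_sample_mbr(boot_code: bytes) -> bytes:
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"     # placeholder signature
    table = (_entry(0x00, 0x1C, 2048, 30713856)             # hidden FAT32 LBA, 14997 MiB
             + _entry(0x80, 0x07, 30717952, 244193280)      # active NTFS, 119235 MiB
             + _entry(0x00, 0x0F, 274911232, 701859840)     # extended container, 342705 MiB
             + _entry(0x00, 0x00, 0, 0))                    # empty slot
    return code + disk_sig + table + b"\x55\xaa"


USER_VIEW = build_sample_mbr(b"placeholder: what a user-mode read is shown")
LOW_LEVEL_VIEW = build_sample_mbr(b"placeholder: what the lower-level read returns")

if __name__ == "__main__":
    for line in describe(parse_mbr(LOW_LEVEL_VIEW)):
        print(line)
    print(compare_views(USER_VIEW, LOW_LEVEL_VIEW))
```

On a live Windows machine the user-mode view is what an elevated process gets from `open(r"\\.\PhysicalDrive0", "rb").read(512)`; that is the read a rootkit in the disk driver stack can filter, which is why the tools in this thread obtain their LL1/LL2 views through their own kernel-mode component. The example takes both views as plain bytes and does not attempt the low-level read itself.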

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread postby holybananas » January 24th, 2012, 7:10 am

Hi,

I had no idea that the problem would be so serious. Please let me know how to disinfect my backup. Thank you
holybananas
Active Member
 
Posts: 5
Joined: January 22nd, 2012, 10:00 pm

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread postby Dakeyras » January 24th, 2012, 9:45 am

Hi. :)

Please let me know how to disinfect my backup. Thank you
You're welcome and by all means as follows...

Re-scan with RogueKiller:

  • Quit all running programs.
  • Right-click on RogueKiller.exe and select Run as Administrator to start the application.
  • When prompted, type 2 then depress the Enter/Return key.
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Download/Run Panda USB Vaccine:

Please download Panda USB Vaccine from here to the Desktop of your machine.

  • Right-click on USBVaccineSetup.exe and select Run as Administrator >> follow the prompts in the installation wizard.
  • At the configuration screen (settings)...
  • Ensure both Run Panda USB Vaccine automatically when computer boots (/resident mode) & Automatically vaccinate any newly inserted USB key are selected.
  • Now click on Next> >> ensure Launch Panda USB Vaccine is selected >> click on Finish.
  • Insert your External Hard-Drive into your machine... it will be automatically vaccinated.
  • Close Panda USB Vaccine via right-clicking on the Panda USB Vaccine system tray icon and selecting Exit.

Note: If more than one External Hard-Drive in use, connect them one at a time, then leave them connected afterwards.

Next:

Right-click on the Malwarebytes Anti-Malware System Tray icon >> Check for Updates

Now click on Start(Windows 7 Orb) >> Computer >> Right-click on the Drive Icon for your External Hard-Drive >> Scan with Malwarebytes' Anti-Malware

If anything found, have Malwarebytes' Anti-Malware remove it and reboot your machine if prompted...

Repeat the above if more than one External Hard-Drive in use.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan...
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use Notepad to open the logfile located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

When completed the above, please post back the following in the order asked for:

  • New RogueKiller Log.
  • Malwarebytes Anti-Malware Logs (if anything removed).
  • Eset Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread postby holybananas » January 25th, 2012, 4:04 am

One of my backups is in NTFS format, which cannot be scanned by Panda USB Vaccine. May I know if there is an alternative that will be able to deal with this backup?

Also, I would like to ask if it's possible that the rootkit has already infected the hidden recovery partition? I have tried to format the recovery partition but have been unable to. If the recovery partition is infected, I would not hesitate to format the entire hard drive and get a new Windows DVD.

Please advise, thank you.
holybananas
Active Member
 
Posts: 5
Joined: January 22nd, 2012, 10:00 pm

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread postby Dakeyras » January 25th, 2012, 5:47 am

Hi. :)

One of my backups is in NTFS format, which cannot be scanned by Panda USB Vaccine. May I know if there is an alternative that will be able to deal with this backup?
OK, there is not a specific application I am aware of that is both NTFS and Windows 7 compatible, I'm afraid. However there is a feature available with Panda USB Vaccine that can accomplish such, but it is in the beta stage...

Now as a rule I prefer not to have anyone I assist use any form of beta software, as a precaution. Anyway, I have just checked the aforementioned on one of my spare NTFS drives and it appears to work just fine with no apparent side effects I could discern.

So the choice to do so is yours alone; or maybe consider cutting your losses and reformatting the drive to FAT32, though that is not ideal, sadly, from the standpoint of using an outdated file system on any one drive.

If you choose to use Panda USB Vaccine again as outlined, uninstall then reinstall and at the configuration screen(settings)... also select the following:-

NTFS support(beta)
Enable NTFS file system support


Also, I would like to ask if it's possible that the rootkit has already infected the hidden recovery partition? I have tried to format the recovery partition but have been unable to.
The Rootkit will not have infected the actual Recovery Partition; it creates a hidden partition that is activated when the machine is first booted up, rather than using the standard MBR (Master Boot Record). I would not try to format the actual Recovery Partition though, as this may render it useless. Usually, trying to format it independently is not easily accomplished, as a safety feature, and the only actual way to overwrite it would be an actual reformat and reinstallation of the Windows Operating System using a genuine Windows 7 Installation DVD, to name one example.

I would not hesitate to format the entire hard drive and get a new Windows DVD.
In the long view purchasing such would probably be a prudent move. Myself, I am not a fan of OEM installations that utilise a Recovery Partition rather than an actual installation DVD. Why some manufacturers insist on providing such is beyond me, though I surmise that for them it is the cheaper option. Plus, given today's modern malware strains, having an actual Recovery Partition can limit helpers such as myself at times, and all we can advise is a Factory Reset in the end.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Malware Removal Help Please (Web Browser Search Redirect)

Unread postby Wingman » January 28th, 2012, 10:07 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Wingman
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA