BleepingComputer.com: Infected with Google redirect virus


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Infected with Google redirect virus Unable to run TDSSKiller BSOD

#76 gringo_pr (Malware Response Team)

Posted 23 August 2011 - 11:12 AM

Hello

We have a perfectly functioning backup


I think this is the best thing to do and I will check things once it is working again



could have been worse - nobody in my family is hurt - still no power at home


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

#77 DenaliAK (Member)

Posted 23 August 2011 - 11:19 AM

Sorry to hear things are a mess. Glad everyone is OK. I had already done the reghosting and the original disk is active as it was when we started the whole process. I have seen products like simplysup.com Trojan Remover? Thanks, ready when you are.

#78 gringo_pr (Malware Response Team)

Posted 24 August 2011 - 06:31 PM

Hello

I would like you to download an updated version of ComboFix.

Update ComboFix

Delete the version of ComboFix you have now on your desktop and download a new one from here.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"Information and logs"

In your next post I need the following:

  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?


Gringo

#79 DenaliAK (Member)

Posted 24 August 2011 - 07:14 PM

New ComboFix log. I thought I got McAfee turned off, but I saw a message that an EICAR test file was quarantined, and I got the same VolSnap.exe infection message in the blue window as I did the first time.

ComboFix 11-08-24.06 - Administrator 08/24/2011 18:57:13.3.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1403 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active
.
.
/wow section - STAGE 10
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\winnt\system32\comct332.ocx
.
.
.
.
((((((((((((((((((((((((( Files Created from 2011-07-25 to 2011-08-25 )))))))))))))))))))))))))))))))
.
.
2011-07-30 16:40 . 2011-07-30 16:40 -------- d-----w- C:\FOUND.015
2011-07-29 17:23 . 2011-05-13 18:21 1407280 ----a-w- C:\TADA.com
2011-07-29 00:15 . 2011-07-29 00:15 -------- d-----w- C:\FOUND.014
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 14:11 . 2009-08-29 01:51 39984 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2009-08-29 01:51 21048 ----a-w- c:\winnt\system32\drivers\mbam.sys
2003-05-08 21:22 . 2006-02-17 04:13 36963 ----a-w- c:\program files\Common Files\CYDrvIns.dll
2011-03-18 17:53 . 2011-04-18 20:33 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 10:06 163328 --sh--r- c:\winnt\system32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\winnt\system32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\winnt\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2005-09-23 10:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [ERROR: 0x0] . . c:\winnt\system32\linkinfo.dll
[-] 2005-09-23 10:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [ERROR: 0x0] . . c:\winnt\system32\dllcache\linkinfo.dll
[7] 2004-09-02 20:03 . 814222ED1C5C31B135B6F97585FE6B41 . 17168 . . [ERROR: 0x0] . . c:\winnt\$NtUpdateRollupPackUninstall$\linkinfo.dll
.
[-] 2005-01-12 18:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [ERROR: 0x0] . . c:\winnt\system32\scecli.dll
[-] 2005-01-12 18:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [ERROR: 0x0] . . c:\winnt\system32\dllcache\scecli.dll
[7] 2004-03-24 02:17 . 0B476C9305098B37BE70F0AC29E671E5 . 111376 . . [ERROR: 0x0] . . c:\winnt\$NtUpdateRollupPackUninstall$\scecli.dll
.
[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . c:\winnt\system32\mspmsnsv.dll
.
[-] 2004-07-09 09:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-30 2424192]
"Steam"="c:\program files\Steam\Steam.exe" [2011-04-18 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-07-14 111376]
"nwiz"="nwiz.exe" [2007-10-28 1626112]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Joystick 2 Mouse"="c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe" [2005-07-28 176128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-21 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-18 155648]
"Gene USB Monitor"="c:\winnt\system32\UMonit2k.exe" [2003-12-16 49152]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2006-07-24 35992]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-05 626176]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2007-10-28 8531968]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2007-10-28 81920]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1040384]
"NIC Monitor"="VNICMon.exe" [2005-01-10 40960]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Popup"="c:\program files\MegaRAID Storage Manager\MegaPopup\Popup.exe" [2007-12-18 81096]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-05 5367664]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-07-14 186640]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-7-18 299008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-26 51984]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-26 111376]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-1 113664]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-6-22 106496]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-6-22 151552]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2011-4-18 1643808]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
R0 aacsas;Adaptec SAS/SATA-II RAID Miniport Driver;c:\winnt\system32\drivers\aacsas.sys [4/3/2008 12:12 PM 83839]
R0 hotcore2;hotcore2;c:\winnt\system32\drivers\hotcore2.sys [8/5/2008 6:42 PM 30808]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [9/4/2009 9:09 AM 64160]
R0 megasas;megasas;c:\winnt\system32\drivers\megasas.sys [2/23/2010 4:19 PM 19968]
R0 Pnp680;SiI 680 ATA Controller;c:\winnt\system32\drivers\pnp680.sys [4/20/2009 9:59 PM 37031]
R1 NmPar;MosChip PCI Parallel Port;c:\winnt\system32\drivers\NmPar.sys [10/11/2006 11:12 AM 76416]
R1 nmserial;MosChip PCI Serial Port;c:\winnt\system32\drivers\NmSerial.sys [10/12/2006 8:23 PM 60032]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/15/2009 11:42 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 67656]
R2 DriverX;DriverX;c:\winnt\system32\drivers\Driverx.sys [6/11/2001 10:01 PM 52512]
R2 io.sys;IO.DLL Driver;c:\winnt\system32\drivers\io.sys [7/30/2008 12:23 PM 5152]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/5/2010 10:06 PM 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2/5/2010 10:06 PM 712048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\winnt\system32\drivers\Scutum50.sys [4/18/2011 9:41 AM 19072]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2009 4:26 PM 24652]
R3 AmbFilt;AmbFilt;c:\winnt\system32\drivers\Ambfilt.sys [4/21/2009 6:36 AM 1683712]
R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\winnt\system32\drivers\DLKRTS.SYS [4/21/2009 12:54 AM 25434]
R3 FIXUSTOR;FIXUSTOR;c:\winnt\system32\drivers\fixustor.sys [11/30/2007 8:50 PM 12672]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [4/20/2009 11:38 PM 49776]
R3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;c:\winnt\system32\drivers\yk50x86.sys [12/9/2008 4:06 AM 296320]
S1 CypressUsbDev;Cypress USB Devices;c:\winnt\system32\drivers\CyUsbGen.sys [2/16/2006 11:10 PM 14356]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/23/2009 2:48 PM 135664]
S3 Asushwio;Asushwio;\??\d:\bin\Asushwio.sys --> d:\bin\Asushwio.sys [?]
S3 PhilCam8116_2K;Logitech QuickCam Pro 3000(PID_08B1);c:\winnt\system32\drivers\CamDrL20.sys [3/21/2005 1:44 PM 236121]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 12872]
S3 USA19H;USA19H;c:\winnt\system32\drivers\USA19H2k.sys [9/18/2008 9:26 PM 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\winnt\system32\drivers\USA19H2kp.sys [9/18/2008 9:26 PM 24192]
S3 UStor;Lexar RW018;c:\winnt\system32\drivers\UStor.sys [11/26/2006 12:32 PM 25246]
S3 USTOR2K;Genesys USB Mass Storage Windows Driver;c:\winnt\system32\drivers\ustor2k.sys [12/24/2006 10:17 PM 21248]
S3 VNICPKT5;VNICPKT5 Protocol Driver;c:\winnt\system32\VNICPKT5.sys [4/28/2009 4:24 PM 16066]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\winnt\system32\drivers\xusbdfwu.sys [4/21/2009 3:33 AM 17280]
S3 XilinxFirmwarePusb2Loader;XilinxFirmwarePusb2Loader;c:\winnt\system32\drivers\xusb_xp2.sys [4/21/2009 3:33 AM 17920]
S4 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [3/23/2005 4:52 AM 9038]
S4 viasraid;viasraid;c:\winnt\system32\drivers\viasraid.sys [11/5/2004 2:52 PM 78988]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2010-01-01 c:\winnt\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-22 17:22]
.
2009-10-27 c:\winnt\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 18:46]
.
2010-08-25 c:\winnt\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 18:46]
.
2011-08-22 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:13]
.
2009-10-27 c:\winnt\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 18:46]
.
2011-08-24 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-23 19:48]
.
2011-08-24 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-23 19:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.0.1 68.94.156.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tozlwhf0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-24 19:01
Windows 5.0.2195 Service Pack 4 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.0.2195
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(252)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\WRLogonNTF.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2011-08-24 19:02:08
ComboFix-quarantined-files.txt 2011-08-25 00:02
ComboFix2.txt 2011-07-30 15:23
ComboFix3.txt 2011-07-29 20:31
.
Pre-Run: 60,277,456,896 bytes free
Post-Run: 60,354,117,632 bytes free
.
- - End Of File - - 007A2EA347F9FB8CED515435E72D4EBB

#80 gringo_pr (Malware Response Team)

Posted 24 August 2011 - 08:30 PM

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic.

#81 DenaliAK (Member)

Posted 25 August 2011 - 01:32 AM

ESET log. Thanks.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=5.00.2920.0000
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=14724b661079e942b6fa3b2676d09e75
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-25 06:17:17
# local_time=2011-08-25 01:17:17 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.0.2195 NT Service Pack 4
# scanned=1405394
# found=0
# cleaned=0
# scan_time=16697

#82 DenaliAK (Member)

Posted 29 August 2011 - 07:12 PM

Hadn't heard from you; did you get power back on?

#83 gringo_pr (Malware Response Team)

Posted 29 August 2011 - 08:59 PM

Hello

Yeah, my lights came back on. I have been going over the thread and I don't know what else I can try.

The biggest problem I am running into is that a lot of the tools won't work on Windows 2000, and the ones that do we have already run and they have not worked. And as support has ended on Windows 2000 and IE6, you will find yourself in deeper problems quicker than before.



Gringo

#84 DenaliAK (Member)

Posted 01 September 2011 - 10:44 PM

I understand. I still have a few questions regarding a possible rebuild. Windows 2k has many advantages over other Windows op systems, such as reinstalling on top of itself. This would require a rollup update, which still looks available. This would fix any system file, except the MBR and any file that was left hanging around, virus or trojans. I assume a win2k reinstall does not change the MBR? So I'm not sure whether I would then be able to kill the MBR rootkit or whether I would eradicate the full trojan or virus that installed the rootkit.

Another question is: what is the infection route? Can one disk really infect another dormant op sys by being in the same computer? This is related to how I would take a backup disk and add the changed data files from the infected disk to the backup disk (this would bring my backup up to current). I am still curious why both op sys got infected? Would the infected disk have to be the operational system and infect the dormant one?

One more question. When I created the RAID disk system (I have two disk op systems that are infected; one is a 4 disk RAID), to get the partition data space correctly aligned I did an offset when creating the partition. I then copied the op sys from a working disk and then did a FIXMBR. I know I could repeat the whole process, but if I just delete the data and recopy and re-FIXMBR (try that in Win 7, yah good luck) will I still ensure that any MBR rootkit is gone?

I appreciate the extra help. The thing is, before I let you go I want to complete my learning of this culprit. If you think your enemy is gone, you haven't looked far enough. Eh?

Thank you for all your patience, you have done me a great service by trying.

#85 DenaliAK (Member)

Posted 13 September 2011 - 10:24 AM

gringo, do you have time to answer my questions?

#86 gringo_pr (Malware Response Team)

Posted 13 September 2011 - 10:37 AM

Hello

A lot of the questions I don't know the answer to.

Windows 2k has many advantages over other Windows op systems, such as reinstalling on top of itself. This would require a rollup update, which still looks available. This would fix any system file, except the MBR and any file that was left hanging around, virus or trojans. I assume a win2k reinstall does not change the MBR? So I'm not sure whether I would then be able to kill the MBR rootkit or whether I would eradicate the full trojan or virus that installed the rootkit.

Formatting the hard drive will remove the MBR and cause a new one to be built during the install.

Installing over the top will not rewrite the MBR, and it would also keep any infected files that are around.

Another question is: what is the infection route? Can one disk really infect another dormant op sys by being in the same computer? This is related to how I would take a backup disk and add the changed data files from the infected disk to the backup disk (this would bring my backup up to current). I am still curious why both op sys got infected? Would the infected disk have to be the operational system and infect the dormant one?

Here I am confused a little.

If both OS are on the same hard drive, then they share the same MBR and the MBR would infect both OS.

Separate hard drives: the MBR on each hard drive, if they are connected at the same time, will be infected (I have seen the MBR infected on a hard drive that does not have an OS installed).

One more question. When I created the RAID disk system (I have two disk op systems that are infected; one is a 4 disk RAID), to get the partition data space correctly aligned I did an offset when creating the partition. I then copied the op sys from a working disk and then did a FIXMBR. I know I could repeat the whole process, but if I just delete the data and recopy and re-FIXMBR (try that in Win 7, yah good luck) will I still ensure that any MBR rootkit is gone?

Now here you are talking over my head, as I know nothing about RAID setups at all.

Gringo

#87 DenaliAK (Member)

Posted 13 September 2011 - 12:07 PM

Thank you so much for your reply. You did clear up questions I have about the infection. If I erase the data in the partitions and then do a fixmbr, could we be sure the replacement of the MBR removes an infection? Since we are not sure that fixmbr was able to do anything to fix the problem, it seems better to remake the partition from the beginning. We are not sure whether fixmbr replaces the MBR, or if it may not detect the infection and do nothing, potentially leaving the infection present. Thanks again, you have cleared up the rebuild process.

#88 gringo_pr (Malware Response Team)

Posted 13 September 2011 - 12:31 PM

Hello

Since we are not sure that fixmbr was able to do anything to fix the problem, it seems better to remake the partition from the beginning.

Yes, that is correct.



gringo
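The open question in the last two posts, whether a fixmbr actually replaced the boot sector or quietly left it alone, comes down to checking the 512-byte MBR against a known-good copy. The following is an added example, not code from this thread or from ComboFix, GMER or any other tool named here: it parses an MBR image, compares its bootstrap code and partition table with a baseline, and reports exactly what differs. The sample sectors are constructed inline; on a real machine the current MBR would be read from the raw disk and the baseline would be a copy saved from a clean install or from before the infection.

```python
"""Compare a 512-byte MBR image against a known-good baseline.

Added example (not from the BleepingComputer thread or any tool it names).
The sample sectors below are constructed; on a real system the current MBR
would be read from the raw disk and the baseline kept from a clean install.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code, the region MBR rootkits patch
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the bootstrap code
SIG_OFF = 510            # last two bytes must be 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble an MBR from bootstrap code and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, s, t, lba, n) for s, t, lba, n in partitions)
    return code + table.ljust(64, b"\x00") + b"\x55\xAA"


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(current: bytes, baseline: bytes) -> dict:
    """Report how `current` deviates from `baseline`; an empty findings list means it matches."""
    if len(current) != SECTOR_SIZE or len(baseline) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    findings = []
    if current[SIG_OFF:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    cur_code, base_code = current[:BOOT_CODE_LEN], baseline[:BOOT_CODE_LEN]
    if cur_code != base_code:
        # Report where the bootstrap code first diverges from the baseline; a patched
        # sector usually differs right at the start or in a trailing block of code.
        diff_at = next(i for i in range(BOOT_CODE_LEN) if cur_code[i] != base_code[i])
        findings.append(f"bootstrap code differs from baseline at offset {diff_at}")
    if parse_partition_table(current) != parse_partition_table(baseline):
        findings.append("partition table differs from baseline")
    return {
        "boot_code_sha256": hashlib.sha256(cur_code).hexdigest(),
        "partitions": parse_partition_table(current),
        "findings": findings,
        "clean": not findings,
    }


# Constructed stand-in for the OS's standard bootstrap code (not real Windows boot code).
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b" CONSTRUCTED CLEAN BOOTSTRAP"
# One bootable NTFS partition starting at LBA 63, the classic pre-Vista alignment.
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, 20_000_000)])

# Constructed tampered sample: partition table intact, bootstrap code overwritten at offset 0.
_t = bytearray(CLEAN_MBR)
_t[0:8] = b"TAMPERED"
TAMPERED_MBR = bytes(_t)

# Constructed sample where the bootstrap is fine but the partition start was moved.
MOVED_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 20_000_000)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("moved", MOVED_MBR)):
        r = assess_mbr(img, CLEAN_MBR)
        print(f"{name:9s} clean={r['clean']} findings={r['findings']}")
```

Run it against a baseline before and after fixmbr (or after recreating the partition): a clean result with the partition table unchanged shows the bootstrap really was rewritten, while findings that still match the tampered sector show the tool did nothing.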
