
Google Search has been hijacked

This topic is locked
14 replies to this topic

#1 VEGA0426-BC


  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 11 June 2009 - 01:14 AM

Recommended from AII


DDS (Ver_09-05-14.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 10/28/2008 10:24:34 PM
System Uptime: 6/10/2009 3:11:31 AM (16 hours ago)

Motherboard: ECS | | Nettle2
Processor: AMD Athlon™ 64 X2 Dual Core Processor 6000+ | Socket M2 | 3000/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 436 GiB total, 245.074 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.206 GiB free.
E: is FIXED (NTFS) - 21 GiB total, 20.915 GiB free.
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Apple Software Update
Avanquest update
AVG Free 8.5
Beyond Compare Version 3.0.11
Bullzip PDF Printer
CoffeeCup Free HTML Editor
CoffeeCup HTML Editor 2008
Compatibility Pack for the 2007 Office system
Convert Word To HTML COM 1.01
Crystal Reports Basic for Visual Studio 2008
Desktop Video Player by LongTail Video
DHTML Editing Component
Ephox EditLive! 6.6.2
FileZilla Client
GPL Ghostscript Lite 8.63
Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB952241)
HP Officejet Pro K550 Series Toolbox
Java 2 Runtime Environment, SE v1.4.2_15
Magellan POI File Editor
Malwarebytes' Anti-Malware
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Device Emulator version 3.0 - ENU
Microsoft Document Explorer 2008
Microsoft Office 2000 Professional
Microsoft Office Professional Edition 2003
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Virtual PC 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Visual Studio Web Authoring Component
Microsoft Web Publishing Wizard 1.53
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
Microsoft Windows SDK for Visual Studio 2008 Tools
Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
MSDN Library - Office 2000 Developer
MSDN Library for Visual Studio 2008 - ENU
NDAS Software 3.20.1523
NVIDIA Drivers
PageBreeze Free HTML Editor
PanaVue ImageAssembler 3.5.0
ParetoLogic DriverCure
Realtek High Definition Audio Driver
Registry Mechanic 8.0
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft Office system 2007 (KB954326)
Soft Data Fax Modem with SmartCP
Spelling Dictionaries Support For Adobe Reader 9
Spyware Doctor 6.0
TeamViewer 4
Ultimate Extras sounds from Microsoft® Tinker™
UltraVNC 1.0.5
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Script Editor Help (KB963671)
VC Runtimes MSI
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio Tools for the Office system 3.0 Runtime
Web Easy Professional
Web Easy Professional 7
WinDjView 1.0.1
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
Windows Sound Schemes

==== End Of File ===========================


DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 19:52:00.16 on Wed 06/10/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2942.1270 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BitZip - Powered by Miro] c:\program files\participatory culture foundation\miro\Miro.exe --theme "BitZip"
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0C5CF442-582C-4357-B116-765DA99CAA8C} - hxxp://www.beavercountypa.gov/wx/client/IrcViewer.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll

============= SERVICES / DRIVERS ===============

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2008-11-9 254440]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2007-6-29 62056]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-8 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-24 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 108552]
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [2008-11-9 372584]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-24 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-24 298776]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-8 348752]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2007-6-29 75880]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-6-11 968064]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-06-09 22:45 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 22:45 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 22:45 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-09 00:32 --d----- c:\users\owner\appdata\roaming\Malwarebytes
2009-06-09 00:25 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 00:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 00:25 --d----- c:\programdata\Malwarebytes
2009-06-09 00:25 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 00:25 --d----- c:\progra~2\Malwarebytes
2009-06-08 23:38 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-08 23:38 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-08 23:38 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-08 23:38 --d----- c:\program files\common files\PC Tools
2009-06-08 23:38 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-08 23:38 --d----- c:\users\owner\appdata\roaming\PC Tools
2009-06-08 23:38 --d----- c:\programdata\PC Tools
2009-06-08 23:38 --d----- c:\program files\Spyware Doctor
2009-06-08 23:38 --d----- c:\progra~2\PC Tools
2009-06-08 23:38 506,368 a------- c:\windows\system32\msxml.dll
2009-06-08 23:22 955,820 a------- c:\users\owner\Update.zip
2009-06-08 23:10 a-d----- c:\programdata\TEMP
2009-06-06 11:06 286,720 -------- c:\windows\Setup1.exe
2009-06-06 11:06 73,216 a------- c:\windows\ST6UNST.EXE
2009-06-06 11:04 49,152 a------- c:\windows\system32\DOC2HTML.dll
2009-06-06 11:04 --d----- C:\Word2HTML
2009-05-25 12:33 7,143 a------- c:\windows\system32\nvide.nvu
2009-05-25 11:48 --d----- C:\NVIDIA
2009-05-16 23:00 48 a------- c:\windows\.prj
2009-05-16 22:12 --d----- c:\program files\PageBreeze
2009-05-16 18:38 --d----- c:\programdata\Apple Computer
2009-05-16 18:38 --d----- c:\programdata\Apple

==================== Find3M ====================

2009-05-26 03:00 86,016 a------- c:\windows\inf\infstrng.dat
2009-05-26 03:00 51,200 a------- c:\windows\inf\infpub.dat
2009-05-25 12:32 86,016 a------- c:\windows\inf\infstor.dat
2009-05-09 08:52 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 08:52 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-09 08:52 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2008-11-17 08:43 48 a------- c:\users\owner\BACKUPcounty.BAT
2008-11-01 23:21 174 a--sh--- c:\program files\desktop.ini
2008-11-01 23:14 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:53:17.71 ===============

Edited by garmanma, 11 June 2009 - 03:05 PM.
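As an added triage example (not part of this thread, and not DDS's own code): the small Python script below pulls the "Pseudo HJT Report" section out of a DDS log like the one above and lists the entries a helper reads first: BHOs registered with "No File" or loaded from outside the Program Files / Windows trees, ActiveX download entries (DPF) with their host, and anything in AppInit_DLLs (which is injected into every process that loads user32.dll). The line shapes are taken from the log as posted; the sample input is constructed from lines in this post plus one clearly labelled made-up BHO line, and the EXPECTED_DIRS list is an assumption used for illustration. A hit is a review item, not a verdict: the orphaned BHO in this log, for instance, is a leftover registration whose DLL is gone.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; not part of the thread and not DDS's own code. It assumes only
the line shapes visible in the posted log:
    BHO: [<name>: ]{CLSID} - <dll path | No File>
    DPF: {CLSID} - hxxp://<host>/<path>.cab
    AppInit_DLLs: <dll> [<dll> ...]
EXPECTED_DIRS is an assumption about where a legitimate BHO normally lives.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: real lines quoted from the DDS log above, plus one
# made-up BHO line (all-zero CLSID, temp-folder path) that exercises the
# unusual-location check. That made-up line is NOT from the thread.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
BHO: constructed example: {00000000-0000-0000-0000-000000000000} - c:\\users\\owner\\appdata\\local\\temp\\helper.dll
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============
"""

SECTION_BANNER = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
BHO_LINE = re.compile(r"^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
DPF_LINE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$")
APPINIT_LINE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")

# Assumption: directories a legitimately installed BHO is expected to live in.
EXPECTED_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows",
                 "%programfiles%", "%systemroot%")


@dataclass
class Finding:
    kind: str    # orphaned_bho | bho_unusual_path | activex_download | appinit_dll
    clsid: str   # CLSID of the entry, or "-" where the line has none
    detail: str  # path, host or DLL name, depending on kind


def hjt_section(log: str) -> list[str]:
    """Return the non-blank lines between the 'Pseudo HJT Report' banner and the next banner."""
    lines, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_BANNER.match(line)
        if banner:
            inside = "pseudo hjt report" in banner.group("title").lower()
            continue
        if inside and line:
            lines.append(line)
    return lines


def triage(log: str) -> list[Finding]:
    """List the HJT-section entries worth a second look, in log order."""
    findings: list[Finding] = []
    for line in hjt_section(log):
        if m := BHO_LINE.match(line):
            target = m.group("target")
            if target == "No File":
                # Registration survives but the DLL is gone: usually a leftover,
                # but confirm nothing hides behind the CLSID.
                findings.append(Finding("orphaned_bho", m.group("clsid"), target))
            elif not target.lower().startswith(EXPECTED_DIRS):
                findings.append(Finding("bho_unusual_path", m.group("clsid"), target))
        elif m := DPF_LINE.match(line):
            # DDS defangs URLs as hxxp://; strip that and keep only the host.
            host = re.sub(r"^hxxps?://", "", m.group("url")).split("/")[0]
            findings.append(Finding("activex_download", m.group("clsid"), host))
        elif m := APPINIT_LINE.match(line):
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                if dll:
                    findings.append(Finding("appinit_dll", "-", dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.clsid:40} {f.detail}")
```

Run it as-is to see the four review items from the sample; feed it a full DDS log (the script ignores every other section) to get the same short list for a real machine. Lines it does not recognise, such as the uRun/mRun autostarts, are left alone on purpose, so extend the regexes before relying on it for those.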



#2 VEGA0426-BC

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 12 June 2009 - 01:29 PM

Thanks for everyone's help!

Just to review, the problem started with hijacked browser search on my Vista Ultimate PC. After some difficulties getting DDS to run in another forum, the above logs were generated. What's next?

Hello VEGA0426-BC,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.


The weatherman

Edited by The weatherman, 12 June 2009 - 05:17 PM.

#3 thcbytes


  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:11:24 PM

Posted 20 June 2009 - 09:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!


#4 VEGA0426-BC

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 20 June 2009 - 03:06 PM

I do not want to bump this but... Many days (9) have passed with no further response for me to try. Now Task Manager reports 100% CPU usage and accordingly response is atrocious. Help is urgently needed!

#5 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 AM

Posted 20 June 2009 - 07:31 PM

Hi VEGA0426-BC,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

I will be back with the first instructions soon.

Thanks
m0le is a proud member of UNITE

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 AM

Posted 20 June 2009 - 07:42 PM

Hi VEGA0426-BC,

I have read the problems you were having downloading and running certain tools and reviewed your logs. The logs show no sign of infection so we need to run some deeper scans.

Firstly, I need you to rerun MBAM. I want to see what's not being removed.

Please run it on Full Scan.


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


We need to create an OTL Report
  • Please download OTL from the mirror:
    This is THE Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Thanks

#7 VEGA0426-BC

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 22 June 2009 - 10:48 PM

MBAM does not run. Vista displays a dialog box that says mbam-setup.exe has stopped running.

Edited by VEGA0426-BC, 22 June 2009 - 10:57 PM.

#8 VEGA0426-BC

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 23 June 2009 - 08:32 AM

GMER.exe produces the same error: GMER.EXE has stopped working

#9 VEGA0426-BC

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 23 June 2009 - 10:18 AM

OTL files attached - Gmer.exe downloaded but did not install

Attached Files

#10 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 AM

Posted 23 June 2009 - 02:57 PM

MBAM is often stopped by malware. Please open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe extension to .bat, .com, .pif, or .scr

If that works run it and then please post the log. Whether it runs or not please do the following next.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

#11 VEGA0426-BC

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 24 June 2009 - 03:24 PM

Combofix.txt attached
mbam log attached - had to rename exe.

Attached Files

#12 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 AM

Posted 24 June 2009 - 07:37 PM

Okay that's removed the trojan. How is the computer running now?

The Combofix log looks clean too but let's double check with an online scan.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Please post fresh DDS logs too.

#13 VEGA0426-BC

  • Topic Starter

  • Members
  • 14 posts
  • Local time:12:24 AM

Posted 24 June 2009 - 10:31 PM

Combofix and DDS logs attached. Bitdefender seems to have locked up at 100%. CPU usage is back to normal and search now gives expected results. Thanks!

Attached Files

#14 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 AM

Posted 25 June 2009 - 12:02 PM

Hey VEGA0426-BC.

Even with BitDefender failing to work I can see no signs of malware anywhere else and as your symptoms are clear you have a clean computer once more.

Good stuff!

Let's firstly do some housekeeping

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Here's a list of ways you can avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

That's it VEGA0426-BC, happy surfing!



#15 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:24 AM

Posted 30 June 2009 - 12:59 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.