Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Engine Results Redirecting


  • Please log in to reply
15 replies to this topic

#1 kanorr

kanorr

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 10 August 2009 - 09:54 AM

For the last several days when clicking on any search engine results, I am redirected to various unwanted advertising sites. Malware bytes does not locate any threats. Spybot identified threats associated with Windows Security Center being disabled and some tracing cookies, however the problem continues after the fix in Spybot. Any advice is greatly appreciated...

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 AM

Posted 10 August 2009 - 11:00 AM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 kanorr

kanorr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 10 August 2009 - 11:22 AM

Thank you for your reply!

I extracted RootRepeal to my desktop. When I run it, it returns this message:
"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog." When I clear this message, it then displays, "Could not load our kernel! Please contact the author!".

I tried to adjust the disk access level within the options, but the same message display when running. Any ideas?

Thanks!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 AM

Posted 10 August 2009 - 11:26 AM

Ok ,,run this one than.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 kanorr

kanorr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 10 August 2009 - 03:18 PM

The Sophos scan completed, and returned the 2 hidden registry keys and 9 unknown hidden files as indicated below. The two keys were flagged as not removable, and all of the hidden files were removable but not recommended.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/10/2009 at 13:58:18 PM
User "AB1878" on computer "CORP-L3HLM62"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ytasfwnxrbdryo
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Temp\ytasfwdbwtrpiijc.tmp
Hidden: file C:\WINDOWS\system32\ytasfwictkxrus.dat
Hidden: file C:\WINDOWS\Temp\ytasfwtepmpeqvfx.tmp
Hidden: file C:\WINDOWS\system32\ytasfwbfousfgb.dat
Hidden: file C:\WINDOWS\system32\drivers\ytasfwtarrofdc.sys
Hidden: file C:\WINDOWS\system32\ytasfwyhjiojxs.dll
Hidden: file C:\WINDOWS\system32\ytasfwaduiyoti.dll
Hidden: file C:\Documents and Settings\ab1878\Local Settings\Temporary Internet Files\Content.IE5\UF6BWL4T\.miami_beach;mcid=10575;PageType=Restaurant_Review;pool=A;kw=Tuscan+Steak+-+Miami+Beach;geo=465668;u=Restaurant_Review%7CA;abr=!webtv;sz=160X600;tile=2;ord=46147318
Hidden: file C:\Documents and Settings\ab1878\Local Settings\Temporary Internet Files\Content.IE5\OHIBCLEF\.miami_beach;mcid=10575;PageType=Restaurant_Review;pool=A;kw=Tuscan+Steak+-+Miami+Beach;geo=465668;u=Restaurant_Review%7CA;abr=!webtv;sz=300X250;tile=3;ord=46147318
Stopped logging on 8/10/2009 at 14:32:01 PM

Thanks for your continued help.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 AM

Posted 10 August 2009 - 03:52 PM

Hello,youare welcome.
run it again and remove this,Hidden: file C:\WINDOWS\system32\drivers\ytasfwtarrofdc.sys

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 kanorr

kanorr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 10 August 2009 - 07:56 PM

Okay.. I completed those steps and completed the anti-malware scan. Here are the results:
______________________________

Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 5.1.2600 Service Pack 2

8/10/2009 7:52:26 PM
mbam-log-2009-08-10 (19-52-26).txt

Scan type: Quick Scan
Objects scanned: 100108
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ytasfwaduiyoti.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytasfwyhjiojxs.dll (Trojan.Agent) -> Quarantined and deleted successfully.

_____________________
Thanks again...

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 AM

Posted 10 August 2009 - 08:41 PM

OK,excellent.. now you're gonna work :thumbsup: .


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Finally try Rootrepeal agai,, thank you..

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 kanorr

kanorr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 10 August 2009 - 11:42 PM

Again, I really appreciate the help. The scan results of SUPER, MBAM, and RootRepeal are below. I am not sure if any threats still reside anywhere on my PC (since I am a little challenged deciphering all the data in the log files), but the redirect problems are now gone after performing the steps you indicated.

Here are the results of SUPER:
_______________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/10/2009 at 10:39 PM

Application Version : 4.27.1002

Core Rules Database Version : 4048
Trace Rules Database Version: 1988

Scan type : Complete Scan
Total Scan Time : 00:57:44

Memory items scanned : 275
Memory threats detected : 0
Registry items scanned : 6232
Registry threats detected : 0
File items scanned : 64781
File threats detected : 1

Trojan.Malware
C:\Documents and Settings\ab1878\Desktop\access
________________________________

and here are the results of the subsequent MBAM scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 5.1.2600 Service Pack 2

8/10/2009 11:00:43 PM
mbam-log-2009-08-10 (23-00-43).txt

Scan type: Quick Scan
Objects scanned: 98967
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_________________________________

And lastly, RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/10 23:11
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA6BB9000 Size: 876544 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5EF0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85cc8838

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa708e350

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x86d38490

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86cc7b10

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa708e580

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa6dad0b0

Hidden Services
-------------------
Service Name: ytasfwnxrbdryo
Image Path: C:\WINDOWS\system32\drivers\ytasfwtarrofdc.sys

==EOF==


Again, it appears to be working normally now so OUTSTANDING! Let me know if I need to perform any additional scans or changes. Thanks again...

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 AM

Posted 11 August 2009 - 09:32 AM

Hello we look very good. i would like to get a second o[inion on one possible rootkit. Let me know if you see a WARNING!!! about rootkit activity and are asked to fully scan your system. Also if it notes what it sees.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 kanorr

kanorr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 11 August 2009 - 04:06 PM

Okay finally made it through that one. Here are the results:

GMER 1.0.15.15020 [ukqw03q1.exe] - http://www.gmer.net
Rootkit scan 2009-08-11 15:55:13
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\ytasfwtarrofdc.sys (*** hidden *** ) [SYSTEM] ytasfwnxrbdryo <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo@imagepath \systemroot\system32\drivers\ytasfwtarrofdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main\connections
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main\injector@* ytasfwwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\modules@ytasfwrk.sys \systemroot\system32\drivers\ytasfwtarrofdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\modules@ytasfwcmd.dll \systemroot\system32\ytasfwyhjiojxs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\modules@ytasfwlog.dat \systemroot\system32\ytasfwbfousfgb.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\modules@ytasfwwsp.dll \systemroot\system32\ytasfwaduiyoti.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ytasfwnxrbdryo\modules@ytasfw.dat \systemroot\system32\ytasfwictkxrus.dat
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo@imagepath \systemroot\system32\drivers\ytasfwtarrofdc.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main\injector@* ytasfwwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\modules@ytasfwrk.sys \systemroot\system32\drivers\ytasfwtarrofdc.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\modules@ytasfwcmd.dll \systemroot\system32\ytasfwyhjiojxs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\modules@ytasfwlog.dat \systemroot\system32\ytasfwbfousfgb.dat
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\modules@ytasfwwsp.dll \systemroot\system32\ytasfwaduiyoti.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ytasfwnxrbdryo\modules@ytasfw.dat \systemroot\system32\ytasfwictkxrus.dat

---- EOF - GMER 1.0.15 ----


Thanks again!

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 AM

Posted 11 August 2009 - 08:19 PM

OK, please one more rootrepeal, selecting only FILES>
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 kanorr

kanorr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 11 August 2009 - 09:59 PM

Thank you. Okay.. here are the 'files' only results:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/11 21:50
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==

Thanks!

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:40 AM

Posted 11 August 2009 - 11:01 PM

How is it running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 kanorr

kanorr
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:40 AM

Posted 11 August 2009 - 11:16 PM

Your expertise is greatly respected and appreciated!

This was my first threat actually making it past Symantec and affecting my PC in many years, but thanks to you it is functioning as new again. I assume you feel the threats are removed... ? Thank you again for your help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users