
Google redirect problem ...

This topic is locked
2 replies to this topic

#1 gbseagull

  • Members
  • 1 posts

Posted 28 October 2009 - 01:18 AM

Hi, I have been having this problem for nearly 2 months now. I search for something in Google, then when I press the link of one of the results, the link redirects me to another website with a suspicious name. If I want to go to the real link, I have to go back and press it again 3-4 times. I used to have this problem on another computer, and the problem there was more severe (Google results were links to suspicious sites, and 9 out of 10 times a link would redirect to a fishy website).
I searched on the web and some say that the culprit is a tdsserver.sys file or something associated with it.

I have Windows XP SP3, avast! antivirus, Ad-Aware, MBAM, ATF Cleaner and the Windows Malicious Software Removal Tool.
I have run full scans with these programs and deleted everything they found.

These are the logs I need to post here, so hopefully somebody else has already gone through this process and knows how to get rid of it :(

DDS (Ver_09-10-26.01) - NTFSx86
Run by HP_Administrator at 22:49:16.64 on Tue 10/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.115 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 091027-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tservice.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\windows\system\hpsysdrv.exe
C:\program files\hp\HPMShellAdjust\HPMShellAdjust.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\SYSTEM32\AREVENT.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [HPMShellAdjust] c:\program files\hp\hpmshelladjust\HPMShellAdjust.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [ARMsg] c:\windows\system32\AREVENT.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mPolicies-explorer: NoSMBalloonTip = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Filter: text/html - {957cc0bc-9360-45d3-941e-182c4348e346} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2004-6-29 7680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-4 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-11 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 TService;DEC Front Panel Display Service;c:\windows\system32\tservice.exe [2009-1-20 86016]
R3 ATIDDCXX;ATI DTV Wonder Digital BDA Capture Device;c:\windows\system32\drivers\atiddcxx.sys [2006-5-3 10112]
R3 ATIDTUDD;ATI DTV Wonder Digital Tuner Device;c:\windows\system32\drivers\atidtuxx.sys [2006-5-3 44416]
R3 ATIDVCXX;ATI DTV Wonder Digital AV Capture Device;c:\windows\system32\drivers\atidvcxx.sys [2006-5-3 201216]
S2 gupdate1c98c695a464d42;Google Update Service (gupdate1c98c695a464d42);c:\program files\google\update\GoogleUpdate.exe [2009-2-11 133104]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [2009-5-29 13359]
S3 WN5401;Liteon Wireless LAN PCI 802.11 a/b/g adapter WN5401A;c:\windows\system32\drivers\wn5401.sys [2006-5-3 449920]

=============== Created Last 30 ================

2009-10-18 20:33:56 0 d-----w- C:\freethewads
2009-10-16 15:20:26 2189056 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-16 15:20:26 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 15:20:26 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-16 15:20:26 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-10-16 15:20:26 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 15:20:26 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe

==================== Find3M ====================

2009-10-04 21:10:45 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-27 01:49:13 520192 ----a-w- c:\windows\system32\pl2_screensaver.scr
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-07 02:24:18 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-08-07 02:24:18 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-07 02:24:10 35552 ----a-w- c:\windows\system32\dllcache\wups.dll
2009-08-07 02:24:06 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-08-07 02:24:04 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-08-07 02:23:54 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-08-07 02:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23:46 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-01-12 19:18:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010520090112\index.dat
2009-01-12 19:18:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011220090113\index.dat

============= FINISH: 22:51:31.92 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/27 22:57
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF249E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B11000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8E42000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\hp_administrator\local settings\temp\~df4ef6.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~df59fc.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~df5ce2.tmp
Status: Allocation size mismatch (API: 327680, Raw: 16384)

Path: c:\documents and settings\hp_administrator\local settings\temp\~dff5f3.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\all users\application data\pure networks\log\logfile.nmsrvc_exe.txt
Status: Size mismatch (API: 65016, Raw: 64748)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\TelerikCommon.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\2DF FreePlay Client.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\2DF FreePlay Client.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Damdai.Forms.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Damdai.Forms.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Damdai.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Damdai.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\ICSharpCode.SharpZipLib.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\ICSharpCode.SharpZipLib.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\TelerikCommon.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Telerik.WinControls.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Telerik.WinControls.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Telerik.WinControls.UI.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Apps\2.0\0RC7JEH9.097\K83DKGXB.9OG\manifests\Telerik.WinControls.UI.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250aa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf250a8ae

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 988) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 1692) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 2980) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 1708) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 1948) Address: 0x10000000 Size: 28672

==EOF==
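The RootRepeal log above already carries the key evidence: two DLLs (tdlcmd.dll and tdlwsp.dll) that no process lists as loaded sit at the same base address inside svchost, Explorer and every Internet Explorer instance, while every SSDT hook belongs to avast's self-protection driver (the R1 aswSP entry in the DDS log). The script below is an added example, not the poster's logs and not code from RootRepeal, DDS or BleepingComputer: it parses a RootRepeal report and separates expected scanner and AV noise from the indicators a helper would escalate. The allow-lists of benign hidden drivers and AV hooking drivers, and the abridged sample report it runs on, are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report format, abridged from the log posted
# above (same module names, PIDs and base addresses; other sections shortened).
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF249E000 Size: 98304 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xf250a6b8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xf250a08c

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 988) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 1692) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: iexplore.exe (PID: 2980) Address: 0x10000000 Size: 28672

==EOF==
"""

# Allow-lists are assumptions made for this example: dump_* are the crash-dump
# copies of storage drivers Windows keeps unlisted, rootrepeal.sys is the scanner's
# own driver, and aswSP.SYS is avast's self-protection driver (R1 aswSP in the DDS
# log above). Anything else that is hidden or hooking gets reported.
EXPECTED_HIDDEN_DRIVERS = {"rootrepeal.sys"}
EXPECTED_HIDDEN_PREFIXES = ("dump_",)
EXPECTED_SSDT_HOOKERS = {"aswsp.sys"}

# A section is a title line followed by a dashed underline.
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z/ ]*)\n-{5,}\n", re.M)
DRIVER_RE = re.compile(r"Name: (\S+)\nImage Path: (.+)\nAddress: (0x[0-9A-Fa-f]+) "
                       r"Size: (\d+) File Visible: (\w+)")
SSDT_RE = re.compile(r"#: (\d+) Function Name: (\w+)\n"
                     r'Status: Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')
MODULE_RE = re.compile(r"Object: Hidden Module \[Name: ([^\]]+)\]\n"
                       r"Process: (\S+) \(PID: (\d+)\) Address: (0x[0-9A-Fa-f]+) Size: (\d+)")


def split_sections(text):
    """Map each section title of a RootRepeal report to its body text."""
    parts = SECTION_RE.split(text)  # [preamble, title1, body1, title2, body2, ...]
    return {parts[i].strip(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def hidden_drivers(text):
    """Drivers present in kernel memory whose image file is not visible on disk."""
    body = split_sections(text).get("Drivers", "")
    return [{"name": n, "path": p, "address": int(a, 16), "size": int(s)}
            for n, p, a, s, vis in DRIVER_RE.findall(body) if vis.lower() == "no"]


def ssdt_hooks(text):
    body = split_sections(text).get("SSDT", "")
    return [{"index": int(i), "function": f, "hooker": h.rsplit("\\", 1)[-1],
             "address": int(a, 16)} for i, f, h, a in SSDT_RE.findall(body)]


def hidden_modules(text):
    body = split_sections(text).get("Stealth Objects", "")
    return [{"name": n, "process": p, "pid": int(pid), "address": int(a, 16), "size": int(s)}
            for n, p, pid, a, s in MODULE_RE.findall(body)]


def triage(text):
    """Separate expected scanner/AV noise from indicators worth escalating."""
    findings = []
    # 1. Hidden drivers minus the ones the scanner and Windows themselves produce.
    drivers = [d for d in hidden_drivers(text)
               if d["name"].lower() not in EXPECTED_HIDDEN_DRIVERS
               and not d["name"].lower().startswith(EXPECTED_HIDDEN_PREFIXES)]
    findings += [f"hidden driver {d['name']} at {d['path']}" for d in drivers]
    # 2. SSDT hooks grouped by installing driver; a security product hooking
    #    NtOpenProcess is expected, an unknown driver doing the same is not.
    hooks = defaultdict(list)
    for h in ssdt_hooks(text):
        hooks[h["hooker"]].append(h["function"])
    findings += [f"SSDT hooked by unknown driver {d}: {', '.join(fs)}"
                 for d, fs in hooks.items() if d.lower() not in EXPECTED_SSDT_HOOKERS]
    # 3. Hidden user-mode modules: the same unlinked DLL in several processes,
    #    browser included, is the injected payload behind the redirects.
    injected = defaultdict(list)
    for m in hidden_modules(text):
        injected[m["name"]].append((m["process"], m["pid"]))
    findings += [f"hidden module {n} injected into {len(ps)} process(es): "
                 + ", ".join(sorted({p.lower() for p, _ in ps})) for n, ps in injected.items()]
    return {"hidden_drivers": drivers, "ssdt_hooks": dict(hooks),
            "injected": dict(injected), "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```

Run against the sample, the two hidden drivers and all SSDT hooks are filtered out as expected noise, and the only findings left are the two injected DLLs, which is exactly what the helper in the next reply reacts to. The allow-lists are deliberately small: when a hidden driver or hooking driver is not on them, the right response is to look it up, not to extend the list.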


#2 Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 October 2009 - 09:07 AM

Hi gbseagull,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning with other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

You have a rootkit on the computer, and I would like to take a look at the device it is attached to.

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Disconnect from the Internet and close all running programs.
  • Double click GMER. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
  • Then click the Scan button and wait for it to begin. (Please be patient, as it can take some time to complete.)
  • When the scan is finished (the Scan button appears again, or the scan activity stops), click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.


#3 Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 November 2009 - 06:58 PM

This thread will now be closed due to inactivity.

If you should have the same or a new issue, please start a new topic.
