Google redirect persists despite all efforts - help!


  • This topic is locked
10 replies to this topic

#1 Chris Dobson

  • Members
  • 8 posts

Posted 18 November 2009 - 06:39 PM

Hello
Please help me - I'm fed up spending evenings trying to understand what's wrong with my machine.
First up, mea culpa, I didn't have a firewall activated so you might say I brought the problems on myself. And probably will. Duh. Anyway.
Running XP, using free AVR. Have had repeated nasty redirects of Google searches to all sorts of random (some unpleasant) sites.
I've run Spyware S&D, Malwarebytes Anti-Malware, SuperAntiSpyware, Adaware - although the latter stops after a minute or so, generally on the ntuser.dat file - as well as others I've since discarded. I pick up Trojan.Agent and Trojan.Banker with the malwarebytes thing and remove them each time. I've also found Trojan.Dropper. Could be that there was a conflict causing false positives as somehow McAfee had got onto my machine (negligence I guess) but I've removed that now. I've stopped all the suspicious looking or spurious processes from starting up. Still it persists. AAAAAAAAAAAAAAAAAAAAAGH.
Could anyone help me - please?
I ran HijackThis and the result is below
Would be so grateful
Thanks
Chris

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:15:36, on 18/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Cobian Backup 9\cbService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.starbarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.starbarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Star - {4F5693B2-381B-4293-BBEE-0E7283B48034} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O23 - Service: Cobian Backup 9 service (CobianBackupAmanita) - Luis Cobian - C:\Program Files\Cobian Backup 9\cbService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

--
End of file - 6919 bytes

One additional piece of information which might be relevant. I followed someone's advice by running Ad-Aware, then Spybot S&D then Spyware Blaster in Safe mode and then subsequently found I couldn't run in Safe mode any more - and I still can't. When I F8 out of the starting sequence it just says sorry, last good config or start XP normally?

As before, be v grateful for help. Not trying to bump and understand if this takes me down the queue - just providing full information as best I can.

Chris

Merged posts. ~ OB

Hi
OK, now I actually read the instructions. I guess I'm a typical throw-the-instructions-away type.
Here's the DDS result below and I've also attached the Attach file as well as the RootRepeal. Again, I'm not trying to bump and understand if this shoves me down the list!
I do keep thinking I may have solved the problem in my ignorance - the Security Tool (I think) attached itself yesterday and the Malwarebytes tool got rid of it among 11 nasties. The redirect is still happening, darn it.
Look forward to hearing from you
Chris


DDS (Ver_09-10-26.01) - NTFSx86
Run by Rosalind at 16:53:56.60 on 22/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1318 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows System Defender *On-access scanning enabled* (Updated) {27BA207B-5933-44F0-BE8C-930400B01A29}
FW: Windows System Defender *enabled* {932986AD-9E84-4771-BF7D-A6BA7828F807}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Cobian Backup 9\cbService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Rosalind\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Star: {4f5693b2-381b-4293-bbee-0e7283b48034} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] e:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\rosalind\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek rtl8185 wireless lan driver and utility\RtWLan.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rosalind\applic~1\mozilla\firefox\profiles\5ycm0msu.default
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
FF - plugin: e:\program files\netscape6\nppl3260.dll
FF - plugin: e:\program files\netscape6\nprjplug.dll
FF - plugin: e:\program files\netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-18 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\cobian backup 9\cbService.exe [2009-11-16 583168]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-9-23 38144]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys --> c:\windows\system32\drivers\sp_rsdrv2.sys [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2008-4-14 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-29 108289]

=============== Created Last 30 ================

2009-11-21 17:09:09 0 d-----w- c:\program files\WinPcap
2009-11-18 22:44:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-18 22:40:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-18 22:40:30 0 d-----w- c:\program files\Lavasoft
2009-11-18 22:04:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-18 22:04:25 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-18 22:04:25 0 d-----w- c:\docume~1\rosalind\applic~1\SUPERAntiSpyware.com
2009-11-18 22:03:58 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-18 21:51:26 0 d--h--w- c:\windows\PIF
2009-11-18 21:23:00 0 d-----w- c:\docume~1\rosalind\applic~1\Uniblue
2009-11-16 23:07:20 0 d-----w- c:\program files\Cobian Backup 9
2009-11-10 23:14:13 118784 ------w- c:\windows\system32\MSSTDFMT.DLL
2009-11-10 23:14:13 1071088 ------w- c:\windows\system32\MSCOMCTL.OCX
2009-11-09 23:44:10 0 d-----w- c:\windows\pss
2009-11-09 21:42:52 36 ------w- c:\windows\rasqervy.dll
2009-11-09 21:42:51 8 ------w- c:\windows\sdfinacs.dll
2009-11-08 15:02:39 93360 ------w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-08 10:36:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-08 10:36:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-03 20:26:43 5 ----a-w- c:\windows\sdfixwcs.dll
2009-10-31 15:46:12 0 d-----w- c:\program files\Trend Micro
2009-10-31 13:47:50 0 d-----w- c:\program files\CCleaner
2009-10-30 01:02:56 0 d-----w- c:\docume~1\rosalind\applic~1\Malwarebytes
2009-10-30 01:02:47 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 01:02:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-30 01:02:42 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-10-30 01:02:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 00:36:55 0 d-sh--w- c:\docume~1\alluse~1\applic~1\0c72e9d

==================== Find3M ====================

2009-11-22 16:48:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-22 19:15:02 286720 ------w- c:\windows\Setup1.exe
2009-10-22 19:15:01 73216 ------w- c:\windows\ST6UNST.EXE
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\strmdll.dll

============= FINISH: 16:55:22.29 ===============

Merged posts. ~ OB

Edited by Orange Blossom, 22 November 2009 - 12:29 PM.
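A triage helper for reading reports like the two posted above, added here as an example; it is not code from the thread, from HijackThis or from DDS. It pulls out the entry types a helper reads first in these logs: browser search/start-page URLs whose host is not on the owner's list, BHO/toolbar COM registrations whose DLL is gone, Image File Execution Options entries (Windows launches the listed "debugger" in place of the named program), and Security Center AV/FW products the owner did not install. The sample lines are copied from the reports above; TRUSTED_HOSTS and KNOWN_PRODUCTS are assumed per-machine allowlists that an analyst fills in.

```python
import re
from urllib.parse import urlsplit

# Line shapes seen in the HijackThis (R0/R1, O2/O3) and DDS (uSearch/mSearch,
# BHO/TB, IFEO, AV/FW) reports above.
HJT_URL = re.compile(r"^R[01] - HK\w+\\.*?,(?P<key>[^=]+?) = (?P<url>\S+)$")
DDS_URL = re.compile(r"^[umd](?P<key>Search Bar|Search Page|Start Page|"
                     r"Default_Page_URL|Default_Search_URL) = (?P<url>\S+)$")
HJT_ADDON = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - "
                       r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
DDS_ADDON = re.compile(r"^(?:BHO|TB): (?:(?P<name>.*?): )?"
                       r"\{(?P<clsid>[0-9A-Fa-f-]+)\} -\s?(?P<path>.*)$")
IFEO = re.compile(r"^IFEO: (?P<image>.+?) - (?P<debugger>\S+)$")
SECURITY_CENTER = re.compile(r"^(?P<kind>AV|FW|AS): (?P<product>.*?) \*")

URL_KEYS = {"Search Bar", "Search Page", "Start Page",
            "Default_Page_URL", "Default_Search_URL"}
MISSING_FILE = {"", "(no file)", "no file"}


def _host(url):
    # DDS defangs URLs as hxxp/hxxps; restore the scheme so urlsplit sees a netloc.
    return urlsplit(re.sub(r"^hxxp", "http", url)).hostname or ""


def triage_line(line, trusted_hosts, known_products):
    """Return (category, detail) for a line worth a second look, else None."""
    line = line.strip()
    m = HJT_URL.match(line) or DDS_URL.match(line)
    if m and m.group("key").strip() in URL_KEYS:
        host = _host(m.group("url"))
        if host not in trusted_hosts:
            return ("search-hijack", f"{m.group('key').strip()} -> {host}")
        return None
    m = HJT_ADDON.match(line) or DDS_ADDON.match(line)
    if m:
        # A CLSID still registered but pointing at no file: leftover of a
        # removed (or half-removed) component, or a hook whose file moved.
        if m.group("path").strip().lower() in MISSING_FILE:
            name = m.group("name") or "(no name)"
            return ("dangling-addon", f"{name} {{{m.group('clsid')}}}")
        return None
    m = IFEO.match(line)
    if m:  # any IFEO debugger entry redirects execution; rare on a home PC
        return ("ifeo-debugger", f"{m.group('image')} -> {m.group('debugger')}")
    m = SECURITY_CENTER.match(line)
    if m and m.group("product") not in known_products:
        return ("unknown-security-product", f"{m.group('kind')}: {m.group('product')}")
    return None


def triage(report, trusted_hosts, known_products):
    """Run triage_line over a whole report and keep only the hits, in order."""
    hits = (triage_line(l, trusted_hosts, known_products) for l in report.splitlines())
    return [h for h in hits if h]


# Constructed sample: lines copied from the HijackThis and DDS reports in the
# thread (paths with their backslashes), mixed with benign entries.
SAMPLE_REPORT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.starbarsearch.com/?useie5=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://www.starbarsearch.com/?useie5=1&q=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Star - {4F5693B2-381B-4293-BBEE-0E7283B48034} - (no file)
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows System Defender *On-access scanning enabled* (Updated) {27BA207B-5933-44F0-BE8C-930400B01A29}
FW: Windows System Defender *enabled* {932986AD-9E84-4771-BF7D-A6BA7828F807}
"""

# Assumed per-machine allowlists: the hosts this owner's browser should point
# at (the BT Yahoo defaults are the ISP's) and the AV the owner installed.
TRUSTED_HOSTS = {"go.microsoft.com", "uk.red.clientapps.yahoo.com"}
KNOWN_PRODUCTS = {"AntiVir Desktop"}

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT, TRUSTED_HOSTS, KNOWN_PRODUCTS):
        print(f"{category:25} {detail}")
```

Every hit is a question for the owner, not a verdict: a toolbar the owner uninstalled by hand also leaves a dangling CLSID.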




#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Location:Finland

Posted 26 November 2009 - 03:09 AM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
Download GMER here by clicking the "download exe" button and then saving it to your desktop:
  • Double-click the .exe that you downloaded
  • Click the rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Chris Dobson
  • Topic Starter

  • Members
  • 8 posts

Posted 26 November 2009 - 04:55 AM

Hi

No worries about the delay. I really appreciate your getting back to me.

I tried to follow the instructions and attached the Attach.txt file to the topic along with the RootRepeal. Is the latter the same as the file you've asked for below? I can't tell from here - I'm not on my home machine now. I'll attach the DDS later. In the meantime, are you able to get anything useful from the files I've previously attached?

With best wishes

Chris

#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Location:Finland

Posted 26 November 2009 - 05:00 AM

Hi Chris,

DDS is the same tool you used earlier (I just want to see fresh logs), but GMER replaces RootRepeal here. I have to see those logs before further steps.



#5 Chris Dobson
  • Topic Starter

  • Members
  • 8 posts

Posted 26 November 2009 - 06:33 AM

OK great - I'll (re)run them tonight and attach them.

Finland eh?

Cheers

Chris

#6 Chris Dobson
  • Topic Starter

  • Members
  • 8 posts

Posted 26 November 2009 - 05:30 PM

OK, trouble. I installed the software, double clicked on it, ran DDS and....the machine restarted with an error on a driver, saying I had to boot from the disk. Can't find the bloody thing so borrowed someone else's for now - no idea if this will work obv - and it won't even let me boot from disk. Says

STOP: 0x0000007E (0x8053A593, 0xBACF3688, 0xBACF3384)

With a blue screen.

I can't use Safe mode as I mentioned previously. Damn damn damn! Any clues!

really need some help...

Chris

#7 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Location:Finland

Posted 27 November 2009 - 12:47 AM

Hi,

DDS shouldn't make any changes to your system. Did I understand right that you're not able to boot in any way?



#8 Chris Dobson
  • Topic Starter

  • Members
  • 8 posts

Posted 27 November 2009 - 05:05 AM

Hi
That's right. Can't boot at all - Safe mode doesn't work and it won't get past the blue screen. I've downloaded the new BIOS from the Gigabyte site and that hasn't fixed it. Wife very worried about her data! Have a work guy looking at it at lunchtime - he's suggesting installing a new version of XP alongside the old one to get it booted up and grab the data. Hopefully he'll have it covered: sure as heck it's in safer hands than mine...
I'll report back if a) it gets fixed without the hard drive being wiped (aaaaaaaaaagh no backup - tried to do it before all this but the Cobian (?) thing failed) and b) if I'm still getting the old malware problems
Thanks for being there
Chris

#9 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Location:Finland

Posted 27 November 2009 - 10:01 AM

Hi Chris,

You wrote:

OK, trouble. I installed the software, double clicked on it, ran DDS and....the machine restarted with an error on a driver, saying I had to boot from the disk. Can't find the bloody thing so borrowed someone else's for now - no idea if this will work obv - and it won't even let me boot from disk.


What is that software you installed? I need to know exactly what programs you ran before this thing happened.



#10 Chris Dobson
  • Topic Starter

  • Members
  • 8 posts

Posted 01 December 2009 - 05:37 AM

Hi
I put on GMER from the link you gave me. It may be immaterial - I have had another version of XP installed on my machine alongside the old one for the meantime and have recovered my files to an external hard disk. Need now to contact Arbico for the installation CD for my XP! Then I'll format and re-install - I guess it's a radical solution but that'll mean the end of the malware!
Thanks for your help anyway.
Chris

#11 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Location:Finland

Posted 01 December 2009 - 10:57 AM

Ok. Thanks for letting me know. Still, I think that the infection must have caused the issue. I have never heard of GMER causing endless BSODs (those errors on a blue background). Its run may end in a BSOD, but it should never continue after a reboot.





