
Google Redirect - Possible Rootkit


This topic is locked
12 replies to this topic

#1 esimms (Members, 12 posts)

Posted 25 November 2009 - 04:32 AM

After getting assistance and posting my logs in the "Am I Infected Forum" I was directed here.

Here is the original problem:

Sometimes when I search through google and click on the resulting links I am redirected to random sites. I looked around on some forums for what to do, and ended up downloading SpywareDoctor.

It identified Rootkit.tdss as a critical malware. I went ahead and purchased the full SpywareDoctor in order to remove it and other infections, and it did so. I thought this would have fixed the problem, but it did not. When I run Spyware Doctor now it doesn't show Rootkit.tdss anymore, but again the problem still exists.

Here are the logs that were produced, first RootRepeal:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/24 00:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: eamon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\eamon.sys
Address: 0x9CA7E000 Size: 770048 File Visible: No Signed: -
Status: -

Name: ehdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
Address: 0xA7FE0000 Size: 118784 File Visible: No Signed: -
Status: -

Name: epfwtdir.sys
Image Path: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
Address: 0x9ECAA000 Size: 102400 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF306000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Desktop\Microsoft
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\localstore.rdf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\parent.lock
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner.your-a846b26098\application data\mozilla\firefox\profiles\c46p3ve4.default\places.sqlite-journal
Status: Size mismatch (API: 386288, Raw: 181088)

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\prefs.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Owner.YOUR-A846B26098\Application Data\Mozilla\Firefox\Profiles\c46p3ve4.default\sessionstore.js
Status: Invisible to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8980a8a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6de22

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9e4ecdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9e4eece

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6e610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6e8c4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6cb14

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89809cb0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8980a0d0

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6ed30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6e0e2

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8980a6d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8980a4f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9e4e982

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8980a310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a1c7920]
Process: System Address: 0x89808930 Size: 1000

==EOF==

Here is the Win32kDiag log:

Running from: C:\Documents and Settings\Owner.YOUR-A846B26098\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner.YOUR-A846B26098\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

DDS/Hijack This:

DDS (Ver_09-11-24.02) - NTFSx86
Run by Owner at 2:29:36.39 on Wed 11/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.942 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\oracle\ora90\Apache\Apache\Apache.exe
c:\oracle\ora90\bin\ORACLE.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\HGRA\HGRA\ServiceMgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\oracle\ora90\Apache\jdk\bin\java.exe
C:\oracle\ora90\Apache\Apache\Apache.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HGRA\HGRA\e360SysTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MP4 Player\mp4Player.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\PROGRA~1\COMMON~1\AOL\114999~1\EE\AOLHOS~1.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\114999~1\EE\AOLServiceHost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner.YOUR-A846B26098\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4026E
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.2.7.dll
{57bfb484-11cc-4b96-b57a-dcd05ee40593}
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: WeatherBug Browser Bar - powered by MyWebSearch: {8eab99c9-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnyDVD] "c:\program files\slysoft\anydvd\AnyDVD.exe"
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [MP4 Player] "c:\program files\mp4 player\mp4Player.exe" hmw
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HostManager] c:\program files\common files\aol\1149992508\ee\AOLHostManager.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [e360SysTray] c:\program files\hgra\hgra\e360SysTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t configuration utility\wlan111t.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\npjpi150_11.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: honeywell.com\eshophcmo
Trusted Zone: honeywell.com\pki
Trusted Zone: honeywell.com\timeerp
DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} - hxxps://pki.honeywell.com/pki/VSApps/vspta3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnolkiG
Hosts: 91.212.127.227 esysprotector2009.com
Hosts: 91.212.127.227 www.esysprotector2009.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\c46p3ve4.default\
FF - prefs.js: browser.startup.homepage - espn.com
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-15 207280]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2008-7-9 2234320]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-16 112592]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-7-9 36400]
R2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\hgra\hgra\wengine\wmonitor.exe [2006-1-13 69692]
R2 OracleOraHome90HTTPServer;OracleOraHome90HTTPServer;c:\oracle\ora90\apache\apache\Apache.exe [2001-8-17 3584]
R2 OracleServiceHOME;OracleServiceHOME;c:\oracle\ora90\bin\oracle.exe home --> c:\oracle\ora90\bin\ORACLE.EXE HOME [?]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-7-9 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-7-9 671408]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-2 17536]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-9 17149]
R4 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys --> c:\windows\system32\drivers\ehdrv.sys [?]
R4 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys --> c:\windows\system32\drivers\epfwtdir.sys [?]
S0 egc12f6;egc12f6;\SystemRoot\\SystemRoot\System32\drivers\egc12f6.sys --> \SystemRoot\\SystemRoot\System32\drivers\egc12f6.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 xhhpyein;xhhpyein;c:\windows\system32\drivers\rnlzrfco.sys --> c:\windows\system32\drivers\rnlzrfco.sys [?]
S1 55a2324f.sys;55a2324f.sys;\??\c:\windows\system32\drivers\55a2324f.sys --> c:\windows\system32\drivers\55a2324f.sys [?]
S2 BlackICE;BlackICE;"c:\program files\network ice\blackice\blackd.exe" --> c:\program files\network ice\blackice\blackd.exe [?]
S2 gupdate1c9d3b282afc3f6;Google Update Service (gupdate1c9d3b282afc3f6);c:\program files\google\update\GoogleUpdate.exe [2009-5-13 133104]
S2 OracleOraHome90TNSListener;OracleOraHome90TNSListener;c:\oracle\ora90\bin\tnslsnr --> c:\oracle\ora90\bin\TNSLSNR [?]
S2 wacn;wacn;c:\windows\system32\drivers\znwkx.sys --> c:\windows\system32\drivers\znwkx.sys [?]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\athfmwdl.sys [2008-1-27 43392]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2005-1-9 14336]
S3 OracleOraHome90ClientCache;OracleOraHome90ClientCache;c:\oracle\ora90\bin\ONRSD.EXE [2001-8-14 425828]
S3 OracleOraHome90PagingServer;OracleOraHome90PagingServer;c:\oracle\ora90\bin\pagntsrv.exe [2001-8-28 52224]
S3 OracleOraHome90SNMPPeerEncapsulator;OracleOraHome90SNMPPeerEncapsulator;c:\oracle\ora90\bin\encsvc.exe [2001-8-16 189952]
S3 OracleOraHome90SNMPPeerMasterAgent;OracleOraHome90SNMPPeerMasterAgent;c:\oracle\ora90\bin\agntsvc.exe [2001-8-16 256512]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2007-10-9 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2007-10-9 24344]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-15 358600]
S3 xsSmartAgent;Visibroker Smart Agent;c:\oracle\ora90\bin\osagent.exe [2001-3-30 205312]
S4 black;black;c:\windows\system32\drivers\blackdrv.sys [2007-10-9 227285]

=============== Created Last 30 ================

2009-11-18 08:41:36 0 d-----w- c:\program files\Security Task Manager
2009-11-18 08:26:06 0 d-----w- c:\program files\IObit
2009-11-16 12:21:50 0 d-----w- c:\program files\Trend Micro
2009-11-16 07:51:46 98816 ----a-w- c:\windows\sed.exe
2009-11-16 07:51:46 77312 ----a-w- c:\windows\MBR.exe
2009-11-16 07:51:46 260608 ----a-w- c:\windows\PEV.exe
2009-11-16 07:51:46 161792 ----a-w- c:\windows\SWREG.exe
2009-11-16 07:00:38 883 ----a-w- c:\windows\RegSDImport.xml
2009-11-16 07:00:38 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-16 07:00:38 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-16 07:00:38 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-16 07:00:38 131 ----a-w- c:\windows\IDB.zip
2009-11-16 07:00:38 1152470 ----a-w- c:\windows\UDB.zip
2009-11-16 07:00:37 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-16 07:00:37 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-16 06:54:59 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-16 06:54:59 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-16 06:54:45 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-16 06:54:45 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-16 06:54:45 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-16 06:54:45 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-16 06:54:37 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-16 06:54:37 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-16 06:54:30 0 d-----w- c:\program files\Spyware Doctor
2009-11-16 06:54:30 0 d-----w- c:\program files\common files\PC Tools
2009-11-16 06:54:30 0 d-----w- c:\docume~1\owner~1.you\applic~1\PC Tools
2009-11-15 12:03:35 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-05 10:43:48 0 d-----w- C:\DVDMovie
2009-11-05 10:39:06 0 d-----w- c:\program files\Xvid
2009-11-05 10:39:04 0 d-----w- c:\program files\AoA DVD Ripper

==================== Find3M ====================

2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2003-06-20 10:05:04 49776 ----a-w- c:\windows\inf\usbhub20.sys
2003-06-20 10:05:04 24752 ----a-w- c:\windows\inf\hidclass.sys
2003-06-20 10:05:04 20688 ----a-w- c:\windows\inf\usbd.sys
2003-06-20 10:05:04 19728 ----a-w- c:\windows\inf\usbehci.sys
2003-06-20 10:05:04 138288 ----a-w- c:\windows\inf\usbport.sys

============= FINISH: 2:31:35.06 ===============

And the final log:

Volume in drive C has no label.
Volume Serial Number is 302B-8166

Directory of C:\WINDOWS\$NtUninstallKB968389$

08/10/2004 12:00 PM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/10/2004 12:00 PM 180,224 scecli.dll
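The two logs above carry the indicators a responder would act on, and they are easy to pull out mechanically. The following Python is an added triage example, written for this page; it is not output of RootRepeal or DDS, not a PC Tools or McAfee component, and not a script the helper supplied. It extracts: SSDT hooks whose owner RootRepeal prints as "<unknown>", checked against the "Hidden Code" region RootRepeal found in the System process; services whose driver file DDS marks "[?]" (it could not read the file on disk) combined with a second indicator, boot/system start or a service name that does not match the file name; any LSA authentication package beyond msv1_0, the only package a stock XP install lists; and hosts-file overrides. The log excerpts are copied from the posts above and trimmed. The 64 KB proximity window, the assumption that RootRepeal prints Size in hex, and the two-indicator rule are my choices.

```python
"""Triage of the RootRepeal and DDS logs posted above (added example, not
tool output or the helper's script). Thresholds and weights are mine."""
import re

# Copied from the posted logs, trimmed to the lines the heuristics act on.
ROOTREPEAL = r"""
SSDT
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8980a8a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9e6de22

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89809cb0

Stealth Objects
Object: Hidden Code [ETHREAD: 0x8a1c7920]
Process: System Address: 0x89808930 Size: 1000
"""

DDS = r"""
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnolkiG
Hosts: 91.212.127.227 esysprotector2009.com
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-15 207280]
S0 egc12f6;egc12f6;\SystemRoot\\SystemRoot\System32\drivers\egc12f6.sys --> \SystemRoot\\SystemRoot\System32\drivers\egc12f6.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 xhhpyein;xhhpyein;c:\windows\system32\drivers\rnlzrfco.sys --> c:\windows\system32\drivers\rnlzrfco.sys [?]
S1 55a2324f.sys;55a2324f.sys;\??\c:\windows\system32\drivers\55a2324f.sys --> c:\windows\system32\drivers\55a2324f.sys [?]
S2 wacn;wacn;c:\windows\system32\drivers\znwkx.sys --> c:\windows\system32\drivers\znwkx.sys [?]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2007-10-9 36676]
"""

HOOK = re.compile(r'^#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]*)"'
                  r' at address (0x[0-9a-f]+)', re.M | re.I)
HIDDEN = re.compile(r'^Object: Hidden Code \[ETHREAD: 0x[0-9a-f]+\]\n'
                    r'Process: (\S+) Address: (0x[0-9a-f]+) Size: ([0-9a-f]+)', re.M | re.I)
SERVICE = re.compile(r'^([RS])([0-4]) ([^;]+);([^;]*);(.*?)(?: --> (.*?))? \[([^\]]*)\]$', re.M)
LSA = re.compile(r'^LSA: Authentication Packages = (.*)$', re.M)
HOSTS = re.compile(r'^Hosts: (\S+) (\S+)$', re.M)


def ssdt_hooks(log):
    """(index, function, owner, target) for every hooked SSDT entry."""
    return [(int(i), fn, owner, int(a, 16)) for i, fn, owner, a in HOOK.findall(log)]


def hidden_code_regions(log):
    """(process, start, size) per 'Hidden Code' object. RootRepeal prints Size
    without a radix; hex is assumed here (1000 -> one 4 KB page)."""
    return [(p, int(s, 16), int(n, 16)) for p, s, n in HIDDEN.findall(log)]


def unowned_hooks(log, window=0x10000):
    """Hooks RootRepeal could not map to a loaded driver image, flagged when the
    hook target lies within `window` bytes of hidden kernel code (64 KB assumed)."""
    starts = [s for _, s, _ in hidden_code_regions(log)]
    out = []
    for idx, fn, owner, addr in ssdt_hooks(log):
        if owner == "<unknown>":
            near = any(abs(addr - s) <= window for s in starts)
            out.append({"index": idx, "function": fn, "target": hex(addr),
                        "near_hidden_code": near})
    return out


def _stem(path):
    """Lower-case file name without extension, from a DDS-style Windows path."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse_services(log):
    """One dict per R*/S* line; 'meta' is the bracketed date/size or '?'."""
    return [{"state": st, "start": int(n), "name": name, "file": res or path, "meta": meta}
            for st, n, name, _disp, path, res, meta in SERVICE.findall(log)]


def suspicious_services(log):
    """Entries DDS could not stat ('[?]') that also carry a second indicator.
    Reasons are kept so the analyst can see why each entry was flagged."""
    flagged = []
    for s in parse_services(log):
        reasons = []
        if s["meta"] == "?":
            reasons.append("file not readable on disk")
        if s["start"] <= 1:
            reasons.append("boot/system-start driver")
        svc = s["name"].lower()
        svc = svc[:-4] if svc.endswith(".sys") else svc
        if svc != _stem(s["file"]):
            reasons.append(f"service name does not match file {_stem(s['file'])}.sys")
        if s["meta"] == "?" and len(reasons) >= 2:
            flagged.append({"name": s["name"], "file": s["file"], "reasons": reasons})
    return flagged


def extra_lsa_packages(log, expected=("msv1_0",)):
    """Authentication packages beyond the XP default; LSASS loads each listed
    module at boot, so an extra entry is a persistence point."""
    m = LSA.search(log)
    return [p for p in m.group(1).split() if p not in expected] if m else []


def hosts_overrides(log):
    """(address, hostname) pairs DDS reports from the hosts file."""
    return HOSTS.findall(log)


if __name__ == "__main__":
    print(*unowned_hooks(ROOTREPEAL), *suspicious_services(DDS),
          extra_lsa_packages(DDS), hosts_overrides(DDS), sep="\n")
```

Run stand-alone it prints the flagged entries. The rule deliberately over-flags: Lbd carries the same missing-file, boot-start signature as egc12f6 and xhhpyein and lands in the same list, so every hit still has to be checked against the products actually installed on the machine before it is treated as part of the rootkit. What the script buys the responder is the short list, the reason for each entry, and the observation that the unattributed SSDT hooks all point into the same few kilobytes of pool as the hidden code block, which no legitimate driver image accounts for.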



#2 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 25 November 2009 - 09:15 AM

Hello esimms

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 esimms (Topic Starter, 12 posts)

Posted 25 November 2009 - 04:35 PM

Unfortunately, I have an even bigger problem now. Last night Windows Update automatically restarted my computer after the latest updates. Now the OS won't start; I can't even get into safe mode.

When I try safe mode, it shows the drivers being loaded, but stops there and can't load. One of the drivers it shows as being loaded is PCTCore.sys that is shown in rootrepeal log, could this be the problem?

If I re-install Windows XP, will that get past this? That is the only real thing I can think of.

#4 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 25 November 2009 - 08:20 PM

Hi that file is related to Spyware Doctor.

Let's try a few things before reinstalling, that is unless you just want to reinstall.
But give this a shot.
When booting the computer instead of choosing Safe Mode choose Last known good Configuration.
Let me know if that gets you into Windows.

#5 esimms (Topic Starter, 12 posts)

Posted 25 November 2009 - 08:46 PM

Yes, I'm for trying whatever before re-installing. I tried Last Known Good Configuration, and it still doesn't start.

#6 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 25 November 2009 - 08:50 PM

OK, please do the following:
=================
Download RC.ISO and burn it to a CD as an ISO image. You may need a burning tool like ISO Recorder to do this...be sure to get the version for your operating system.

Once you have burned this as an ISO image, insert the CD into the drive, and then restart the computer. Watch for the prompt to "Press any key to boot from cd" and press the spacebar when you see it. You may have to change the boot priority in BIOS Setup to accomplish this...we'll cross that bridge if we get to it.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console...by number (usually 1)
When you are prompted to do so, type the Administrator password. If you have not set an administrator password, leave it blank and just press "Enter".

When you get to the Recovery Console prompt, type cd \ and press "Enter".

Type cd system~1\_resto~1 and press "Enter".

Type dir and press "Enter".

After you press Enter you will see a list of folders (like rp1, rp2). If the list of restore points has more than one page, then press the "Enter" key until you reach the end of the list.

Type cd rp {number of the second to last folder in the list} and press "Enter".
Note: Example: cd rp9 if the last restore point is rp10

Type cd snapshot and press "Enter".

Type copy _registry_machine_system c:\windows\system32\config\system and press "Enter".

Type copy _registry_machine_software c:\windows\system32\config\software and press "Enter".

Type exit and press "Enter".

Your PC will reboot.

=======================

If you get an access denied error when doing the above, then do the following at the recovery console:

Type cd \ and press "Enter".

Type cd windows\system32\config and press "Enter".

Type ren system system.bak and press "Enter".

Type exit and press "Enter".

Your PC will reboot, go back into the Recovery Console and start from the beginning.
============================
After doing that, see if it gets you back into Windows.

#7 esimms (Topic Starter, 12 posts)

Posted 26 November 2009 - 05:39 AM

I could get to cd system~1\, but there was no _resto~1.

Also if i try cd \, cd windows, there is no windows.

#8 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 26 November 2009 - 08:34 AM

Not good. Thanks to that update, a reformat and reinstall is the only way to fix it.
You can also do a repair install that will at least keep your data but it still would be a good idea to back up your documents prior to doing this.
You can do this by reading the following tutorial:
http://www.howtogeek.com/howto/windows-vis...ndows-computer/

#9 esimms (Topic Starter, 12 posts)

Posted 27 November 2009 - 02:32 AM

I have a windows xp professional installation disk. Can I just do a completely new install? Can you help me with that?

#10 esimms (Topic Starter, 12 posts)

Posted 27 November 2009 - 02:55 AM

I went ahead and started a clean install, but it gives me a warning that I'm installing on partition that already has an os. I thought the clean install would remove the current windows xp? How should I proceed here.


#11 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 27 November 2009 - 07:16 AM

Hi, you will have to first delete the existing partition that Windows is installed on.
When you are presented with the partition layout, highlight the one that has C:\ beside it, then choose D to delete it, then L for confirmation.
Then it will format that partition.
Then you can select it to install Windows on after that.

Here are a few tutorials on it:
http://lifehacker.com/157578/geek-to-live-...xp-from-scratch
http://michaelstevenstech.com/cleanxpinstall.html

#12 esimms (Topic Starter, 12 posts)

Posted 30 November 2009 - 12:47 AM

I did a clean install and everything seems to be good. It was a nasty virus but my computer is running faster with the clean install so it's all good.

Thanks for all the help, especially the Ubuntu trick for saving all my important data from the hard drive.

#13 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 30 November 2009 - 07:38 AM

You are welcome.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



