
related problems? antivirus system pro, google redirect, blue screen on safe mode boot



#1 jamesr01


Posted 29 November 2009 - 04:54 PM

Hi, yesterday I got hit with the Antivirus System Pro / Netguard 2010 virus. As I tried to fix it, it was like peeling an onion. More problems continued to emerge. Here is a rundown:

My system briefly is a Dell notebook running XP.

What I've done so far is basically the 8-step virus/spyware removal plan on techspot.com with a few other things mixed in. I started off by running rkill. Then I installed and ran Malwarebytes Anti-Malware.

The name of my virus process was nstxsysguard.exe. Other posts have indicated that the 4 letter prefix is random. I located an NSTXSYSGUARD.EXE process in C:\WINDOWS\Prefetch and deleted it manually. It was also in C:\Documents and Settings\James\Local Settings\Application Data\tcwrwl

Then I ran the 8-step process (minus generating a HijackThis log):
- Installed and ran CCleaner twice.
- Temporarily disabled AVG Resident Shield
- Ran Malwarebytes Anti-Malware again
- Installed and ran SuperAntiSpyware free edition

Here is my current set of symptoms:
(1) Google redirect problem - when clicking on google links, get directed to unwanted sites, some with other viruses/malware
(2) There is a process called CLI.exe running that constantly takes up 50% cpu. Easy enough to kill it but no antivirus or spyware program finds and gets rid of it.
(3) When I boot up in safe mode, I immediately get a blue screen and can't do anything else, forcing me to only boot in normal mode. The blue screen looks weird - it only has two characters at the top left of the screen. The first is a sideways L character and the other is a question mark (?).

So that's where I'm at right now. Can't fix those three problems. Also to the people who can't get IE to work, I think the Antivirus System Pro virus changed your IE settings to use a manual proxy and unchecked the "automatically detect settings" radio box. So all I had to do to get back on the internet was go in and check that radio box again.

I hope someone can please help me out or point me in the right direction. I have Hijackthis installed now, but I haven't run it or tried to generate a log. Let me know if I should do this and post it. Thanks a lot for your help in advance!

--James R.


#2 sketch17


Posted 30 November 2009 - 01:20 AM

Hey James, I'm having the same issue with the odd blue screen and it started on the 28th, yesterday. I'm not sure where it came from, but all I remember doing was downloading Google Chrome and I had one BitTorrent going. When I try to start normally I get a BSOD with the stop error 0x00000024. I was thinking about running through and restoring the registry, but I'm not totally confident with myself to attempt changing files and such.

Also, like a moron, I restarted while the fake spy protection thing was running and didn't do the 8 steps like you, so I have no access to the start screen even w/ normal mode.

Please help! Anyone. :thumbsup:

-Dylan M.

Edit: I found this http://www.bleepingcomputer.com/virus-remo...irus-system-pro

That might help you, but it doesn't for me because I can't get past the Windows XP loading screen.

Edited by sketch17, 30 November 2009 - 01:27 AM.


#3 AustrAlien


Posted 30 November 2009 - 03:43 AM

@ jamesr01
Please go to Control Panel > Add-Remove Programs and uninstall your ATI Catalyst Control Center software (there is no need to uninstall the ATI drivers if/when you are offered the choice to do that): cli.exe is part of the ATI software and is not necessary to the running of your computer. It is of course legitimate software. I no longer install CCC software for this reason.
Let me know how things are running when you have done that, and we'll see what else we can do then.

Edit: Remove Antivirus System Pro (Uninstall Guide)
11/29/09 - Updated removal technique due to new protection system used by Antivirus System Pro
http://www.bleepingcomputer.com/virus-remo...irus-system-pro

@ sketch17
I suggest that you start your own new thread and describe your own situation as fully and as clearly as possible to receive help. It is not practical to attempt to assist two people with different problems in the same thread.
Thank you. (PM me ... if you wish ... when you have done that and I will have a look at your situation)

Edited by AustrAlien, 30 November 2009 - 04:00 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#4 jamesr01


Posted 30 November 2009 - 08:53 PM

Thanks for your help - I deleted the ATI stuff and now CLI.exe is gone.

However, the Google redirect and blue screen on safe mode boot problems remain. Based on what the admins were telling other people to do, I have generated three log files: (1) from GooredFix, (2) from SmitFraudFix, and (3) from RootRepeal. I'm posting them below:





GooredFix by jpshortstuff (27.11.09.1)
Log created at 19:42 on 30/11/2009 (James)
Firefox version 2.0.0.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
talkback@mozilla.org [00:26 31/08/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:26 31/08/2007]
{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} [07:06 06/09/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [04:53 04/11/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:22 09/11/2009]

-=E.O.F=-





SmitFraudFix v2.424

Scan done at 19:15:32.13, Mon 11/30/2009
Run from C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\James


C:\DOCUME~1\James\LOCALS~1\Temp


C:\Documents and Settings\James\Application Data


Start Menu


C:\DOCUME~1\James\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.166
DNS Server Search Order: 68.87.74.166

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9B8E217A-3A83-48E2-8B51-83D193260A0C}: DhcpNameServer=68.87.68.166 68.87.74.166
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9B8E217A-3A83-48E2-8B51-83D193260A0C}: DhcpNameServer=68.87.68.166 68.87.74.166
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.166 68.87.74.166
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.166 68.87.74.166


Scanning for wininet.dll infection


End







ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/30 19:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB27BA000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\tempfile
Status: Allocation size mismatch (API: 24559616, Raw: 0)

Path: c:\documents and settings\all users\application data\avg9\chjw\cm-2-i.dat
Status: Size mismatch (API: 104976, Raw: 10936)

Path: c:\documents and settings\all users\application data\avg9\chjw\cm-2-p.dat
Status: Size mismatch (API: 1420736, Raw: 1370136)

==EOF==

#5 jamesr01


Posted 01 December 2009 - 02:57 AM

I just ran DrWeb-CureIt (Express and Full Scans) and it found BackDoor.Tdss.565 and eradicated it. Does this mean that I have the really bad rootkit that everyone else has? What do I do now?

Here is the DrWeb Log for Express Scan:

Process in memory: C:\WINDOWS\system32\svchost.exe:208;;BackDoor.Tdss.565;Eradicated.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;


Here is the full scan log:

3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
Process.exe;C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus\SmitfraudFix;Tool.ShutDown.14;;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
A0023238.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP208;Trojan.Click.1487;Deleted.;
A0023251.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP208;Trojan.Click.1487;Deleted.;

#6 AustrAlien


Posted 01 December 2009 - 04:59 AM

There is no obvious problem shown in your RootRepeal log, but do the following as a double-check.
Step 1 Please run Win32kDiag: This tool will create a diagnostic report.

Download Win32kDiag.exe by AD and save it to your Desktop.
alternate download 1
alternate download 2

* Double-click on Win32kDiag.exe to run and let it finish.
* When it states Finished! Press any key to exit ..., press any key on your keyboard to close the program.
* A file called Win32kDiag.txt should be created on your Desktop.
* Open that file in Notepad and copy/paste the entire contents (from Starting up ... to Finished! Press any key to exit ...) in your next reply.

Step 2
Click Start > Run > and type "cmd" and press <ENTER>
Copy/paste the following code (Do NOT copy the word "Code:") at the prompt, and press <ENTER>
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Peek.txt & START notepad Peek.txt
A file called Peek.txt should be created on your Desktop, and will open in Notepad.
Copy/paste the contents in your next reply.
(Close the Peek.txt window. In the command window, type "exit" at the command prompt and press <ENTER> to close the command window.)
------------------------------------

From what you have said, your system is stable and running without any problems (other than the ones you have mentioned). I will therefore ask you to do the following at this time ....
Export SafeBoot key for diagnosis
Let's have a look at your SafeBoot registry key.

* Click Start > Run
* Copy/paste the following code (Do NOT copy the word "Code:") in the open "Run" box and press <ENTER>
regedit /e C:\SafeBootK.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
* Double-click/Open My Computer and then navigate to C:\ drive
* In there, you should see a file called SafeBootK.txt
* Double-click it to open the file with Notepad.
* Copy/paste the whole contents of SafeBootK.txt in your next reply please.
AustrAlien
Google is my friend. Make Google your friend too.
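The SafeBoot comparison AustrAlien does by eye in this thread can be automated. The following is an added example, not a tool from the thread or from BleepingComputer: it parses a regedit /e dump of the SafeBoot key and reports baseline entries that are missing or carry the wrong default value. The trimmed sample export and the baseline subset are constructed for the example (two entries are deliberately left out of the sample so the check has something to report); a real C:\SafeBootK.txt is UTF-16, so read it with encoding="utf-16".

```python
import re

# Constructed sample in the regedit /e format of the export posted in this
# thread, trimmed to a handful of entries. Minimal\vga.sys and Network\Tcpip
# are left out on purpose so the comparison has something to report.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS]
@="Driver Group"
"""

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Baseline subset (subkey -> expected default value), taken from the full
# export posted in this thread. For a real check, paste the complete list here.
EXPECTED = {
    "Minimal": {"Base": "Driver Group", "vga.sys": "Driver", "vgasave.sys": "Driver"},
    "Network": {"Base": "Driver Group", "NDIS": "Driver Group", "Tcpip": "Service"},
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_safeboot_export(text):
    """Return {"Minimal": {subkey: default}, "Network": {...}} from a regedit /e dump."""
    found = {"Minimal": {}, "Network": {}}
    current = None  # (mode, subkey) of the key whose values are being read
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = None
            path = m.group(1)
            if path.lower().startswith(SAFEBOOT_ROOT.lower() + "\\"):
                rel = path[len(SAFEBOOT_ROOT) + 1:].split("\\", 1)
                if len(rel) == 2 and rel[0] in found:
                    current = (rel[0], rel[1])
                    found[rel[0]].setdefault(rel[1], None)
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            found[current[0]][current[1]] = m.group(1)
    return found


def check_safeboot(found, expected=EXPECTED):
    """List (mode, subkey, problem) for baseline entries that are missing or wrong."""
    problems = []
    for mode, entries in expected.items():
        # Registry key names are case-insensitive, so compare lower-cased.
        present = {k.lower(): v for k, v in found.get(mode, {}).items()}
        for name, value in entries.items():
            if name.lower() not in present:
                problems.append((mode, name, "missing"))
            elif present[name.lower()] != value:
                problems.append((mode, name, "default is %r, expected %r"
                                 % (present[name.lower()], value)))
    return problems


if __name__ == "__main__":
    # For a real export: text = open(r"C:\SafeBootK.txt", encoding="utf-16").read()
    for mode, name, problem in check_safeboot(parse_safeboot_export(SAMPLE_EXPORT)):
        print("%s\\%s: %s" % (mode, name, problem))
```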


#7 jamesr01


Posted 02 December 2009 - 03:20 AM

Here's the Win32Diag log:

Running from: C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus\Win32kDiag.exe

Log file at : C:\Documents and Settings\James\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

----

Here's the Peek log:

Volume in drive C has no label.
Volume Serial Number is 9026-C1CD

Directory of C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7

04/13/2008 18:12 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7

04/13/2008 18:11 56,320 eventlog.dll
2 File(s) 237,568 bytes

Directory of C:\WINDOWS\system32

08/10/2004 04:00 180,224 scecli.dll

Directory of C:\WINDOWS\system32

08/10/2004 04:00 55,808 eventlog.dll
2 File(s) 236,032 bytes

Total Files Listed:
4 File(s) 473,600 bytes
0 Dir(s) 16,146,354,176 bytes free
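The Peek listing above is small enough to read by hand, but the same check is easy to script. This is an added example (not from the thread or from BleepingComputer): it parses the DIR /a/s output that the Peek command produces, records every copy of the three DLLs it finds, and reports which of them are absent or not present in system32. The sample listing is constructed in the shape of the Peek.txt posted above, with US-format dates as on this system, and it deliberately has no netlogon.dll line.

```python
import re

# Constructed sample in the shape of the Peek.txt posted above: a DIR /a/s
# listing of the three DLLs. It carries no netlogon.dll line, which is the
# gap the parser should surface.
SAMPLE_PEEK = """ Volume in drive C has no label.
 Volume Serial Number is 9026-C1CD

 Directory of C:\\WINDOWS\\SoftwareDistribution\\Download\\79123dd72d0f61d4ed8c7a816ed338d7

04/13/2008  18:12           181,248 scecli.dll

 Directory of C:\\WINDOWS\\SoftwareDistribution\\Download\\79123dd72d0f61d4ed8c7a816ed338d7

04/13/2008  18:11            56,320 eventlog.dll
               2 File(s)        237,568 bytes

 Directory of C:\\WINDOWS\\system32

08/10/2004  04:00           180,224 scecli.dll

 Directory of C:\\WINDOWS\\system32

08/10/2004  04:00            55,808 eventlog.dll
               2 File(s)        236,032 bytes

     Total Files Listed:
               4 File(s)        473,600 bytes
"""

# The DLLs the Peek command asks DIR to search for.
WANTED = ("scecli.dll", "netlogon.dll", "eventlog.dll")

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date  time  size (with thousands separators)  name; "<DIR>" rows do not match
FILE_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_peek(text):
    """Map each wanted DLL name to a list of (directory, size_in_bytes) hits."""
    hits = {name: [] for name in WANTED}
    directory = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            directory = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and directory is not None:
            name = m.group(2).lower()
            if name in hits:
                hits[name].append((directory, int(m.group(1).replace(",", ""))))
    return hits


def review_peek(hits, system32=r"C:\WINDOWS\system32"):
    """Return {dll: status} with status 'absent', 'not in system32' or 'present'."""
    status = {}
    for name in WANTED:
        copies = hits.get(name, [])
        if not copies:
            status[name] = "absent"
        elif not any(d.lower() == system32.lower() for d, _ in copies):
            status[name] = "not in system32"
        else:
            # Extra copies under SoftwareDistribution are the update cache and
            # differ in size from the installed file; that alone is not a finding.
            status[name] = "present"
    return status


if __name__ == "__main__":
    for dll, state in review_peek(parse_peek(SAMPLE_PEEK)).items():
        print("%-13s %s" % (dll, state))
```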

#8 jamesr01


Posted 02 December 2009 - 03:27 AM

And here's the SafeBootK log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

#9 AustrAlien


Posted 02 December 2009 - 03:38 AM

Win32kDiag shows clean of rootkits.

I am not quite sure what to make of the Peek log just yet: there seems to be a little missing ... like a netlogon.dll file. Will check that out.

Your SafeBoot key is all there and matches up nicely with what should be there! So, that is not the reason you can't load Safe Mode. It looks like malware is blocking access to it some other way.
AustrAlien
Google is my friend. Make Google your friend too.


#10 jamesr01


Posted 03 December 2009 - 05:33 PM

Hi, I just wanted to say thanks for your help so far. Yeah, malware blocking safe mode sounds plausible to me too. Please let me know if you have any new ideas on how to fix the Google redirect issue or the safe mode boot issue.

Reading these forums, it looks like lots of people are getting this Google redirect bug. Has anyone successfully gotten rid of it yet? If so, how did they do it?

--James

#11 jamesr01


Posted 04 December 2009 - 12:27 AM

I was again reading about people having similar problems to mine in other forums. Someone recommended running an application called TDSSKiller (from the Kaspersky site). So I tried this and here is the end of the log that was generated:


23:8:47:921 1300 DetectCureTDL3: All IRP handlers pointed to one addr: 87100618
23:8:47:921 1300 KLMD_ReadMem: Trying to ReadMemory 0x87100618[0x400]
23:8:47:921 1300 TDL3_HookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
23:8:47:921 1300 Driver atapi infected by TDSS rootkit ... 23:8:47:921 1300 TDL3_HookCure: Processing driver in memory: atapi
23:8:47:921 1300 KLMD_WriteMem: Trying to WriteMemory 0x8710067D[0xD]
23:8:47:921 1300 cured
23:8:47:921 1300 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
23:8:47:921 1300 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
23:8:47:937 1300
Completed

Results:
23:8:47:937 1300 Infected / Cured drivers in memory: 1 / 1
23:8:47:937 1300 Infected / Cured drivers on disk: 0 / 0
23:8:47:937 1300 Files deleted on next reboot: 0
23:8:47:937 1300 Registry nodes deleted on next reboot: 0
23:8:47:937 1300


So then I rebooted my machine. I went to google and some of my searches were still being redirected and I still couldn't boot in safe mode. So I tried running TDSSKiller again and it did the exact same thing (cured the same TDSS rootkit in atapi.sys). So I guess that means that this thing somehow keeps regenerating itself after it has been cured.

I'm still open to suggestions...
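The TDSSKiller log above contains the detail that explains the reinfection: the driver was cured in memory (1 / 1) but nothing was changed on disk (0 / 0) and nothing was queued for deletion at reboot, so whatever loads the rootkit at boot is still in place. The following is an added triage script, not something from the thread or from Kaspersky; the log format is inferred from the lines posted above and the sample log is constructed from them.

```python
"""Triage a TDSSKiller log: did the cure touch disk, or only memory?

Added example (not from the thread or from Kaspersky); the line layout is
inferred from the log posted above and SAMPLE_LOG is constructed from it.
"""
import re
from typing import Dict, Tuple

# Constructed sample, modelled on the TDSSKiller output posted in this thread.
SAMPLE_LOG = """\
23:8:47:921 1300 DetectCureTDL3: All IRP handlers pointed to one addr: 87100618
23:8:47:921 1300 Driver atapi infected by TDSS rootkit ... 23:8:47:921 1300 TDL3_HookCure: Processing driver in memory: atapi
23:8:47:921 1300 cured
23:8:47:921 1300 TDL3_FileDetect: Processing driver file: C:\\WINDOWS\\system32\\Drivers\\atapi.sys
23:8:47:937 1300 Infected / Cured drivers in memory: 1 / 1
23:8:47:937 1300 Infected / Cured drivers on disk: 0 / 0
23:8:47:937 1300 Files deleted on next reboot: 0
23:8:47:937 1300 Registry nodes deleted on next reboot: 0
"""

# Every line starts with "h:m:s:ms pid"; strip that before matching.
_PREFIX = re.compile(r"^\d+:\d+:\d+:\d+\s+\d+\s+")
_INFECTED = re.compile(r"Driver (\S+) infected by TDSS rootkit")
_COUNTS = re.compile(r"Infected / Cured drivers (in memory|on disk): (\d+) / (\d+)")
_PENDING = re.compile(r"(Files|Registry nodes) deleted on next reboot: (\d+)")
_ONE_ADDR = re.compile(r"All IRP handlers pointed to one addr: ([0-9A-Fa-f]+)")


def parse_tdsskiller(text: str) -> Dict[str, object]:
    """Pull the facts that matter for triage out of the log text."""
    facts: Dict[str, object] = {
        "drivers": [],          # driver names reported as infected
        "memory": (0, 0),       # (infected, cured) in memory
        "disk": (0, 0),         # (infected, cured) on disk
        "pending_deletes": 0,   # files + registry nodes queued for next reboot
        "hook_addr": None,      # address all IRP handlers were redirected to
    }
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.strip())
        m = _INFECTED.search(line)
        if m:
            if m.group(1) not in facts["drivers"]:
                facts["drivers"].append(m.group(1))
            continue
        m = _COUNTS.match(line)
        if m:
            key = "memory" if m.group(1) == "in memory" else "disk"
            facts[key] = (int(m.group(2)), int(m.group(3)))
            continue
        m = _PENDING.match(line)
        if m:
            facts["pending_deletes"] += int(m.group(2))
            continue
        m = _ONE_ADDR.search(line)
        if m:
            facts["hook_addr"] = m.group(1)
    return facts


def assess(facts: Dict[str, object]) -> Tuple[str, str]:
    """Return (verdict, explanation).

    A cure that only un-hooked the driver's IRP handlers in RAM, with nothing
    changed on disk and nothing queued for deletion at reboot, has not removed
    what loads the rootkit at boot; the next scan after a reboot will report
    the same infection again.
    """
    mem_inf, mem_cured = facts["memory"]
    disk_inf, disk_cured = facts["disk"]
    if mem_inf == 0 and disk_inf == 0:
        return "clean", "no TDSS activity reported"
    if mem_inf and disk_inf == 0 and facts["pending_deletes"] == 0:
        return ("reinfection-likely",
                "driver(s) %s patched in memory only; no on-disk change or "
                "reboot-time deletion, so the boot-time loader is still present"
                % ", ".join(facts["drivers"]))
    if (mem_inf - mem_cured) or (disk_inf - disk_cured):
        return "partial", "some infected drivers were not cured"
    return "cured-on-disk", "infected driver(s) replaced on disk; re-scan after reboot"


if __name__ == "__main__":
    verdict, why = assess(parse_tdsskiller(SAMPLE_LOG))
    print(verdict, "-", why)
```

Run against the posted log this returns the "reinfection-likely" verdict, which is exactly what the second TDSSKiller run then confirmed; the useful signal for a responder is the gap between the "in memory" and "on disk" counters, not the word "cured".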

#12 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:54 PM

Posted 04 December 2009 - 01:07 AM

Let's start with the following and see what these logs look like now ...
Please use the instructions provided in post #2 by garmanma at the following link, to run MBAM (Quick Scan), ATF Cleaner, SAS and Dr.Web CureIt!
http://www.bleepingcomputer.com/forums/ind...t&p=1499922

*Remember to update MBAM & SAS before running each scan, and to download and use the latest version of Dr.Web CureIt!
If you can't access Safe Mode, when the instructions call for doing so, just use Windows in normal mode.
Remove all problems found: Then post the logs from each of the scans (no log from ATF Cleaner).

Follow that up with a Full Scan by MBAM, remove any problems found, and post the log from that too.
Please restart your computer after each scan, whether asked to or not.
AustrAlien
Google is my friend. Make Google your friend too.


#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 AM

Posted 04 December 2009 - 09:41 AM

NOTE: Malwarebytes Anti-Malware was updated to v1.42 yesterday. Please ensure you download and install the most current version from here if you already have the previous or an older version installed.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and rename it to wuauclt.exe. Then double-click on it to run.

IMPORTANT NOTE: One or more of the identified infections was related to a nasty variant of the TDSSSERV rootkit also known as Backdoor.Tidserv.

Your previous logs show evidence of:

Process in memory: C:\WINDOWS\system32\svchost.exe:208;;BackDoor.Tdss.565;Eradicated.;
23:8:47:921 1300 Driver atapi infected by TDSS rootkit ... 23:8:47:921 1300 TDL3_HookCure


Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit.
The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#14 jamesr01

jamesr01
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 06 December 2009 - 01:36 AM

Here are my logs. I should note that I have a new symptom now. When I do a google search, the search results come up but another instance of the browser also comes up. Sometimes it displays an error, sometimes it displays a different website. The error page says:

404 Bad Request
Google Error. Bad Request. Your client has issued a malformed or illegal request.


MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3298
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/5/2009 1:11:04 AM
mbam-log-2009-12-05 (01-11-04).txt

Scan type: Quick Scan
Objects scanned: 114147
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/05/2009 at 03:05 AM

Application Version : 4.31.1000

Core Rules Database Version : 4338
Trace Rules Database Version: 2191

Scan type : Complete Scan
Total Scan Time : 01:42:36

Memory items scanned : 461
Memory threats detected : 0
Registry items scanned : 5942
Registry threats detected : 1
File items scanned : 128084
File threats detected : 0

Trojan.Agent/Gen
HKU\S-1-5-21-2741033699-2205035124-1307431378-1005\Software\Microsoft\Windows\CurrentVersion\Run#ttool [ C:\WINDOWS\srcdll.exe ]


DrWebCureIt log:

Process in memory: C:\WINDOWS\System32\WLTRYSVC.EXE:128;;BackDoor.Tdss.565;Eradicated.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\James\Desktop\antivirus_28nov09\antivirus;Archive contains infected objects;Moved.;
A0024147.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP213\A0024147.exe;Tool.Prockill;;
A0024147.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP213\A0024147.exe;Tool.ShutDown.14;;
A0024147.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP213;Archive contains infected objects;Moved.;

Edited by jamesr01, 06 December 2009 - 12:59 PM.
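The three logs in this post mix findings of very different weight: a backdoor eradicated from a running process, a Run-key autostart entry pointing at an executable in the Windows folder, and "Tool." detections on the SmitfraudFix utility the poster had downloaded himself. The script below is an added example of triaging such lines; it is not code from the thread, from Dr.Web or from SUPERAntiSpyware. The field layouts are inferred from the log lines posted above, the sample lines are constructed from them, and the SID in the SAS sample is a placeholder.

```python
"""Triage Dr.Web CureIt! and SUPERAntiSpyware (SAS) log lines.

Added example (not from the thread, Dr.Web or SAS). Field layouts are inferred
from the lines posted above; the samples are constructed and the SID is a
placeholder.
"""
import re
from typing import Dict, List

# Constructed, modelled on the Dr.Web CureIt! lines in the post above. Layout:
# object;path;threat;action;  (a "Process in memory:" object carries no path)
DRWEB_SAMPLE = """\
Process in memory: C:\\WINDOWS\\System32\\WLTRYSVC.EXE:128;;BackDoor.Tdss.565;Eradicated.;
SmitfraudFix.exe\\SmitfraudFix\\Process.exe;C:\\Documents and Settings\\James\\Desktop\\antivirus\\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe;C:\\Documents and Settings\\James\\Desktop\\antivirus;Archive contains infected objects;Moved.;
"""

# Constructed, modelled on the SAS registry finding in the post above.
SAS_SAMPLE = """\
Trojan.Agent/Gen
HKU\\S-1-5-21-PLACEHOLDER-1005\\Software\\Microsoft\\Windows\\CurrentVersion\\Run#ttool [ C:\\WINDOWS\\srcdll.exe ]
"""


def classify_threat(name: str) -> str:
    """Map a Dr.Web detection name to a triage class by its family prefix."""
    if name.startswith("BackDoor."):
        return "backdoor"
    if name.startswith("Tool."):
        return "riskware-tool"      # process killers, reboot helpers: a tool, not malware
    if name.startswith("Archive contains"):
        return "container"          # the archive itself, flagged because of its contents
    return "malware"


def triage_drweb(text: str) -> List[Dict[str, object]]:
    """Parse semicolon-separated Dr.Web lines into structured findings."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(";")
        if len(fields) < 4:
            continue
        obj, path, threat, action = fields[0], fields[1], fields[2], fields[3]
        in_memory = obj.startswith("Process in memory:")
        if in_memory:
            obj = obj[len("Process in memory:"):].strip()
        findings.append({
            "object": obj,
            "path": path,
            "threat": threat,
            "class": classify_threat(threat),
            "in_memory": in_memory,
            "remediated": bool(action.strip()),   # empty action = nothing done to this object
        })
    return findings


# "HIVE\key\path#ValueName [ target ]" as SAS prints registry hits.
_SAS_RUN = re.compile(r"^(HK\w+)\\(.+)#(\S+)\s+\[\s*(.+?)\s*\]\s*$")


def parse_sas_registry(text: str) -> List[Dict[str, object]]:
    """Return registry entries SAS reported, with the executable each one launches."""
    entries: List[Dict[str, object]] = []
    threat = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SAS_RUN.match(line)
        if not m:
            threat = line           # a bare line names the detection that follows it
            continue
        hive, key, value, target = m.groups()
        entries.append({
            "threat": threat or "",
            "hive": hive,
            "key": key,
            "value": value,
            "target": target,
            "autostart": key.lower().endswith("\\currentversion\\run"),
        })
    return entries


def summarize(drweb: List[Dict[str, object]], sas: List[Dict[str, object]]) -> Dict[str, int]:
    """Counts a responder actually cares about, tool noise set aside."""
    real = [f for f in drweb if f["class"] in ("backdoor", "malware")]
    return {
        "real_malware": len(real),
        "tool_detections": sum(1 for f in drweb if f["class"] == "riskware-tool"),
        "unremediated": sum(1 for f in real if not f["remediated"]),
        "autostart_entries": sum(1 for e in sas if e["autostart"]),
    }


if __name__ == "__main__":
    print(summarize(triage_drweb(DRWEB_SAMPLE), parse_sas_registry(SAS_SAMPLE)))
```

On the posted logs this leaves one real finding from Dr.Web (the backdoor in a running process, already eradicated) and one autostart entry from SAS; the SmitfraudFix hits are the poster's own removal tool being flagged as riskware and can be set aside when judging whether the machine is clean.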


#15 jamesr01

jamesr01
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 06 December 2009 - 01:41 AM

Well, I've been trying to read about rootkits a little bit. It seems like I have to be able to "work outside my system" in some way to be able to get rid of it. Do you know if there is a way to fix it using BartPE or one of these other "lightweight" versions of Windows XP that can run from a CD or thumbdrive?



