
Ads being redirected on google search


This topic is locked
15 replies to this topic

#1 Ramblingace
  • Members
  • 18 posts

Posted 08 February 2010 - 02:23 PM

Hi! I'm new to bleeping computer and a bit lacking when it comes to computer security, etc so please bear with me.

Recently, for the last two days, many of my searches on Google are being redirected to random ad pages. In addition, I removed an aggressive malware called Your PC Protector (with the help of your forums, thank you!!!) yesterday, but I believe I might still have some type of trojan, virus or malware on my computer.

I ran Ad-Aware, SpyBot, CCleaner and Symantec Anti-virus but they are not finding anything.

I would really appreciate any help I can get because I am quite reliant on my laptop for work and these virus problems are killing me!

Thank you so much in advance!!!

In addition, here's my HijackThis logfile.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:13 PM, on 2/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\Updt347\spa.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 knocker
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Lynn H\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154378214305
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - https://register.resnet.stonybrook.edu/CAT/CNICAT.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://pdc.resnet.stonybrook.edu/sav/webinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{744FF731-0895-4135-838C-14AB80602D6E}: NameServer = 194.54.90.226
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: rakedolo.dll c:\windows\system32\vamozeje.dll c:\windows\system32\vihevavi.dll,janodewi.dll
O20 - Winlogon Notify: geBqQHXo - geBqQHXo.dll (file missing)
O20 - Winlogon Notify: jkklkhi - jkklkhi.dll (file missing)
O20 - Winlogon Notify: wvuvtrq - wvuvtrq.dll (file missing)
O21 - SSODL: gayomageh - {8aef92f9-e1eb-46f9-b8f0-fa2adaaa252b} - c:\windows\system32\vamozeje.dll (file missing)
O21 - SSODL: sawiyogiz - {c6a2cbf9-237e-4b28-a73f-f6a7f3dacfa8} - c:\windows\system32\vihevavi.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {8aef92f9-e1eb-46f9-b8f0-fa2adaaa252b} - c:\windows\system32\vamozeje.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {c6a2cbf9-237e-4b28-a73f-f6a7f3dacfa8} - c:\windows\system32\vihevavi.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13167 bytes




#2 fenzodahl512
  • Members
  • 6,738 posts

Posted 09 February 2010 - 10:26 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! If you can't complete this step.. tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
  • Please copy/paste below script into Custom Scans box
      CODE
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Ramblingace
  • Topic Starter
  • Members
  • 18 posts

Posted 10 February 2010 - 07:58 PM

Hi there! Thanks for the fast response and help.
I followed your instructions as directed but I could not finish the GMER program. For some reason, my computer kept freezing during the scan when it hit
C:\windows\system32\drivers\disk.sys (happened 3 times) so I was not able to finish that part of your instructions.

I have attached the log of the OTS.

If that is not enough I can try the GMER scan again.

Thank you!

Attached Files
  • OTS.Txt (302.49KB, 13 downloads)


#4 fenzodahl512
  • Members
  • 6,738 posts

Posted 11 February 2010 - 07:12 AM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

CODE
Begin copying here:
Files to delete:
c:\program files\skynet.dat
c:\windows\dfc71n19.dll
c:\windows\ejewasaxov.dll
c:\windows\izagehusucamunum.dll
c:\windows\scuian.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\29358.exe
c:\windows\system32\6334.exe
c:\windows\system32\qomgdddt.dll
c:\windows\system32\vamozeje.dll
c:\windows\system32\vihevavi.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.




NEXT


OTS Fix

Open OTS.. Copy/paste below into Paste Fix Here and then click on the Run Fix button.. Let it finish and reboot the computer.. Post the log here in your next reply..

CODE
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > (373161 bytes and 12910 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> 91.212.65.122 browser-security.microsoft.com ->
YN -> 91.212.65.122 spyware-protector-2009.com ->
YN -> 91.212.65.122 www.spyware-protector-2009.com ->
YN -> 91.212.65.122 secure.spyware-protector-2009.com ->
YN -> 91.212.65.122 knocker ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> rakedolo.dll c:\windows\system32\vamozeje.dll c:\windows\system32\vihevavi.dll ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> geBqQHXo ->
YN -> jkklkhi ->
YN -> wvuvtrq ->
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{8aef92f9-e1eb-46f9-b8f0-fa2adaaa252b}" [HKLM] -> C:\WINDOWS\System32\vamozeje.dll [gayomageh]
YY -> "{c6a2cbf9-237e-4b28-a73f-f6a7f3dacfa8}" [HKLM] -> C:\WINDOWS\System32\vihevavi.dll [sawiyogiz]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{8aef92f9-e1eb-46f9-b8f0-fa2adaaa252b}" [HKLM] -> C:\WINDOWS\System32\vamozeje.dll [tokatiluy]
YY -> "{c6a2cbf9-237e-4b28-a73f-f6a7f3dacfa8}" [HKLM] -> C:\WINDOWS\System32\vihevavi.dll [tokatiluy]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YY -> "%windir%\system32\drivers\svchost.exe" -> C:\WINDOWS\System32\drivers\svchost.exe [%windir%\system32\drivers\svchost.exe:*:Enabled:svchost]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "%windir%\system32\drivers\svchost.exe" -> C:\WINDOWS\System32\drivers\svchost.exe [%windir%\system32\drivers\svchost.exe:*:Enabled:svchost]
[Registry - Additional Scans - Safe List]
< Ext (Stats) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\
YY -> {51FFF8A3-A173-4763-862A-A645CB6A65D7} [HKLM] -> C:\WINDOWS\System32\qoMgddDt.dll [Reg Error: Value error.]
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
YN -> Winah18.sys ->
YN -> Windl08.sys ->
YN -> Winen76.sys ->
YN -> Wingo21.sys ->
YN -> Winhp10.sys ->
YN -> Winjr20.sys ->
YN -> Winmu54.sys ->
YN -> Winnw32.sys ->
YN -> Winqx35.sys ->
YN -> Winsa07.sys ->
YN -> Winwe07.sys ->
YN -> Winxg43.sys ->
< SafeBoot-Network Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
YN -> Winah18.sys ->
YN -> Windl08.sys ->
YN -> Winen76.sys ->
YN -> Wingo21.sys ->
YN -> Winhp10.sys ->
YN -> Winjr20.sys ->
YN -> Winmu54.sys ->
YN -> Winnw32.sys ->
YN -> Winqx35.sys ->
YN -> Winsa07.sys ->
YN -> Winwe07.sys ->
YN -> Winxg43.sys ->
[Files/Folders - Modified Within 90 Days]
NY ->  skynet.dat -> C:\Program Files\skynet.dat
NY ->  26962.exe -> C:\WINDOWS\System32\26962.exe
NY ->  29358.exe -> C:\WINDOWS\System32\29358.exe
NY ->  11478.exe -> C:\WINDOWS\System32\11478.exe
NY ->  15724.exe -> C:\WINDOWS\System32\15724.exe
NY ->  19169.exe -> C:\WINDOWS\System32\19169.exe
NY ->  26500.exe -> C:\WINDOWS\System32\26500.exe
NY ->  6334.exe -> C:\WINDOWS\System32\6334.exe
NY ->  18467.exe -> C:\WINDOWS\System32\18467.exe
[Files - No Company Name]
NY ->  skynet.dat -> C:\Program Files\skynet.dat
NY ->  26962.exe -> C:\WINDOWS\System32\26962.exe
NY ->  29358.exe -> C:\WINDOWS\System32\29358.exe
NY ->  11478.exe -> C:\WINDOWS\System32\11478.exe
NY ->  15724.exe -> C:\WINDOWS\System32\15724.exe
NY ->  19169.exe -> C:\WINDOWS\System32\19169.exe
NY ->  26500.exe -> C:\WINDOWS\System32\26500.exe
NY ->  6334.exe -> C:\WINDOWS\System32\6334.exe
NY ->  18467.exe -> C:\WINDOWS\System32\18467.exe
NY ->  izagehusucamunum.dll -> C:\WINDOWS\izagehusucamunum.dll
NY ->  scuian.dll -> C:\WINDOWS\scuian.dll
NY ->  DFC71n19.dll -> C:\WINDOWS\DFC71n19.dll
NY ->  ejewasaxov.dll -> C:\WINDOWS\ejewasaxov.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]





NEXT



Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)





Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



Post these logs in your next reply..

1. The Avenger
2. OTS
3. TDSSKiller
4. ComboFix

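The entries the OTS fix above removes are the same classes that stand out in the HijackThis log in the first post: O1 hosts redirects to a non-loopback address, the O17 NameServer, the O20 AppInit_DLLs and Winlogon Notify hooks, and O21/O22 shell objects whose DLL is missing. The following Python triage script is an added example, not part of this thread, of HijackThis or of OTS; the sample lines are copied from that log, and the trusted-resolver set is an assumption.

```python
"""Triage a HijackThis log for the hijack classes seen in this thread.

Added example: not part of the thread, of HijackThis or of OTS.
It flags O1 hosts entries that point a name at a non-loopback address,
an O17 NameServer outside an expected set, a populated O20 AppInit_DLLs
value, and O20 Winlogon Notify / O21 SSODL / O22 SharedTaskScheduler
entries whose DLL is reported missing.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "section reason line")

# Assumption: the resolvers the owner expects to see configured on this machine.
TRUSTED_NAMESERVERS = {"192.168.1.1"}

# Hosts entries pointing at these addresses are ordinary self-references
# (or deliberate sinkholing), not redirects to a third party.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: a subset of the log in the first post, plus a few
# benign lines so the triage has something to pass over.
SAMPLE_LOG = [
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 91.212.65.122 browser-security.microsoft.com",
    r"O1 - Hosts: 91.212.65.122 spyware-protector-2009.com",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{744FF731-0895-4135-838C-14AB80602D6E}: NameServer = 194.54.90.226",
    r"O20 - AppInit_DLLs: rakedolo.dll c:\windows\system32\vamozeje.dll c:\windows\system32\vihevavi.dll,janodewi.dll",
    r"O20 - Winlogon Notify: geBqQHXo - geBqQHXo.dll (file missing)",
    r"O21 - SSODL: gayomageh - {8aef92f9-e1eb-46f9-b8f0-fa2adaaa252b} - c:\windows\system32\vamozeje.dll (file missing)",
    r"O22 - SharedTaskScheduler: tokatiluy - {8aef92f9-e1eb-46f9-b8f0-fa2adaaa252b} - c:\windows\system32\vamozeje.dll (file missing)",
]


def split_appinit(value):
    """AppInit_DLLs is one string; Windows accepts spaces or commas between
    entries, which is why the single line in the log above names four DLLs."""
    return [d for d in re.split(r"[\s,]+", value.strip()) if d]


def triage(lines, trusted_ns=TRUSTED_NAMESERVERS):
    """Return a Finding for every line that matches one of the hijack classes."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"(O\d+) - (.*)$", line)
        if not m:
            continue  # R0/R1 and other sections are out of scope here
        section, rest = m.groups()
        if section == "O1":
            hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", rest)
            if hm and hm.group(1) not in LOOPBACK:
                findings.append(Finding(section, f"hosts file sends {hm.group(2)} to {hm.group(1)}", line))
        elif section == "O17":
            nm = re.search(r"NameServer\s*=\s*(.+)$", rest)
            if nm:
                rogue = [s for s in re.split(r"[\s,]+", nm.group(1)) if s and s not in trusted_ns]
                if rogue:
                    findings.append(Finding(section, "unexpected DNS resolver " + ", ".join(rogue), line))
        elif section == "O20":
            if rest.startswith("AppInit_DLLs:"):
                dlls = split_appinit(rest.split(":", 1)[1])
                if dlls:
                    findings.append(Finding(section, f"{len(dlls)} DLL(s) loaded into every user32 process via AppInit_DLLs", line))
            elif rest.startswith("Winlogon Notify:") and "(file missing)" in rest:
                findings.append(Finding(section, "Winlogon Notify hook whose DLL is gone", line))
        elif section in ("O21", "O22") and "(file missing)" in rest:
            findings.append(Finding(section, "shell service object whose DLL is gone", line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```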


#5 Ramblingace
  • Topic Starter
  • Members
  • 18 posts

Posted 11 February 2010 - 01:25 PM

Hi! For some reason, my computer is getting worse...I'm not sure why or how but it will not start up normally. When I started up my computer today I got this message:

A problem has been detected and Windows has been shut down to prevent damage to your computer......

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

.....

Technical Information
***STOP: 0x0000007E (0xC000001D, 0x80537008, 0xF79A0508, 0xF79A0204)


I tried restarting in Safe Mode but when I do, my computer freezes at multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\System32\Drivers\Mup.sys

This has never happened before and I am getting pretty worried!

Any help would be great. Thanks!

#6 fenzodahl512
  • Members
  • 6,738 posts

Posted 12 February 2010 - 04:55 AM

Hello, tell me, what's the last step you did before getting this mess



#7 Ramblingace
  • Topic Starter
  • Members
  • 18 posts

Posted 12 February 2010 - 06:04 PM

I tried the previous GMER program (the first time around) but I did not have time to follow your second set of instructions....

thanks

I think it's possible that my windows updated last night and that is why this has occurred...because my computer was fine the night before.

Edited by Ramblingace, 13 February 2010 - 12:46 AM.


#8 fenzodahl512
  • Members
  • 6,738 posts

Posted 14 February 2010 - 08:09 AM

QUOTE
I think it's possible that my windows updated last night and that is why this has occurred...because my computer was fine the night before.


Most probably due to the infected atapi.sys and a critical update

http://blogs.technet.com/msrc/archive/2010...g-ms10-015.aspx
http://www.krebsonsecurity.com/2010/02/new...ndows-xp-users/

From your explanation I assume you haven't done the OTS fixes yet, right? Do you have a Windows CD? I'm thinking of doing a "Repair Install" for your computer.. In the meantime please do the below, and then answer my question above.


From a clean computer I need you to do this...

We need to create some logs


First... After you have successfully burned the OTLPE ISO to disc, you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order
      • The tab should now show your current boot order.
        If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
      • Your PC should now boot from your CD.
  • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
      • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
      • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Ramblingace (Topic Starter, Members, 18 posts)

Posted 15 February 2010 - 01:52 PM

Hi! I tried running the burncdcc on another computer but it says "unable to find or allocate a writable CD/DVD device." Is this something wrong with my computer? (I used a dynex dvd-r to try and burn the cdcc program.)

Thanks for all your help!!!!


#10 Ramblingace (Topic Starter, Members, 18 posts)

Posted 15 February 2010 - 02:44 PM

Just tried a CD-R disk.... also the same message.

#11 fenzodahl512 (Members, 6,738 posts)

Posted 15 February 2010 - 07:17 PM

QUOTE
"unable to find or allocate a writable CD/DVD device."


Erm.. This is bad..

Ok, firstly we will attempt to do a "Repair Install" via USB drive (thumbdrive)..

You will need a "Windows XP SP2 CD" and a "4gb thumbdrive" to do this.. The explanation would be too long to type here, so I will give you three links for your reference..

http://www.bootdisk.com/pendrive.htm
http://articles.techrepublic.com.com/5100-22_11-5928902.html
http://www.weethet.nl/english/hardware_bootfromusbstick.php

Choose whichever tutorial suits you well and is easy to understand.. Make sure you set the first boot to USB via BIOS..

Below is the instruction on how to change boot order via BIOS, (the example is to boot from CD, just change it into boot from USB drive)

http://www.hiren.info/pages/bios-boot-cdrom


Then after you successfully create a bootable USB drive, please do a Repair Install via that USB drive.. Please refer below on how to do a "Repair Install"..

http://www.geekstogo.com/forum/How-to-repa...;p=489#entry489




#12 fenzodahl512 (Members, 6,738 posts)

Posted 15 February 2010 - 07:38 PM

One note.. BEFORE you try the "Repair Install", can you please do this via Windows CD (or Windows Bootable USB drive)?? If the step below still doesn't resolve the issue then please proceed with the "Repair Install" suggestion..


First, you'll need to enter the Recovery Console.. Visit the links below for its tutorial

http://pcsupport.about.com/od/fixtheproblem/ss/rconsole.htm
http://www.bleepingcomputer.com/tutorials/...l117.html#start


After you successfully enter the Recovery Console, please do the following.. (Taken from another site)..

http://social.answers.microsoft.com/Forums...bc-e292b69f2fd1

QUOTE
HERE IS THE PROBABLE SOLUTION: (Thanks to Maxyimus and Angel1776) - It worked for me fine.



Follow these steps:

1. Boot from your Windows XP CD or DVD and start the Recovery Console (see this link http://support.microsoft.com/default.aspx/kb/307654 on how to use recovery console)

Once you are in the Repair Screen..

2. Type this command: CHDIR $NtUninstallKB978262$\spuninst

3. Type this command: BATCH spuninst.txt

4. Type this command: systemroot

5. Repeat steps 2 - 4 for each of the following updates: (marked as the red ones)

* KB978262
* KB971468
* KB978037
* KB975713
* KB978251
* KB978706
* KB977165
* KB975560
* KB977914

6. When complete, type this command: exit

Your computer should restart and everything should be back to normal.

Good Luck Guys!



Please try the step above first before doing "Repair Install"


Regards
fenzodahl512

Edited by fenzodahl512, 15 February 2010 - 08:14 PM.

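As an added example, not part of this thread or of the quoted Microsoft Answers post: a small cmd batch file for the affected machine that reports which of the nine listed updates actually have their uninstall folder under %SystemRoot%. That tells you which repetitions of steps 2 to 4 apply to your PC and which CHDIR commands would fail because the folder is not there. The Recovery Console has no FOR command, so this is assumed to run from a normal Windows session (or Safe Mode) on the same PC; it only reads the disk and removes nothing.

```batch
@echo off
rem Added example (not from the thread): list which of the updates named in the
rem quoted procedure have an uninstall folder on this machine.
rem Assumption: run from a normal or Safe Mode Windows XP session, not from the
rem Recovery Console (which has no FOR command). Read-only; changes nothing.
setlocal

set "FOUND=0"
set "MISSING=0"

for %%K in (KB978262 KB971468 KB978037 KB975713 KB978251 KB978706 KB977165 KB975560 KB977914) do (
    rem Each uninstallable hotfix keeps its files in %SystemRoot%\$NtUninstall<KB>$\spuninst,
    rem and spuninst.txt is the batch file step 3 of the procedure runs.
    if exist "%SystemRoot%\$NtUninstall%%K$\spuninst\spuninst.txt" (
        echo %%K: uninstall data present - %SystemRoot%\$NtUninstall%%K$\spuninst
        set /a FOUND+=1
    ) else (
        echo %%K: not installed, or uninstall folder missing - skip this one
        set /a MISSING+=1
    )
)

echo.
echo %FOUND% update(s) can be rolled back with the procedure, %MISSING% cannot.
endlocal
```

Save it as a .bat file and run it from a Command Prompt; the output is one line per KB number in the same order as the quoted list, so you can tick off the ones to repeat in the Recovery Console.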


#13 Ramblingace (Topic Starter, Members, 18 posts)

Posted 16 February 2010 - 12:32 AM

Hey. Thanks for all your help so far even though I keep coming up with more and more problems apparently.

So far I completed all the steps you wrote above (rebooting floppy disk and USB drive) and changed the BIOS to USB when I realized that I don't have the Windows XP CD. I have a Dell Inspiron 1505 and it did not come with any CDs when I purchased it. All the programs were already in place..... do you know of any other options.....

Thanks

PS Again, thanks for all your help and sorry that I keep coming up with more problems for you!!!

#14 fenzodahl512 (Members, 6,738 posts)

Posted 16 February 2010 - 12:39 AM

Ok.. Let's do this one step at a time.. Since you actually don't have a Windows CD, let's begin with answering several questions so that I can understand more about the situation..

1. Do you have access to another clean computer on which you can burn a bootable CD.. You will need a blank CD to make it (a bit of a hassle but it's a must)
2. Do you have any friends/family/colleagues that actually have a Windows XP Professional CD? Doesn't matter which version as long as it's a Windows CD, as what we want to do is only enter the Recovery Console



#15 Ramblingace (Topic Starter, Members, 18 posts)

Posted 16 February 2010 - 02:14 AM

Hey fenzodahl512,

Please ignore my last thread. I gave up and called Windows to get it fixed. They basically gave me the same instructions that you just wrote so thanks for your help!

Also, ironically, maybe because of the Windows update (I am not sure actually why) my Google search is working fine without any ads being redirected.

Thanks for all your help in the meantime!
