
Google search redirects & regedit, cmd won't run, AVG will not update


This topic is locked
114 replies to this topic

#31 pawilderness (Topic Starter, Members, 65 posts)

Posted 21 March 2010 - 02:03 PM

The link to the site was blocked from the infected PC, so I downloaded it from the laptop and emailed the file to an account on the other, then unzipped it so both TDSSKiller.exe and eula.txt were on the desktop, then ran your command.

Below: contents of TDSSKiller.txt



14:58:22:296 2812 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
14:58:22:296 2812 ================================================================================
14:58:22:296 2812 SystemInfo:

14:58:22:296 2812 OS Version: 5.1.2600 ServicePack: 3.0
14:58:22:296 2812 Product type: Workstation
14:58:22:296 2812 ComputerName: DELL
14:58:22:296 2812 UserName: Chase
14:58:22:296 2812 Windows directory: C:\WINDOWS
14:58:22:296 2812 Processor architecture: Intel x86
14:58:22:296 2812 Number of processors: 1
14:58:22:296 2812 Page size: 0x1000
14:58:22:296 2812 Boot type: Normal boot
14:58:22:296 2812 ================================================================================
14:58:22:296 2812 UnloadDriverW: NtUnloadDriver error 2
14:58:22:296 2812 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:58:22:328 2812 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:58:22:328 2812 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:58:22:328 2812 wfopen_ex: Trying to KLMD file open
14:58:22:328 2812 wfopen_ex: File opened ok (Flags 2)
14:58:22:328 2812 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:58:22:328 2812 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:58:22:328 2812 wfopen_ex: Trying to KLMD file open
14:58:22:328 2812 wfopen_ex: File opened ok (Flags 2)
14:58:22:328 2812 Initialize success
14:58:22:328 2812
14:58:22:328 2812 Scanning Services ...
14:58:22:390 2812 GetAdvancedServicesInfo: Raw services enum returned 375 services
14:58:22:406 2812
14:58:22:406 2812 Scanning Kernel memory ...
14:58:22:406 2812 Devices to scan: 6
14:58:22:406 2812
14:58:22:406 2812 Driver Name: Disk
14:58:22:406 2812 IRP_MJ_CREATE : F76BABB0
14:58:22:406 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:406 2812 IRP_MJ_CLOSE : F76BABB0
14:58:22:406 2812 IRP_MJ_READ : F76B4D1F
14:58:22:406 2812 IRP_MJ_WRITE : F76B4D1F
14:58:22:406 2812 IRP_MJ_QUERY_INFORMATION : 804F9759
14:58:22:406 2812 IRP_MJ_SET_INFORMATION : 804F9759
14:58:22:406 2812 IRP_MJ_QUERY_EA : 804F9759
14:58:22:406 2812 IRP_MJ_SET_EA : 804F9759
14:58:22:406 2812 IRP_MJ_FLUSH_BUFFERS : F76B52E2
14:58:22:406 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
14:58:22:406 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
14:58:22:406 2812 IRP_MJ_DIRECTORY_CONTROL : 804F9759
14:58:22:406 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
14:58:22:406 2812 IRP_MJ_DEVICE_CONTROL : F76B53BB
14:58:22:406 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B8F28
14:58:22:406 2812 IRP_MJ_SHUTDOWN : F76B52E2
14:58:22:406 2812 IRP_MJ_LOCK_CONTROL : 804F9759
14:58:22:406 2812 IRP_MJ_CLEANUP : 804F9759
14:58:22:406 2812 IRP_MJ_CREATE_MAILSLOT : 804F9759
14:58:22:406 2812 IRP_MJ_QUERY_SECURITY : 804F9759
14:58:22:406 2812 IRP_MJ_SET_SECURITY : 804F9759
14:58:22:406 2812 IRP_MJ_POWER : F76B6C82
14:58:22:406 2812 IRP_MJ_SYSTEM_CONTROL : F76BB99E
14:58:22:406 2812 IRP_MJ_DEVICE_CHANGE : 804F9759
14:58:22:406 2812 IRP_MJ_QUERY_QUOTA : 804F9759
14:58:22:406 2812 IRP_MJ_SET_QUOTA : 804F9759
14:58:22:421 2812 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:58:22:421 2812
14:58:22:421 2812 Driver Name: USBSTOR
14:58:22:421 2812 IRP_MJ_CREATE : F7939218
14:58:22:421 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:421 2812 IRP_MJ_CLOSE : F7939218
14:58:22:421 2812 IRP_MJ_READ : F793923C
14:58:22:421 2812 IRP_MJ_WRITE : F793923C
14:58:22:421 2812 IRP_MJ_QUERY_INFORMATION : 804F9759
14:58:22:421 2812 IRP_MJ_SET_INFORMATION : 804F9759
14:58:22:421 2812 IRP_MJ_QUERY_EA : 804F9759
14:58:22:421 2812 IRP_MJ_SET_EA : 804F9759
14:58:22:421 2812 IRP_MJ_FLUSH_BUFFERS : 804F9759
14:58:22:421 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
14:58:22:421 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
14:58:22:421 2812 IRP_MJ_DIRECTORY_CONTROL : 804F9759
14:58:22:421 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
14:58:22:421 2812 IRP_MJ_DEVICE_CONTROL : F7939180
14:58:22:421 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F79349E6
14:58:22:421 2812 IRP_MJ_SHUTDOWN : 804F9759
14:58:22:421 2812 IRP_MJ_LOCK_CONTROL : 804F9759
14:58:22:421 2812 IRP_MJ_CLEANUP : 804F9759
14:58:22:421 2812 IRP_MJ_CREATE_MAILSLOT : 804F9759
14:58:22:421 2812 IRP_MJ_QUERY_SECURITY : 804F9759
14:58:22:421 2812 IRP_MJ_SET_SECURITY : 804F9759
14:58:22:421 2812 IRP_MJ_POWER : F79385F0
14:58:22:421 2812 IRP_MJ_SYSTEM_CONTROL : F7936A6E
14:58:22:421 2812 IRP_MJ_DEVICE_CHANGE : 804F9759
14:58:22:421 2812 IRP_MJ_QUERY_QUOTA : 804F9759
14:58:22:421 2812 IRP_MJ_SET_QUOTA : 804F9759
14:58:22:437 2812 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:58:22:437 2812
14:58:22:437 2812 Driver Name: Disk
14:58:22:437 2812 IRP_MJ_CREATE : F76BABB0
14:58:22:437 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:437 2812 IRP_MJ_CLOSE : F76BABB0
14:58:22:437 2812 IRP_MJ_READ : F76B4D1F
14:58:22:437 2812 IRP_MJ_WRITE : F76B4D1F
14:58:22:437 2812 IRP_MJ_QUERY_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_SET_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_QUERY_EA : 804F9759
14:58:22:437 2812 IRP_MJ_SET_EA : 804F9759
14:58:22:437 2812 IRP_MJ_FLUSH_BUFFERS : F76B52E2
14:58:22:437 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_DIRECTORY_CONTROL : 804F9759
14:58:22:437 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
14:58:22:437 2812 IRP_MJ_DEVICE_CONTROL : F76B53BB
14:58:22:437 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B8F28
14:58:22:437 2812 IRP_MJ_SHUTDOWN : F76B52E2
14:58:22:437 2812 IRP_MJ_LOCK_CONTROL : 804F9759
14:58:22:437 2812 IRP_MJ_CLEANUP : 804F9759
14:58:22:437 2812 IRP_MJ_CREATE_MAILSLOT : 804F9759
14:58:22:437 2812 IRP_MJ_QUERY_SECURITY : 804F9759
14:58:22:437 2812 IRP_MJ_SET_SECURITY : 804F9759
14:58:22:437 2812 IRP_MJ_POWER : F76B6C82
14:58:22:437 2812 IRP_MJ_SYSTEM_CONTROL : F76BB99E
14:58:22:437 2812 IRP_MJ_DEVICE_CHANGE : 804F9759
14:58:22:437 2812 IRP_MJ_QUERY_QUOTA : 804F9759
14:58:22:437 2812 IRP_MJ_SET_QUOTA : 804F9759
14:58:22:437 2812 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:58:22:437 2812
14:58:22:437 2812 Driver Name: Disk
14:58:22:437 2812 IRP_MJ_CREATE : F76BABB0
14:58:22:437 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:437 2812 IRP_MJ_CLOSE : F76BABB0
14:58:22:437 2812 IRP_MJ_READ : F76B4D1F
14:58:22:437 2812 IRP_MJ_WRITE : F76B4D1F
14:58:22:437 2812 IRP_MJ_QUERY_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_SET_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_QUERY_EA : 804F9759
14:58:22:437 2812 IRP_MJ_SET_EA : 804F9759
14:58:22:437 2812 IRP_MJ_FLUSH_BUFFERS : F76B52E2
14:58:22:437 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
14:58:22:437 2812 IRP_MJ_DIRECTORY_CONTROL : 804F9759
14:58:22:437 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
14:58:22:437 2812 IRP_MJ_DEVICE_CONTROL : F76B53BB
14:58:22:437 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B8F28
14:58:22:437 2812 IRP_MJ_SHUTDOWN : F76B52E2
14:58:22:437 2812 IRP_MJ_LOCK_CONTROL : 804F9759
14:58:22:437 2812 IRP_MJ_CLEANUP : 804F9759
14:58:22:437 2812 IRP_MJ_CREATE_MAILSLOT : 804F9759
14:58:22:437 2812 IRP_MJ_QUERY_SECURITY : 804F9759
14:58:22:437 2812 IRP_MJ_SET_SECURITY : 804F9759
14:58:22:437 2812 IRP_MJ_POWER : F76B6C82
14:58:22:453 2812 IRP_MJ_SYSTEM_CONTROL : F76BB99E
14:58:22:453 2812 IRP_MJ_DEVICE_CHANGE : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_QUOTA : 804F9759
14:58:22:453 2812 IRP_MJ_SET_QUOTA : 804F9759
14:58:22:453 2812 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:58:22:453 2812
14:58:22:453 2812 Driver Name: Disk
14:58:22:453 2812 IRP_MJ_CREATE : F76BABB0
14:58:22:453 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:453 2812 IRP_MJ_CLOSE : F76BABB0
14:58:22:453 2812 IRP_MJ_READ : F76B4D1F
14:58:22:453 2812 IRP_MJ_WRITE : F76B4D1F
14:58:22:453 2812 IRP_MJ_QUERY_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_SET_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_EA : 804F9759
14:58:22:453 2812 IRP_MJ_SET_EA : 804F9759
14:58:22:453 2812 IRP_MJ_FLUSH_BUFFERS : F76B52E2
14:58:22:453 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_DIRECTORY_CONTROL : 804F9759
14:58:22:453 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
14:58:22:453 2812 IRP_MJ_DEVICE_CONTROL : F76B53BB
14:58:22:453 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B8F28
14:58:22:453 2812 IRP_MJ_SHUTDOWN : F76B52E2
14:58:22:453 2812 IRP_MJ_LOCK_CONTROL : 804F9759
14:58:22:453 2812 IRP_MJ_CLEANUP : 804F9759
14:58:22:453 2812 IRP_MJ_CREATE_MAILSLOT : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_SECURITY : 804F9759
14:58:22:453 2812 IRP_MJ_SET_SECURITY : 804F9759
14:58:22:453 2812 IRP_MJ_POWER : F76B6C82
14:58:22:453 2812 IRP_MJ_SYSTEM_CONTROL : F76BB99E
14:58:22:453 2812 IRP_MJ_DEVICE_CHANGE : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_QUOTA : 804F9759
14:58:22:453 2812 IRP_MJ_SET_QUOTA : 804F9759
14:58:22:453 2812 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:58:22:453 2812
14:58:22:453 2812 Driver Name: iaStor
14:58:22:453 2812 IRP_MJ_CREATE : F74E8D1E
14:58:22:453 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:453 2812 IRP_MJ_CLOSE : F74E8D1E
14:58:22:453 2812 IRP_MJ_READ : 804F9759
14:58:22:453 2812 IRP_MJ_WRITE : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_SET_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_EA : 804F9759
14:58:22:453 2812 IRP_MJ_SET_EA : 804F9759
14:58:22:453 2812 IRP_MJ_FLUSH_BUFFERS : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
14:58:22:453 2812 IRP_MJ_DIRECTORY_CONTROL : 804F9759
14:58:22:453 2812 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
14:58:22:453 2812 IRP_MJ_DEVICE_CONTROL : F74EB056
14:58:22:453 2812 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EB316
14:58:22:453 2812 IRP_MJ_SHUTDOWN : 804F9759
14:58:22:453 2812 IRP_MJ_LOCK_CONTROL : 804F9759
14:58:22:453 2812 IRP_MJ_CLEANUP : 804F9759
14:58:22:453 2812 IRP_MJ_CREATE_MAILSLOT : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_SECURITY : 804F9759
14:58:22:453 2812 IRP_MJ_SET_SECURITY : 804F9759
14:58:22:453 2812 IRP_MJ_POWER : F74EF2B0
14:58:22:453 2812 IRP_MJ_SYSTEM_CONTROL : F74EF33C
14:58:22:453 2812 IRP_MJ_DEVICE_CHANGE : 804F9759
14:58:22:453 2812 IRP_MJ_QUERY_QUOTA : 804F9759
14:58:22:453 2812 IRP_MJ_SET_QUOTA : 804F9759
14:58:22:500 2812 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
14:58:22:500 2812
14:58:22:500 2812 Completed
14:58:22:500 2812
14:58:22:500 2812 Results:
14:58:22:500 2812 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:58:22:500 2812 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:58:22:500 2812 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:58:22:500 2812
14:58:22:500 2812 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:58:22:500 2812 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:58:22:500 2812 KLMD(ARK) unloaded successfully
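
The TDSSKiller log above lists, for each driver, the address its handler for every IRP major function points to. The following is an added triage script, not part of the post or of TDSSKiller: it parses that format and applies an assumed heuristic (after dropping the one address shared by every table, a clean driver's handlers sit close together inside its own image, so a handler far from that cluster deserves a second look); the "ExampleCtl" driver in the sample is constructed to show a flagged table.

```python
import re

# Constructed excerpt in the format of the TDSSKiller 2.2.8 log above
# (time, PID, message). The Disk and iaStor blocks reuse addresses from the
# post; "ExampleCtl" is invented to show a table whose READ/WRITE handlers
# point far away from the driver's other entries.
SAMPLE_LOG = r"""
14:58:22:406 2812 Driver Name: Disk
14:58:22:406 2812 IRP_MJ_CREATE : F76BABB0
14:58:22:406 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:406 2812 IRP_MJ_READ : F76B4D1F
14:58:22:406 2812 IRP_MJ_WRITE : F76B4D1F
14:58:22:406 2812 IRP_MJ_DEVICE_CONTROL : F76B53BB
14:58:22:421 2812 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:58:22:421 2812
14:58:22:453 2812 Driver Name: iaStor
14:58:22:453 2812 IRP_MJ_CREATE : F74E8D1E
14:58:22:453 2812 IRP_MJ_READ : 804F9759
14:58:22:453 2812 IRP_MJ_DEVICE_CONTROL : F74EB056
14:58:22:500 2812 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
14:58:22:500 2812
14:58:22:500 2812 Driver Name: ExampleCtl
14:58:22:500 2812 IRP_MJ_CREATE : F7A10120
14:58:22:500 2812 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
14:58:22:500 2812 IRP_MJ_CLOSE : F7A10120
14:58:22:500 2812 IRP_MJ_READ : 8A3C1234
14:58:22:500 2812 IRP_MJ_WRITE : 8A3C1234
14:58:22:500 2812 IRP_MJ_DEVICE_CONTROL : F7A10C00
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?)\s+-\s+Verdict:\s*(\d+)$")


def parse_tdsskiller_log(text):
    """One dict per 'Driver Name:' block, in file order: name, image (path
    from the Verdict line), verdict, handlers (major function -> int)."""
    drivers, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        dm = DRIVER_RE.match(msg)
        if dm:
            current = {"name": dm.group(1), "image": None,
                       "verdict": None, "handlers": {}}
            drivers.append(current)
            continue
        if current is None:
            continue
        im = IRP_RE.match(msg)
        if im:
            current["handlers"][im.group(1)] = int(im.group(2), 16)
            continue
        vm = VERDICT_RE.match(msg)
        if vm:
            current["image"], current["verdict"] = vm.group(1), int(vm.group(2))
            current = None  # the Verdict line closes the block
    return drivers


def shared_default_handlers(drivers):
    """Addresses present in every driver's table. In the posted log that is
    804F9759, a kernel address used wherever a driver does not implement the
    major function; it is derived from the data rather than hard-coded."""
    tables = [set(d["handlers"].values()) for d in drivers if d["handlers"]]
    return set.intersection(*tables) if tables else set()


def flag_split_dispatch_tables(drivers, window=0x100000):
    """Assumed heuristic, not TDSSKiller's own logic: with the shared default
    removed, a clean driver's handlers all lie inside its own image and so sit
    close together. Any handler more than `window` bytes from the median of
    the driver's own handlers is reported. (If most entries were redirected
    the median would follow them, so treat this as a first pass only.)"""
    defaults = shared_default_handlers(drivers)
    findings = {}
    for d in drivers:
        own = {fn: a for fn, a in d["handlers"].items() if a not in defaults}
        if len(own) < 2:
            continue
        addrs = sorted(own.values())
        median = addrs[len(addrs) // 2]
        outliers = sorted(fn for fn, a in own.items() if abs(a - median) > window)
        if outliers:
            findings[d["name"]] = outliers
    return findings


if __name__ == "__main__":
    for name, fns in flag_split_dispatch_tables(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{name}: handlers away from the driver's own code: {', '.join(fns)}")
```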


#32 myrti (Sillyberry, Malware Study Hall Admin, 33,784 posts)

Posted 21 March 2010 - 04:52 PM

Hi,

please try to run one of the following online scans:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Or use DrWeb:
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Or use Kaspersky:
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#33 pawilderness (Topic Starter, Members, 65 posts)

Posted 22 March 2010 - 11:37 AM

Wasn't able to access ESET or the Dr. Web site, but the alternate site for Dr. Web worked. I ran cureit.exe from the desktop, express scan and complete scan, and the csv log is posted below. FYI: I did get a pop-up in the middle of the scan stating "Host file modified, copy of it set to Dr Web quarantine, do you want to restore the default"; I answered yes and the scan continued.


SkillJamLoader.dll;C:\Documents and Settings\All Users\Application Data\SkillJam\SecurePlayer;Program.PopcapLoader.4;Incurable.Moved.;
WxBug.EXE;C:\Documents and Settings\All Users\Documents\AOL Downloads\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
146dca87-2c47876b\dev/s/AdgredY.class;C:\Documents and Settings\Chase\Application Data\Sun\Java\Deployment\cache\6.0\7\146dca87-2c47876b;Java.Siggen.8;;
146dca87-2c47876b\dev/s/DyesyasZ.class;C:\Documents and Settings\Chase\Application Data\Sun\Java\Deployment\cache\6.0\7\146dca87-2c47876b;Java.Siggen.7;;
146dca87-2c47876b\dev/s/LoaderX.class;C:\Documents and Settings\Chase\Application Data\Sun\Java\Deployment\cache\6.0\7\146dca87-2c47876b;Java.Siggen.5;;
146dca87-2c47876b;C:\Documents and Settings\Chase\Application Data\Sun\Java\Deployment\cache\6.0\7;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Scott\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Scott\Desktop\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\Scott\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Scott\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Scott\Desktop\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
BellesBeautyBoutiqueSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
Uninstall.exe\SkillJamLoader.dll;C:\Program Files\SkillJam Technologies\Secure Player\Uninstall.exe;Program.PopcapLoader.4;;
Uninstall.exe;C:\Program Files\SkillJam Technologies\Secure Player;Archive contains infected objects;Moved.;
Process.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Moved.;
A0238764.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2246;Trojan.MulDrop1.6353;Deleted.;
A0240957.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2248;Tool.Prockill;Incurable.Moved.;
A0244794.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2255\A0244794.exe;Tool.Prockill;;
A0244794.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2255\A0244794.exe;Tool.ShutDown.14;;
A0244794.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2255;Archive contains infected objects;Moved.;
A0244795.exe\SkillJamLoader.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2255\A0244795.exe;Program.PopcapLoader.4;;
A0244795.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2255;Archive contains infected objects;Moved.;
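
Added example, not from the post or from Dr.Web: a parser for the semicolon-separated report format above that groups archive members with their container, separates detections in inert locations (System Restore points, another tool's quarantine folder) from those in live paths, and flags anything Dr.Web neither moved nor deleted. The category names and the last line of the sample are my own construction.

```python
from collections import defaultdict

# Excerpt of the Dr.Web report posted above (object;path;threat;action;),
# plus one constructed final line (not from the post) that was left
# untouched, to show the unresolved case.
SAMPLE_REPORT = r"""
WxBug.EXE;C:\Documents and Settings\All Users\Documents\AOL Downloads\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
146dca87-2c47876b\dev/s/LoaderX.class;C:\Documents and Settings\Chase\Application Data\Sun\Java\Deployment\cache\6.0\7\146dca87-2c47876b;Java.Siggen.5;;
146dca87-2c47876b;C:\Documents and Settings\Chase\Application Data\Sun\Java\Deployment\cache\6.0\7;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Scott\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe;C:\Documents and Settings\Scott\Desktop;Archive contains infected objects;Moved.;
Process.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Moved.;
A0238764.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2246;Trojan.MulDrop1.6353;Deleted.;
BellesBeautyBoutiqueSetup-dm[1].exe;C:\Downloads;Adware.TryMedia;Incurable.Moved.;
example_unresolved.exe;C:\WINDOWS\Temp;Constructed.Example;;
"""

INERT = ("restore_point", "other_tool_quarantine")
# Category names are my own; listed most urgent first.
PRIORITY = ("live_location", "dual_use_tool", "java_cache") + INERT


def parse_drweb_report(text):
    """One dict per line. For an archive member, `path` is the archive's full
    path and `object` the inner path, so `container` is the on-disk file
    that Dr.Web actually moved or deleted."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) < 4:
            continue
        obj, path, threat, action = parts[:4]
        inner = "\\" in obj
        records.append({"object": obj, "path": path, "threat": threat,
                        "action": action, "in_archive": inner,
                        "container": path if inner else path + "\\" + obj})
    return records


def classify(rec):
    p = rec["container"].lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"          # System Restore copy, inert
    if "\\qoobox\\quarantine\\" in p:
        return "other_tool_quarantine"  # already quarantined by another tool
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"             # applet cache, runs only if revisited
    if rec["threat"].startswith("Tool."):
        return "dual_use_tool"          # legitimate utility, confirm who put it there
    if rec["threat"].startswith("Archive"):
        return "container"              # decided by its members
    return "live_location"


def triage(records):
    """container -> {category, threats, actions}; an archive's category comes
    from its members when its own line is only 'Archive contains infected
    objects'."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["container"]].append(r)
    result = {}
    for container, recs in grouped.items():
        cats = {classify(r) for r in recs} - {"container"}
        category = next((c for c in PRIORITY if c in cats), "live_location")
        result[container] = {
            "category": category,
            "threats": sorted({r["threat"] for r in recs}),
            "actions": sorted({r["action"] for r in recs if r["action"]}),
        }
    return result


def needs_attention(triaged):
    """(container, category, resolved) for everything outside inert
    locations; resolved is False when Dr.Web neither moved nor deleted it."""
    out = []
    for container, info in sorted(triaged.items()):
        if info["category"] in INERT:
            continue
        resolved = any(a.endswith(("Moved.", "Deleted.")) for a in info["actions"])
        out.append((container, info["category"], resolved))
    return out


if __name__ == "__main__":
    for container, category, resolved in needs_attention(triage(parse_drweb_report(SAMPLE_REPORT))):
        print(f"{'ok      ' if resolved else 'STILL THERE'} {category:22} {container}")
```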


#34 myrti (Sillyberry, Malware Study Hall Admin, 33,784 posts)

Posted 24 March 2010 - 12:43 PM

Hi,

can you please let me know how your PC is doing? Are ALL symptoms still present? Are you getting redirected in google? Can you still not access regedit and cmd? Can you reach the security websites?

regards myrti



#35 pawilderness (Topic Starter, Members, 65 posts)

Posted 24 March 2010 - 05:36 PM

Update/summary on system functions:
Currently any search in Google redirects every time.
The redirects used to be every once in a while.
I can select the cached page and not get redirected; also if I Google search in images it seems to not get redirected.
System freezes if I switch user from the one I booted into. However, if I log out that user I can log in as the second one without locking up. System seems very bogged down when loading web pages.
Seems malware sites are blocked; for example I couldn't access ESET, Dr.Web and Kaspersky. I used the alternate site.
When selecting to update AVG, I get the message 'access to server forbidden'.
I can run the commands cmd and regedit.
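
Added example, not from the thread: the combination of search-only redirects and unreachable antivirus vendor sites described here is what a modified hosts file produces (Dr.Web reported "Host file modified" earlier), so this script audits a hosts file for watch-listed names sent to the wrong place. The sample content, the watch list and the category names are constructed, not the poster's data.

```python
import ipaddress

# Constructed hosts-file content (not the poster's file): the standard
# localhost line plus entries of the kind that produce this thread's
# symptoms: a search engine sent to a routable address and AV vendor
# names sent nowhere. 192.0.2.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com
127.0.0.1       www.eset.com
127.0.0.1       www.kaspersky.com
0.0.0.0         update.avg.com
"""

# Names this thread's symptoms involve; an assumption, extend as needed.
WATCHLIST = {"google.com", "eset.com", "drweb.com", "kaspersky.com", "avg.com"}


def parse_hosts(text):
    """hostname (lower-cased) -> list of ipaddress objects; comments, blank
    lines and lines whose first field is not an IP address are ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            mapping.setdefault(host.lower(), []).append(ip)
    return mapping


def _watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """List of (kind, host, ip):
    'hijack'     watch-listed name mapped to a routable address
    'blackhole'  watch-listed name sent to loopback or 0.0.0.0 (site "unreachable")
    'unexpected' any other name mapped to a routable address (check it is yours)
    The normal localhost line is not reported."""
    findings = []
    for host, ips in parse_hosts(text).items():
        if host in ("localhost", "localhost.localdomain"):
            continue
        for ip in ips:
            sink = ip.is_loopback or ip.is_unspecified
            if _watched(host):
                findings.append(("blackhole" if sink else "hijack", host, str(ip)))
            elif not sink:
                findings.append(("unexpected", host, str(ip)))
    return findings


if __name__ == "__main__":
    for kind, host, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {host} -> {ip}")
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; the resolver consults it before any DNS query, so ipconfig /flushdns does not undo these entries.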

#36 myrti (Sillyberry, Malware Study Hall Admin, 33,784 posts)

Posted 24 March 2010 - 07:30 PM

Hi,

please try this:
  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:
    ipconfig /flushdns
  • let me know if you are still redirected.
If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.


Can you easily download 370Mb and burn them to a CD or do you have a slow internet connection or no cd-burner?

regards myrti



#37 pawilderness (Topic Starter, Members, 65 posts)

Posted 24 March 2010 - 07:57 PM

Ran cmd and your command.
Symptoms still the same, Google redirect and no access to AVG updates.
I have high speed internet and a CD burner.

#38 pawilderness (Topic Starter, Members, 65 posts)

Posted 24 March 2010 - 08:05 PM

If it helps.
Google searches redirect to ad pages.
Yahoo and Bing searches go to correct page.

#39 myrti (Sillyberry, Malware Study Hall Admin, 33,784 posts)

Posted 24 March 2010 - 08:09 PM

Hi,

let's try to get an objective view of your PC then by using a live CD:
After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      Please note: You can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the C:\OTL.txt file in your reply.



#40 pawilderness (Topic Starter, Members, 65 posts)

Posted 24 March 2010 - 09:06 PM

Booted with the CD. Got as far as the REATOGO X PE desktop, double-clicked the OTL icon and a black window pops up for a second, then I get a window on the desktop that says "Browse for folder", with options My computer, RAMDisk B:, Removable disk c:, CD Drive d:, ReatogoPe X:, shared docs. If I select any, I get "no windows installations found" or runscanner error "target is not windows 2000 or later".

Other features on desktop worked, such as notepad, mycomputer, agent ransack.

#41 pawilderness (Topic Starter, Members, 65 posts)

Posted 24 March 2010 - 09:11 PM

Rebooted into REATOGO X PE again and still when I click on OTLPE I get "Choose windows directory". Couldn't locate a windows directory from the options.
RamDisk B:
Removable Disk C:
CD Drive D:
ReatogoPE X:
shared documents

I actually don't have C: as an option, and couldn't find C: in My Computer from desktop.

Reading ahead a little, I do have my Windows Xp reinstall disk if needed.

Will leave in REATOGO XPE desktop and wait for your help/ thanks.

Edited by pawilderness, 24 March 2010 - 10:45 PM.


#42 myrti (Sillyberry, Malware Study Hall Admin, 33,784 posts)

Posted 26 March 2010 - 12:50 PM

Hi,

is your partition encrypted in some way? Do you use an "unusual" setup for your hard drives? A RAID? SATA or something like that?

regards myrti



#43 pawilderness (Topic Starter, Members, 65 posts)

Posted 26 March 2010 - 11:02 PM

I'm not sure of the technical term for the setup. It is a normal home PC desktop; it does allow our laptops to share its printer and print through it, and when I shut down I get the message "others are connected, are you sure you want to shut down."
I did boot into setup when I changed boot sequence to CD drive and this is the info for the hard drive.
Drive 0: SATA-0
Controller = Serial ATA
Port = SATA-0



#44 myrti (Sillyberry, Malware Study Hall Admin, 33,784 posts)

Posted 27 March 2010 - 12:41 PM

Hi,

it could be a bad burn. Can you please check if OTLPE.iso was downloaded completely by dragging OTLPE.iso into the CustomScan/CustomFix box of OTL.exe. Please provide the log that is created.

regards myrti



#45 pawilderness (Topic Starter, Members, 65 posts)

Posted 27 March 2010 - 02:31 PM

The ISO was downloaded onto a clean PC to make the boot CD. It is 278 MB. I downloaded OTL to the laptop and dragged OTLPE.ISO into the custom scan box. Here's the log to review; it is of the ISO used, but it's not run from OTL on the infected PC. Don't know if that helps; I can redo the download and burn.


OTL logfile created on: 3/27/2010 3:21:19 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Chase\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 344.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 86.78 Gb Total Space | 15.82 Gb Free Space | 18.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ESTABAHN
Current User Name: Chase
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< C:\Documents and Settings\Chase\Desktop\OTLPE.iso /MD5 >
[2010/03/24 21:34:51 | 290,242,560 | ---- | M] () MD5=C72B3626EB6F6F8FA839354983749CC7 -- C:\Documents and Settings\Chase\Desktop\OTLPE.iso
< End of report >




