Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search engine re-direct problem


  • This topic is locked This topic is locked
3 replies to this topic

#1 mro46

mro46

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 17 April 2010 - 08:24 PM

I am having the problem with google and yahoo re-directs that a lot of people seem to be having. After looking around I found that most people seem to have an infected atapi.sys rootkit and I believe I do as well. I am running drive emulation software but I have disabled it using defogger as detailed in the preparation guide. I ran a DDS scan and here are the results:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Michael at 18:02:29.32 on Sat 04/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2536 [GMT -7:00]

AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271440488734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271457506531
DPF: {8100d56a-5661-482c-bee8-afece305d968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9c23d886-43cb-43de-b2db-112a68d7e10a} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {e2883e8f-472f-4fb0-9522-ac9bf37916a7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\2kamolz0.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\documents and settings\michael\application data\mozilla\firefox\profiles\2kamolz0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-2 119552]
R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-9-27 5504]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-8-3 26640]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-8-3 21392]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-8-3 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-8-3 21648]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-8-3 32528]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-8-2 528640]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-8-3 108368]
S1 26562401;26562401;c:\windows\system32\drivers\26562401.sys --> c:\windows\system32\drivers\26562401.sys [?]
S1 MpKsl33599ea4;MpKsl33599ea4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdeaa8ca-2933-493f-9804-5c5472a8fd07}\mpksl33599ea4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdeaa8ca-2933-493f-9804-5c5472a8fd07}\MpKsl33599ea4.sys [?]
S2 knxnz;knxnz;\??\c:\windows\system32\drivers\wxebx.sys --> c:\windows\system32\drivers\wxebx.sys [?]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 SessionLauncher;SessionLauncher; [x]
S3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\drivers\atinysxx.sys [2008-8-9 93696]
S3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\drivers\atinyvxx.sys [2008-8-9 185344]
S3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\drivers\atinyuxx.sys [2008-8-9 75776]
S3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\drivers\ATIUTD.sys [2008-8-9 38912]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-20 8704]
S3 eugdidrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-20 3072]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\drivers\atinyttx.sys [2008-8-9 13824]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2008-8-2 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2008-8-2 5248]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-8-3 144960]
S4 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-8-3 243216]

=============== Created Last 30 ================

2010-04-18 00:57:48 95360 ----a-w- c:\windows\system32\drivers\tsk3.tmp
2010-04-18 00:57:48 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-18 00:12:38 28 ----a-w- c:\documents and settings\michael\defogger_reenable
2010-04-17 01:21:11 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-17 01:20:57 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-17 01:20:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-17 00:51:18 0 d-----w- c:\windows\system32\CatRoot_bak
2010-04-17 00:37:23 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-17 00:37:23 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-16 22:39:03 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-04-16 22:22:10 19569 ----a-w- c:\windows\000003_.tmp
2010-04-16 21:46:41 0 d-sha-r- C:\cmdcons
2010-04-16 21:11:02 19569 ----a-w- c:\windows\000002_.tmp
2010-04-16 20:59:13 19569 ----a-w- c:\windows\000001_.tmp
2010-04-16 05:23:11 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-16 04:09:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-16 04:08:48 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-16 04:08:48 0 d-----w- c:\docume~1\michael\applic~1\SUPERAntiSpyware.com
2010-04-16 02:39:14 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-16 02:33:53 0 d-----w- c:\documents and settings\michael\PrivacIE
2010-04-16 02:33:26 0 d-----w- c:\documents and settings\michael\IETldCache
2010-04-16 02:28:29 0 dc----w- c:\windows\ie8
2010-04-16 00:53:59 0 d-----w- c:\windows\LastGood(2)
2010-04-14 21:33:14 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-14 21:33:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-24 22:03:00 0 d-----w- c:\program files\NVIDIA Corporation
2010-03-24 22:01:52 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-03-24 22:01:52 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-03-24 22:01:52 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-03-24 22:01:52 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-03-24 22:01:51 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-03-24 22:01:51 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-03-24 22:01:51 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-03-24 22:01:50 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-03-24 22:01:50 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-03-24 22:01:49 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-03-24 21:32:16 0 d-----w- c:\program files\Mass Effect 2
2010-03-24 18:58:45 0 d-----w- c:\program files\common files\BioWare
2010-03-24 18:45:50 0 d-----w- c:\program files\Mass Effect

==================== Find3M ====================

2010-04-16 23:33:49 24392 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-04-16 23:15:38 95360 ----a-w- c:\windows\atapi_old.sys
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 23:32:51 3296 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-25 06:38:45 696832 ----a-w- c:\windows\is-86LP8.exe
2008-08-08 01:35:56 56 --sh--r- c:\windows\system32\A13EFAF76B.sys

============= FINISH: 18:02:44.87 ===============


I also tried running the gmer scan but I received an error message, the screen shot of which is attatched. It is also worth noting that i recently ran a combofix scan before finding this site and realizing that you recomend against it. I have since uninstalled it using the run Combofix /Uninstall that I found on other posts. Other problems I have noticed are that I cannot get to the microsoft update website or get the automatic installer to run. Also my malwarebytes scans now stop after only 3 minutes without finding anything when they normally take about 20 minutes to finish so I think something is affecting that as well. I am posting this from a laptop that I have so I am able to do things I might not be able to from my infected computer or can't do while it is being scanned. If you need any other information please let me know and I will be happy to provide it. Thank you in advance to anyone who can help me.

Attached Files



BC AdBot (Login to Remove)

 


#2 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:03:39 PM

Posted 22 April 2010 - 10:36 PM

Hi mro46,

Welcome to Bleeping Computer.

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don''t understand, don''t hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

As it has been a few days, I'm going to need some fresh logs. Please run the following:

STEP 1 - MBAM

Open Malwarebyte's Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

STEP 3 - OTL

Open OTL. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Change the Standard Registry and Extra Registry options to Use Safelist.
  • Check the boxes beside LOP Check and Purity Check.
  • In the Custom Scans box, copy and paste the following:
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • OTL Log
  • GMER Log

Posted Image

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image


#3 mro46

mro46
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 22 April 2010 - 10:40 PM

I'm sorry I forgot to ask to close this thread because I was able to fix the problem the other day. Thank you for your response and for trying to help.

#4 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:03:39 PM

Posted 22 April 2010 - 10:51 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Posted Image

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users