Google Redirect Viruse

I'm sure I have a Google redirect virus. In addition to being redirected on every google search link, my computer is running slower than normal. I may well have other problems as well.

I ran the two programs required to open this help request and I've attached the files as instructed. However, I tried running gmer.exe 6 times.
Each time the program ran for 20 or 30 minutes, my computer crashed resulting in a blue screen.

First crash message: "Windows has encountered a problem and has shut down to protect your computer."

Second crash message: A process or thread crucial to system operation has exited or been terminated."

Third crash message: Kernel Data Inpage Error

Fourth crash message: Same as third.

Fifth crash message: Windows Delay Write Error - Windows was unable to save all the data for the file\device\Hard Disk Volume 2\$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Sixth crash message: STOP: D0000144 unknown Hard error.

Before gmer crashed the last time, I copied the log and saved it to a file and it is attached. Since the program didn't complete, I'm not sure if this log is complete.

Thanks for any help you can provide.

Tom

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Thank you so much for helping me. I know how busy you are and that you are working without compensation so there is no reason to apologize for the delay.

I have just run dds and I'll attach the two files generated. As I mentioned in my initial post, gmer crashed my machine six times, even in safe mode. It always ran for quite a while before crashing but it always crashed. Finally, on the sixth run, I save the file before it crashed. I'm posting that as well, I hope it's adequate.

Thanks again for your help.

Tom

Hello, anonomy
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
• Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.

When finished, it will produce a report for you.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks Tom,

I'll run Combo-Fix now. I cannot find any way to disable McAfee Total Protection. It's very wierd, but I can't. I'll run Combo-Fix in safe-mode.

Tom

Here is my Combo Fix Log file.

Thanks Again,
Tom

ComboFix 10-06-11.01 - Tom 06/12/2010 10:14:22.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.143 [GMT -4:00]
Running from: c:\documents and settings\Tom\Desktop\Schrauber.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ben and Adam\Application Data\alot
c:\documents and settings\Mary Jo\Application Data\alot
c:\documents and settings\Tom\Application Data\1dce0e75-1303-433a-bfc1-6b582bd25551_32.avi
c:\documents and settings\Tom\GoToAssistDownloadHelper.exe
c:\documents and settings\Tom\System
c:\documents and settings\Tom\System\win_qs7.jqx
c:\program files\Internet Explorer\SET1C3.tmp
c:\program files\Internet Explorer\SET1C4.tmp
c:\program files\Internet Explorer\SET1C5.tmp
c:\program files\Internet Explorer\SET428.tmp
c:\program files\Internet Explorer\SET429.tmp
c:\program files\Internet Explorer\SET42A.tmp
c:\program files\Internet Explorer\SET462.tmp
c:\program files\Internet Explorer\SET463.tmp
c:\program files\Internet Explorer\SET464.tmp
c:\program files\Internet Explorer\SET49C.tmp
c:\program files\Internet Explorer\SET49D.tmp
c:\program files\Internet Explorer\SET49E.tmp
c:\program files\Internet Explorer\SET9F7.tmp
c:\program files\Internet Explorer\SET9F8.tmp
c:\program files\Internet Explorer\SET9F9.tmp
c:\program files\Internet Explorer\SETA32.tmp
c:\program files\Internet Explorer\SETA33.tmp
c:\program files\Internet Explorer\SETA34.tmp
c:\program files\Internet Explorer\SETA6C.tmp
c:\program files\Internet Explorer\SETA6D.tmp
c:\program files\Internet Explorer\SETA6E.tmp
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\Data
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-02 03:32 . 2010-06-02 03:32 2 --shatr- c:\windows\winstart.bat
2010-06-02 03:30 . 2010-06-06 18:57 -------- d-----w- c:\program files\UnHackMe
2010-05-31 00:10 . 2010-06-06 18:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-30 22:04 . 2010-05-30 22:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberScrub
2010-05-30 21:31 . 2010-05-30 21:31 -------- d-----w- c:\documents and settings\Tom\Application Data\McAfee
2010-05-30 14:59 . 2010-05-30 15:00 -------- d-----w- c:\program files\McAfeeMOBK
2010-05-30 14:58 . 2010-04-14 00:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-05-30 14:57 . 2010-05-30 14:58 -------- d-----w- c:\program files\McAfee Online Backup
2010-05-30 14:53 . 2010-04-14 16:50 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-05-30 14:53 . 2010-04-14 16:50 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-05-30 14:53 . 2010-04-14 16:50 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-30 14:53 . 2010-04-14 16:50 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-05-30 14:53 . 2010-04-14 16:50 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-05-30 14:53 . 2010-04-14 16:50 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-05-30 14:53 . 2010-04-14 16:50 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-05-30 14:53 . 2010-04-14 16:50 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-05-30 14:53 . 2010-05-30 14:55 -------- d-----w- c:\program files\Common Files\Mcafee
2010-05-30 14:53 . 2010-05-30 14:53 -------- d-----w- c:\program files\McAfee.com
2010-05-30 14:52 . 2010-05-30 21:31 -------- d-----w- c:\program files\McAfee
2010-05-30 14:40 . 2010-05-30 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-30 14:27 . 2010-05-30 14:27 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Citrix
2010-05-18 01:56 . 2010-05-18 01:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-18 01:56 . 2010-05-18 20:06 -------- d-----w- c:\documents and settings\Tom\Application Data\skypePM
2010-05-18 01:53 . 2010-05-18 01:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-18 01:52 . 2010-05-18 22:59 -------- d-----w- c:\documents and settings\Tom\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 13:47 . 2008-05-02 01:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-06 18:57 . 2004-08-01 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-06 18:55 . 2009-12-15 00:02 -------- d-----w- c:\program files\PokerStars
2010-06-06 18:50 . 2007-03-04 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-30 21:39 . 2010-05-30 21:39 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll
2010-05-25 05:52 . 2009-12-10 23:36 -------- d-----w- c:\documents and settings\Tom\Application Data\IObit
2010-05-25 01:10 . 2010-05-25 01:10 503808 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-69660f7f-n\msvcp71.dll
2010-05-25 01:10 . 2010-05-25 01:10 499712 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-69660f7f-n\jmc.dll
2010-05-25 01:10 . 2010-05-25 01:10 348160 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-69660f7f-n\msvcr71.dll
2010-05-25 01:10 . 2010-05-25 01:10 61440 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1947b29a-n\decora-sse.dll
2010-05-25 01:10 . 2010-05-25 01:10 12800 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1947b29a-n\decora-d3d.dll
2010-05-22 11:50 . 2004-01-01 16:10 -------- d-----w- c:\documents and settings\Tom\Application Data\AdobeUM
2010-05-18 23:00 . 2009-04-03 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-05-18 22:57 . 2003-12-23 01:40 -------- d-----w- c:\program files\Google
2010-05-18 22:55 . 2004-03-14 23:39 -------- d-----w- c:\program files\FlexiSIGN-PRO 6.5
2010-05-15 00:38 . 2009-12-10 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-05-04 17:20 . 2004-12-05 23:30 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2008-11-27 05:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-12-05 23:31 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-12-05 23:30 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 02:41 . 2003-09-30 04:24 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 02:41 . 2010-04-28 02:41 503808 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-59e5de27-n\msvcp71.dll
2010-04-28 02:41 . 2010-04-28 02:41 499712 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-59e5de27-n\jmc.dll
2010-04-28 02:41 . 2010-04-28 02:41 348160 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-59e5de27-n\msvcr71.dll
2010-04-28 02:41 . 2010-04-28 02:41 61440 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-41509116-n\decora-sse.dll
2010-04-28 02:41 . 2010-04-28 02:41 12800 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-41509116-n\decora-d3d.dll
2010-04-28 02:40 . 2009-05-11 00:36 -------- d-----w- c:\program files\Java
2010-04-20 05:30 . 2004-12-05 23:31 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-14 16:50 . 2010-04-14 16:50 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-14 16:50 . 2010-04-14 16:50 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-12 21:29 . 2010-04-28 02:41 411368 ----a-w- c:\windows\system32\deployJava1.dll
2008-05-02 01:54 . 2008-05-02 01:54 0 ----a-w- c:\program files\temp01
2004-08-17 12:49 . 2004-08-17 12:49 0 ---h--w- c:\program files\AppUpdate.log
2004-08-05 12:34 . 2004-08-01 14:15 146 ---ha-w- c:\program files\hpothb07.dat
2004-08-01 14:15 . 2004-08-01 14:15 255 ---ha-w- c:\program files\hpothb07.tif
2010-04-14 16:50 . 2010-05-30 14:53 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2002-08-01 00:55 . 2005-12-11 01:02 236 --sh--w- c:\windows\WSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Privacy Suite RiskMonitor"="c:\program files\CyberScrub Privacy Suite\Launch.exe" [2008-07-29 45192]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-02-08 2343632]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-01-22 200280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-21 1193336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^20-20 Shortcut Bar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\20-20 Shortcut Bar.lnk
backup=c:\windows\pss\20-20 Shortcut Bar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snsicon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snsicon.lnk
backup=c:\windows\pss\Snsicon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mary Jo^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Mary Jo\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^Deewoo.lnk]
path=c:\documents and settings\Tom\Start Menu\Programs\Startup\Deewoo.lnk
backup=c:\windows\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 17:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-09 01:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 20:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 03:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2004-06-08 16:31 29696 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2010-04-21 15:20 1193336 ----a-w- c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2010-04-21 15:20 746352 ----a-w- c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-03 15:16 86016 ----a-w- c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2003-09-30 04:42 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"CleanService"=3 (0x3)
"WZCSVC"=2 (0x2)
"wscsvc"=2 (0x2)
"SamSs"=2 (0x2)
"PolicyAgent"=2 (0x2)
"NtLmSsp"=3 (0x3)
"mnmsrvc"=3 (0x3)
"SharedAccess"=2 (0x2)
"iPod Service"=3 (0x3)
"AVGFwSrv"=2 (0x2)
"AVGEMS"=2 (0x2)
"AvgCoreSvc"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"BITS"=3 (0x3)
"WinDefend"=2 (0x2)
"Network Monitor"=2 (0x2)
"MsSecurity1.209.4"=2 (0x2)
"gusvc"=2 (0x2)
"Fax"=2 (0x2)
"Eventlog"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"CSIScanner"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [5/30/2010 10:53 AM 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\SYSTEM32\DRIVERS\MOBK.sys [5/30/2010 10:58 AM 54776]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/10/2009 7:11 PM 312592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/30/2010 10:53 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/30/2010 10:53 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/30/2010 10:53 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [5/30/2010 10:54 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [5/30/2010 10:53 AM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 8:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [5/30/2010 10:53 AM 55456]
R3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\SYSTEM32\DRIVERS\HCWUSB2.sys [7/19/2006 10:41 PM 1457536]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [5/30/2010 10:53 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/30/2010 10:53 AM 88480]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\SYSTEM32\DRIVERS\LSIPNDS.sys [11/26/2003 12:23 PM 95232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/30/2010 10:53 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [5/30/2010 10:53 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\fb8dxqoo.default\
FF - prefs.js: browser.search.selectedEngine - Dogpile
FF - prefs.js: browser.startup.homepage - WWW.FOXNEWS.COM
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\fb8dxqoo.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-1dce0e75-1303-433a-bfc1-6b582bd25551_30 - c:\documents and settings\Tom\Application Data\1dce0e75-1303-433a-bfc1-6b582bd25551_30.avi
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
SafeBoot-svcWRSSSDK
MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-CamIM - c:\program files\CamIM\CamIM_Client.exe
MSConfigStartUp-DIGStream - c:\program files\DIGStream\digstream.exe
MSConfigStartUp-Evidence Eliminator - e:\program files\Evidence Eliminator\Evidence Eliminator\ee.exe
MSConfigStartUp-IncrediMail - c:\progra~1\INCRED~1\bin\IncMail.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-SNM - c:\program files\SpyNoMore\SNM.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-{8da11d5c-6936-5082-a51b-96e114946abc} - c:\windows\system32\{2ac93de8-bd59-bab8-7bec-197e2887d9ab}.dll
MSConfigStartUp-{D2-2B-BA-A1-DW} - c:\windows\system32\jnwnw64p.exe
AddRemove-20-20 Version 6.4 - e:\program files\ComUninst32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x833888C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86faf28
\Driver\ACPI -> ACPI.sys @ 0xf866dcb8
\Driver\atapi -> atapi.sys @ 0xf8628b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf84c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf84cfa21
SendHandler -> NDIS.sys @ 0xf84ad87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-12 10:51:01
ComboFix-quarantined-files.txt 2010-06-12 14:50

Pre-Run: 45,766,733,824 bytes free
Post-Run: 45,794,168,832 bytes free

- - End Of File - - F50AB8E27FAE6E6C90A1B87078401A09

Hi,



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Tom,

I'm having two problems. First, I simply cannot close McAfee. The best I can do is run in Safe Mode and use the task manager to close as many of the McAfee programs as possible.

Also, I tried dragging your script file onto Combo fix. It started to run and I got an error message asking if I was trying to run a combofix script. It said the file was spelled wrong and the program stopped. I'm going to try it again.

Thanks,
Tom

Tom,

I've tried running ComboFix with your script 3 times. Each time I've gotten the same error message and the program shuts down.

Were you tryi8ng to run CFScript? The name, CFScript appears to be incorrectly spelt.

Please help.
Tom

is this the error message?

Yes, that's the error message.

Error Message was : "Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt."

Hi,

• Download TDSSKiller and save it to your Desktop.
• Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
• Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  
  
• If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
• When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Ok, I'll do that soon. I was able to drag your combofix file onto combofix.exe The program ran and generated a new log file which I will attach to this message. I'll proceed with your next instruction as well. Thanks, Tom

I just ran TDSS Killer and it did not create any log file. The results indicated no files were infected. I'll try running it again.
Tom

No need to run it again, Combofix with script took care of the baddie



Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

1. Please download OTL from one of the following mirrors:
   • This is THE Mirror
2. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Under the Custom Scan box paste this in
   netsvcs
   %SYSTEMDRIVE%\*.exe
   /md5start
   eventlog.dll
   scecli.dll
   netlogon.dll
   cngaudit.dll
   sceclt.dll
   ntelogon.dll
   logevent.dll
   iaStor.sys
   nvstor.sys
   atapi.sys
   IdeChnDr.sys
   viasraid.sys
   AGP440.sys
   vaxscsi.sys
   nvatabus.sys
   viamraid.sys
   nvata.sys
   nvgts.sys
   iastorv.sys
   ViPrt.sys
   eNetHook.dll
   ahcix86.sys
   KR10N.sys
   nvstor32.sys
   ahcix86s.sys
   nvrd32.sys
   symmpi.sys
   adp3132.sys
   mv61xx.sys
   /md5stop
   %systemroot%\*. /mp /s
   CREATERESTOREPOINT
   %systemroot%\system32\*.dll /lockedfiles
   %systemroot%\Tasks\*.job /lockedfiles
   %systemroot%\system32\drivers\*.sys /lockedfiles
   %systemroot%\System32\config\*.sav
   %systemdrive%\*.sys /90 /md5
   
5. Push the Quick Scan button.
6. Two reports will open, copy and paste them in a reply here:
   • OTL.txt <-- Will be opened
   • Extra.txt <-- Will be minimized