Redirect


  • This topic is locked
10 replies to this topic

#1 ddotsyl

ddotsyl

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 14 June 2010 - 10:01 PM

When I use the internet, I'm being redirected to strange sites that I have not requested, such as Car & Driver, the Yellow Pages, advertising sites, pop-ups that announce I'm a winner, etc. I have noticed that before I'm routed to these sites, hxxp://ci1i1|c1ilk.com is displayed in the lower left hand corner before the url of the bogus site that I'm directed to is displayed.

I used AVG, adaware, Malwarebytes, Hitman Pro 3.5, and SuperAntiSpyware. Only SuperAntiSpyware seemed to detect anything but it all returns after I reboot.

I followed the instructions in the Preparation guide; however, I could not save an Ark.txt file. When I tried to run GMER, I got a non-responsive program error the first time. I ran it again and left the room for a while. I returned to discover that the computer had restarted itself. I ran it again and the same thing happened. I ran it a third time and it seemed to stall or hang. The last completed line displayed reads: Device ->\Driver\Atapi \Device\Harddisk0\DRO 89C98EC5

It seems like it was trying to process SOFTWARE\Classes\Inerace\{000209BB-0000-0000-C000-000000000046}\PrixtStut when it stalled.

I was unable to save an Ark.txt file.

I am attempting to send this post from another computer. When I tried to post from my infected computer, I got one of those Page Cannot Be Displayed errors and the post did not go through.

The DDS file is as follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Sylvia Lamping at 12:16:54.67 on Mon 06/14/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1116 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\system32\rsmsink.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sylvia Lamping\Local Settings\Temporary Internet Files\Content.IE5\KLYJILYA\Defogger[1].exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Sylvia Lamping\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = https://portal.arise.com/Login.aspx
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [PDService.exe] "c:\program files\lenovo\safeguard privatedisk\pdservice.exe"
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_01\bin\jusched.exe
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
StartupFolder: c:\docume~1\sylvia~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: arise.com
Trusted Zone: arise.com\*.portal
Trusted Zone: arise.com\*.support
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267797016625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://ns.arise.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-13 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-5 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-5 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-5 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-12 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-12 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]
R2 PrivateDisk;PrivateDisk;c:\program files\lenovo\safeguard privatedisk\privatediskm.sys [2006-3-13 58368]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

=============== Created Last 30 ================

2010-06-14 17:01:30 0 ----a-w- c:\documents and settings\sylvia lamping\defogger_reenable
2010-06-14 16:52:23 0 d-----w- c:\windows\system32\NtmsData
2010-06-14 16:05:39 0 d-----w- c:\program files\Trend Micro
2010-06-14 03:43:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-06-13 15:18:56 0 d-----w- c:\docume~1\sylvia~1\applic~1\SUPERAntiSpyware.com
2010-06-13 15:18:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-13 15:18:48 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-13 15:07:10 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-13 14:53:24 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 14:53:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-13 14:52:57 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-13 12:41:08 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-13 12:41:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-13 12:34:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-13 12:33:27 0 d-----w- c:\program files\Lavasoft
2010-06-08 22:47:20 0 ------w- c:\documents and settings\sylvia lamping\neoteris_write_29789638.reg
2010-06-07 22:32:13 0 d-----w- c:\docume~1\sylvia~1\applic~1\Windows Search
2010-06-04 20:10:47 0 d-----w- c:\docume~1\sylvia~1\applic~1\Windows Desktop Search
2010-06-04 20:09:04 0 d-----w- c:\windows\system32\GroupPolicy
2010-06-04 20:09:04 0 d-----w- c:\program files\Windows Desktop Search
2010-06-04 20:07:48 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-06-04 20:07:48 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-06-04 20:07:47 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-06-02 17:02:39 0 d--h--w- C:\$AVG

==================== Find3M ====================

2010-06-14 17:05:55 3216 ----a-w- c:\windows\system32\encobject.dat
2010-06-13 12:08:06 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-02 13:20:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 19:57:14 28320 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 12:19:00.65 ===============

Edited by Orange Blossom, 16 June 2010 - 06:25 PM.
Deactivate link. ~ OB
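The "Pseudo HJT Report" section of the DDS log above prints browser helper objects, toolbars, Run keys, DPF downloads, Winlogon notify DLLs and AppInit_DLLs in a fixed line format. The Python script below is an added example, not part of this thread and not code from the DDS tool or from BleepingComputer: it parses those line formats into structured entries and applies three triage heuristics of my own (a bare filename with no directory, a path under a temp or browser-cache folder, and any AppInit_DLLs value at all). The sample lines are copied in shape from the log posted above; the heuristics and the helper names (`parse_report`, `image_path`, `triage`) are this example's assumptions, not rules from DDS or from the forum.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines in the DDS "Pseudo HJT Report" format, in the
# shape seen in the log posted above. Paths and CLSIDs are as they appear there.
SAMPLE_REPORT = r"""
uStart Page = https://portal.arise.com/Login.aspx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"


@dataclass
class Entry:
    kind: str             # BHO, TB, uRun, mRun, DPF, Notify, AppInit_DLLs, uStart Page, ...
    name: str             # display name or Run value name ("" when the line has none)
    clsid: Optional[str]  # only BHO/TB/DPF lines carry one
    target: str           # file path, command line or URL exactly as printed


# One regex per line shape that DDS uses in this section (assumed from the log above).
LINE_PATTERNS = [
    re.compile(rf"^(?P<kind>BHO|TB): (?P<name>.*?): (?P<clsid>{CLSID}) - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    re.compile(rf"^(?P<kind>DPF): (?P<clsid>{CLSID}) - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>Notify): (?P<name>.*?) - (?P<target>.*)$"),
    re.compile(r"^(?P<kind>AppInit_DLLs): (?P<target>.*)$"),
    re.compile(r"^(?P<kind>u(?:Start Page|Search Bar)) = (?P<target>.*)$"),
]


def parse_line(line: str) -> Optional[Entry]:
    """Turn one report line into an Entry, or None for line shapes not modelled here."""
    line = line.strip()
    for pat in LINE_PATTERNS:
        m = pat.match(line)
        if m:
            g = m.groupdict()
            return Entry(g["kind"], g.get("name") or "", g.get("clsid"), g["target"].strip())
    return None


def parse_report(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def image_path(command: str) -> str:
    """Extract the executable/DLL path from a command line.
    A quoted path is taken as-is; an unquoted one may contain spaces, so cut at
    the first .exe/.dll/.scr/.com/.sys that is followed by whitespace or the end."""
    command = command.strip()
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.(?:exe|dll|scr|com|sys))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


# Triage heuristics: this example's own assumptions, not DDS or forum rules.
FILE_KINDS = {"uRun", "mRun", "Notify", "AppInit_DLLs"}
TEMP_MARKERS = ("temporary internet files", "\\temp\\", "\\local settings\\")


def flags_for(entry: Entry) -> List[str]:
    path = image_path(entry.target).lower()
    flags = []
    if entry.kind in FILE_KINDS and "\\" not in path:
        flags.append("bare filename: resolved through the search path, not a fixed location")
    if any(marker in path for marker in TEMP_MARKERS):
        flags.append("loads from a temp or browser-cache folder")
    if entry.kind == "AppInit_DLLs":
        flags.append("AppInit DLL is injected into every process that loads user32.dll")
    return flags


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return only the entries that tripped at least one heuristic, with their flags."""
    result = []
    for e in entries:
        f = flags_for(e)
        if f:
            result.append((e, f))
    return result


if __name__ == "__main__":
    for entry, flags in triage(parse_report(SAMPLE_REPORT)):
        print(f"{entry.kind:12} {entry.name or '-':45} {image_path(entry.target)}")
        for f in flags:
            print(f"    -> {f}")
```

Run it against a pasted report and the output is a short list of entries worth checking by hand; the flags are a starting point for verification (signature, location, vendor), not a verdict, since legitimate drivers such as the audio shortcut above also register bare filenames.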



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 19 June 2010 - 07:22 AM

Hi ddotsyl,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 ddotsyl

ddotsyl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 19 June 2010 - 08:41 AM

Since my original post, I've still had to use the computer that was having the issues, so I've been running AVG, SuperAntiSpyware, Hitman Pro 3.5, Adaware, and Malwarebytes to keep ahead of the game. Do you need me to run new reports? I will not run any scans from this point forward unless told to do so.

Thank you,

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 19 June 2010 - 08:50 AM

Please update me on the current condition of your computer before doing anything. What is the issue you are currently facing and need assistance to resolve?

#5 ddotsyl

ddotsyl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 19 June 2010 - 03:19 PM

My current situation is the same as it was before. When I do a google search and click on a link, I'm brought to sites other than where I intend to go. The sites are shopping sites, Car and Driver, Yellow Pages, Pop-ups stating that I'm a winner, anything but the site that I intend to go to. I did notice that before it brings me to the bogus links, the url: http:\\www.ci1i1|c1ilk.com is displayed in the lower left hand corner before the url of the actual page is displayed.

Thank you,

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 20 June 2010 - 09:11 AM

Thank you for the feedback.
  1. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it finished press Save to save the log and post it to your reply. It will not take more than a minute.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    rem Remove any log left over from a previous run
    if exist mbr.log del mbr.log
    rem Run mbr.exe (saved in C:\Windows, so it is found via the PATH) with the -t switch; it writes mbr.log
    mbr.exe -t
    rem Pause for about one second so the log is fully written before it is opened
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#7 ddotsyl

ddotsyl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 21 June 2010 - 04:57 PM

I'm not able to complete a gmer scan. The computer keeps shutting down. Do you want me to proceed with the remaining steps that you outlined? I'll await further instruction.

Thank you.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 21 June 2010 - 05:46 PM

Yes please proceed.

#9 ddotsyl

ddotsyl
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 21 June 2010 - 09:13 PM

I tried again and am still unable to run gmer all of the way through without the computer restarting. The log.txt of the mbr.exe is as follows:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,

http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK

Thank you,


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 22 June 2010 - 03:00 AM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 27 June 2010 - 10:59 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.
