
Hijacked Boot sector and Google search redirects and web page ad pop-ups


This topic is locked
18 replies to this topic

#1 Shaun5152

Posted 14 August 2010 - 04:19 PM

WIN XP Professional (32bit)

I have tried numerous malware removal tools to no avail. I tried to reboot into safe mode to run Malwarebytes, but the boot sector was hijacked as well - showing a "warning" about the hard drive being infected and advertising "Trend Micro Chipawayvirus" and then showing a "progress page" advertising "Trend Micro www.antivirus.com"

In an effort to start up in safe mode I loaded the original WINXP Professional (32bit) disc and wound up using the repair function. I now have an operable system but back to Service Pack 1. I downloaded Service Pack 2 and it ran OK until I had to restart my computer, at which time the boot sequence went into a continuous cycle of failed boots.

I reloaded the original disc and recovered the system to Service Pack 1 operation, and the adware pop-ups are still present. I'm afraid to reboot the computer until I can get rid of the boot sequence virus!

Please help - I love my XP system!

Shaun5152

CONTENTS OF DDS.txt LOG FOLLOWS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Shaun at 9:29:17.85 on Sat 08/14/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1535.938 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\system32\MSTMON_S.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shaun\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.msn.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2BDDFD3E-F7C8-4E71-A05C-9E3669A2210E} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run
mRun: [KONICA MINOLTA magicolor 2400W STD] c:\windows\system32\MSTMON_S.EXE STARTUP
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216154991296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: ssqOICUO - ssqOICUO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {AF209DB6-29BB-4F8B-84E8-2056EA999610} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGAtRiF

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-21 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-7-16 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\AVGLDX86.SYS [2010-8-12 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-16 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331032]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-22 10384]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-7-16 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-21 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-21 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-21 26192]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-16 29584]
S1 iirtqvom;iirtqvom;\??\c:\windows\system32\drivers\iirtqvom.sys --> c:\windows\system32\drivers\iirtqvom.sys [?]
S2 gupdate1c9e3eaeb5a532c;Google Update Service (gupdate1c9e3eaeb5a532c);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-7-16 30104]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-8-21 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2008-8-21 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2008-8-21 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2008-8-21 10368]

=============== Created Last 30 ================

2010-08-14 14:27:22 0 ----a-w- c:\documents and settings\shaun\defogger_reenable
2010-08-14 09:24:57 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-08-14 09:23:57 74752 -c--a-w- c:\windows\system32\dllcache\dayi.ime
2010-08-14 09:22:53 0 d-----w- c:\windows\LastGood.Tmp
2010-08-14 09:22:05 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-08-14 09:22:00 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-08-14 09:22:00 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-08-14 09:22:00 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-08-14 09:22:00 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-08-14 09:22:00 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-08-14 09:20:59 57344 -c--a-w- c:\windows\system32\dllcache\msadcf.dll
2010-08-14 09:19:59 468480 -c--a-w- c:\windows\system32\dllcache\clbcatq.dll
2010-08-14 09:18:13 50048 ----a-w- c:\windows\system32\drivers\DMusic.sys
2010-08-14 09:18:12 5888 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-08-14 09:17:45 24960 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-08-14 09:17:43 56576 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-08-14 09:17:40 23070 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-14 09:17:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-08-14 09:17:11 117248 ----a-w- c:\windows\system32\ksproxy.ax
2010-08-14 09:15:59 1086182 ----a-r- c:\windows\SET5A.tmp
2010-08-14 04:54:09 2694 ----a-w- c:\windows\system32\spupdsvc.inf
2010-08-14 04:48:19 0 d-----w- c:\windows\system32\wbem\Repository.002
2010-08-14 04:44:33 202496 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-14 04:44:32 1888992 ----a-w- c:\windows\system32\ati3duag.dll
2010-08-14 04:44:30 81920 ------w- c:\windows\system32\ieencode.dll
2010-08-14 04:29:57 19528 ----a-w- c:\windows\002690_.tmp
2010-08-14 03:28:28 518888 ----a-w- c:\program files\WindowsXP-KB884020-x86-enu.exe
2010-08-14 03:00:09 28160 -c--a-w- c:\windows\system32\dllcache\msoobe.exe
2010-08-14 02:43:16 22016 -c--a-w- c:\windows\system32\dllcache\agt0408.dll
2010-08-14 02:43:16 19968 -c--a-w- c:\windows\system32\dllcache\agt040e.dll
2010-08-14 02:43:16 19456 -c--a-w- c:\windows\system32\dllcache\agt041f.dll
2010-08-14 02:43:16 19456 -c--a-w- c:\windows\system32\dllcache\agt0419.dll
2010-08-14 02:43:16 19456 -c--a-w- c:\windows\system32\dllcache\agt0415.dll
2010-08-14 02:43:16 19456 -c--a-w- c:\windows\system32\dllcache\agt0405.dll
2010-08-14 02:42:55 13608 ----a-r- c:\windows\SET10F.tmp
2010-08-14 02:42:51 1086182 ----a-r- c:\windows\SETFA.tmp
2010-08-14 02:22:50 0 d-----w- C:\VundoFix Backups
2010-08-14 00:19:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-14 00:19:11 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-12 17:41:39 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-08-12 17:29:56 216400 ----a-w- c:\windows\system32\drivers\AVGLDX86.SYS
2010-08-12 14:14:47 0 d-----w- c:\windows\system32\MpEngineStore
2010-08-12 14:13:34 0 d-----w- C:\7ab34ed1609d4c432d624f
2010-08-12 14:02:42 0 d-----w- c:\docume~1\shaun\applic~1\Windows Search
2010-08-07 01:46:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-05 01:29:25 0 d-sh--w- c:\documents and settings\shaun\IECompatCache

==================== Find3M ====================

2010-08-14 09:20:17 23388 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-22 07:12:40 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 07:12:37 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 07:12:29 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-22 03:41:39 10038728 ----a-w- c:\program files\windows-kb890830-v3.3.exe
2008-11-16 14:07:53 903897 --sha-w- c:\windows\system32\FiRtAGgh.ini2
2008-11-15 16:54:15 896307 --sha-w- c:\windows\system32\QrrXaccf.ini2

============= FINISH: 9:30:29.92 ===============


#2 suebaby41


Posted 21 August 2010 - 01:54 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Shaun5152


Posted 21 August 2010 - 05:01 PM

Thank you for replying to my post! I am out of town and away from my troubled XP desktop until Wednesday, 24 Aug '10. I do not remember running a HijackThis log, so if you would be kind enough to give me the link, I will do that first thing on Wednesday, as well as the RSIT log as directed. Thank you again for helping save my XP system!

Shaun5152


#4 suebaby41


Posted 22 August 2010 - 11:08 AM

  1. Please download Trend Micro - HijackThis.
  2. Double click HJTInstall.exe to begin installation.
  3. Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to save it in another location.
  4. Click Install.
  5. A shortcut will be created on your Desktop and HijackThis will run automatically.
  6. You will need to accept the EULA, if it appears, to be able to use the tool.
  7. When HijackThis opens, click on the Do a system scan and save a log file button.
  8. When HijackThis has finished scanning, a window entitled hijackthis.log will open. When you close this window, the log will be saved into the HijackThis folder.
  9. If needed, see TrendMicro™ HijackThis™ Quick Start Guide
  10. Copy and paste this log into your next reply.


#5 Shaun5152


Posted 24 August 2010 - 08:22 PM

I am trying to reply, but the system is being blocked. I have the HijackThis log sent to my e-mail and will send it from my laptop, but the RSIT log is being blocked!

Shaun5152

#6 Shaun5152


Posted 24 August 2010 - 08:35 PM

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:09:39 AM, on 8/24/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.4
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2BDDFD3E-F7C8-4E71-A05C-9E3669A2210E} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-21-527237240-1604221776-725345543-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Colleen')
O4 - HKUS\S-1-5-21-527237240-1604221776-725345543-1004\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User 'Colleen')
O4 - HKUS\S-1-5-21-527237240-1604221776-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Colleen')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemywifi.verizon.net/sdcCommo...20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6770.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216154991296
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: ssqOICUO - ssqOICUO.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c9e3eaeb5a532c) (gupdate1c9e3eaeb5a532c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

--
End of file - 9114 bytes


#7 Shaun5152

Shaun5152
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 24 August 2010 - 09:00 PM

RSIT file will not transfer, copy, paste, e-mail, burn.....

#8 Shaun5152

Shaun5152
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 24 August 2010 - 09:27 PM

I have managed to PRINT 13 pages of RSIT LOG, would you accept a FAX?

#9 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 27 August 2010 - 02:20 PM

I can use the HijackThis log. We will work on what may be causing the problems with RSIT.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#10 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 27 August 2010 - 02:51 PM

Boot into Safe Mode and run your AVG9 antivirus program. Let me know how your computer behaves after doing this.

#11 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 27 August 2010 - 03:51 PM

Another method to repair the boot sector:
  1. Boot with the XP installation CD.
  2. When prompted, press R to repair a Windows XP installation.
  3. If repairing a host with multiple operating systems, select the appropriate one (XP) from the menu. If you have only one operating system, enter 1 to select it.
  4. Enter the administrator password if prompted.
  5. To fix the MBR, use the following command:

    fixmbr
  6. This assumes that your installation is on the C:\ drive. You will be presented with several scary warning lines the reading of which will make you want to say no. Microsoft is exceptionally vague regarding the conditions under which fixmbr can cause problems although they are clear about the consequences (losing all data on the hard drive), so use this at your own risk.
  7. Type y and ENTER to fix the MBR.
  8. Type Exit to leave the recovery console and reboot.

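The fixmbr steps above rewrite the boot code in sector 0. As an added example (not from the thread, and not how fixmbr itself works), here is a Python check a responder could run against a saved copy of sector 0 to tell whether that boot code has been replaced: it hashes only the 440-byte boot-code region (the disk signature and partition table may legitimately differ) and sanity-checks the partition table. The sample sector, its "known-good" hash and the tampered copy are all constructed here.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0-439 boot code, 440-443 disk signature, 446-509 partition table
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511

def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only; the rest of the sector may legitimately differ."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def parse_partitions(mbr):
    """Decode the four 16-byte primary partition entries, skipping empty (type 0) slots."""
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype:
            parts.append({"slot": slot, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts

def check_mbr(mbr, known_good_hash):
    """Return a list of findings; an empty list means sector 0 looks untouched."""
    if len(mbr) != MBR_SIZE:
        return [f"sector is {len(mbr)} bytes, expected {MBR_SIZE}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != known_good_hash:
        findings.append("boot code differs from known-good copy")
    parts = parse_partitions(mbr)
    bad = [p["slot"] for p in parts if p["status"] not in (0x00, 0x80)]
    if bad:
        findings.append(f"invalid status byte in slot(s) {bad}")
    active = [p["slot"] for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings

def build_sample_mbr(boot_code):
    """Constructed sector: the given boot code plus one active NTFS (0x07) partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 41942016)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x12\x34\x56\x78\x00\x00" + table + BOOT_SIGNATURE

# Constructed stand-ins: a "known-good" sector, and the same sector after something
# overwrote the start of its boot code with a jump while leaving the partition table alone.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
TAMPERED_MBR = b"\xeb\x1e\x90" + CLEAN_MBR[3:]
KNOWN_GOOD_HASH = boot_code_hash(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, KNOWN_GOOD_HASH) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, KNOWN_GOOD_HASH))
```

On a real machine the known-good hash has to come from a sector image saved before the infection (or from an identical clean install); without one, the structural checks still run but the hash comparison is meaningless.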

#12 Shaun5152

Shaun5152
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 30 August 2010 - 06:35 PM

QUOTE(suebaby41 @ Aug 27 2010, 02:51 PM)
Boot into Safe Mode and run your AVG9 antivirus program. Let me know how your computer behaves after doing this.

Ran AVG9.0 in safe mode and found the following under "infections"

C:\WINDOWS\System32\svchost.exe(1108):\memory_001a0000 Trojan horse Adload_r.AKH Object is inaccessible
C:\WINDOWS\Explorer.EXE(180):\memory_001a0000 Trojan horse Adload_r.AKH Object is inaccessible

Also: Results Overview = 4 infections found, 2 removed, 2 not removed

#13 Shaun5152

Shaun5152
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 30 August 2010 - 06:36 PM

QUOTE(Shaun5152 @ Aug 30 2010, 06:35 PM)
QUOTE(suebaby41 @ Aug 27 2010, 02:51 PM)
Boot into Safe Mode and run your AVG9 antivirus program. Let me know how your computer behaves after doing this.

Ran AVG9.0 in safe mode and found the following under "infections"

C:\WINDOWS\System32\svchost.exe(1108):\memory_001a0000 Trojan horse Adload_r.AKH Object is inaccessible
C:\WINDOWS\Explorer.EXE(180):\memory_001a0000 Trojan horse Adload_r.AKH Object is inaccessible

Also: Results Overview = 4 infections found, 2 removed, 2 not removed

Scan "Command line scan" completed.
Infections;"4";"2";"2"
Information;"28"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Monday, August 30, 2010, 4:06:45 PM"
Scan finished:;"Monday, August 30, 2010, 6:09:25 PM (2 hour(s) 2 minute(s) 39 second(s))"
Total object scanned:;"341233"
User who launched the scan:;"Administrator"

Infections
File;"Infection";"Result"
C:\WINDOWS\System32\svchost.exe (1108):\memory_001a0000;"Trojan horse Adload_r.AKH";"Object is inaccessible."
C:\WINDOWS\System32\svchost.exe (1108);"Trojan horse Adload_r.AKH";""
C:\WINDOWS\Explorer.EXE (180):\memory_001a0000;"Trojan horse Adload_r.AKH";"Object is inaccessible."
C:\WINDOWS\Explorer.EXE (180);"Trojan horse Adload_r.AKH";""

Information
File;"Information";"Result"
C:\WINDOWS\system32\config\SYSTEM.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\system;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\SOFTWARE.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\software;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\SECURITY.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\security;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\SAM.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\sam;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\DEFAULT.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\WINDOWS\system32\config\default;"Locked file. Not tested.";"Locked file. Not tested."
C:\pagefile.sys;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\NetworkService\ntuser.dat.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\NetworkService\ntuser.dat;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\LocalService\ntuser.dat.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\LocalService\ntuser.dat;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\Administrator.OFFICE.001\NTUSER.DAT.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\Administrator.OFFICE.001\NTUSER.DAT;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\Administrator.OFFICE.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG;"Locked file. Not tested.";"Locked file. Not tested."
C:\Documents and Settings\Administrator.OFFICE.001\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat;"Locked file. Not tested.";"Locked file. Not tested."
C:\7ab34ed1609d4c432d624f\mrtstub.exe;"Locked file. Not tested.";"Locked file. Not tested."
C:\7ab34ed1609d4c432d624f\mrt.exe;"Locked file. Not tested.";"Locked file. Not tested."
C:\4f837b3d36b7fa12fa78e6c81afaf27a\mrtstub.exe;"Locked file. Not tested.";"Locked file. Not tested."
C:\4f837b3d36b7fa12fa78e6c81afaf27a\mrt.exe;"Locked file. Not tested.";"Locked file. Not tested."


#14 Shaun5152

Shaun5152
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 30 August 2010 - 06:38 PM

QUOTE(Shaun5152 @ Aug 30 2010, 06:36 PM)

First thing computer did was a redirect to ad pages when ie 8 selected!!

#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 31 August 2010 - 08:00 AM

Step A

Often redirection is caused by a DNS and Hosts file hijack. Flush and restore both.

Clean Hosts File
  1. Access folder C:\WINDOWS\SYSTEM32\DRIVERS\ETC in Explorer.
  2. Open file HOSTS in Notepad. Before making changes, do a Save As and save a backup of this file as HOSTS.BAK.
  3. Reopen the HOSTS file.
  4. Delete all entries in this file except for the following and any other entries you are sure have legitimate uses:

    127.0.0.1 localhost
  5. Save the file.
Note: If you use customized Hosts Files such as the mvps hosts file, you will need to download and install it again. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE.

Step B

Flush DNS:
  1. Open up a command prompt Start > Run > "cmd.exe" > OK.
  2. Type in the command ipconfig /flushdns.
Step C

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Step D

Prior to using this program, please back up your data:

There are several free Backup Programs. Please decide for yourself which one meets your needs. Use at your own risk. You can check out other BackUp Programs at the sites below:

Step E

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.1.2) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Please post a new HijackThis log.
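Step A above is done by hand in Notepad. As an added example in Python (not from the thread or from any of the tools it names), this is the hosts-file audit a responder would run first: it classifies every entry as a block (a real hostname sent to loopback or 0.0.0.0, the usual way malware stops AV and Windows updates) or a redirect (sent anywhere else), keeps localhost plus an allowlist for mvps-style entries, and returns the cleaned text the manual step would produce. The sample hosts file is constructed.

```python
import ipaddress

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) per mapping line; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield n, fields[0], fields[1:]

def classify(ip, name):
    """None for a benign localhost mapping, else 'malformed', 'block' or 'redirect'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if name.lower() in LOCAL_NAMES and addr.is_loopback:
        return None
    # A real hostname pointed at loopback/0.0.0.0 is being blocked;
    # pointed anywhere else it is being redirected.
    return "block" if addr.is_loopback or addr.is_unspecified else "redirect"

def audit_hosts(text, allowlist=frozenset()):
    """Return (findings, cleaned_text): findings are (line_no, verdict, ip, hostname) for
    each entry that is neither a localhost mapping nor allowlisted (use the allowlist
    for mvps-style entries); cleaned_text keeps only localhost plus allowlisted entries."""
    findings, kept, has_localhost = [], [], False
    for n, ip, names in parse_hosts(text):
        kept_names = []
        for name in names:
            verdict = classify(ip, name)
            if verdict is None or name.lower() in allowlist:
                kept_names.append(name)
                has_localhost |= verdict is None and name.lower() == "localhost"
            else:
                findings.append((n, verdict, ip, name))
        if kept_names:
            kept.append(f"{ip} {' '.join(kept_names)}")
    if not has_localhost:             # the one line the thread says must survive
        kept.insert(0, "127.0.0.1 localhost")
    return findings, "\n".join(kept) + "\n"

# Constructed sample modelled on a hijacked XP hosts file; 203.0.113.0/24 is a
# documentation-only range, so the redirect target is not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avg.com            # constructed: AV vendor blocked
127.0.0.1       update.microsoft.com   # constructed: Windows Update blocked
0.0.0.0         ad.doubleclick.net     # constructed: mvps-style ad block (legitimate)
203.0.113.45    www.google.com         # constructed: search engine redirected
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE_HOSTS, allowlist={"ad.doubleclick.net"})
    print(*found, sep="\n")
    print("--- cleaned ---\n" + cleaned, end="")
```

Running it on the real file means reading C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts, keeping the HOSTS.BAK backup the thread asks for, and only then writing cleaned_text back; the DNS flush in Step B is still needed afterwards because the resolver cache is separate from the file.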



