Google Redirect / Possible Other Issues


This topic is locked
31 replies to this topic

#1 Kung99 (Members, 16 posts)

Posted 19 May 2011 - 04:41 PM

Hello Bleeping Computer, my PC has Windows XP Pro with SP2 installed. My problem started a few weeks ago when I was alerted by Avira of a virus it had found. I then closed everything and had it run a full scan in which it found and quarantined a couple more viruses. I had hoped that was the end of it, but that was not the case. Throughout the day while the computer was not in use, Avira had detected a few more viruses. I also ran Malwarebytes but I don't recall it finding anything. I noticed that my windows theme had changed from the MS Zune theme, to the classic windows 98 theme if that means anything. I decided to try Windows Repair, which was probably not a wise choice as I had no experience running it before.

After the repair, my theme was back to normal. However, now upon using Google, I am often (about 70% of the time) being redirected to random websites. On top of that, my computer is running abnormally slow, and my sound isn't working properly. Whenever I try and play a song in Windows Media Player, I get the following error;

"Windows Media Player cannot play the file because there is a problem with your sound device. There may not be a sound device installed on your computer, it may be in use by another program, or it may not be functioning properly."

Actually, as I was typing this a screen popped up saying "A Windows Media update is currently available. Would you like to update now?" I'll leave that window untouched for now.

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum, at the request of a Malware Removal team member. ~ Animal


#2 boopme (Global Moderator, 73,493 posts)

Posted 23 May 2011 - 12:57 PM

Hello and welcome. Run these please and let me know how it is after.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.




Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Kung99 (Topic Starter, Members, 16 posts)

Posted 23 May 2011 - 07:51 PM

Well I was able to download tdsskiller and run it without any issues. MBAM however encountered the following error when trying to update:

An error has occurred. Please report this error code to our support team.

PROGRAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)


I then tried manually installing the updates like suggested, however I could not load the malwarebytes website. I tried loading the website on Opera, Firefox, Chrome and IE but no dice.

Also of note, when clicking on a google website link a new page will open with the address google.com/rdr before being redirected to either the website I'm trying to get to, or (more often than not) some random site. Before, the redirecting would take place on the same tab instead of opening a new one like it is now.

Anyway, here is the TDSS log:



2011/05/23 21:16:46.0312 1792 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/23 21:16:46.0671 1792 ================================================================================
2011/05/23 21:16:46.0671 1792 SystemInfo:
2011/05/23 21:16:46.0671 1792
2011/05/23 21:16:46.0671 1792 OS Version: 5.1.2600 ServicePack: 2.0
2011/05/23 21:16:46.0671 1792 Product type: Workstation
2011/05/23 21:16:46.0671 1792 ComputerName: POWERHOUSE
2011/05/23 21:16:46.0671 1792 UserName: Sam
2011/05/23 21:16:46.0671 1792 Windows directory: C:\WINDOWS
2011/05/23 21:16:46.0671 1792 System windows directory: C:\WINDOWS
2011/05/23 21:16:46.0671 1792 Processor architecture: Intel x86
2011/05/23 21:16:46.0671 1792 Number of processors: 2
2011/05/23 21:16:46.0671 1792 Page size: 0x1000
2011/05/23 21:16:46.0671 1792 Boot type: Normal boot
2011/05/23 21:16:46.0671 1792 ================================================================================
2011/05/23 21:16:46.0921 1792 Initialize success
2011/05/23 21:16:52.0328 1856 ================================================================================
2011/05/23 21:16:52.0328 1856 Scan started
2011/05/23 21:16:52.0328 1856 Mode: Manual;
2011/05/23 21:16:52.0328 1856 ================================================================================
2011/05/23 21:16:54.0937 1856 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/23 21:16:54.0968 1856 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/23 21:16:55.0000 1856 ADIHdAudAddService (ce03d313a12cbc886c3beba3b4967a8a) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/05/23 21:16:55.0015 1856 AEAudio (058cdc314672a28a90566a787d9876e7) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/05/23 21:16:55.0062 1856 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/05/23 21:16:55.0078 1856 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/05/23 21:16:55.0156 1856 AmdLLD (ad8fa28d8ed0d0a689a0559085ce0f18) C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
2011/05/23 21:16:55.0234 1856 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
2011/05/23 21:16:55.0281 1856 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/23 21:16:55.0296 1856 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/23 21:16:55.0375 1856 ati2mtag (8e54c76db5d88bf8b4e82b37e1322671) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/23 21:16:55.0421 1856 AtiHdmiService (d9bc8892b9440a2551b8148c57aa039e) C:\WINDOWS\system32\drivers\AtiHdmi.sys
2011/05/23 21:16:55.0484 1856 ATITool (0e4bb35c5305099ac82053ac992e3e0e) C:\WINDOWS\system32\DRIVERS\ATITool.sys
2011/05/23 21:16:55.0531 1856 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/23 21:16:55.0546 1856 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/23 21:16:55.0640 1856 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/05/23 21:16:55.0656 1856 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/05/23 21:16:55.0703 1856 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/05/23 21:16:55.0734 1856 bantext (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/05/23 21:16:55.0765 1856 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/23 21:16:55.0812 1856 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/23 21:16:55.0843 1856 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/23 21:16:55.0859 1856 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/23 21:16:55.0875 1856 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/23 21:16:55.0968 1856 DigiFilter (ba912376605b72b1039da461c1fa19c6) C:\WINDOWS\system32\drivers\DigiFilt.sys
2011/05/23 21:16:55.0984 1856 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/23 21:16:56.0046 1856 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/23 21:16:56.0062 1856 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/05/23 21:16:56.0078 1856 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/23 21:16:56.0109 1856 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/23 21:16:56.0171 1856 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/23 21:16:56.0203 1856 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/23 21:16:56.0234 1856 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/23 21:16:56.0265 1856 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/23 21:16:56.0281 1856 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/23 21:16:56.0296 1856 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/23 21:16:56.0312 1856 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/23 21:16:56.0328 1856 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/23 21:16:56.0343 1856 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/23 21:16:56.0359 1856 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/23 21:16:56.0375 1856 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/23 21:16:56.0406 1856 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/23 21:16:56.0453 1856 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/23 21:16:56.0500 1856 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/23 21:16:56.0531 1856 iLokDrvr (4bfe38aec358dc49b17098ba0c028eb0) C:\WINDOWS\system32\DRIVERS\iLokDrvr.sys
2011/05/23 21:16:56.0546 1856 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/23 21:16:56.0578 1856 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/23 21:16:56.0609 1856 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/23 21:16:56.0625 1856 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/23 21:16:56.0656 1856 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/23 21:16:56.0656 1856 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/23 21:16:56.0671 1856 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/23 21:16:56.0718 1856 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/23 21:16:56.0750 1856 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/23 21:16:56.0765 1856 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/23 21:16:56.0781 1856 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/23 21:16:56.0812 1856 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/23 21:16:56.0843 1856 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/23 21:16:56.0906 1856 libusb0 (e2f1dcf4a68cc6cf694fbfba1842f4cd) C:\WINDOWS\system32\drivers\libusb0.sys
2011/05/23 21:16:56.0937 1856 MAUSB (a07af79cac2b923d65d51eaad5dafc69) C:\WINDOWS\system32\DRIVERS\mausb.sys
2011/05/23 21:16:56.0968 1856 MAUSBFT (af8ef3341db8a3aa922c3c2a453d5677) C:\WINDOWS\system32\DRIVERS\mausbft.sys
2011/05/23 21:16:56.0968 1856 MAUSBFTP (a07af79cac2b923d65d51eaad5dafc69) C:\WINDOWS\system32\DRIVERS\mausb.sys
2011/05/23 21:16:57.0000 1856 MA_CMIDI (6d03a526eeded908759ca8c0e581494d) C:\WINDOWS\system32\drivers\ma_cmidi.sys
2011/05/23 21:16:57.0031 1856 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2011/05/23 21:16:57.0046 1856 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/23 21:16:57.0093 1856 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/23 21:16:57.0125 1856 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/23 21:16:57.0156 1856 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/23 21:16:57.0171 1856 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/23 21:16:57.0187 1856 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/23 21:16:57.0203 1856 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/23 21:16:57.0234 1856 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/23 21:16:57.0265 1856 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/23 21:16:57.0281 1856 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/23 21:16:57.0281 1856 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/23 21:16:57.0312 1856 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/23 21:16:57.0343 1856 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/05/23 21:16:57.0359 1856 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/23 21:16:57.0375 1856 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/23 21:16:57.0390 1856 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/23 21:16:57.0421 1856 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/23 21:16:57.0421 1856 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/23 21:16:57.0437 1856 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/23 21:16:57.0453 1856 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/23 21:16:57.0468 1856 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/23 21:16:57.0500 1856 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/23 21:16:57.0515 1856 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/23 21:16:57.0546 1856 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/23 21:16:57.0562 1856 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/23 21:16:57.0578 1856 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/23 21:16:57.0593 1856 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/23 21:16:57.0609 1856 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/23 21:16:57.0640 1856 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/23 21:16:57.0656 1856 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/23 21:16:57.0687 1856 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/23 21:16:57.0734 1856 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/23 21:16:57.0843 1856 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/23 21:16:57.0859 1856 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/23 21:16:57.0875 1856 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/23 21:16:57.0890 1856 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/23 21:16:57.0953 1856 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/23 21:16:57.0968 1856 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/23 21:16:57.0984 1856 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/23 21:16:58.0000 1856 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/23 21:16:58.0000 1856 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/23 21:16:58.0015 1856 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/23 21:16:58.0046 1856 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/23 21:16:58.0078 1856 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/23 21:16:58.0109 1856 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/23 21:16:58.0140 1856 RTLE8023xp (b98455f2197fb560bde2c13d894db79d) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/05/23 21:16:58.0171 1856 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/23 21:16:58.0203 1856 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
2011/05/23 21:16:58.0250 1856 sensorsview32 (845af1ba23c8d5e64def61bcc441604c) C:\WINDOWS\system32\drivers\sensorsview32.sys
2011/05/23 21:16:58.0250 1856 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/23 21:16:58.0265 1856 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/23 21:16:58.0312 1856 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/23 21:16:58.0359 1856 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/23 21:16:58.0406 1856 sptd (a80cd850d69d996c832bea37e3a6aa1e) C:\WINDOWS\system32\Drivers\sptd.sys
2011/05/23 21:16:58.0437 1856 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/23 21:16:58.0500 1856 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/23 21:16:58.0562 1856 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/05/23 21:16:58.0609 1856 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/23 21:16:58.0625 1856 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/23 21:16:58.0703 1856 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/23 21:16:58.0750 1856 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\WINDOWS\system32\DRIVERS\taphss.sys
2011/05/23 21:16:58.0781 1856 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/23 21:16:58.0812 1856 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/23 21:16:58.0828 1856 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/23 21:16:58.0859 1856 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/23 21:16:58.0921 1856 TPkd (15fb67eb022a74b30e278d19b03da3b4) C:\WINDOWS\system32\drivers\TPkd.sys
2011/05/23 21:16:58.0968 1856 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/23 21:16:59.0031 1856 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/23 21:16:59.0046 1856 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/23 21:16:59.0078 1856 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/23 21:16:59.0109 1856 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/23 21:16:59.0125 1856 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/23 21:16:59.0140 1856 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/23 21:16:59.0156 1856 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/23 21:16:59.0171 1856 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/23 21:16:59.0203 1856 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/23 21:16:59.0218 1856 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/23 21:16:59.0250 1856 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/05/23 21:16:59.0296 1856 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/23 21:16:59.0328 1856 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/23 21:16:59.0375 1856 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/23 21:16:59.0453 1856 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/23 21:16:59.0468 1856 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/23 21:16:59.0500 1856 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/23 21:16:59.0500 1856 ================================================================================
2011/05/23 21:16:59.0500 1856 Scan finished
2011/05/23 21:16:59.0500 1856 ================================================================================
2011/05/23 21:16:59.0500 1484 Detected object count: 1
2011/05/23 21:17:14.0140 1484 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/23 21:17:14.0140 1484 \HardDisk0 - ok
2011/05/23 21:17:14.0140 1484 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/23 21:17:19.0859 1796 Deinitialize success
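An added example, not part of the thread and not Kaspersky's own code, that reads a TDSSKiller log like the one posted above and pulls out what a responder wants from it: the driver inventory (name, MD5, path), the detected object, the action the user chose, and whether the tool confirmed the object as ok or deferred the cure to the next reboot. The line shapes are inferred from the posted log and may not hold for other tool versions; the sample log is a constructed excerpt whose hashes and paths are copied from the post, and the baseline hashes passed to `drivers_off_baseline` are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the layout of a TDSSKiller 2.5.x log; the hashes, paths
# and detection lines are copied from the log posted above.
SAMPLE_LOG = r"""
2011/05/23 21:16:46.0312 1792 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/23 21:16:46.0671 1792 OS Version: 5.1.2600 ServicePack: 2.0
2011/05/23 21:16:52.0328 1856 Scan started
2011/05/23 21:16:54.0937 1856 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/23 21:16:55.0078 1856 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/05/23 21:16:59.0500 1856 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/23 21:16:59.0500 1856 Scan finished
2011/05/23 21:16:59.0500 1484 Detected object count: 1
2011/05/23 21:17:14.0140 1484 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/23 21:17:14.0140 1484 \HardDisk0 - ok
2011/05/23 21:17:14.0140 1484 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/23 21:17:19.0859 1796 Deinitialize success
"""

# Line shapes inferred from the posted log (assumption: other versions may differ).
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<msg>.*)$")
VERSION_RE = re.compile(r"^TDSS rootkit removing tool (?P<ver>\d+(?:\.\d+)+)")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECTED_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<threat>\S+) \(\d+\)$")
STATUS_RE = re.compile(r"^(?P<obj>\S+) \((?P<threat>\S+)\) - (?P<status>.+)$")
OK_RE = re.compile(r"^(?P<obj>\S+) - ok$")
ACTION_RE = re.compile(r"^(?P<threat>\S+)\((?P<obj>\S+)\) - User select action: (?P<action>\w+)$")


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    obj: str
    threat: str
    status: str = ""               # e.g. "will be cured after reboot"
    action: Optional[str] = None   # what the user chose: Cure, Skip, ...
    confirmed_ok: bool = False     # the tool later printed "<obj> - ok"


@dataclass
class ScanReport:
    tool_version: Optional[str] = None
    detected_count: Optional[int] = None
    drivers: Dict[str, DriverEntry] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    def find(self, obj: str) -> Optional[Detection]:
        return next((d for d in self.detections if d.obj == obj), None)

    def reboot_required(self) -> bool:
        return any("after reboot" in d.status for d in self.detections)

    def unresolved(self) -> List[Detection]:
        """Detections with no action chosen or no 'ok' confirmation from the tool."""
        return [d for d in self.detections if d.action is None or not d.confirmed_ok]


def parse_tdsskiller_log(text: str) -> ScanReport:
    report = ScanReport()
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank rows and '=' separators carry no message
        msg = line.group("msg").strip()
        if (m := VERSION_RE.match(msg)):
            report.tool_version = m.group("ver")
        elif (m := COUNT_RE.match(msg)):
            report.detected_count = int(m.group("n"))
        elif (m := DETECTED_RE.match(msg)):
            report.detections.append(Detection(m.group("obj"), m.group("threat")))
        elif (m := OK_RE.match(msg)):
            if (d := report.find(m.group("obj"))):
                d.confirmed_ok = True
        elif (m := ACTION_RE.match(msg)):
            if (d := report.find(m.group("obj"))):
                d.action = m.group("action")
        elif (m := STATUS_RE.match(msg)):
            if (d := report.find(m.group("obj"))):
                d.status = m.group("status")
        elif (m := DRIVER_RE.match(msg)):
            report.drivers[m.group("name")] = DriverEntry(*m.groups())
    return report


def drivers_off_baseline(report: ScanReport, baseline: Dict[str, str]) -> List[str]:
    """Driver names whose MD5 is missing from, or differs from, a known-good baseline."""
    return sorted(n for n, e in report.drivers.items() if baseline.get(n) != e.md5)


if __name__ == "__main__":
    r = parse_tdsskiller_log(SAMPLE_LOG)
    print(r.tool_version, "drivers:", len(r.drivers), "detections:", r.detected_count)
    for d in r.detections:
        print(d.obj, d.threat, d.status, d.action, "ok" if d.confirmed_ok else "pending")
    print("reboot required:", r.reboot_required(), "unresolved:", len(r.unresolved()))
```

The status line matters more than the detection line: "will be cured after reboot" means the disk object is still infected until the machine restarts, which is why the reply that follows opens with a reminder to reboot. The driver table is the part of the log a responder can diff against a known-good hash list from an identical, clean build; a driver whose hash is absent from that list is the first thing to look at.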

#4 boopme (Global Moderator, 73,493 posts)

Posted 23 May 2011 - 08:07 PM

OK good. Reboot if you haven't. After we've finished you need to change passwords on here, as that TDSS has stolen them.

Please ensure these items are excluded from your Antivirus AND your Firewall - 12007 error usually means that the download is being blocked -

Exclude Malwarebytes' Anti-Malware's Files and Folders From Other Active Security Programs:

For Windows XP:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

C:\Windows\System32\drivers\mbam.sys

C:\Windows\System32\drivers\mbamswissarmy.sys

Note: If using a software firewall besides the built in Windows Firewall you'll need to exclude MBAM.EXE from it as well

This FAQ contains examples of setting file exclusions for some known AV products -

#5 Kung99 (Topic Starter, Members, 16 posts)

Posted 24 May 2011 - 12:47 PM

Added them to the exceptions list but it is still giving the same error. It might be because I can't access the Malwarebytes website on this computer. Is there some place I can get the update that isn't directly linked to the official website?

Also, my sound appears to be in working order now.

#6 invision (Members, 91 posts)

Posted 24 May 2011 - 01:14 PM

Added them to the exceptions list but it is still giving the same error. It might be because I can't access the Malwarebytes website on this computer. Is there some place I can get the update that isn't directly linked to the official website?

Also, my sound appears to be in working order now.



Manual Update: http://data.mbamupdates.com/tools/mbam-rules.exe.

#7 Kung99 (Topic Starter, Members, 16 posts)

Posted 24 May 2011 - 02:02 PM

That link isn't loading either. Should I just run the scan with the outdated version or is that pointless? It says it's 154 days out of date.

#8 invision (Members, 91 posts)

Posted 24 May 2011 - 02:06 PM

Try this before running Malwarebytes

1. Click Start > Run and type C:\Windows\System32\drivers\etc then hit ENTER
2. Right Click on HOSTS and Open with and select Notepad
3. Make sure you only have this listed
# Copyright 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

4. Close Notepad and if you made any changes go ahead and save it

Next Steps

1. Click Start > Control Panel > Network connections (Depends on the flavor of windows you have)
2. Right click on Local Area Connections and click on Properties
3. Click on TCP/IPv4
4. Under DNS do you see anything listed? IF you do, write it down and change it to Google's DNS 8.8.8.8
5. Click OK then OK
6. Close any opened windows and try to use any browser now.

Please report back.

#9 Kung99 (Topic Starter, Members, 16 posts)

Posted 24 May 2011 - 02:36 PM

The hosts file was as you described, so no changes were made.

As for the DNS part of the page, this is what it looked like (the underscores represent the lines that can be selected, and the X the line that is selected):


___ Obtain DNS server automatically

_X_ Use the following DNS server addresses

Preferred DNS server: (it had 4 different numbers listed here)

Alternate DNS server: (again, 4 numbers, but different from the ones listed above)



So I changed them to 8 8 8 8 in the Preferred row, and 9 8 8 8 in the Alternate row. Upon running Opera, nothing seems different. Google is still redirecting itself, and the Malwarebytes website (as well as the link you posted) still won't load.

#10 invision

invision

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 24 May 2011 - 02:53 PM

Change the DNS to 8.8.8.8 and 8.8.4.4

Also check the Opera Internet Options and make sure no Proxy is selected.

Try to download this file

Click start > Run and type http://tigzy.geekstogo.com/Tools/RogueKiller.exe then hit enter

If you are able to download it

1. Quit all running programs.
2. Simply run RogueKiller.exe.
3. When prompted, type 1 and validate.
4. The RKreport.txt shall be generated next to the executable.
5. If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to iexplorer.exe.


Please post the contents of the RKreport.txt in your next Reply.

#11 Kung99

Kung99
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 24 May 2011 - 03:30 PM

Ok, here is the RogueKiller log;


RogueKiller V5.1.6 [05/21/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Sam [Admin rights]
Mode: Scan -- Date : 05/24/2011 17:28:21

Bad processes: 0

Registry Entries: 5
[BLACKLIST DLL] HKLM\[...]\Run : Epijife (rundll32.exe "C:\WINDOWS\ejahogajim.dll",Startup) -> FOUND
[SUSP PATH] GoogleUpdateTaskUserS-1-5-21-796845957-484763869-725345543-1004UA.job : c:\documents and settings\sam.powerhouse\local -> FOUND
[SUSP PATH] GoogleUpdateTaskUserS-1-5-21-796845957-484763869-725345543-1004Core.job : c:\documents and settings\sam.powerhouse\local -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters : NameServer (93.188.165.200,93.188.160.171) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{AC0088E5-CFAA-4274-8680-600522532EE0} : NameServer (8.8.8.8,8.8.4.4) -> FOUND

HOSTS File:


Finished : << RKreport[1].txt >>
RKreport[1].txt

#12 invision

invision

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 24 May 2011 - 03:44 PM

Kung99

Please do the following

1. Click > Start > Run > Type regedit.exe and hit enter
2. Back up the Registry. Highlight Computer by clicking on it once. From the Registry Editor menu, choose File and then Export... Save it to C:\Registry-Backup-5-24-2011.reg
3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\ and double-click NameServer
4. 93.188.165.200,93.188.160.171 are pointing to the Ukraine, so delete the numbers and leave NameServer empty
5. Navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
6. Delete the key for Epijife (rundll32.exe "C:\WINDOWS\ejahogajim.dll",Startup)
7. Close the Registry and reboot the PC

Run RogueKiller.exe again and select 1 again


Post Log and check your internet now.

Good Luck

Edited by invision, 24 May 2011 - 03:46 PM.
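The RogueKiller log and the fix above turn on two registry details worth checking rather than assuming. First, the global NameServer value under Tcpip\Parameters takes precedence over the per-adapter value under Interfaces\{GUID}, which is why setting 8.8.8.8 in the adapter dialog changed nothing while the global value still named the two rogue servers. Second, CurrentControlSet is a link to ControlSet00N where N is HKLM\SYSTEM\Select\Current; an edit made under ControlSet003 only affects the running system if 3 is the current set. As an added example (not from invision's post, RogueKiller or any other tool in the thread), the Python below parses a regedit export like the backup step 2 creates and audits it for both conditions, plus the Run entry that loads a DLL from the Windows root via rundll32. The sample export, the TRUSTED_RESOLVERS allowlist and the rundll32 heuristic are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Resolvers the operator expects to find; anything else is reported. Assumption for
# this example: the only legitimate DNS servers here are the Google resolvers.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample of a regedit export mirroring the RogueKiller findings above.
# A real export is UTF-16LE text: open(path, encoding="utf-16") before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
"NameServer"="93.188.165.200,93.188.160.171"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{AC0088E5-CFAA-4274-8680-600522532EE0}]
"NameServer"="8.8.8.8,8.8.4.4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Epijife"="rundll32.exe \"C:\\WINDOWS\\ejahogajim.dll\",Startup"
"Avira"="\"C:\\Program Files\\Avira\\avgnt.exe\" /min"
'''

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_TCPIP_RE = re.compile(
    r"^hkey_local_machine\\system\\(controlset\d{3})\\services\\tcpip\\parameters"
    r"(?:\\interfaces\\(\{[0-9a-f-]+\}))?$")
# Heuristic: rundll32 loading a DLL that sits directly in the Windows directory
# rather than System32, the pattern RogueKiller reported as a blacklisted DLL.
_WINDIR_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\[^\\"]+\.dll)', re.I)


def _unescape(s: str) -> str:
    # In .reg strings a backslash quotes the next character (\\ and \").
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each key path (lower-cased) to a {value name: data} dict."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                value: object = _unescape(data[1:-1])   # REG_SZ
            elif data.lower().startswith("dword:"):
                value = int(data[6:], 16)                # REG_DWORD
            else:
                value = data                             # hex(...) etc. left raw
            keys[current][_unescape(m.group(1))] = value
    return keys


def active_control_set(keys: Dict[str, Dict[str, object]]) -> str:
    # CurrentControlSet is a link to ControlSet00N where N is Select\Current;
    # an edit to any other ControlSet does not affect the running system.
    sel = keys.get(r"hkey_local_machine\system\select", {})
    return "controlset%03d" % int(str(sel.get("Current", 1)))


def audit_dns(keys: Dict[str, Dict[str, object]]) -> List[str]:
    # The global NameServer under Tcpip\Parameters takes precedence over the
    # per-adapter value, so the adapter dialog in the GUI cannot override it.
    findings: List[str] = []
    active = active_control_set(keys)
    for path, values in keys.items():
        m = _TCPIP_RE.match(path)
        if not m:
            continue
        servers = str(values.get("NameServer", "")).replace(",", " ").split()
        rogue = [s for s in servers if s not in TRUSTED_RESOLVERS]
        if not rogue:
            continue
        cset, iface = m.group(1), m.group(2)
        scope = "global (overrides per-adapter DNS)" if iface is None else "adapter " + iface
        state = "ACTIVE" if cset == active else "inactive"
        findings.append(f"{state} {cset} {scope}: untrusted resolver(s) {', '.join(rogue)}")
    return findings


def audit_run_keys(keys: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for path, values in keys.items():
        if not path.endswith(r"\microsoft\windows\currentversion\run"):
            continue
        for name, cmd in values.items():
            m = _WINDIR_DLL_RE.search(str(cmd))
            if m:
                findings.append(f"{path}\\{name}: rundll32 loads {m.group(1)} (heuristic)")
    return findings
```

On the sample this reports the ACTIVE ControlSet003 global value naming the two rogue resolvers, nothing for the adapter value that already holds 8.8.8.8 and 8.8.4.4, and the Epijife entry. A finding marked inactive means the set being edited is not the one Windows booted from, so the same value should be checked under the set that Select\Current names. Exporting the whole SYSTEM and SOFTWARE hives before editing, as step 2 does, is what makes an offline audit like this possible and also gives you the file to import if a deletion turns out to be wrong.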


#13 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:07:55 PM

Posted 24 May 2011 - 03:57 PM

@invision,

Before you provide any additional advice to users in the Am I Infected forum, please take a look at this thread here: http://www.bleepingcomputer.com/forums/topic383782.html for the rules to posting in this forum.

Kindest Regards,
SweetTech.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#14 Kung99

Kung99
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 24 May 2011 - 05:01 PM

So should I follow the instructions in the last post made by invision or should I wait for one of the official tech support?

Either way, I appreciate the help invision.

#15 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:07:55 PM

Posted 24 May 2011 - 05:05 PM

Hi Kung99!

So should I follow the instructions in the last post made by invision or should I wait for one of the official tech support?

I'm going to continue assisting you with this issue. I'm going to ask that this thread be moved to the malware forum, so I can have you run some more powerful tools.


____________________________________________________

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________


Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized





