Google redirect virus?


21 replies to this topic

#1 Queenie1

Posted 18 September 2011 - 05:03 AM

Hi, I really hope you clever people can help me!
I think my computer has the google redirect virus. It had a whole heap of problems, including claiming to have hard drive failure. (Windows diagnostic?) I managed to get rid of whatever was causing that, but there are still lots of strange things going on. When I put search terms into google, it is really slow, redirects to adverts, I also get a lot of audio ads in the background when I'm browsing sites (including this one!) I've tried TDSS killer and running Malwarebytes, Super anti-spyware and an Avast boot scan but none of those programmes have found anything.
What to do next?
Thank you so much, in advance.


#2 ratman (Malware Response Team)

Posted 18 September 2011 - 05:19 AM

Hi :welcome: to BC,

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the results.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
regards, ratman


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM




#3 Queenie1 (Topic Starter)

Posted 18 September 2011 - 06:18 AM

Hi, this is the result of the Security Check log. I'll post the rest as they come in! BTW, is it ok to post logs on this thread? Or should I go to the Log section?
Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.3.183.7
Mozilla Firefox (3.6.22) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
ALWILS~1 Avast5 avastUI.exe
``````````End of Log````````````

#4 Queenie1 (Topic Starter)

Posted 18 September 2011 - 06:22 AM

So, here is the Mini Toolbox result:
MiniToolBox by Farbar
Ran by Rupert (administrator) on 18-09-2011 at 12:20:25
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection 5"

set address name="Wireless Network Connection 5" source=dhcp
set dns name="Wireless Network Connection 5" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection 5" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : terrabyte
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-15-58-78-CC-C0

Ethernet adapter Wireless Network Connection 5:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : (ZD1211B)IEEE 802.11 b+g USB Adapter #4
Physical Address. . . . . . . . . : 00-02-72-82-76-7A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 194.168.4.100
194.168.8.100
Lease Obtained. . . . . . . . . . : 18 September 2011 12:01:05
Lease Expires . . . . . . . . . . : 18 September 2011 13:01:05

Server: cache1.service.virginmedia.net
Address: 194.168.4.100

Name: google.com
Addresses: 209.85.146.106, 209.85.146.105, 209.85.146.99, 209.85.146.104
209.85.146.147, 209.85.146.103

Pinging google.com [209.85.146.105] with 32 bytes of data:

Reply from 209.85.146.105: bytes=32 time=49ms TTL=53
Reply from 209.85.146.105: bytes=32 time=26ms TTL=52

Ping statistics for 209.85.146.105:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 49ms, Average = 37ms

Server: cache1.service.virginmedia.net
Address: 194.168.4.100

Name: yahoo.com
Addresses: 69.147.125.65, 72.30.2.43, 98.137.149.56, 209.191.122.70
67.195.160.76

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=165ms TTL=55
Reply from 72.30.2.43: bytes=32 time=154ms TTL=55

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 154ms, Maximum = 165ms, Average = 159ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 58 78 cc c0 ...... Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
0x10004 ...00 02 72 82 76 7a ...... (ZD1211B)IEEE 802.11 b+g USB Adapter #4 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.4 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.4 192.168.0.4 20
192.168.0.0 255.255.255.0 192.168.0.4 192.168.0.4 25
192.168.0.4 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.0.255 255.255.255.255 192.168.0.4 192.168.0.4 25
224.0.0.0 240.0.0.0 192.168.0.4 192.168.0.4 25
255.255.255.255 255.255.255.255 192.168.0.4 2 1
255.255.255.255 255.255.255.255 192.168.0.4 192.168.0.4 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/16/2011 08:20:50 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00029f07.
Processing media-specific event for [iexplore.exe!ws!]

Error: (09/15/2011 10:59:50 PM) (Source: Application Error) (User: )
Description: Fault bucket 223121472.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (09/15/2011 10:59:47 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (09/15/2011 10:57:55 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x017f2688.
Processing media-specific event for [explorer.exe!ws!]

Error: (09/10/2011 00:43:45 PM) (Source: Application Error) (User: )
Description: Faulting application mDNSResponder.exe, version 2.0.4.0, faulting module mDNSResponder.exe, version 2.0.4.0, fault address 0x0001dc7b.
Processing media-specific event for [mDNSResponder.exe!ws!]

Error: (09/08/2011 11:44:25 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/25/2011 03:19:59 PM) (Source: Application Hang) (User: )
Description: Fault bucket -1737798330.

Error: (08/25/2011 03:19:30 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 1.9.2.4232, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/09/2011 01:16:43 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/09/2011 01:16:43 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (09/18/2011 11:37:55 AM) (Source: DCOM) (User: Rupert)
Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (09/18/2011 11:04:44 AM) (Source: Service Control Manager) (User: )
Description: The SASDIFSV service failed to start due to the following error:
%%183

Error: (09/18/2011 03:01:01 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB2566454).

Error: (09/17/2011 03:00:47 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB2566454).

Error: (09/16/2011 04:31:05 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.0.4 on the
Network Card with network address 00027282767A.

Error: (09/16/2011 03:00:36 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB2566454).

Error: (09/15/2011 11:33:21 PM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (09/15/2011 11:25:27 PM) (Source: Service Control Manager) (User: )
Description: The iPod Service service terminated unexpectedly. It has done this 1 time(s).

Error: (09/15/2011 11:25:20 PM) (Source: Service Control Manager) (User: )
Description: The Zune Bus Enumerator service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (09/15/2011 11:24:55 PM) (Source: Service Control Manager) (User: )
Description: The SMART Board Service service terminated unexpectedly. It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (09/22/2010 09:12:01 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 293945 seconds with 4200 seconds of active time. This session ended with a crash.

Error: (05/24/2010 08:11:29 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 111756 seconds with 480 seconds of active time. This session ended with a crash.

Error: (04/14/2010 03:15:53 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 992701 seconds with 6360 seconds of active time. This session ended with a crash.

Error: (01/13/2010 10:46:13 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1615 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

Acrobat.com (Version: 1.7.186)
Adobe AIR (Version: 1.5.1.8210)
Adobe Flash Player 10 ActiveX (Version: 10.3.183.7)
Adobe Flash Player 10 Plugin (Version: 10.3.183.7)
Adobe Reader 9.1 (Version: 9.1.0)
Adobe Shockwave Player 11.5 (Version: 11.5.9.620)
Apple Application Support (Version: 1.5.0)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.2.120)
Audacity 1.3.12 (Unicode)
avast! Free Antivirus (Version: 6.0.1289.0)
Bonjour (Version: 2.0.4.0)
Brother MFL-Pro Suite DCP-145C (Version: 1.0.0.0)
EasyRecovery DataRecovery Trial (Version: 6.12.02)
Email Subscriber Pro
Folding@home-gpu (Version: 6.23)
Folding@home-x86 (Version: 6.23)
Google Chrome (Version: 14.0.835.163)
Google Earth (Version: 6.0.3.2197)
Google SketchUp 8 (Version: 3.0.4811)
Google Update Helper (Version: 1.3.21.69)
HI-TECH C PRO for the PIC10/12/16 MCU Family V9.60PL5 (Version: 9.60)
HI-TECH C PRO for the PIC18 MCU Family V9.63PL1 (Version: 9.63)
HI-TECH C PRO for the PIC32 MCU Family V9.60PL1 (Version: 9.60)
IrfanView (remove only) (Version: 4.30)
iTunes (Version: 10.2.1.1)
Jasc Paint Shop Pro 9 (Version: 9.00.0000)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Java™ 6 Update 7 (Version: 1.6.0.70)
LAME v3.98.2 for Audacity
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
ManyCam 2.5.74 (remove only) (Version: 2.5.74)
Marvell Miniport Driver (Version: 8.56.2.3)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft ActiveSync (Version: 4.5.5096.0)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Standard 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft WinUsb 1.0
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Mnemosyne 1.2.2
Mobile Partner (Version: 11.002.03.16.03)
Mozilla Firefox (3.6.22) (Version: 3.6.22 (en-US))
MPLAB Tools v8.20 (Version: 8.20)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSVC90_x86 (Version: 1.0.1.2)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NETGEAR WPN111 Smart Wizard Wireless Utility
Nokia Connectivity Cable Driver (Version: 7.1.36.0)
Nokia Ovi Suite (Version: 3.0.0.290)
Nokia Ovi Suite Software Updater (Version: 02.06.006.44298)
Notebook Interactive Viewer (Version: 9.5.126.5)
Notebook Software (Version: 10.0.631.3)
NVIDIA Drivers
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
OpenOffice.org 3.0 (Version: 3.0.9379)
Ovi Desktop Sync Engine (Version: 1.5.161.0)
OviMPlatform (Version: 2.7.44.2)
PaperPort Image Printer (Version: 1.00.0000)
PC Connectivity Solution (Version: 10.50.2.0)
PC Wizard 2010.1.93
Platform (Version: 1.24)
QuickTime (Version: 7.69.80.9)
Realtek High Definition Audio Driver
Recover My Files (Version: 3.9.8.6157)
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio (Version: 1.00.0000)
ScanSoft PaperPort 11 (Version: 11.1.0000)
Segoe UI (Version: 14.0.4327.805)
Skype Toolbars (Version: 1.0.4051)
Skype™ 4.2 (Version: 4.2.163)
SMART Board Drivers (Version: 10.0.528.7)
SopCast 3.2.4 (Version: 3.2.4)
Spotify (Version: 0.4.9)
Starry Night CSAP (Version: 2.0.0.0)
SUPERAntiSpyware (Version: 4.41.1000)
TeraCopy 2.0 beta 4a
The Sims™ 3 (Version: 1.14.11)
The Sims™ 3 World Adventures (Version: 2.9.10)
V Stuff Backup v1.6.2.18253 (Version: 1.6.2.18253)
Veetle TV 0.9.16 (Version: 0.9.16)
VIA Platform Device Manager (Version: 1.24)
Virgin Media Service Manager 3.7.47 (Version: 3.7.47)
VLC media player 1.0.3 (Version: 1.0.3)
WebFldrs XP (Version: 9.50.5318)
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0) (Version: 02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0) (Version: 02/23/2007 2.5.0.0)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0) (Version: 08/22/2008 7.0.0.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Format 11 runtime
Windows Mobile Device Updater Component (Version: 04.08.2345.00)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
YouTube Downloader 2.5.3
Zune (Version: 04.08.2345.00)
Zune Language Pack (CHS) (Version: 04.08.2345.00)
Zune Language Pack (CHT) (Version: 04.08.2345.00)
Zune Language Pack (CSY) (Version: 04.08.2345.00)
Zune Language Pack (DAN) (Version: 04.08.2345.00)
Zune Language Pack (DEU) (Version: 04.08.2345.00)
Zune Language Pack (ELL) (Version: 04.08.2345.00)
Zune Language Pack (ESP) (Version: 04.08.2345.00)
Zune Language Pack (FIN) (Version: 04.08.2345.00)
Zune Language Pack (FRA) (Version: 04.08.2345.00)
Zune Language Pack (HUN) (Version: 04.08.2345.00)
Zune Language Pack (IND) (Version: 04.08.2345.00)
Zune Language Pack (ITA) (Version: 04.08.2345.00)
Zune Language Pack (JPN) (Version: 04.08.2345.00)
Zune Language Pack (KOR) (Version: 04.08.2345.00)
Zune Language Pack (MSL) (Version: 04.08.2345.00)
Zune Language Pack (NLD) (Version: 04.08.2345.00)
Zune Language Pack (NOR) (Version: 04.08.2345.00)
Zune Language Pack (PLK) (Version: 04.08.2345.00)
Zune Language Pack (PTB) (Version: 04.08.2345.00)
Zune Language Pack (PTG) (Version: 04.08.2345.00)
Zune Language Pack (RUS) (Version: 04.08.2345.00)
Zune Language Pack (SVE) (Version: 04.08.2345.00)

========================= Memory info: ===================================

Percentage of memory in use: 68%
Total physical RAM: 2046.42 MB
Available physical RAM: 641.07 MB
Total Pagefile: 3939.05 MB
Available Pagefile: 2794.63 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.59 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:127.99 GB) (Free:29.97 GB) NTFS
3 Drive d: (Sims3EP01) (CDROM) (Total:5.48 GB) (Free:0 GB) UDF

========================= Users: ========================================

User accounts for \\TERRABYTE

Administrator Guest HelpAssistant
Rupert SUPPORT_388945a0


**** End of log ****
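The MiniToolBox sections requested above (hosts file, DNS servers, Winsock catalog) are exactly the settings a browser-redirect infection tends to alter: a hosts entry overrides DNS for a name, a changed resolver answers every lookup, and a layered service provider sits inside every socket. As an added example, not part of the thread or of MiniToolBox, here is a small triage script over a constructed excerpt in that report format; the expected resolver set and the Temp-folder DLL name are assumptions, the resolver addresses are the ones quoted in the log above.

```python
import re
from typing import List, Tuple

# Constructed excerpt in the format MiniToolBox prints (not a real machine's log):
# the www.google.com hosts entry and the Temp-folder Winsock DLL are invented
# indicators; the resolver addresses are the ISP resolvers quoted in the thread.
SAMPLE_REPORT = r"""========================= Hosts content: =================================

127.0.0.1 localhost
203.0.113.10 www.google.com

========================= IP Configuration: ================================

DNS Servers . . . . . . . . . . . : 194.168.4.100
                                    194.168.8.100
Lease Obtained. . . . . . . . . . : 18 September 2011 12:01:05

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Documents and Settings\user\Local Settings\Temp\placeholder_lsp.dll [40960] ()
"""

SECTION_RE = re.compile(r"^=+\s+(.+?):?\s+=+\s*$")
WINSOCK_RE = re.compile(r"^Catalog(5|9)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)\s*$")
IPV4_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
# No legitimate layered service provider is installed from a temp or profile folder.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")
Finding = Tuple[str, str]  # (severity, message)

def split_sections(report: str) -> dict:
    """Group lines under the '=== Name: ===' header that precedes them."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections

def check_hosts(lines: List[str]) -> List[Finding]:
    """A hosts entry overrides DNS for its names; report anything beyond loopback/localhost."""
    findings = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()  # drop comments
        if not entry:
            continue
        ip, *names = entry.split()
        if ip in LOOPBACK and all(n.lower() in LOCAL_NAMES for n in names):
            continue
        findings.append(("high", f"hosts file maps {', '.join(names)} to {ip}"))
    return findings

def dns_servers(lines: List[str]) -> List[str]:
    """Collect resolvers, including the bare-IP continuation lines after 'DNS Servers'."""
    servers, collecting = [], False
    for line in lines:
        if line.lstrip().startswith("DNS Servers"):
            first = line.split(":", 1)[1].strip()
            servers += [first] if first else []
            collecting = True
        elif collecting and line.strip():
            m = IPV4_RE.match(line)
            if m:
                servers.append(m.group(1))
            else:
                collecting = False  # first non-IP line ends the resolver list
    return servers

def check_winsock(lines: List[str]) -> List[Finding]:
    """Report every Winsock provider that is not a Microsoft DLL loaded from System32."""
    findings = []
    for m in filter(None, map(WINSOCK_RE.match, lines)):
        catalog, idx, path, _size, publisher = m.groups()
        lower = path.lower()
        if lower.startswith(SYSTEM_DIRS) and publisher == "Microsoft Corporation":
            continue
        sev = "high" if not publisher or any(d in lower for d in SUSPICIOUS_DIRS) else "info"
        findings.append((sev, f"Winsock Catalog{catalog} entry {idx}: {path} ({publisher or 'no publisher'})"))
    return findings

def triage_minitoolbox(report: str, expected_dns=()) -> List[Finding]:
    """Run the checks; expected_dns is the resolver set this network should be using."""
    sections = split_sections(report)
    findings = check_hosts(sections.get("Hosts content", []))
    for ip in dns_servers(sections.get("IP Configuration", [])):
        if expected_dns and ip not in expected_dns:
            findings.append(("medium", f"DNS server {ip} is not one of the expected resolvers"))
    findings += check_winsock(sections.get("Winsock entries", []))
    return findings
```

Run against a real MiniToolBox report the Bonjour entry comes out as "info" (a known third-party provider worth noting, not an alarm), while a provider with no publisher loaded from a Temp folder is ranked "high".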

#5 ratman (Malware Response Team)

Posted 18 September 2011 - 06:25 AM

Hi Queenie,

It's ok to post logs here which I ask for.
regards, ratman




#6 Queenie1 (Topic Starter)

Posted 18 September 2011 - 07:13 AM

Hi, when I run GMER I get this warning message: LoadDriver ("C:\Rupert\LOCALS~1\Temp\uwloypog.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

GMER then does run a scan, but says it hasn't found anything. Should I try to download it again? It didn't actually save onto the desktop and this might be the problem?

#7 Queenie1 (Topic Starter)

Posted 18 September 2011 - 07:30 AM

Also the only boxes ticked on the right hand side list are services, registry and files. Under that there is a box and the C drive is ticked there, plus ADS.
Is that all ok?
Oh and I don't know how to stop the computer calling itself Rupert!

#8 ratman (Malware Response Team)

Posted 18 September 2011 - 08:41 AM

Hi

Let's try running GMER once more.

This time download onto your desktop.

Tick all boxes on the right hand side apart from IAT/EAT and show all.

Now run GMER and post the log in your next reply.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, a logfile will open. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Also let me know of any problems when running any of these tools.

"Oh and I don't know how to stop the computer calling itself Rupert!"

Article here will show you how to change your computer name.
regards, ratman




#9 Queenie1 (Topic Starter)

Posted 18 September 2011 - 08:49 AM

Hi, thank you for your patience!
I did finally manage to download GMER onto the desktop but only by downloading the zipped file and then unzipping it onto the desktop. (The computer gave me no option that I could see on where I wanted the download saved to) However I still got the error message I recorded earlier. Also, it won't actually let me tick any boxes other than the ones that are already ticked.
Shall I just move straight on to Rootrepeal or is there something else I can try with GMER?

#10 ratman (Malware Response Team)

Posted 18 September 2011 - 09:01 AM

Hi,

Please move straight to RootRepeal.
regards, ratman




#11 ratman (Malware Response Team)

Posted 18 September 2011 - 09:13 AM

Hi,

Please move straight to RootRepeal.

Article here will show you how to change your computer name.

Please don't change anything until we have you cleaned up.
regards, ratman




#12 Queenie1 (Topic Starter)

Posted 18 September 2011 - 09:33 AM

Here is the log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2011/09/18 15:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000025
Image Path: \Driver\00000025
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: 00000066
Image Path: \Driver\00000066
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F0B000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAE264000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5FE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAAF03000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\rupert\local settings\temp\~df96c9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rupert\local settings\temp\~df9e6e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rupert\local settings\temp\~dfa28c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rupert\local settings\temp\~dfce98.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rupert\local settings\temp\~dfd1e8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rupert\local settings\temp\~df7d8a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rupert\local settings\temp\~df1f12.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\rupert\local settings\application data\microsoft\internet explorer\recovery\active\{269a2c88-e202-11e0-a6c4-00027282767a}.dat
Status: Size mismatch (API: 10752, Raw: 6144)

SSDT
-------------------
#: 009 Function Name: NtAddBootEntry
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0374

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xae3072b8

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4829

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2996

#: 036 Function Name: NtCreateEventPair
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a29ee

#: 038 Function Name: NtCreateIoCompletion
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2b04

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c41dd

#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a28ec

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2a3e

#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2940

#: 054 Function Name: NtCreateTimer
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2ab2

#: 061 Function Name: NtDeleteBootEntry
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0398

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4eef

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c51a5

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2d88

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4d5a

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4bc5

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xae307368

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0162

#: 109 Function Name: NtModifyBootEntry
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a03bc

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2efc

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0e54

#: 114 Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a29c6

#: 115 Function Name: NtOpenEventPair
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2a16

#: 117 Function Name: NtOpenIoCompletion
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2b2e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4539

#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2918

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2bc0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2a7e

#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a296e

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2ca4

#: 131 Function Name: NtOpenTimer
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a2adc

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xae307400

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4a40

#: 163 Function Name: NtQueryObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0d1a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4892

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xae30f6e2

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c3850

#: 211 Function Name: NtSetBootEntryOrder
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a03e0

#: 212 Function Name: NtSetBootOptions
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0404

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a01bc

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a02f8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2c4ff6

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a02d4

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a031c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xae3ef620

#: 268 Function Name: NtVdmControl
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0428

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a922b10]
Process: System Address: 0x8a911108 Size: 3832

Object: Hidden Code [ETHREAD: 0x8a95d950]
Process: System Address: 0x8a911b2d Size: 1235

Object: Hidden Code [ETHREAD: 0x8a983ad8]
Process: System Address: 0x8a912a11 Size: 1519

==EOF==
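A RootRepeal log like the one above is read section by section, and a helper usually looks first at drivers hidden from the Windows API, SSDT hooks not owned by a known security product, and "Hidden Code" stealth objects. The following triage script is an added example, not part of this thread or of RootRepeal; it embeds a trimmed excerpt of the log posted above and assumes the allowlist of hooking drivers (Avast's aswSnx/aswSP and SUPERAntiSpyware's SASKUTIL, the products the poster mentioned) is correct for this machine.

```python
import re
from collections import defaultdict

# Excerpt of the RootRepeal log posted above, trimmed to one entry per section.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: atapi.sys
Status: Hidden from the Windows API!

SSDT
-------------------
#: 009 Function Name: NtAddBootEntry
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSnx.SYS" at address 0xae2a0374

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a922b10]

==EOF==
"""

# Assumed allowlist: hooks placed by these security drivers are expected here; any other hooker is flagged.
KNOWN_HOOKERS = {"aswsnx.sys", "aswsp.sys", "saskutil.sys"}

def parse_sections(text):
    """Group the log into {section: [entry, ...]}; each entry is a dict of the blank-line-separated lines."""
    sections, entry, prev, current = defaultdict(list), {}, "", None
    for line in text.splitlines():
        if line.startswith("---"):  # the line above a dashed rule is the section header
            current, entry = prev, {}
        elif not line.strip() or line == "==EOF==":
            if entry:
                sections[current].append(entry)
            entry = {}
        else:  # "Key: value"; only the first colon splits, later colons stay in the value
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        prev = line
    return sections

def triage(text):
    """Return (kind, detail) pairs for the entries a helper would look at first."""
    s, findings = parse_sections(text), []
    findings += [("hidden_driver", d.get("Name", "?")) for d in s["Drivers"] if "Hidden" in d.get("Status", "")]
    for h in s["SSDT"]:
        m = re.search(r'Hooked by "([^"]+)"', h.get("Status", ""))
        if m and m.group(1).rsplit("\\", 1)[-1].lower() not in KNOWN_HOOKERS:
            findings.append(("unknown_ssdt_hook", h.get("#", "?")))
    findings += [("hidden_code", o["Object"]) for o in s["Stealth Objects"] if o.get("Object", "").startswith("Hidden Code")]
    return findings
```

Run against the full log, it reports the hidden atapi.sys entry and the three hidden-code threads while staying silent on the Avast and SUPERAntiSpyware hooks; a hook from any driver outside the allowlist would be listed as `unknown_ssdt_hook`.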

#13 ratman
    Bleepin' gnawing at it!

  • Malware Response Team
  • 1,799 posts
  • Gender:Male
  • Location:Scotland

Posted 18 September 2011 - 03:23 PM

Hi Queenie1,

Sorry about the delay but this is taking a bit longer to track down.

We need you to produce another log, if that's OK?

Please download aswMBR, save it to your desktop and run the program.

Click the Scan button.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

Which browser is giving you redirects? Is it IE, FF or both?
regards, ratman




#14 Queenie1
  • Topic Starter
  • Members
  • 20 posts

Posted 18 September 2011 - 04:05 PM

I'm grateful for the help!
It's both FF and IE. I have XP, incidentally. The scan is going on as I write and I'll post it as soon as it's through.

#15 Queenie1
  • Topic Starter
  • Members
  • 20 posts

Posted 18 September 2011 - 04:07 PM

Oh and those audio ads were going on today even when I had no browsers open at all. It was very creepy!
