
Google Redirect Problem


Name: yzarius
Date: July 16, 2009 at 23:00:42 Pacific
OS: Windows Vista
Product: Hp (hewlett-packard) Genuine hp pavilion dv6000 dv1000 ac adapter/charger
Subcategory: General
Comment:

Hi,

I've had this problem with my Google & Yahoo search for a day. When I click the link, I get redirected to a different search engine or some sort of advertisement page.
I've DLed Ad-Aware, Spyware Terminator, and Spybot. However, Spybot cannot be opened and none of the other scans have fixed my problem.
System Restore also doesn't work as there is a "disk failure."

Here is my HJ logfile, thanks so much in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:40 AM, on 7/17/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\od\Desktop\FixThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://medley.isc-seo.upenn.edu/pen...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.exe C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CCDB9C7-08F8-44B1-9F57-1A0460ACCC05}: NameServer = 85.255.112.154,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7BFFA3-7E56-4F1B-8F20-CCC763C31EBC}: NameServer = 85.255.112.154,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E4D1CA8-B5F5-40B2-9665-2599E22434F5}: NameServer = 85.255.112.154,85.255.112.227
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.154,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.154,85.255.112.227
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9d7eefdf46390) (gupdate1c9d7eefdf46390) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\SNAC.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10879 bytes
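The O17 lines in the log above are the security-relevant part: every TCP/IP interface, plus the global Tcpip\Parameters key, has been pointed at 85.255.112.154 and 85.255.112.227, resolvers the owner never configured, and hijacked DNS is exactly what turns a search click into a redirect. The following is an added example, not code from the thread, from HijackThis or from any tool the helper names: a small parser that reads HijackThis-style lines, flags O17 NameServer values outside an allowlist of expected resolvers, and also reports O2/O3 browser add-ons whose DLL is missing. It assumes the two OpenDNS addresses (208.67.222.222 and 208.67.220.220, the service the helper later recommends) as the expected resolvers, treats private-range addresses as the home router, and uses a constructed sample log with one made-up interface GUID.

```python
"""Rogue-resolver and orphaned-add-on check for HijackThis-style log lines.

Added example (not the thread's or any tool's own code). Compares every O17
NameServer value with an allowlist of resolvers the owner expects, and reports
O2/O3 add-ons registered without a backing DLL ("(no file)").
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed allowlist: the two OpenDNS resolvers. Private-range addresses
# (a home router handing out DNS) are also accepted by default.
EXPECTED_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

# Constructed sample: four lines taken from the log above plus one benign
# interface (made-up GUID) that points at a router on a private address.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CCDB9C7-08F8-44B1-9F57-1A0460ACCC05}: NameServer = 85.255.112.154,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.154,85.255.112.227
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
""".strip("\n")

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
ADDON_RE = re.compile(
    r"^O(?P<section>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)


@dataclass
class Finding:
    kind: str              # "rogue_nameserver" or "orphaned_addon"
    where: str             # registry key or CLSID the finding refers to
    servers: list = field(default_factory=list)  # offending resolver IPs


def is_expected_resolver(addr: str, allowlist=EXPECTED_RESOLVERS) -> bool:
    """True if addr is allowlisted or a private/loopback address (the LAN router)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP address at all: treat as unexpected
    return addr in allowlist or ip.is_private or ip.is_loopback


def analyze(log_text: str, allowlist=EXPECTED_RESOLVERS) -> list:
    """Walk HJT lines and collect the findings a helper would act on."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            rogue = [s for s in servers if not is_expected_resolver(s, allowlist)]
            if rogue:
                findings.append(Finding("rogue_nameserver", m["key"], rogue))
            continue
        m = ADDON_RE.match(line)
        if m and m["path"].strip() == "(no file)":
            # An add-on registered without a backing DLL is a leftover from a
            # removed or partially cleaned install; inert, but worth clearing.
            findings.append(Finding("orphaned_addon", m["clsid"]))
    return findings


def rogue_resolvers(findings: list) -> list:
    """Distinct unexpected resolver addresses, sorted, across all interfaces."""
    return sorted({s for f in findings if f.kind == "rogue_nameserver" for s in f.servers})


def summarize(findings: list) -> dict:
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind}: {f.where} {','.join(f.servers)}".rstrip())
    print("rogue resolvers:", rogue_resolvers(found))
```

Run against the full log in the post, the check reports all five O17 keys (three interface GUIDs, the CCS Parameters key and the CS1 Parameters key) as rogue, which is why the helper's later AVZ script removes the three interface CLSIDs and then has the user set OpenDNS: clearing the per-interface keys alone leaves the global NameServer value in place.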




Response Number 1
Name: jdk (by neoark)
Date: July 17, 2009 at 06:02:10 Pacific
Reply:

Download and run Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool in safe mode:

1) Check below options:
   * Select all the objects/places to be scanned.
2) Click Scan
3) Fix what it detects
4) Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 2
Name: yzarius
Date: July 17, 2009 at 16:39:00 Pacific
Reply:

The server seems to be down -- network keeps timing out. I am unable to get to the site. I'll keep trying. Thanks for your quick response though.


0

Response Number 3
Name: jdk (by neoark)
Date: July 17, 2009 at 17:01:45 Pacific
Reply:

Try: ftp://213.206.94.83/devbuilds/AVPTool/index.html

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 4
Name: yzarius
Date: July 18, 2009 at 15:30:42 Pacific
Reply:

Thanks,

The scan finally finished and here's the link:

http://rapidshare.com/files/2573603...

I ran everything in safe mode. The google redirect is still present.
Let me know what's next, thanks again!


0

Response Number 5
Name: jdk (by neoark)
Date: July 18, 2009 at 15:43:28 Pacific
Reply:

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.


0




Response Number 6
Name: yzarius
Date: July 18, 2009 at 16:44:31 Pacific
Reply:

Any other place I can download AVZ?
Same issue that I had before with Kaspersky


0

Response Number 7
Name: jdk (by neoark)
Date: July 18, 2009 at 16:56:58 Pacific

Response Number 8
Name: yzarius
Date: July 18, 2009 at 18:02:52 Pacific

Response Number 9
Name: jdk (by neoark)
Date: July 18, 2009 at 18:53:48 Pacific
Reply:

Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DelCLSID('{9E4D1CA8-B5F5-40B2-9665-2599E22434F5}');
 DelCLSID('{3D7BFFA3-7E56-4F1B-8F20-CCC763C31EBC}');
 DelCLSID('{3CCDB9C7-08F8-44B1-9F57-1A0460ACCC05}');
 QuarantineFile('C:\Windows\temp\7684624.tmp','');
 DeleteFile('C:\Windows\temp\7684624.tmp');
 DeleteFile('C:\windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Change your DNS servers to OpenDNS and reboot.

PS: Check and see if you still are getting redirected.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 10
Name: yzarius
Date: July 18, 2009 at 19:38:01 Pacific
Reply:

Back to normal, thank you so much!

Would it now be acceptable for me to uninstall some of the spyware removal programs I had previously installed?
Or are there additional diagnostics that need to be executed?

Thanks again!


0

Response Number 11
Name: jdk (by neoark)
Date: July 18, 2009 at 19:39:33 Pacific
Reply:

Run one more log just to eliminate rootkit. Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 12
Name: yzarius
Date: July 18, 2009 at 21:06:49 Pacific
Reply:

Hi, I've run the program 5 times and each time Windows closes the program.

"The program has stopped working" or something along the lines of that.

Any ideas?

I disabled every real-time protection.


0

Response Number 13
Name: jdk (by neoark)
Date: July 18, 2009 at 21:11:47 Pacific

Response Number 14
Name: XpUser4Real
Date: July 18, 2009 at 21:29:05 Pacific
Reply:

jdk, do you not know the rules of this site???? People are NOT supposed to post a HJT log unless requested by a qualified member. What gives with that???

Some HELP in posting on Computing.net plus free progs and instructions Cheers


0

Response Number 15
Name: yzarius
Date: July 18, 2009 at 22:07:58 Pacific
Reply:

GMER still doesn't completely scan in safe mode -- it always stops working and the program needs to be closed.

The first time it closed, my computer was rebooted.

Do I need to delete GMER and download another copy in safe mode?


0

Response Number 16
Name: jdk (by neoark)
Date: July 19, 2009 at 05:35:11 Pacific
Reply:

Run complete scan with http://onecare.live.com/site/en-Us/... . Post screenshot of what gets detected.

XpUser4Real, talk to the admins? I didn't post the HJT... yzarius did. If they have a problem they can delete his post. If I see something wrong I try to help :).

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 17
Name: yzarius
Date: July 20, 2009 at 09:40:20 Pacific
Reply:

Here's the rapidshare link:

http://rapidshare.com/files/2580092...

For the scan, should I just leave it there or click next?


0

Response Number 18
Name: jdk (by neoark)
Date: July 20, 2009 at 09:58:01 Pacific

Response Number 19
Name: yzarius
Date: July 20, 2009 at 13:55:08 Pacific
Reply:

yeah the redirect is gone.

anything else?


0

Response Number 20
Name: jdk (by neoark)
Date: July 20, 2009 at 13:56:42 Pacific
Reply:

Follow:

1) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, fix anything detected.

2) Run full Scan with SUPERAntiSpyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 21
Name: yzarius
Date: July 20, 2009 at 14:52:43 Pacific
Reply:

Malwarebytes won't run.


0

Response Number 22
Name: jdk (by neoark)
Date: July 20, 2009 at 14:57:24 Pacific
Reply:

Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

2) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 23
Name: yzarius
Date: July 20, 2009 at 15:16:12 Pacific
Reply:

I renamed the Malwarebytes file and now it is running properly, should I run a scan from there first?


0

Response Number 24
Name: jdk (by neoark)
Date: July 20, 2009 at 15:27:21 Pacific
Reply:

Follow: Response Number 22 first.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 25
Name: yzarius
Date: July 20, 2009 at 18:57:10 Pacific
Reply:

I couldn't find the combofix text file but here's the link to the quarantine file:

http://rapidshare.com/files/2581683...


0

Response Number 26
Name: jdk (by neoark)
Date: July 20, 2009 at 19:00:53 Pacific
Reply:

Link doesn't work; the log should be here: c:\combofix.txt .

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 27
Name: yzarius
Date: July 20, 2009 at 19:15:33 Pacific

Response Number 28
Name: yzarius
Date: July 20, 2009 at 19:19:24 Pacific
Reply:

Still no text file, was I supposed to run combofix in safe mode?


0

Response Number 29
Name: jdk (by neoark)
Date: July 20, 2009 at 19:22:59 Pacific
Reply:

Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

No need to run it again. Follow:

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:

    * Drivers
    * Processes
    * SSDT
    * Hidden Services

* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Upload rootrepeal.txt to rapidshare.com and post the download link in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 30
Name: yzarius
Date: July 20, 2009 at 20:26:22 Pacific
Reply:

I was getting the following messages: "Could not read the boot sector. Try adjusting the disk access level in the options dialog." & then another rootrepeal error message saying "Could not read the system registry! Please contact the author!"

But there was no crash.

Here's the report I still received though:
http://rapidshare.com/files/2581868...

Thanks again


0

Response Number 31
Name: jdk (by neoark)
Date: July 20, 2009 at 20:39:33 Pacific
Reply:

Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\Windows\system32\drivers\ESQULpohctvxthcxrsbpbpneedkivdtpuyjwi.sys','');
 DeleteFile('C:\Windows\system32\drivers\ESQULpohctvxthcxrsbpbpneedkivdtpuyjwi.sys');
ExecuteRepair(10);
ExecuteRepair(11);
ExecuteRepair(17);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine.zip');    
end.


A file called quarantine.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

3) Follow these steps carefully and in order numbered:

1) Download The Avenger by Swandog46 from here.

2) Unzip/extract it to a folder on your desktop.

3) Double click on avenger.exe to run The Avenger.

4) Click OK.

5) Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

6) Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\Windows\system32\drivers\ESQULpohctvxthcxrsbpbpneedkivdtpuyjwi.sys


7) In the avenger window, click the Paste Script from Clipboard, button.

8) Click the Execute button.

9) You will be asked Are you sure you want to execute the current script?.

10) Click Yes.

11) You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.

12) Click Yes.

13) Your PC will now be rebooted.

Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

14) After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

15) Please upload this log to rapidshare.com and post a download link to the uploaded file.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 32
Name: XpUser4Real
Date: July 20, 2009 at 20:45:15 Pacific
Reply:

jdk (by neoark)
Obviously you are no Jabuck. He understood the rules of the forum and KNEW that HJT posts had to be requested by a qualified helper. When someone posted a HJT without a request, he would let the poster know. It is forum etiquette.

Some HELP in posting on Computing.net plus free progs and instructions Cheers


0

Response Number 33
Name: yzarius
Date: July 20, 2009 at 21:19:33 Pacific
Reply:

Here's the avenger text:

http://rapidshare.com/files/2581978...


0

Response Number 34
Name: jdk (by neoark)
Date: July 21, 2009 at 05:26:58 Pacific
Reply:

yzarius: Redo Response Number 22 in normal mode. How is your computer running now?

XpUser4Real: Gotcha will keep that in mind.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 35
Name: yzarius
Date: July 21, 2009 at 15:15:42 Pacific
Reply:

The scan ran and finished normally.


0

Response Number 36
Name: jdk (by neoark)
Date: July 21, 2009 at 15:34:24 Pacific
Reply:

Still need combofix log. The link you sent me is the wrong link.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 37
Name: yzarius
Date: July 21, 2009 at 16:02:27 Pacific

Response Number 38
Name: jdk (by neoark)
Date: July 21, 2009 at 16:05:07 Pacific
Reply:

How is your system running now? Seems like we got everything, just some cleaning up left to do. Follow Response Number 20. Then download and run CCleaner (temp and registry).

Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 39
Name: yzarius
Date: July 21, 2009 at 20:09:52 Pacific
Reply:

Where can I find CCleaner?

The System seems to be running fine, google search is back to normal in Firefox and IE. And I didn't have to rename MalwareBytes, now I'm just waiting for the other scan to finish.

Thanks again.


0

Response Number 40
Name: jdk (by neoark)
Date: July 21, 2009 at 21:09:04 Pacific

Response Number 41
Name: yzarius
Date: July 22, 2009 at 04:23:32 Pacific
Reply:

Malwarebytes' Anti-Malware 1.39
Database version: 2476
Windows 6.0.6001 Service Pack 1

7/21/2009 10:53:29 PM
mbam-log-2009-07-21 (22-53-29).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 347595
Time elapsed: 3 hour(s), 29 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\od\Desktop\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.


0

Response Number 42
Name: yzarius
Date: July 22, 2009 at 04:23:47 Pacific
Reply:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2009 at 00:30 AM

Application Version : 4.26.1006

Core Rules Database Version : 4010
Trace Rules Database Version: 1950

Scan type : Complete Scan
Total Scan Time : 01:22:50

Memory items scanned : 773
Memory threats detected : 0
Registry items scanned : 7799
Registry threats detected : 0
File items scanned : 27925
File threats detected : 82

Adware.Tracking Cookie
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@msnservices.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@adopt.euroclick[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ads.mediamayhemcorp[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@questionmarket[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@microsoftwlsearchcrm.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@realmedia[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ads.pointroll[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@clicksor[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@2o7[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@www.burstbeacon[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ad.yieldmanager[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@hitbox[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ads.bridgetrack[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@myroitracking[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ar.atwola[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@adserver.easyad[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@advertising[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ads.addynamix[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@cdn.at.atwola[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@trafficmp[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@atdmt[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@qnsr[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ad.zanox[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@bannersulike[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@media6degrees[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@247realmedia[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@fastclick[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@mediaplex[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@microsoftwlmessengermkt.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@network.realmedia[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@msnportal.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@doubleclick[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@a1.interclick[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ads.bootcampmedia[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@adserver.adtechus[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@apmebf[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@zedo[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@bs.serving-sys[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@microsoftwlmailmkt.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@msnaccountservices.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@adbrite[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@statcounter[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@revsci[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@interclick[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@tracker.adprotracker[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@yadro[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@rotator.adjuggler[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@zillow.adbureau[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@adlegend[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ads.us.e-planning[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@nextag[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@at.atwola[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@burstbeacon[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@ehg-morningstar.hitbox[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@imrworldwide[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@www.burstnet[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@insightexpressai[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@atwola[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@burstnet[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@oasn04.247realmedia[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@serving-sys[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@adserv.brandaffinity[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@2o7[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@ad.yieldmanager[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@adrevolver[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@ads.widgetbucks[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@advertising[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@apmebf[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@atdmt[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@azjmp[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@doubleclick[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@dynamic.media.adrevolver[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@fastclick[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@media.adrevolver[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@mediaplex[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@microsoftwlsearchcrm.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@msnportal.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@msnservices.112.2o7[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@specificclick[2].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@specificmedia[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\Low\od@statcounter[1].txt
C:\Users\od\AppData\Roaming\Microsoft\Windows\Cookies\od@atdmt[2].txt


0

Response Number 43
Name: yzarius
Date: July 22, 2009 at 04:28:42 Pacific
Reply:

ComboFix is uninstalled.

Is it safe to uninstall anything else or install a new program for class?


0

Response Number 44
Name: jdk (by neoark)
Date: July 22, 2009 at 05:25:10 Pacific
Reply:

Yes, you can delete everything else. Avenger was a false positive detection. You're clean :).

If I'm helping you and I don't reply within 24 hours send me a PM.


0

Response Number 45
Name: yzarius
Date: July 22, 2009 at 05:27:53 Pacific
Reply:

This was my first time using this site and it was very helpful.
Thanks again for everything!


0

Response Number 46
Name: abiddine
Date: August 8, 2009 at 08:47:45 Pacific
Reply:

I had this problem a long time ago. I fixed it with Windows Live OneCare. It's actually some kind of spyware or virus or Trojan. This Trojan is redirecting your page because it wants to download other viruses from the internet and infect the computer. It turns off Windows Defender and you can't turn it on. I had Trend Micro Internet Security 14, which could not even try to remove the Trojan. Somehow I got the info about it on Microsoft's website. They told me to download Windows Live OneCare. As soon as I finished installing it, it said there is a Trojan in your computer. It deleted about 25 Trojans off my computer. Now it works fine. I will put the link about it if I find it.


0

Response Number 47
Name: abiddine
Date: August 8, 2009 at 08:50:13 Pacific
Reply:

If it does not work, try deleting all the cookies every time you search something on Google.


0

Response Number 48
Name: abiddine
Date: August 8, 2009 at 09:00:10 Pacific
Reply:

I got the link for the Trojan from Windows Defender. If it finds something, you can get more information about it.


0

Response Number 49
Name: abiddine
Date: August 8, 2009 at 09:17:50 Pacific
Reply:

I just remembered that the virus was called win32 or something.


0
